Vulnhub zico2: 1 Walkthrough
by Vince, in Blog
With most things technology, if you don't use it, you lose it. I was once an MSSQL DBA but after taking and passing the certification, I never used it -- and then lost it. I can hack my way around SQL but I wouldn't call myself a database administrator. If you don't want to lose it, keep honing your skills, keep learning new things, and with pentesting, keep popping boxes. You step away from it for just a short period of time and you're rusty.
This is a skill I do not want to lose and that's why I find spare time to get after these boxes appearing on Vulnhub. Practice, practice, practice!
I think some people are going to look at the entry point on this box and think -- "Hey, I know this one...". Yup. I'll just leave it at that because if it's not obvious, you don't know. And if it IS obvious, remember, the first rule of Fight Club...
I don't remember the privilege escalation on the other box so don't take this as a walkthrough on that one. We're working on Zico only here.
Starting off with our Nmap scan:
Checking out the web port:
Admittedly, I don't know a whole lot about Bootstrap but in my limited experience, I haven't found it to be an entry... yet?
Firing up Nikto:
I poke through /img but come up empty.
Let's do a quick scan with dirb:
I like the sound of "view.php", let's see if we can get LFI:
Sweet! After poking around with my LFI, I don't really find much of interest. dirb doesn't like it when you feed it really large files so I've broken up my large list into smaller lists and I scripted the enumeration.
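The view.php LFI found above is the kind of request a defender can spot in the web server's access log before anyone gets as far as the database admin panel. The following is an added example, not part of the original walkthrough: a small Python detector that parses Apache-style log lines, decodes the request path (twice, so double-encoded payloads are caught), and flags traversal sequences and references to sensitive files or PHP stream wrappers. The log lines are constructed for the example, and the function names (`classify`, `scan_log`, `sources_over_threshold`) are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log style; not taken from the box.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /view.php?page=tools.html HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /view.php?page=../../../../etc/passwd HTTP/1.1" 200 1823
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /view.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1823
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /view.php?page=....//....//etc/passwd HTTP/1.1" 200 1823
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /view.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 4096
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /img/logo.png HTTP/1.1" 200 9000
"""

# Minimal combined-log parser: source IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# "../" or "..\" anywhere in the decoded path.
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\')
# Files an LFI probe typically reaches for, plus PHP stream wrappers.
SENSITIVE_RE = re.compile(
    r'/etc/(passwd|shadow|group)|/proc/self/environ|wp-config\.php|'
    r'php://|file://|data://|expect://',
    re.IGNORECASE,
)


def normalize(path: str) -> str:
    """Decode the path twice so single- and double-URL-encoded payloads compare equal."""
    return unquote(unquote(path))


def classify(path: str) -> list:
    """Return the reasons a request path looks like an LFI probe (empty list = benign)."""
    p = normalize(path)
    reasons = []
    if TRAVERSAL_RE.search(p):
        reasons.append("directory traversal sequence")
    if SENSITIVE_RE.search(p):
        reasons.append("sensitive file or PHP stream wrapper in parameter")
    return reasons


def scan_log(text: str) -> list:
    """Parse each log line and return (ip, status, path, reasons) for suspicious requests."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m.group("path"))
        if reasons:
            hits.append((m.group("ip"), int(m.group("status")), m.group("path"), reasons))
    return hits


def sources_over_threshold(hits: list, threshold: int = 2) -> set:
    """Source IPs with at least `threshold` suspicious requests.

    A 200 response on one of these is the case to chase first: the
    application served whatever was asked for.
    """
    counts = {}
    for ip, *_ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return {ip for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for ip, status, path, reasons in hits:
        print(f"{ip} {status} {path} -> {', '.join(reasons)}")
    print("repeat offenders:", sources_over_threshold(hits))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; the status code is kept in each hit because a traversal that returns 200 with a non-trivial body size is a successful read, not just an attempt.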
Launching my dirb script:
I've cleaned up the noise from the output and what we get are a bunch of things we can look into.
After poking through the various directories, I settle on /dbadmin:
And let's see where this leads us:
Like I said, déjà vu.
Guessing at the password... :
https://www.exploit-db.com/exploits/24044/
PHPLiteAdmin 1.9.3 is vulnerable to remote code injection.
[ Side Note: The first time I used this exploit, PHPLiteAdmin was unfamiliar, this exploit didn't make 100% sense to me, and I fumbled around -- eventually getting it to work. In advance of what I'm going to walk through, the key thing is to keep your script small. ]
Before I get to exploiting this vulnerability, I want to check out the users:
Cool! Let's take this over to Hashcat:
You can crack these hashes with rockyou.txt, I just have a bigger list and I instinctively went with it. I deleted the pot file and re-ran it with rockyou and both achieved the same outcome.
I played around with these passwords but it did not bear any fruit. Moving back to our obvious vulnerability --
We're going to create a database with the name hack.php:
If you haven't exploited PHPLiteAdmin 1.9.3 previously, you might neglect to change databases. After you hit create, select your database from the list on the upper left under "Change Databases".
We need to create a table with one field:
Now that we have our table, we need to create a field, change the Type to TEXT, and enter our script:
The Default Value box masks part of the string but here's what you're entering into that box:
I've used this script in various ways and sometimes it works with single or double quotes. In a situation like this, I don't want to assume something hasn't changed so I just verify that what I put into the box is what I'm still seeing. Sometimes if it's blind injection, what ends up on the other end is not the same.
Note the path:
Once we enter our script, we need to move to the Insert tab and select insert to enter it into the table:
Again, noting the path and our syntax, all is well:
I don't like performing LFI in the browser, so I move to curl:
I'm pretty sure I've used this script with curl in the past but it's complaining: Warning: Binary output can mess up your terminal. Use "--output -"
It forces me to use --output and I output the command to a file. When I cat the output file, I see that I have command execution.
You can use the browser as well; as I said, I just like the command line because, if you're forced to enumerate the system, it's much easier from the command line or even from a script, which I wrote previously.
LFI using the browser:
Same same.
Now that I know I have good command execution, I'm going to feed it this script, which you're not going to be able to see once it's in the address bar.
I wrapped it around for easier viewing:
Setting up the handler:
Entering our script into the browser:
Waiting for my shell:
Excellent! We catch our shell and I clean it up.
Let's check out /home:
The Joomla configuration file is missing, let's see if we can find the Wordpress configuration file:
We have a config file, let's grab the DB login info:
That looks legit; before I do anything, let's see if this is the actual login info for zico:
Sweet!
Now that I'm logged in as zico, let's check out the .bash_history file:
I cleaned this up a bit but in the end, I decided it made my eyes hurt and I would save that for later if need be.
In the instructions from the author, it said to "enumerate, enumerate, enumerate" which I took to heart. I ran sudo -l and zico has:
zico ALL=(root) NOPASSWD: /bin/tar
zico ALL=(root) NOPASSWD: /usr/bin/zip
I bet that's an avenue and I will probably go back and learn something new but I dig into this box to know exactly what I'm dealing with because wacky sudo mistakes are not how I want to take this box.
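The two NOPASSWD lines above are the "sudo mistake" the box is built around: granting a user unrestricted root execution of a program that can itself run other programs or write arbitrary files is the same as granting root. The following is an added example, not from the walkthrough or the box author: a Python audit that parses `sudo -l`-style rules and flags risky ones, so an administrator can find this class of misconfiguration before a pentester does. The two zico rules are quoted from the page; the `service apache2 restart` rule is a constructed, narrowly scoped entry for contrast, and `RISKY`, `parse_rule` and `audit` are names of my own.

```python
import os
import re

# Sample input: the two rules from the walkthrough plus one constructed,
# argument-locked rule to show what a well-scoped entry looks like.
SAMPLE_SUDO_L = """\
Matching Defaults entries for zico on this host:
zico ALL=(root) NOPASSWD: /bin/tar
zico ALL=(root) NOPASSWD: /usr/bin/zip
zico ALL=(root) NOPASSWD: /usr/sbin/service apache2 restart
"""

# Programs whose documented options let them execute other programs or write
# files anywhere. Unrestricted root sudo on any of these is effectively root.
RISKY = {
    "tar": "archiver can invoke external programs",
    "zip": "archiver can invoke external programs",
    "unzip": "can write files to arbitrary locations",
    "vi": "editor can spawn a shell",
    "vim": "editor can spawn a shell",
    "less": "pager can spawn a shell",
    "more": "pager can spawn a shell",
    "find": "can execute commands",
    "awk": "can execute commands",
    "python": "interpreter",
    "perl": "interpreter",
    "bash": "shell",
    "sh": "shell",
}

# user host=(runas) [TAG: ...] command [args]
RULE_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*'
    r'(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$'
)


def parse_rule(line: str):
    """Parse one sudo rule line; return None for headers and non-rule text."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
    parts = m.group("cmd").strip().split()
    return {
        "user": m.group("user"),
        "runas": m.group("runas").strip(),
        "nopasswd": "NOPASSWD" in tags,
        "binary": parts[0],
        "args": parts[1:],
    }


def audit(text: str) -> list:
    """Return (severity, user, binary, reason) findings for risky sudo rules."""
    findings = []
    for line in text.splitlines():
        r = parse_rule(line)
        if r is None:
            continue
        name = os.path.basename(r["binary"])
        if name in RISKY and not r["args"]:
            # No fixed arguments: the user may pass any option the program accepts.
            sev = "high" if r["nopasswd"] else "medium"
            findings.append((sev, r["user"], r["binary"],
                             RISKY[name] + "; arguments unrestricted"))
        elif any("*" in a for a in r["args"]):
            # Wildcards in sudoers arguments match far more than intended.
            findings.append(("medium", r["user"], r["binary"],
                             "wildcard in locked arguments"))
    return findings


if __name__ == "__main__":
    for sev, user, binary, reason in audit(SAMPLE_SUDO_L):
        print(f"[{sev}] {user} -> {binary}: {reason}")
```

Feed it the output of `sudo -l` (or the relevant lines of `/etc/sudoers` and `/etc/sudoers.d/*`). The remediation for a high finding is to drop the rule, or to lock it to a fixed argument list or a wrapper script the way the constructed `service apache2 restart` rule is, which the audit leaves alone.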
Doing what I'm told, I enumerate:
Now that's kind of specific so let's see what Exploit-db can find for us:
Kernel 3.2.0-23 and x64, this seems like a match. [ I bet Dirtycow pops this box too but you're probably tired of seeing me do that. ]
Downloading the exploit, compiling it, and running it:
#rootdance
One more thing left to do:
I liked this box. Even with the sudo mistake that I'm about to learn about, this is a fairly common real-world-looking box. Albeit dated, it's still plenty more like the real world than the CTF-style boxes.