cjc.im / posts / ZICO2 VM Walkthrough

Another year, another boot2root VM to play. This time Zico2 from https://www.vulnhub.com/entry/zico2-1,210/

I like these VMs when they have a theme, this one was of a sys admin who was testing some different CMS systems.

As always, start with an nmap scan, we get ports ssh on port 22, a webserver on 80 and 111. As always with a webserver, we fire up dirb against it to see if there is anything interesting sticking around.

We find /dbadmin which is very interesting, and this has a copy of phpliteadmin running which is vulnerable to an issue where you can name the database file whatever you want. See https://www.exploit-db.com/exploits/24044/ for more information on this vulnerability. This means that if we can include the file somehow, we can potentially perform a Local File Include (LFI) and execute some PHP!

Also in the database we see some hashed passwords, which despite not being of any use later, we discover the root password is 34kroot34 with some searching for the hash on Google. This doesn't let us SSH in with it though, denied.

After some poking around on the main page on the webserver we notice this: http://192.168.56.101/view.php?page=tools.html, Looks like an LFI to me! so we do http://192.168.56.101/view.php?page=../../usr/databases/hack.php and we are presented with the phpinfo as per for Proof of Concept linked above. Great! Now, we want something more usable, lets create a really simple PHP shell.

 <?php $output = shell_exec($_GET['x']); echo "<pre>$output</pre>"; ?>

Using that pre output so its easier to read! After some poking around the file sytem with our shell, we issue:

view.pgp?page=../../usr/databases/shell.php&x=ls /home/zico

and discover the wordpress install there, the config files tend to have some credentials in and its always worth noting these down, because people tend to re-use passwords, even through they shouldn't! As we include the file, because it's php it actually gets executed in our shell, so we use grep to actually show the file by getting rid of the opening PHP tags:

view.php?page=../../usr/databases/shell.php&x=grep -v "<?" /home/zico/wordpress/wp-config.php

which gives us some file output, including define('DB_PASSWORD', 'sWfCsfJSPV9H3AmQzw8'); and then in turn allows us to SSH in as zico, great.

Looking at the command history the zico user has been running some commands with sudo, so we check what we can do with sudo -l and we see that we can tar and zip, interesting! After scouring the man pages for both tar and zip, we see zip can run commands to "test" archives, great, so similar to how we have used vim in the past to get a shell, we can do the same here with this gem of a line:

sudo -u root zip todo.zip to_do.txt -T --TT="sh -c /bin/bash"

we are presented with a root shell and thus we are done!

Happy New Year!!!

Tags: infosec