Zico2 Walkthrough

Good evening, gents!

Me and one of the guys (H4v0k) decided to tag team a VM this kickass evening to finish our kickass day with some kickass root hax. To follow along, you can download the image from here.

Quick run-down:

  1. Enumeration
  2. Checking for vulnerabilities
  3. Test
  4. Get root

Exploits used:

  1. PHPLiteAdmin v1.9.3
  2. 3.5 Kernel Exploit

As always, I find the target machine on my net and begin to see what kind of services are running.

The port that is interesting to us right now is port 80. So if you go to the address, you are greeted with Zico’s Shop with a pretty slick interface.

As I mentioned previously, I was tag teaming with H4v0k. He spotted an interesting URL in the page source which led to him finding his LFI vulnerability.

As I was doing my own enumeration, I found the login interface for PHP using dirb.

Fortunately for us, the password to log in to phpLiteAdmin was still “admin”. Great success!

The awesome thing about this database is when you create a new database, you can name it with a PHP file extension and insert PHP code in the “Default Value” section of the table. That sounds a bit confusing, so let’s take a look at how to do this visually…

The first thing you do is create a new database named whatever.php; as long as it has the PHP extension. When creating a table, you set the field to whatever value you want with the type being “TEXT” and any type of PHP code you want in the “Default Value” section as such.

All this will do is give you the output of phpinfo(). If you take notice of the path, you will quickly notice that you will not be able to access it via browser because of the path these files are being saved in. This is where H4v0k’s finding comes into play. We will chain the LFI to reach our code. If our theory is correct, we shall be greeted with…the info of phpinfo()…

Very nice!
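The defender's side of the trick above, as an added example that is not from the original post: a Python scan of a web-server directory tree for SQLite files that carry a script extension or contain PHP tags. The extension list, the finding labels and the sample files are assumptions constructed for the illustration.

```python
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"        # 16-byte header of every SQLite 3 file
SCRIPT_EXTS = {".php", ".phtml", ".phar"}    # assumption: extensions the server may execute
PHP_TAGS = (b"<?php", b"<?=")

def inspect_file(path, max_bytes=4 * 1024 * 1024):
    """Return findings for one file; empty list when it is not a suspicious SQLite DB."""
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)
    if not data.startswith(SQLITE_MAGIC):
        return []
    findings = []
    if os.path.splitext(path)[1].lower() in SCRIPT_EXTS:
        findings.append("sqlite-db-with-script-extension")
    # Schema text (column defaults included) is stored verbatim in the file bytes.
    if any(tag in data for tag in PHP_TAGS):
        findings.append("php-tag-inside-sqlite-db")
    return findings

def scan_tree(root):
    """Walk root and map relative path -> findings for every flagged file."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                found = inspect_file(full)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if found:
                results[os.path.relpath(full, root)] = found
    return results

def build_demo_tree(root):  # constructed sample data: two databases and a normal page
    for name, default in (("whatever.php", "<?php phpinfo(); ?>"), ("shop.sqlite", "n/a")):
        con = sqlite3.connect(os.path.join(root, name))
        con.execute(f"CREATE TABLE t (f TEXT DEFAULT '{default}')")
        con.commit()
        con.close()
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'shop'; ?>")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_demo_tree(demo)
        print(scan_tree(demo))
```

The PHP-tag check is kept separate from the extension check because a database with an innocent extension is still worth flagging when the application also has a file-inclusion bug.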

So what’s next to do?? I couldn’t reliably get code execution through a simple backdoor or whatever. Some output of my commands weren’t being shown. “whoami” showed. “ifconfig” didn’t. wat??

Just because my commands weren’t showing doesn’t mean that it’s a dead end, right?? So I placed a listener on port 80 and did a wget to my machine. It touched me! It touched me so hard. So what next? I created a binary that connects back to me on port 9000.

Next, I created another database to have some PHP code to download the binary from me, chmod it, and then execute it.

So what happened after running that? You got it…SHELL 🙂

Poking around, we know a few things about this OS: it is a 64 bit machine, kernel is running on 3.2, has gcc, and the OS is Ubuntu 12.04.5 LTS. I download Vitaly’s perf_swevent_init local root exploit onto the machine and try to compile it. Unfortunately, I was not able to compile it as cc1 is not thurr. Instead, I download it onto my local machine, compile it, and then transfer it to my target machine. I make it executable and guess what?!

Yesssssss-uhhhhh

 

 
