In this post we’re going to finish a quick machine from Vulnhub called Zico2.
As always, let’s start from the usual
From the results, we can see three open ports -
rpcbind. With that information we can continue enumeration on port 80 and scan the website hosted on this machine.
dirb shows an interesting directory,
dbadmin; let's take a look at it.
Googling for the name of the service, phpLiteAdmin v1.9.3, returned a default password, with which we can log into the panel.
While looking for information, I've noticed a table containing hashes of users.
Having cracked them, I tried to connect over
ssh, but with no luck.
Moving on with the attack, we can use this exploit to execute commands. The steps are simple.
- We create a db named “share.php”.
- Now create a new table in this database and insert a text field with the default value:
In addition, in
view.php we have an LFI vulnerability allowing us to view any file on the system.
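From the defender's side, the two things this chain leaves in the web server log are requests to view.php asking for paths outside the site and a phpLiteAdmin database created with a .php name. The following is an added detection example, not part of the original post: it parses constructed Apache-style log lines (the `page=` parameter for view.php and the `new_dbname` parameter, shown in the query string for illustration, are assumptions) and flags both patterns.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (combined log format); the parameter names are assumed.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /view.php?page=tools.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /view.php?page=../../../../etc/passwd HTTP/1.1" 200 1834 "-" "curl/7.88"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "POST /dbadmin/index.php?new_dbname=share.php HTTP/1.1" 302 0 "-" "curl/7.88"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /view.php?page=/path/to/share.php HTTP/1.1" 200 90 "-" "curl/7.88"
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /dbadmin/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Raw or double-encoded "../" sequences; parse_qs has already decoded one layer.
TRAVERSAL = re.compile(r'(\.\./|\.\.\\|%2e%2e)', re.I)
EXECUTABLE_EXT = ('.php', '.phtml', '.phar')


def analyse(line):
    """Return (client_ip, [findings]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    # Any view.php include that leaves the web root: traversal or an absolute path.
    if parts.path.endswith('/view.php'):
        for values in params.values():
            for v in values:
                if TRAVERSAL.search(v) or v.startswith('/'):
                    findings.append(f'LFI attempt: view.php asked for {v!r}')
    # phpLiteAdmin lets the user pick the database file name; a .php name means
    # the SQLite file is being staged as a script for the LFI to include.
    if '/dbadmin/' in parts.path:
        for name in params.get('new_dbname', []):
            if name.lower().endswith(EXECUTABLE_EXT):
                findings.append(f'phpLiteAdmin database with executable name {name!r}')
    return m.group('ip'), findings


def scan(log_text):
    """Return [(ip, findings)] for every line that produced at least one finding."""
    return [r for r in map(analyse, log_text.splitlines()) if r and r[1]]
```

Run against the constructed sample, scan() returns three hits, all from 10.0.0.9: the /etc/passwd read, the share.php database creation, and the include of that file through view.php.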
Now let’s see if our code has executed.
It's working! Now we can check whether
nc is installed in order to execute a reverse shell.
And as it's installed, let's prepare the reverse TCP shell.
Now we simply have to get it from our Kali machine and execute it.
Viewing the page the same way as before got us a reverse shell.
Now we just have to escalate to another user. I decided to first check out the home directory, which shows what other users are on the system.
That’s a lot of files to look at. Let’s start with
The zico user tried different CMSs. We can check what's inside these directories, starting with WordPress, as it's the one I'm most familiar with.
We have a password for the database. With that, we can try to log in to
And after checking what commands the user is able to execute with
zip commands are available.
Doing another bit of searching, I noticed a cool way to execute commands with
tar. Check it out here.