I have been using VulnHub to play around with the various vulnerable machine challenges and really enjoy doing so.
The latest one I have tried is ‘Zorz’, This time though I thought it would be good to do a write up and post it here on my blog.
If any of you that are reading this think I could have done things different/quicker/better then please shout up as I am always up for learning!
Zorz by TopHatSec
As with any new test we need to perform a scan to see what we’re dealing with.
Nmap came back with only 2 ports open 80 (HTTP) and 22 (SSH)
Let’s fire up a browser and see what port 80 has to offer us.
So HTTP wise we’re presented with the first Uploader with links to 2 other different uploading scripts. I will take it as these are three different scripts and treat them as three different levels.
Level 1: Uploader!
let’s test the upload function and see how it acts, I uploaded a random image and was given the below information on completion of the upload.
So the file was uploaded successfully with no errors. The information given shows a temporary directory of /tmp/phpaoQPI1.
Surely it can’t be as simple as browsing to that URL to find my uploaded picture?
Thought so, lets try brute forcing the directories on the server to see if anything interesting comes back.
I use two tools for brute forcing directories which are ‘dirb’ and ‘OWASP-DirBuster’
I initially did a dirb scan with no options set and it didn’t find too much, I then used a word-list that I normally use with OWASP’s dirbuster which was too big (Learning all the way eh?)
I had a quick look in /usr/share/dirb/wordlists and decided to go with the ‘big.txt’ list
Interesting it’s found a directory called uploads2. I fire up Firefox and navigate to /uploads2 but my file still isn’t there. Dirb didn’t come back with anything else so let’s try a bit of manually testing. If there is an uploads2 there could be an uploads1.
Bingo!
There is my uploaded file in all it’s glory. Let’s click it to check.
Yup! that’s the image I uploaded (reminds me of a certain infosec guy I know)
I wonder what else we can upload? I downloaded a PHP reverse shell a few weeks ago courtesy of PenTestMonkey over at http://pentestmonkey.net/.
First we need to change the port and IP information within the PHP script.
Let’s put it to the test.
The reverse shell was uploaded without a problem, the upload script had no safety mechanisms in place to make sure that the file uploaded was nothing malicious (such as checking that the file uploaded was actually a certain type of image)
Let’s set up a netcat reverse listener.
Our listener is ready, let’s click the php-reverse-shell.php within the /uploads1 directory. Hopefully the server executes the code within the PHP file and gives us shell goodness.
Jackpot! We now have a shell. On to the treasure!