
VulnHub: Zorz (Level 1) by TopHatSec


I have been using VulnHub to play around with the various vulnerable machine challenges and really enjoy doing so.

The latest one I have tried is 'Zorz'. This time I thought it would be good to write it up and post it here on my blog.

If any of you reading this think I could have done things differently, quicker or better, then please shout up, as I am always up for learning!

Zorz by TopHatSec

As with any new test, we first need to scan the target to see what we're dealing with.

Nmap came back with only two ports open: 80 (HTTP) and 22 (SSH).

[Screenshot from 2015-05-07 12:57:33: nmap results showing ports 22 and 80 open]

Let’s fire up a browser and see what port 80 has to offer us.

[Screenshots from 2015-05-07 12:57:50 and 12:58:03: the Uploader page served on port 80]

[Screenshot from 2015-05-07 12:58:09: links to the other two upload scripts]

So on HTTP we're presented with the first uploader, with links to two other upload scripts. I will treat these as three separate scripts and therefore three separate levels.

Level 1: Uploader!

Let's test the upload function and see how it behaves. I uploaded a random image and was given the information below when the upload completed.

[Screenshot from 2015-05-07 12:59:11: upload result page showing the temporary path]

So the file was uploaded successfully with no errors. The output shows a temporary path of /tmp/phpaoQPI1. That is the name PHP gives an upload while the request is being processed (the tmp_name entry in $_FILES); it lives outside the web root and is removed once the script has finished with it, so it is not where the file ends up.

Surely it can't be as simple as browsing to that path to find my uploaded picture?

[Screenshot from 2015-05-07 14:46:39: browsing to the /tmp path does not return the file]

Thought so. Let's brute-force directories on the server and see if anything interesting comes back.

I use two tools for brute-forcing directories: dirb and OWASP DirBuster.

I initially ran dirb with no options set and it didn't find much. I then tried the word-list I normally use with DirBuster, which turned out to be far too big for dirb (learning all the way, eh?).

I had a quick look in /usr/share/dirb/wordlists and decided to go with the big.txt list.

[Screenshot from 2015-05-07 14:06:19: dirb scan with big.txt]

Interesting: it found a directory called uploads2. I fire up Firefox and navigate to /uploads2, but my file still isn't there. Dirb didn't come back with anything else, so let's try some manual testing. If there is an uploads2 there could well be an uploads1, and a numbered directory like that won't necessarily be in any wordlist.

Bingo!

[Screenshot from 2015-05-07 13:36:35: /uploads1 showing the uploaded file]

There is my uploaded file in all its glory. Let's click it to check.

[Screenshot from 2015-05-07 13:36:40: the uploaded image served from /uploads1]

Yup, that's the image I uploaded (it reminds me of a certain infosec guy I know).
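As an added example (not part of the original write-up or the Zorz VM), here is a small Python script that automates the guess made above: given the filename you uploaded, it probes a set of candidate directories and reports the first one that serves the file. The base URL, the uploads/uploads1 ... uploadsN naming pattern and the number of directories to try are assumptions; the write-up itself only shows uploads1 and uploads2.

```python
import sys
import urllib.error
import urllib.request


def candidate_paths(filename, max_n=5):
    """Paths to probe for an uploaded file.

    Assumption: the application stores uploads in sibling directories named
    uploads, uploads1 ... uploadsN, which is what the dirb hit (uploads2)
    suggested. Adjust the pattern if the target uses something else."""
    dirs = ["uploads"] + ["uploads%d" % n for n in range(1, max_n + 1)]
    return ["/%s/%s" % (d, filename) for d in dirs]


def http_status(url, timeout=5):
    """GET url and return the HTTP status code; 4xx/5xx arrive as HTTPError."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def find_upload(base_url, filename, fetch=http_status, max_n=5):
    """Return the first candidate path that answers 200, or None.

    `fetch` is injectable so the search logic can be exercised without a
    live target (the tests pass a stub instead of http_status)."""
    base = base_url.rstrip("/")
    for path in candidate_paths(filename, max_n):
        if fetch(base + path) == 200:
            return path
    return None


if __name__ == "__main__":
    # usage: python find_upload.py http://<target> php-reverse-shell.php
    hit = find_upload(sys.argv[1], sys.argv[2])
    print(hit if hit else "not found in any candidate directory")
```

A site that answers every request with a 200 "not found" page would fool this check; against such a target compare the response length or a hash of the body with the file you uploaded rather than trusting the status code alone.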

I wonder what else we can upload? I downloaded a PHP reverse shell a few weeks ago, courtesy of pentestmonkey at http://pentestmonkey.net/.

First we need to change the IP address and port in the PHP script so that it connects back to our listener.

[Screenshot from 2015-05-07 14:10:11: editing the IP and port in php-reverse-shell.php]

Let’s put it to the test.

[Screenshot from 2015-05-07 14:12:10: the reverse shell uploaded successfully]

The reverse shell was uploaded without a problem. The upload script had no checks in place to make sure the file was not malicious (such as verifying that the content was actually an image of the expected type, or rejecting a .php extension), and it stores files under their original name in a directory inside the web root. If the web server is willing to execute PHP from that directory, an uploaded script will run with the web server's privileges.
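The following Python is an added example, not code from the Zorz VM or the original post. It contrasts the behaviour observed above (any file is stored under the name the client supplied) with the checks a hardened upload handler would apply: an extension allow-list, a magic-byte check that the content matches the claimed type, a scan for embedded PHP tags, a size cap, and a server-generated storage name. The allow-list and the size limit are assumptions chosen for illustration, and the sample inputs at the bottom are constructed.

```python
import os
import secrets

# Magic bytes for the image types this handler is willing to store
# (allow-list chosen for this example).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# client extension -> canonical type
ALLOWED_EXT = {"png": "png", "jpg": "jpg", "jpeg": "jpg", "gif": "gif"}
MAX_SIZE = 2 * 1024 * 1024  # assumed limit for this example


def naive_accept(original_name, data):
    """Models the Level 1 uploader as observed in the write-up: every file is
    accepted and stored under the client-supplied name, so
    php-reverse-shell.php lands in the web root as php-reverse-shell.php."""
    return True, os.path.basename(original_name)


def hardened_accept(original_name, data, max_size=MAX_SIZE):
    """Return (accepted, reason_or_storage_name).

    Only the extension lookup depends on the client-supplied name; the stored
    name is generated server-side, so names like shell.php.png or ../../x can
    never influence where the file is written or what it is called."""
    if len(data) > max_size:
        return False, "file too large"
    ext = original_name.rsplit(".", 1)[-1].lower() if "." in original_name else ""
    kind = ALLOWED_EXT.get(ext)
    if kind is None:
        return False, "extension %r not allowed" % ext
    # The content must actually be the image type the extension claims.
    if not data.startswith(MAGIC[kind]):
        return False, "content is not a %s image" % kind
    # Defence in depth: a valid image header with PHP appended is still a
    # payload if the server ever interprets the file (e.g. through an LFI).
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tag"
    return True, "%s.%s" % (secrets.token_hex(16), kind)


if __name__ == "__main__":
    # Constructed sample inputs: a PHP one-liner and a minimal PNG header.
    shell = b"<?php system($_GET['cmd']); ?>"
    png = MAGIC["png"] + b"\x00" * 32
    for name, blob in [("php-reverse-shell.php", shell),
                       ("cat.png", png),
                       ("cat.php.png", png + shell)]:
        print(name, "naive:", naive_accept(name, blob),
              "hardened:", hardened_accept(name, blob))
```

Even with these checks, the uploads directory should either live outside the web root (served through a script that sets the Content-Type itself) or have script execution disabled, for example with `php_admin_flag engine off` in an Apache Directory block for mod_php, so that a file which slips through is served as bytes rather than run.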

Let's set up a netcat listener on the port we put in the script.

[Screenshot from 2015-05-07 15:22:16: netcat listener waiting for a connection]

Our listener is ready. Let's browse to php-reverse-shell.php in the /uploads1 directory and hope the server executes the PHP and hands us a shell.

[Screenshot from 2015-05-07 14:12:59: the reverse shell connecting back to the listener]

Jackpot! We now have a shell. On to the treasure!

[Screenshot from 2015-05-07 15:36:15: shell session on the target]

Level 1 Completed

James Smith

Security Researcher, Penetration Tester & Linux Advocate
