Enumeration

Nmap

An initial nmap scan showed that HTTP and SSH were open.

00 - nmap

Web Enumeration

The website had a single upload form. Any file submitted there was converted into a zip archive.

01 - website

Exploitation

PHAR or ZIP wrapper

When I clicked Home, a parameter named file appeared in the URL. So I suspected that this parameter takes a page name and the application appends .php to it before including it.

02 - 0 home

To test this idea, I created a file named test.php that simply calls phpinfo().

02 - test php

Then I uploaded it to the site.

03 - uploaded

Then, using the phar:// wrapper to reach inside the generated zip, I requested the file without the .php extension (the application appends it), and it worked.

04 - gg
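
The following is an added example written for this write-up, not code from the original post or from the target application. It models the behaviour described above: a page that does the equivalent of PHP's `include($_GET['file'] . '.php');`, an upload feature that stores the converted archive at uploads/<name>.zip, and the phar:// stream wrapper being used to read an entry out of that zip. The include shape, the uploads/ path and the allowlist of page names are assumptions; the point it shows is that the appended suffix does not stop a wrapper path, because the suffix simply becomes part of the entry name inside the archive, and it puts the allowlisted include next to the vulnerable one.

```python
"""Model of the include() abuse described above.

Added example written for this write-up, not code from the original post or
from the target application. It assumes the page behaves like PHP's
`include($_GET['file'] . '.php');` and that the upload feature stores the
converted archive at uploads/<name>.zip; both are assumptions, as is the use
of the phar:// stream wrapper to read an entry out of a plain zip file.
"""
import io
import zipfile
from typing import Dict, Optional

# Content of the uploaded test.php (constructed to mirror the text).
PAYLOAD_PHP = b"<?php phpinfo(); ?>"

# Page names the application legitimately includes (assumed allowlist).
ALLOWED_PAGES = {"home", "about", "upload"}


def build_upload_zip(inner_name: str, content: bytes) -> bytes:
    """Return the zip archive the site produces when it converts an upload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, content)
    return buf.getvalue()


def vulnerable_include_target(file_param: str) -> str:
    """The vulnerable concatenation: '.php' is appended, nothing is validated.

    The suffix is meant to stop arbitrary includes, but a stream wrapper path
    survives it: the suffix just becomes part of the entry name inside the
    archive.
    """
    return file_param + ".php"


def hardened_include_target(file_param: str) -> Optional[str]:
    """Hardened variant: map the parameter onto an allowlist of page names.

    Anything that is not a bare, known page name (so every path containing
    '/' or ':', i.e. every stream wrapper) is rejected.
    """
    if file_param in ALLOWED_PAGES:
        return file_param + ".php"
    return None


def resolve_phar(path: str, archives: Dict[str, bytes]) -> Optional[bytes]:
    """Resolve phar://<archive path>/<entry> against in-memory archives.

    Mirrors what PHP's phar wrapper does for a zip-based archive: locate the
    archive on disk, then read the named entry from inside it. Returns None
    when the path is not a phar path or the entry does not exist.
    """
    prefix = "phar://"
    if not path.startswith(prefix):
        return None
    parts = path[len(prefix):].split("/")
    # Longest-to-shortest scan: the archive may itself live under a directory.
    for i in range(len(parts) - 1, 0, -1):
        archive = "/".join(parts[:i])
        if archive in archives:
            entry = "/".join(parts[i:])
            with zipfile.ZipFile(io.BytesIO(archives[archive])) as zf:
                if entry in zf.namelist():
                    return zf.read(entry)
            return None
    return None


def demo() -> dict:
    """Walk through the requests the write-up implies."""
    archives = {"uploads/test.zip": build_upload_zip("test.php", PAYLOAD_PHP)}
    phar_param = "phar://uploads/test.zip/test"     # no .php: the server adds it
    return {
        # Vulnerable page: the appended suffix lands inside the archive path.
        "vulnerable_target": vulnerable_include_target(phar_param),
        "vulnerable_body": resolve_phar(vulnerable_include_target(phar_param), archives),
        # Same parameter against the hardened page: rejected outright.
        "hardened_target": hardened_include_target(phar_param),
        # A legitimate page name still works on the hardened page.
        "hardened_home": hardened_include_target("home"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running it shows `file=phar://uploads/test.zip/test` turning into `phar://uploads/test.zip/test.php`, which resolves to the phpinfo() payload inside the uploaded archive, while the allowlisted version of the include rejects the same parameter and still serves `home.php`.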

I then downloaded pentestmonkey/php-reverse-shell and updated the IP address.

05 - pentest monkey

Then I uploaded the file and accessed it through the phar wrapper to get a reverse shell.

06 - obtained the shell

I then obtained the local flag.

07 - local

Privilege Escalation

7za wildcard (7zip wildcard) exploitation

There was a cron job running as root.

08 - crontab

I checked the script and found that it was running 7za with root's password as the archive password, adding every file matched by the *zip wildcard.

09 - opt backup

So I did some research and found that 7za invoked on a wildcard can be abused through symbolic links to disclose the contents of files we cannot read, because its error output echoes them. To do that:

  1. Create a symlink whose name matches the wildcard and points at a file we have no read access to, for example: ln -s /root/.ssh/id_rsa root.zip
  2. When 7za is then invoked with *zip, it picks up root.zip, fails on it and reveals the contents of /root/.ssh/id_rsa in its output
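
The following is an added example written for this write-up, not code from the original post or from the target's backup script. It models the cron job as `7za a backup.zip -p<password> *zip` run as root inside a directory the web user can write to, and shows the check a hardened version of that job should make before handing wildcard matches to 7za: every name the *zip glob expands to is inspected and anything that is not a plain regular file is flagged, because a symlink planted by the low-privileged user (the ln -s step above) is matched by name exactly like a real archive and would be followed by the privileged process. The directory layout, the name root.zip and the secret file are constructed for the demonstration.

```python
"""Pre-flight check for the wildcard backup job described above.

Added example written for this write-up, not code from the original post or
from the target's backup script. It models the cron job as `7za a backup.zip
-p<password> *zip`, run as root inside a directory the web user can write to;
the directory layout and the name root.zip are assumptions. Every name the
*zip wildcard expands to is inspected, and anything that is not a plain
regular file is flagged, because a symlink planted by the low-privileged
user would be followed by the privileged job.
"""
import glob
import os
import tempfile
from typing import Dict, List, Tuple


def wildcard_candidates(directory: str, pattern: str = "*zip") -> List[str]:
    """The names the shell would hand to 7za for `pattern` inside `directory`.

    Glob matching is purely by name: a symlink called root.zip is matched
    exactly like a real archive.
    """
    return sorted(os.path.basename(p)
                  for p in glob.glob(os.path.join(directory, pattern)))


def unsafe_entries(directory: str, pattern: str = "*zip") -> Dict[str, str]:
    """Map each wildcard match a root job must not touch to the reason why."""
    flagged = {}
    for name in wildcard_candidates(directory, pattern):
        path = os.path.join(directory, name)
        if os.path.islink(path):
            # realpath shows where the privileged process would actually read.
            flagged[name] = "symlink -> " + os.path.realpath(path)
        elif not os.path.isfile(path):
            flagged[name] = "not a regular file"
    return flagged


def stage_attack_dir(secret_target: str) -> str:
    """Build a throwaway upload directory holding one legitimate archive and
    the attacker's planted link, mirroring `ln -s <target> root.zip` above."""
    directory = tempfile.mkdtemp(prefix="uploads-")
    with open(os.path.join(directory, "legit.zip"), "wb") as f:
        f.write(b"PK\x05\x06" + b"\x00" * 18)   # minimal empty zip (constructed)
    os.symlink(secret_target, os.path.join(directory, "root.zip"))
    return directory


def demo() -> Tuple[List[str], Dict[str, str], str]:
    """Return (wildcard expansion, flagged entries, real path of the secret)."""
    with tempfile.NamedTemporaryFile("wb", delete=False, prefix="secret-") as f:
        f.write(b"contents only root should see (constructed)\n")
    secret = os.path.realpath(f.name)
    directory = stage_attack_dir(secret)
    return wildcard_candidates(directory), unsafe_entries(directory), secret


if __name__ == "__main__":
    candidates, flagged, secret = demo()
    print("7za would receive:", candidates)
    for name, reason in flagged.items():
        print(f"refuse {name}: {reason}")
```

The expansion contains both legit.zip and root.zip, and only root.zip is flagged, pointing at the planted target. A hardened backup job would run a check like this and stop if anything is flagged, read the archive password from a root-only file instead of the command line, and back up from a directory the web user cannot write to.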

However, there was already a symlink named enox.zip on the target machine.

10 - enox zip

Since the root backup cron job writes the command's output to a backup.log file, we could simply read that log to recover the contents of the /root/secret file.

11 - wildcard

We could also use pspy64 to watch the command, since it passes the password directly on the command line, where pspy64 can see it.

11 - wildcard2

Then use that password to obtain a root shell.

12 - root flag
