Zero
I would like to share my notes about the Zero machine, which is marked as Insane on Vulnlab and was created by JKR.

User part
After starting the machine, I began with a port scan as always.
We have SSH and a web service:

Let's enumerate this using dirsearch:

So we can see some routes like

So now we have some creds to upload stuff. Let's try it; the main page also mentioned "secure upload", so it looks like the right direction. But after that I spent hours figuring out what I should upload there. I tried files with various extensions like php5, php7, pht and even htshells, but without any result. And after a ton of time I got this:
and 2 lines there:
Using this payload we can get file read. After spending some time reading files, I decided to read stats.php and found the creds for SSH there.
and got user.txt

Root part
I'll be honest, I solved the root part in an unintended way myself: DirtyPipe is a quick win.
So after some investigation I ran pspy and got the output
so let's read a file
and see
So we should create a process matching "^/opt/zroweb/sbin/apache2.-k.start.-d./opt/zroweb/conf" and the script will replace /opt/zroweb/sbin/apache2 with /opt/zroweb/sbin/apache2ctl
So cp the folder "/etc/apache2" to "/home/zroadmin"
and add a line to the apache2.conf config to include the root flag like this:

Right after that we need to run a perl script (stolen from JKR):
chmod it and run it in the background
After waiting we can find the file in /

That's it.
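
The root step depends on a privileged script trusting a regex over the process command line, which is data the process itself controls. As an added example (not from the original write-up and not the machine's own script), the code below compares that regex-only check with one that verifies the kernel-reported executable path and owner. The `Proc` type, the sample records and the assumption that the real service runs as UID 0 are constructed for illustration.

```python
import os
import re
from dataclasses import dataclass

# Pattern quoted in the write-up: each "." matches any character and there is no "$".
PATTERN = re.compile(r"^/opt/zroweb/sbin/apache2.-k.start.-d./opt/zroweb/conf")
EXPECTED_EXE = "/opt/zroweb/sbin/apache2"
EXPECTED_ARGV = [EXPECTED_EXE, "-k", "start", "-d", "/opt/zroweb/conf"]

@dataclass
class Proc:
    argv: list  # /proc/<pid>/cmdline split on NUL (written by the process itself)
    exe: str    # target of /proc/<pid>/exe (maintained by the kernel)
    uid: int    # owner of /proc/<pid>

def from_proc(pid: int) -> Proc:
    """Build a Proc record for a live PID on Linux."""
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
    return Proc(argv, os.readlink(f"/proc/{pid}/exe"), os.stat(f"/proc/{pid}").st_uid)

def regex_only(p: Proc) -> bool:
    """Weak check: trust the command-line string alone."""
    return PATTERN.search(" ".join(p.argv)) is not None

def hardened(p: Proc, service_uid: int = 0) -> bool:
    """Check binary path and owner first, then require an exact argv.
    service_uid=0 is an assumption about how the service runs."""
    return p.exe == EXPECTED_EXE and p.uid == service_uid and p.argv == EXPECTED_ARGV

# Constructed sample records (not captured from the machine).
SAMPLES = {
    "real service": Proc(EXPECTED_ARGV, EXPECTED_EXE, 0),
    "renamed user process": Proc(EXPECTED_ARGV, "/usr/bin/perl", 1000),
    "extra trailing text": Proc(EXPECTED_ARGV[:-1] + ["/opt/zroweb/conf-other"], EXPECTED_EXE, 0),
}

def evaluate() -> dict:
    """Return {sample name: (regex_only result, hardened result)}."""
    return {name: (regex_only(p), hardened(p)) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (weak, strong) in evaluate().items():
        print(f"{name:22} regex_only={weak!s:5} hardened={strong}")
```

A root-run watchdog can build its records with `from_proc(pid)` and act only on processes for which `hardened` returns true.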