Zorz writeup

Thu 24 September 2015

This is my writeup of the Zorz VM image by @TopHatSec located at vulnhub.

It's a web-based VM challenge, exploiting one of the more typical web vulnerabilities in different ways.

It's a good refresher on the different ways of getting past file upload forms and I had fun doing the challenge.

From the description:

 This machine will probably test your web app skills once again. 
 There are 3 different pages that should be focused on (you will see!)
 Your goal is to successfully upload a webshell or malicious file to the server.
 admin@top-hat-sec.com

So let's get started, shall we?

Recon

First we use netdiscover to find the VM in our network:

After this we use nmap to check the host.

We find port 80 open and we know it's a web challenge, so we ignore the SSH service for now.

First challenge

We launch dirb to fuzz the web server using the big.txt wordlist while we check out what's running on the HTTP service:

OK, so we have a file uploader script.

Seeing as the point of the challenge is to get a webshell uploaded, we'll use weevely to generate a shell:

We try uploading the PHP file as is and we get the following:

That went way too easy. Of course, we still don't know where the file is located. Seems like a good time to check the results of dirb:

It found a phpmyadmin folder, which we'll ignore for now, and an uploads2 folder.

Seeing as we have 3 challenges, and there is an uploads2 folder, let's try and see if there is an uploads1 folder...

Success! We find our script and connect with weevely:

We can get to the flag file, but we'll continue with the rest of the challenges.

Second challenge

When we go to uploader2.html we see another file upload script, which is a bit more strict about what gets uploaded.

The error message indicates that it checks the file type, so we'll try out the old shell-in-an-image trick.

We'll use exiftool to add a PHP shell to a downloaded JPG file and rename it to image.php.jpg to try and fool the image type check.

Now we try uploading:

That's 2 down, one to go.
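Seen from the server's side, these are the checks that would have rejected image.php.jpg. This is an added example, not the challenge's upload script or code from this writeup; the allow-list, the function name check_upload and the sample bytes are assumptions constructed for illustration.

```python
import os
import secrets

# Assumption: the application only needs these image types (magic bytes per type).
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Extensions that must not appear anywhere in a client-supplied name.
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}

# Constructed samples: a minimal JPEG header, and the same header followed by a
# comment segment carrying a harmless PHP open tag (stands in for edited metadata).
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
TAGGED_JPEG = CLEAN_JPEG[:-2] + b"\xff\xfe\x00\x10<?php /* */ ?>" + b"\xff\xd9"


def check_upload(filename, data):
    """Return (ok, reasons, stored_name) for one uploaded file."""
    reasons = []
    base = os.path.basename(filename.replace("\\", "/")).lower()
    exts = ["." + part for part in base.split(".")[1:]]
    final = exts[-1] if exts else ""
    if final not in ALLOWED:
        reasons.append("extension not on allow-list")
    elif not data.startswith(ALLOWED[final]):
        reasons.append("content does not match extension")
    # Every dot-separated part is checked, so image.php.jpg fails here.
    if any(ext in SCRIPT_EXTS for ext in exts):
        reasons.append("script extension in file name")
    # Heuristic only: metadata can carry code even when the magic bytes are valid.
    if b"<?php" in data.lower():
        reasons.append("PHP open tag in file content")
    ok = not reasons
    # Never reuse the client's name on disk; keep only the vetted extension.
    stored = secrets.token_hex(16) + final if ok else None
    return ok, reasons, stored


if __name__ == "__main__":
    for name, blob in [("holiday.jpg", CLEAN_JPEG), ("image.php.jpg", TAGGED_JPEG)]:
        print(name, check_upload(name, blob))
```

The content scan is the weakest of these checks; re-encoding the image and storing uploads in a directory where the web server does not execute scripts are the controls that hold even when a filter is bypassed.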

Third challenge

This last one was easier than you would imagine.

We go check out the third challenge and try out our previous shell again, which also works for the last challenge.

And on that last one we show the flag to finalize this challenge.

Final words

I'd like to thank @TopHatSec for taking the time to set it up and vulnhub for making the challenge available.