Zorz writeup

Thu 24 September 2015

This is my writeup of the Zorz VM image by @TopHatSec located at vulnhub.

It's a web based VM challenge, exploiting one of the more typical web vulnerabilies in different ways.

It's a good refresher on the different ways of getting past file upload forms and I had fun doing the challenge..

From the description:

 This machine will probably test your web app skills once again. 
 There are 3 different pages that should be focused on (you will see!)
     Your goal is to successfully upload a webshell or malicious file to the server.

So lets get started shall we?


First we use netdiscover to find the VM in our network:


After this we use nmap to check the host


We find port 80 open and we know it's a web challenge so we ignore the ssh service for now.

First challenge

We launch dirb to fuzz the web server using the big.txt wordlist while we check out what's running on the HTTP service:


Ok, so we have a file uploader script.

Seeing as the point of the challenge is to get a webshell uploaded we'll use weevely to generate a shell:


We try uploading the php file as is and we get the following:


That went way too easy, of course we still don't know where the file is located. Seems like a good time to check the results of dirb :


It found a phpmyadmin folder, which we'll ignore for now, and an uploads2 folder.

Seeing as we have 3 challenges, and there is an uploads2 folder, let's try and see if there is an uploads1 folder...


Succes! We find our script and connect with weevely:


We can get to the flag file but we'll continue with the rest of the challenges.

Second challenge

When we go to uploader2.html we see another file upload script which is a bit more strict on what gets uploaded.


The error message indicates that it checks for filetype so we'll try out the old shell in an image trick.

We'll use exiftool to add a php shell to a downloaded jpg file and rename it to image.php.jpg to try and fool the imagetype check.


Now we try uploading:


That's 2 down, one to go


Third challenge

This last one was easier then you would imagine.

We go check out the third challenge and try out our previous shell again, which also works for the last challenge


And on that last one we show the flag to finalize this challenge


Final words

I'd like to thank @TopHatSec for taking the time to set it up and vulnhub for making the challenge available.