Hat tipping TopHatSec ZorZ style

Time for another VulnHub challenge, and this time I decided to take a look at @TopHatSec’s ZORZ challenge.

ZORZ is another VM that will challenge your webapp skills. There are 3 separate challenges (web pages) on this machine. It should be pretty straightforward. I have explained as much as I can in the readme file:

Welcome to the ZorZ VM Challenge

This machine will probably test your web app skills once again. There are 3 different pages that should be focused on (you will see!). If you solve one or all three pages, please send me an email and a quick write up on how you solved each challenge. Your goal is to successfully upload a webshell or malicious file to the server. If you can execute system commands on this box, that's good enough!!! I hope you have fun!

Three web-based challenges... sounds good. Let's get cracking! As always, let's find our host:

Whilst we know this is a web-based challenge, we still need to check which ports are open:

Standard port 80. Let’s take a look:

[Screenshot: zorz1]

Okay, this looks like challenge 1. The page source doesn't show anything out of the ordinary, and it looks like we are expected to upload an image. I grab my avatar image and upload it to see what we are presented with:

[Screenshot: zorz1-avatar]

The obvious next step is to try uploading a webshell and see whether the app really only allows images. My small webshell code of choice is as follows:

I upload x.php, and it looks like the uploader doesn't check that the uploaded file is actually an image:

[Screenshot: zorz1-x_php]

Good. Next, we need to find where our webshell was uploaded to. The output above shows a tmp path, but that is only PHP's temporary upload location, and with no LFI vulnerability we can't reach it directly anyway. Time to use my favourite web fuzzer, wfuzz.

The javascript directory was no use to us, and phpmyadmin would require brute-forcing a username and password. uploads2 gives us a directory listing, but our x.php webshell isn't there. Could there be uploads1 and uploads3 directories lining up with the three challenges?

[Screenshot: zorz1-upload]

Voila, our avatar and webshell uploads are present. Let’s try to interact with our shell:

Our shell works. Considering that this is a web challenge, let’s take a look at what files/directories are present:

The l337saucel337 directory stands out. Let’s take a look inside:

… and who could resist looking at a file called SECRETFILE.

Nice. I'll call challenge 1 completed at this stage. Let's move on to challenge #2.

[Screenshot: zorz2]

The obvious first step is to try uploading our PHP shell again. Unfortunately for us, we're presented with the following:

Let's fire up Burp Suite and take a closer look at our traffic, in case there are some simple parameters we can manipulate or any other clues. We'll start by uploading our avatar image so that we can inspect the request:

[Screenshot: zorz2-burp]

We can see that our POST data is sent as multipart/form-data, with the file in its own part. What if we edit the jpg data and append our webshell script to the end of it?

[Screenshot: zorz2-burp-appendshell]

Surely it's not that simple? I try executing the code and I'm presented with the jpg muck, with the PHP script sitting at the end of it.

We can see the data is there, but the server isn't interpreting the PHP: the file is served as a .jpg, so it never reaches the PHP handler. After quite a bit of time pondering how to get the server to execute the code, I had a brain fart. What if we append the webshell code and also change the filename to use the .php extension?

[Screenshot: zorz2-burp-appendshell-chgext]

The file still uploads successfully, so let’s try to interact with the webshell:

BAM! We are presented with the jpg gibberish, but this time we are also given the output of our PHP webshell. Challenge 2 done.

Let’s move on to challenge 3.

[Screenshot: zorz3]

Following on from challenge 2, let's start with the last successful method. I edited the xerubus.jpg file with vi and appended the PHP webshell code.

[Screenshot: zorz3-upload]

Ummm... that was unexpected. A successful upload. I guess we should try executing it?

Challenge 3 complete! Things aren’t supposed to work out that well, but take wins when you can :)

Thank you @TopHatSec for the challenge.

As always, thank you @vulnhub and @g0tmi1k for hosting these challenges.

Until next time, tight lines and happy hacking.