Tue. Oct 20th, 2020

Pentesting Fun Stuff

following the cyber security path…

NullByte

Location

https://download.vulnhub.com/nullbyte/NullByte.ova.zip

Description

Objective: Get to /root/proof.txt and follow the instructions.
Level: Basic to intermediate.
Description: Boot2root, box will get IP from dhcp, works fine with virtualbox&vmware.
Hints: Use your lateral thinking skills, maybe you’ll need to write some code.

Enumeration

Let’s start with port 80.

Next I downloaded the main.gif file and examine it with exiftool. There was a password-like piece inside as comment: “P-): kzMb5nVYJw”. Was it a password for the phpMyAdmin site or something else? A simple try was to append it to the URL and the result was satisfying.
page1

The password is not that complex, but after a few tries I decided to let hydra do this tiresome job.

A database. First some manual tries, but after a while I decided to put my faith in sqlmap.

I guess the isis user will be the goal to elevate to when inside the machine. The string from ramses looks like base64 to me.

And that looks like a md5 hash.

Let’s see if this will grant some access to the server.

bob and eric? Not the kind of names I would have expected.

A backup folder in /var/www.

What mess?

Looks like it runs ps as root, but without an absolute path.

I made a symbolic link to /bin/sh and called it ps. Then I set PATH to my current location.
Now it’s time to run procwatch again.

Conclusion

This was a cool challenge. I had fun and learned new stuff.
Thanks to ly0n for making this one available.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.