This is my solution to the NullByte challenge provided by ly0nx.
Thanks to Vulnhub for keeping me busy with all these challenges, and thanks to everyone that hosts new challenges.
This challenge involves various hacking techniques and privilege escalation.
First step: INFORMATION GATHERING
The description provided on Vulnhub says that the machine will have an IP assigned automatically, so this is the situation:
A port scan on the victim host gives this:
Second step: VULNERABILITY SCAN
I try to fetch more information by abusing port 111 with a portmap enumeration, but there’s nothing interesting in there.
I discover that port 777 is an SSH port, but the banner doesn’t provide much information.
Port 80 is open, so I open a browser and I find this:
I spider the application with Burp Suite and I find the directory /phpmyadmin, but none of the default logins work.
I use nikto to check for web application vulnerabilities, but there’s nothing very interesting.
I download the gif image and run exiftool on it to check for some information, and I have some luck:
Third step: EXPLOITATION
I find out that kzMb5nVYJw is a path, so I browse to http://192.168.56.104/kzMb5nVYJw and this is what I find:
Line 8 of the source code says this:
So I try the common simple passwords (admin, password, 123456, god, etc.) but nothing works; I keep receiving the message “invalid key”, so I decide to brute-force it using Hydra.
And this is the page that I find:
Doing some tests I find out that the page is vulnerable to SQL Injection.
I use sqlmap to perform some tests, and this is the result:
Three SQL injections, so I go ahead and enumerate the database, the tables and the users.
Cracking the password, I find out that the hash YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE is the word omega.
Fourth step: PRIVILEGE ESCALATION
At this point I SSH into the system:
Superb, I’m in, but unfortunately the user ramses is not a sudoer. Thanks ly0nx, I thought it would be easier xD
I check the history of the user, and I find something interesting:
The user ramses ran the script /var/www/backup/procwatch. I run it and, judging from its output, I assume that the program simply runs a ps command (process listing) and returns the output.
Since the file procwatch is owned by root and runs with root privileges, any command it launches will run with those privileges as well.
So I create a ps file within the /var/www/backup folder containing /bin/bash and add that folder to the PATH variable:
Great, I’m root. Time to get the flag.
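The root cause of this escalation is a privileged program resolving ps through the caller’s PATH. As an added example (not the challenge’s procwatch, whose source the post does not show), this C program shows how such a helper should launch ps so that a planted binary is never picked up: fixed absolute path, cleared environment, and execv instead of system(). The /bin/ps location, the directory allowlist and the -ef argument are my assumptions.

```c
#define _GNU_SOURCE  /* clearenv() is a glibc extension */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define SAFE_PATH "/usr/bin:/bin"  /* fixed search path, never the caller's */
#define PS_BINARY "/bin/ps"        /* absolute path, never a bare "ps" (assumed) */

/* Accept only an absolute path directly inside a root-owned system directory:
 * "ps" (relative) and "/var/www/backup/ps" (writable directory) are rejected. */
int path_is_trusted(const char *path)
{
    const char *dirs[] = { "/bin/", "/usr/bin/", "/sbin/", "/usr/sbin/" };
    if (path == NULL || path[0] != '/' || strstr(path, "..") != NULL)
        return 0;
    for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++) {
        size_t n = strlen(dirs[i]);
        if (strncmp(path, dirs[i], n) == 0 && path[n] != '\0'
            && strchr(path + n, '/') == NULL)
            return 1;
    }
    return 0;
}

/* Install a minimal fixed environment (0 on success); a planted PATH is discarded. */
int harden_environment(void)
{
    if (clearenv() != 0)
        return -1;
    return setenv("PATH", SAFE_PATH, 1);
}

/* Run ps via execv (no shell, no PATH lookup); returns child exit status or -1. */
int run_procwatch(void)
{
    pid_t pid; int status;
    if (!path_is_trusted(PS_BINARY) || harden_environment() != 0)
        return -1;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ps", "-ef", NULL };
        execv(PS_BINARY, argv);
        _exit(127);  /* exec failed: do not fall back to a shell */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

With this structure, a writable directory added to PATH by the invoking user has no effect, because neither the lookup nor the environment reaches the child.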
As usual, for any question or comment, please do not hesitate to leave a comment.