NullByte machine — Walkthrough

Cursemagic
4 min readDec 24, 2023


Hi guys, this is the seventh day and seventh box (7D-7B for my personal reference). I will be trying to complete at least one box per day (two or more if I can) so I can gain confidence, learn new knowledge, and prepare for OSCP.

Wish me luck!

So, today I would like to work on Nullbyte machine, which is from VulnHub. Let’s get started!

Please read to the end! Thank you!

Enumeration

Nmap

Port 80 — HTTP

I personally hope I can find the flaws myself. But anyway, this is what is on the page when we go to the link.

Gobuster

I ran gobuster on the site, and it looks like we have some findings. But, the

Nikto

Doesn’t look like we have anything here.

Exiftool

I downloaded the “Eye of all seeing thingy” from the page and we can run it through exiftool. The comment seems weird here. An encoded message, maybe?

Then, after trying, I am able to use the comment in the URL and it loads!

/kzMb5nVYJw

It is requesting a key from us, which I have no idea about right now. But when I use the same “kzMb5nVYJw” as the key, it shows “invalid key”.

When looking into the source page, it says:

Hydra to the KEY

Now let’s run hydra to get the password. I am not able to think of another method as of now. But yeah, we get the password after running it for a while!

hydra -l "" -P <Path_to_your_dictionary> <Target_IP> http-post-form "/kzMb5nVYJw/index.php:username=^USER^&key=^PASS^:invalid key"

NOTE: Remember to check the source to see what terms they are using, such as “key” instead of usual “password”.

Then, enter the key and we get here.

It looks like a search bar for looking up usernames, maybe? We also know from the previous page that it is MySQL.

Now run sqlmap to check it.

sqlmap -u "http://<Target_IP>/kzMb5nVYJw/420search.php?usrtosearch=" --dbs

Now let’s try the below:

sqlmap -u "http://<Target_IP>/kzMb5nVYJw/420search.php?usrtosearch=1" -D seth --dump-all --batch

Go to CyberChef and decode the password we found.

Using CrackStation, we can get the password from the hash after decoding it.

Now we can ssh to it, on port 777.

Let’s go!

Exploring~

When checking the history, I can see there is a backup and ./procwatch. Maybe it could help us later.

For permission, ramses does not have any permission to run sudo.

There is also a readme note stating that the user wanted to clean up the mess.

When running procwatch, it appears as follows.

So, we can try to replace ps with “/bin/sh”, then add the path to the environment. Then, when we run procwatch, it will run our ps, which contains /bin/sh, which will give us root permission.

The command PATH=.:$PATH is used to add the current directory (.) to the beginning of the system’s executable search path, which is represented by the PATH environment variable.
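To make the PATH point concrete from the defender’s side, here is an added example of my own (not the NullByte procwatch binary, whose source is not on this page): a check that flags PATH values containing relative entries such as the “.” above, and the way a privileged helper should invoke ps so that a caller’s PATH and working directory cannot redirect it. The function names are mine and hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Return 1 if PATH has any entry that is not an absolute directory.
 * "." and an empty component both mean "search the current directory",
 * which is exactly what lets a fake ps in the caller's cwd get picked. */
int path_has_relative_entry(const char *path)
{
    if (path == NULL) return 0;
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0 || p[0] != '/')   /* "", "." or "foo/bar" */
            return 1;
        if (!end) return 0;
        p = end + 1;
    }
}

/* Hardened invocation for a privileged helper: absolute program path and
 * a fixed, minimal environment, so neither PATH nor cwd is consulted.
 * Returns the child's exit status, or -1 on failure. */
int run_ps_hardened(void)
{
    char *const argv[] = { "/bin/ps", "-ef", NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve("/bin/ps", argv, envp);   /* only returns on error */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Log the risky condition instead of trusting the inherited PATH. */
    if (path_has_relative_entry(getenv("PATH")))
        fprintf(stderr, "warning: PATH contains a relative entry\n");
    return run_ps_hardened() == 0 ? 0 : 1;
}
```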

Voila! Another room done!

Thank you for reading my write-up. I would like to improve my write-up skills in the future, and you can reach me through Twitter or the comments. Any sponsors are also welcome.

Twitter: https://twitter.com/curse_jk

Buy me coffee: http://buymeacoffee.com/Cursemagic

Other medium write-ups: https://cursemagic.medium.com
