Vulnhub Walkthrough: NullByte

Rav3nf0 -- Aadarsh T R
4 min read · Aug 19, 2022

It’s a Boot2root challenge; the box gets its IP address from DHCP. The main objective is to read the proof.txt file after becoming the root user. It is considered beginner to intermediate level. The box works fine in both VMware and VirtualBox.

Initial Analysis

Using the netdiscover command we first get the IP address of the machine. Then, using nmap, we find the open ports and the services running on them. Ports 80, 111, 777 and 57622 are open.

Opening the IP address in the browser, we get the following page.

Enumeration

We find nothing useful on this page, so we download the image and read its metadata using an online EXIF viewer.

Here we find a comment, kzMb5nVYJw. This might be a directory name, so opening it in the browser we get a plain web page with a single key login.

Looking at the source code we see a message that tells us the form is not connected to MySQL and that the password is not that complex. This message hints that brute force is feasible.

We use hydra to brute-force the key and get the result “elite”.

Entering the key, a new web page opens up asking for a username.

Inspecting its source code, we find the following.

Since we have no idea of the username, we try to find it in the database using sqlmap against the usrtosearch parameter. First, we enumerate the available databases with the following command:

sqlmap -u "http://192.168.1.142/kzMb5nVYJw/420search.php?usrtosearch=1" --dbs --batch

With this we get the name of the database we need to use: seth. We then enumerate the tables and columns of seth.
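The search page is injectable because the usrtosearch value is spliced into the SQL text. The following added example (not code from the original post or from the box) reproduces that defect against a constructed in-memory SQLite table and shows the parameterized query that closes it; the table layout, the second user name and the hash values are assumptions.

```python
import sqlite3

# Constructed stand-in for the "seth" database on the box: one users table,
# with the ramses account from the walkthrough plus a made-up second user.
# The pass column holds placeholder strings, not real MD5 digests.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, pass TEXT)")
    conn.executemany(
        "INSERT INTO users (user, pass) VALUES (?, ?)",
        [("ramses", "<md5-placeholder-1>"), ("eric", "<md5-placeholder-2>")],
    )
    return conn

def search_vulnerable(conn, usrtosearch):
    """Assumed shape of 420search.php: the request parameter becomes SQL text."""
    sql = f"SELECT user FROM users WHERE user LIKE '%{usrtosearch}%'"
    return [row[0] for row in conn.execute(sql)]

def search_safe(conn, usrtosearch):
    """Same lookup with a bound parameter: the input is data, never SQL."""
    sql = "SELECT user FROM users WHERE user LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{usrtosearch}%",))]

if __name__ == "__main__":
    db = make_db()
    probe = "zzz' OR 1=1 --"   # tautology after a non-matching prefix; -- comments out the trailing %'
    print("vulnerable, normal input :", search_vulnerable(db, "zzz"))
    print("vulnerable, injected     :", search_vulnerable(db, probe))
    print("parameterized, injected  :", search_safe(db, probe))
```

With the injected value the vulnerable query degenerates to `... LIKE '%zzz' OR 1=1` and returns every user; the parameterized version treats the same string as a literal search term and returns nothing.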

Here we find a username and a password. The password looks like an MD5 hash, and with the help of online lookup tools we recover the plaintext: omega.

Gaining Access

Now we log in to the target machine over SSH with the username ramses and the password omega.

Privilege Escalation

On checking the bash history, we find that an executable called procwatch was run by the previous user.

Running it, we see that procwatch lists processes; three processes are shown. The sh among them provides a shell with higher privileges than the ramses user.

We open the vi editor, type /bin/sh, and save the file. We then give it the required permissions. One way to escalate privilege is by manipulating the PATH environment variable. The steps to do that are as follows.

Executing procwatch again, we get root privileges. We then move into the root directory and find proof.txt there.
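The escalation works because a privileged program resolves a helper command by bare name through a PATH the caller controls. The added example below (not code from the original post; the exact behaviour of the box's procwatch binary is an assumption) reproduces that resolution with two constructed stand-in `ps` scripts in a temporary directory, contrasts it with a hardened invocation that uses an absolute path and a fixed PATH, and includes a small audit that flags the PATH entries a defender should worry about.

```python
import os
import stat
import subprocess
import tempfile

MARKER_REAL = "real-ps"   # printed by the constructed stand-in for the system ps
MARKER_FAKE = "fake-ps"   # printed by the constructed user-writable ps

def write_script(directory: str, name: str, message: str) -> str:
    """Drop a tiny executable shell script that prints a marker."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(f"#!/bin/sh\necho {message}\n")
    os.chmod(path, 0o755)
    return path

def run_by_name(env_path: str) -> str:
    """Assumed procwatch pattern: run `ps` via a shell, inheriting PATH."""
    proc = subprocess.run("ps", shell=True, env={"PATH": env_path},
                          capture_output=True, text=True)
    return proc.stdout.strip()

def run_absolute(real_ps: str) -> str:
    """Hardened pattern: absolute path, no shell, PATH set by the program itself."""
    proc = subprocess.run([real_ps], env={"PATH": "/usr/bin:/bin"},
                          capture_output=True, text=True)
    return proc.stdout.strip()

def audit_path(env_path: str):
    """Flag PATH entries that are relative (including empty) or world-writable."""
    findings = []
    for entry in env_path.split(os.pathsep):
        if not os.path.isabs(entry):
            findings.append((entry, "relative"))
        elif os.path.isdir(entry) and os.stat(entry).st_mode & stat.S_IWOTH:
            findings.append((entry, "world-writable"))
    return findings

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        real_dir = os.path.join(tmp, "bin")
        user_dir = os.path.join(tmp, "user")
        os.mkdir(real_dir)
        os.mkdir(user_dir)
        os.chmod(user_dir, 0o1777)          # like /tmp: anyone can drop a file here
        real_ps = write_script(real_dir, "ps", MARKER_REAL)
        write_script(user_dir, "ps", MARKER_FAKE)
        trusted = real_dir
        hijacked = user_dir + os.pathsep + real_dir
        return {
            "trusted": run_by_name(trusted),
            "hijacked": run_by_name(hijacked),
            "hardened": run_absolute(real_ps),
            "audit": audit_path(hijacked),
        }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:9}: {value}")
```

The first two calls differ only in PATH, which is the whole vulnerability; the hardened call gives the same answer regardless of the caller's environment. On a real host the audit belongs in a setuid program's startup (or a config check), and the cleanup is to reset PATH rather than trust the inherited one.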

We have successfully pwned the box and got the flag which is the proof.txt file. Cheers!!
