Tuesday, 13 September 2016

NullByte 1 - CTF

Yesterday I was playing with another CTF from VulnHub. This time I decided to try NullByte 1...

I started by discovering the host (I used netdiscover -r range to do that):

After the scan I saw that we have 3 (TCP) ports open here:

80/tcp  open  http    syn-ack Apache httpd 2.4.10 ((Debian))
111/tcp open  rpcbind syn-ack 2-4 (RPC #100000)
777/tcp open  ssh     syn-ack OpenSSH 6.7p1 Debian 5 (protocol 2.0)

Ok, we will not try rpcbind and ssh for now. Let's try with HTTP:

Cool. The next thing was checking dirs (dirb) to look for something interesting:

I saw that there is a /phpmyadmin/ directory so I started to think that maybe we should use some PMA vulnerability to get inside the host... Let's try the WWW:

As there was nothing interesting in the source code, I decided to check the GIF file included. To review it I used exiftool. I found some weird comment inside the photo:

At first I thought maybe it was the PMA admin password. It was not... :)

So - I thought - maybe it's a new directory, hidden somewhere on the WWWroot...

Looks like it is :) I was wondering what the valid key to access the next page was. I decided to use BurpSuite as a bruteforce tool:

Indeed, we have a valid key now. Checking:

Ok, good. Another form. I tried to put some injection tests in there:

Ok, cool. Let's add super-cool-hacking-char (") ;)

This is what I'm looking for. :)

Continue please...

Ok, we got the DB:

Some kind of passwords and some users. Cool. Maybe we will use that later. Next I decided to check if we can access SQL-shell (available in sqlmap when you're using --sql-shell parameter):

Ok, nice. Can we read some files from the target host via this SQLi?

Of course. :) Let's find some config.php/install.php or other file where we can find some juicy info...

Ok, password for the root user! Great! Maybe we can use it now:

Not yet. :) Next - check what else is inside the DB. We can find more users there:

Great, let's check the password for phpmyadmin user:

Cool! When I saw this I knew that there is a way to upload a shell via phpmyadmin... but unfortunately I wasn't able to do that (via the phpmyadmin user), so I decided to grab sqlmap again and get more DB data. And that's how I found that the root user has the same password as the phpmyadmin user. Let's check if we can log in as root now:

Sure we can. :) Now I started to think about raptor_udf exploits or maybe some webshell uploading... I started with a simple test:

Hm... Am I right? :)

Looks like we're in :)

Yes, you're right. It's time for reverse shell!

Quick review of the files located on the WWW:

Ok, cool. But let's switch to python's pty:

Ok, more:

So now I was thinking about running the raptor_udf sploit. You can find it on Google:

After a while I knew that this was not a good idea (mysql is not running 'properly' to run this exploit):

I decided to go back to the database again and check what else is there. I knew that there is a user list with some passwords. I grabbed the first user (ramses) and tried to google his password:

Some results below:

Cool! Trying...

Inside the /backups/ directory I found an interesting file:

As you can see, I was wondering whether this is just a script to run the ps command or not. I decided to check it like this:

Ok, preparing...

Ok, seems like we've got euid = 0. To be sure of that:

So, yes. Game over :)

It was a great pleasure to play this CTF. Special thanks go to the author ly0n.
And as always: thanks again to the VulnHub Team for hosting this game.

See you next time... :)
