Nullbyte 1 Vulnerable VM

  1. Nmap
  2. Web page
  3. Started ncrack (try to get lucky)
  4. Downloaded the image from the web page
  5. exiftool main.gif
  6. Ran a basic dirb (try to get lucky)
  7. Found a directory name in the metadata comment
  8. Chucked the request into Burp
  9. Found “key=” in the POST data
  10. Brute forced the “key=” login with hydra using the following command:
hydra 192.168.1.209 http-form-post "/kzMb5nVYJw/index.php:key=^PASS^:invalid key" -P rockyou.txt -l user -t 10 -w 30 -o hydrasucksballs.txt
  11. It then shows us a username input box, so I ran sqlmap with the following:
sqlmap --wizard --users --passwords
Please enter full target URL: http://192.168.1.209/kzMb5nVYJw/420search.php?usrtosearch=
  12. This gave us the password to the phpmyadmin directory.
  13. Logged in with the creds.
  14. Then we viewed the table and found two users.
  15. We took the hashed password of one user and kept messing with it. Finally we base64ed it and then deleted the last 3 characters that didn’t decode.
  16. Then we used CrackStation (an online replacement for John the Ripper).
  17. Cracked the password, which gave us SSH creds.
  18. Logged in.
  19. Checked .bash_history.
  20. Found ./procwatch; it looks like it runs the ‘ps’ command.
  21. Switch $PATH to the fake directory:
cp /bin/sh /var/www/backup/ps
  22. Now the copied sh is what gets found as ps:
export PATH=/var/www/backup:$PATH
./procwatch
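The procwatch step only works because the binary resolves `ps` through the caller's PATH. As an added example (not the VM's procwatch source, which this post does not show), here is how a privileged helper should invoke it instead: an absolute path, a fixed environment, and no inherited PATH. The function names and the environment contents are my assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Fixed environment handed to the child: the caller's PATH is never consulted,
 * so a writable directory prepended to PATH cannot shadow "ps". (Assumed values.) */
static const char *const SAFE_ENV[] = {
    "PATH=/usr/bin:/bin",
    "LC_ALL=C",
    NULL
};

/* Only an absolute path without traversal components is acceptable. */
int is_safe_program_path(const char *path)
{
    if (path == NULL || path[0] != '/')
        return 0;                     /* a bare name like "ps" resolves via PATH */
    if (strstr(path, "/../") != NULL || strstr(path, "//") != NULL)
        return 0;                     /* reject traversal and doubled slashes */
    return 1;
}

/* Run one fixed command with a fixed environment and return its exit status,
 * or -1 if it could not be started. argv[0] must pass is_safe_program_path(). */
int run_fixed_command(char *const argv[])
{
    if (argv == NULL || !is_safe_program_path(argv[0]))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: execve takes an explicit path and our own envp, so there is
         * no PATH search and no inherited environment at all. */
        execve(argv[0], argv, (char *const *)SAFE_ENV);
        _exit(127);                   /* exec failed: conventional status */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* What a hardened procwatch would do: /bin/ps by absolute path, never "ps". */
    char *const ps_argv[] = { "/bin/ps", "aux", NULL };
    return run_fixed_command(ps_argv) == 0 ? 0 : 1;
}
```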
