First I set up my two machines: the attacker and the target. Since Kali is a Linux distro with lots of fun hacking tools already installed, this is what I used for my attacker machine (read: I’m lazy and don’t want to type sudo “apt-get install” fifty billion times). I obtained the target machine (“NullBytes”) from VulnHub.
In the network tab of settings, I attached each machine to an internal network called “intnet”. Here is what that looked like for the Kali machine:
I chose to put both machines on an internal network because then they can’t communicate with the Internet or other computers on my network. Since I just downloaded an intentionally vulnerable machine, I don’t want to configure it in a way that somebody OTHER THAN ME could take advantage of it and get into my home network.
For the two machines to communicate with each other, though, they need IP addresses. IP addresses won’t be assigned unless a DHCP server is set up, so while both machines were still off, I used the Windows command line to navigate to the correct location, add the DHCP server, and double-check that the server was successfully running.
C:\Users\Admin>cd C:\Program Files\Oracle\VirtualBox
C:\Program Files\Oracle\VirtualBox>vboxmanage dhcpserver add --network=intnet --ip 10.10.10.1 --netmask 255.255.255.0 --lowerip 10.10.10.2 --upperip 10.10.10.212 --enable
C:\Program Files\Oracle\VirtualBox>vboxmanage list dhcpservers
Below, you can see the DHCP server has the settings I input in my command line. Success!
Then I started the machines. NullBytes booted to a login screen, so there was not much I could do there. In my Kali machine, I checked the IP address the DHCP server had assigned, which was 10.10.10.3.
I could have just assumed that 10.10.10.2 is the address of NullBytes, since I booted it before Kali, but just for fun I mapped out the internal network with nmap to see a list of attached machines. As expected, there are 10.10.10.3 (Kali) and 10.10.10.2 (NullBytes).
I saw an HTTP server on port 80 of NullBytes, so I used my browser to navigate there:
Culty clipart. Knowing it’s an image in a CTF type machine made me think some steganography was at play (not realistic imho, but still fun).
In previous CTFs, I have used a program called ImageMagick. However, it is not pre-installed on Kali and I had no access to the internet, so I followed the lead of Trickstero and used Terminal commands:
Hello weird little pirate winky face. The characters after it (kzMb5nVYJw) ended up being a directory path, so I used Firefox to navigate to 10.10.10.2/kzMb5nVYJw.
With the network tab of Firefox’s developer console open, I entered a fake password. The response was the string ‘invalid key’.
I executed a brute force Hydra attack in terminal, using the evergreen wordlist rockyou.txt and the command
hydra -l "" -P /usr/share/wordlists/rockyou.txt 10.10.10.2 http-post-form "/kzMb5nVYJw/index.php:key=^PASS^&Login=Login:invalid key" -f -V
The password “elite” was a hit.
After entering the correct password in the browser, another prompt appears for a username. To check for a connection to an SQL database, I entered a quotation mark. The result:
I returned to terminal and used sqlmap to find database names.
sqlmap -u "http://10.10.10.2/kzMb5nVYJw/420search.php?usrtosearch=a" --dbs
Seth seemed to be the most interesting one, so I used sqlmap again to find its tables.
sqlmap -u "http://10.10.10.2/kzMb5nVYJw/420search.php?usrtosearch=a" -D seth --tables
Okay, what about columns?
sqlmap -u "http://10.10.10.2/kzMb5nVYJw/420search.php?usrtosearch=a" -D seth -T users --columns
sqlmap -u "http://10.10.10.2/kzMb5nVYJw/420search.php?usrtosearch=a" -D seth -T users -C user,pass --dump
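The single quotation mark that broke the search page is the classic symptom of a query built by string concatenation. Added here as an illustration (example code, not the machine's PHP and not part of the original post): the weak pattern next to its parameterized replacement, run against a constructed in-memory SQLite table whose column names mirror the ones dumped above. The table contents and the `O'Brien` test user are my own.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the machine's `users` table
    (column names follow the walkthrough's dump; values are placeholders)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, pass TEXT)")
    conn.executemany(
        "INSERT INTO users (user, pass) VALUES (?, ?)",
        [("ramses", "<placeholder-hash-1>"),
         ("isis", "<placeholder-hash-2>"),
         ("O'Brien", "<placeholder-hash-3>")],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, usrtosearch):
    """Weak pattern behind a 420search.php-style endpoint: the request parameter is
    spliced into the SQL text, so a quote in the input ends the string literal and
    whatever follows is parsed as SQL. A lone quote breaks the statement, which is
    the symptom the walkthrough observes."""
    sql = f"SELECT user FROM users WHERE user LIKE '%{usrtosearch}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, usrtosearch):
    """Hardened form: the value travels as a bound parameter and is never parsed
    as SQL, so a quote is just a character to match."""
    sql = "SELECT user FROM users WHERE user LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{usrtosearch}%",))]


def probe(conn, search, value):
    """Run one search and report ('ok', rows) or ('error', message) so the two
    implementations can be compared on the same input."""
    try:
        return ("ok", search(conn, value))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for value in ("ram", "'", "O'Brien"):
        print(repr(value), "vulnerable:", probe(db, search_vulnerable, value))
        print(repr(value), "safe:      ", probe(db, search_safe, value))
```

The safe version also gets the legitimate case right: a user whose name contains an apostrophe can be searched for, which the concatenated query cannot do at all.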
I used my host computer to just google that password string, and very quickly found it is a base-64 encoded md5 hash of the word “omega”. I used the username “ramses” and password “omega” on port 777:
ssh ramses@10.10.10.2 -p 777
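The reason a web search could answer that password string is that an unsalted MD5 of a common word is the same string in every database that ever stored it. Added here as an illustration (example code, not the machine's code and not part of the original post): the weak scheme as described above beside a salted, iterated replacement, with verification for both. Assumption: the base64 layer wraps the 32-character hex digest; the page only says "base-64 encoded md5 hash".

```python
import base64
import hashlib
import hmac
import os


def legacy_store(password):
    """The scheme the walkthrough runs into: unsalted MD5, then base64.
    Assumption: base64 is applied to the hex digest, not the raw 16 bytes."""
    hex_digest = hashlib.md5(password.encode()).hexdigest()
    return base64.b64encode(hex_digest.encode()).decode()


def legacy_verify(stored, candidate):
    """Constant-time comparison; correct as far as it goes, but the stored value
    itself is the problem, not the comparison."""
    return hmac.compare_digest(legacy_store(candidate), stored)


def decode_legacy(stored):
    """Strip the base64 layer: what remains is a bare MD5 that any public lookup
    table answers instantly, because the same password always yields the same hash."""
    return base64.b64decode(stored).decode()


def modern_store(password, iterations=600_000, salt=None):
    """Salted, slow hash: PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored as
    algorithm$iterations$salt$hash so verification needs nothing else."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def modern_verify(stored, candidate):
    """Recompute with the stored salt and iteration count, compare in constant time."""
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


if __name__ == "__main__":
    print("legacy:", legacy_store("omega"), "->", decode_legacy(legacy_store("omega")))
    print("modern:", modern_store("omega"))
    print("modern again:", modern_store("omega"))   # different salt, different string
```

Two stored values for the same password differ under the modern scheme, so a leaked table cannot be looked up by search engine and each entry has to be attacked separately at 600,000 iterations a guess; the legacy scheme costs one MD5 per guess and the answer is already public.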
From here on out, things got a little tricky for me, so I relied heavily on a tutorial from Gavin Loughridge.
I opened Ramses’s bash history with the command
Ramses recently went to the directory var/www/backup and ran a program named procwatch.
I ran the program too, and it basically was the same as running the “ps” command.
So essentially copying from Gavin Loughridge, I did the following in terminal (No, I really don’t understand it well enough to explain it).
ln -s /bin/sh ps
After running ./procwatch again, a root shell is opened. I used that root shell to navigate to the root directory and open the file proof.txt.
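What the symlink step relies on is a privileged program that asks for `ps` by bare name and lets the lookup walk the caller's PATH; that the procwatch binary works this way is an assumption here, since the page does not describe its internals. Added as an illustration (example code, not part of the original post and not the machine's code): the shell-style lookup beside a hardened one that ignores PATH and only accepts a file from fixed system directories, demonstrated with a constructed decoy in a temporary directory.

```python
import os
import shutil
import stat
import tempfile

# Directories a privileged program may run helpers from; the caller's PATH is ignored.
TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")


def resolve_like_shell(command, path_env):
    """How system()/execvp()/a shell finds a bare name such as "ps": the first
    executable match walking PATH in order, whatever directory that happens to be."""
    return shutil.which(command, path=path_env)


def resolve_trusted(command):
    """Hardened lookup: accept only an executable regular file inside TRUSTED_DIRS
    and return its absolute path (or None). Hand that to exec, never a bare name."""
    for d in TRUSTED_DIRS:
        candidate = os.path.join(d, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def hardened_env():
    """Minimal environment for a privileged helper: a fixed PATH and nothing
    inherited from the caller."""
    return {"PATH": os.pathsep.join(TRUSTED_DIRS), "LANG": "C"}


def demo_untrusted_dir_first():
    """Constructed demonstration: a writable directory holding a file named "ps"
    sits ahead of the system directories in PATH. Returns (what the shell-style
    lookup picks, what the trusted lookup picks, the decoy's path)."""
    cwd = os.getcwd()
    base = cwd if os.access(cwd, os.W_OK) else None   # avoid a noexec /tmp if possible
    with tempfile.TemporaryDirectory(dir=base) as writable:
        decoy = os.path.join(writable, "ps")
        with open(decoy, "w") as f:
            f.write("placeholder\n")   # content is irrelevant: only name and execute bit matter
        os.chmod(decoy, os.stat(decoy).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
        shell_pick = resolve_like_shell("ps", os.pathsep.join([writable, *TRUSTED_DIRS]))
        return shell_pick, resolve_trusted("ps"), decoy


if __name__ == "__main__":
    shell_pick, trusted_pick, decoy = demo_untrusted_dir_first()
    print("PATH-walk lookup chose:", shell_pick)
    print("trusted lookup chose:  ", trusted_pick)
    print("helper environment:    ", hardened_env())
```

The fix for a program like this is the pair of habits the hardened functions encode: call helpers by absolute path from a fixed set of directories, and reset the environment before exec so nothing the unprivileged caller controls influences name resolution. Dropping the privilege bit on a program that only wraps `ps` removes the problem entirely.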