NullByte — VulnHub — Solution

This is going to be the walkthrough of NullByte machine from VulnHub which can be downloaded from the above link.

https://www.vulnhub.com/entry/nullbyte-1,126/#

Begin

Once we have the IP address we need to run a quick NMAP scan.

NMAP scan revealed 3 ports — 80, 111, 777. Trying Dirb to find some directories.

We found “phpmyadmin” directory. Let’s try Nikto.

Nikto reveals the same. On opening the IP in the browser we have.

We have an image! I have been doing lots of stenography and i never left any page unturned. So i quickly ran strings on this image.

This seems to be something different. So i put it as a directory and we are provided with a new page.

On checking the source code, it reveals,

So we have to guess the password. I started guessing the password on this starting from “admin, password, 123, princess, rockyou, binary, Admin, police, elite” and elite was the right key.

This page seems to be querying the username with the database so i put my name and tried to check what it reveals.

On sending NULL input. 2 usernames were revealed!

So i looked at the URL and thought to run SQLmap.

Well it looks like this :))

The database names were revealed. So i tried to look on these one by one.

As “seth” has revealed the password so i moved onto cracking it. It was base64 encoded.

Using hashkiller.co.uk i was able to decrypt the password.

Now it was the time to log into the machine via SSH

Yes, we are in. Now we need to look whats going on inside.

On checking the bash history i found that ‘/var/www/backup’ was accessed and procwatch file was run.

On running the procwatch i found two files were being checked “ps and sh”. In order to gain the root access i did the following and ran procwatch.

As i was root now i had to grab the flag and we are done!

Method 2

Thanks!

Cyber Security Enthusiast