Mystery of the NullByte

The flickering neon sign in the street once brightly read “Forensic Investigator”, but now it only serves to send shards of sporadic light into the cracks and crevices that call this neighbourhood home. If you watch the colours long enough, you could almost be convinced that the flicker is Morse code for ‘failure’. Looking at my last business card tells the same story; beyond the stains and creases, it reads Xerubus – PI. You can’t quite make out the fine print, but if you could it would say I’m down on my luck.

This shit hole I call my office hasn’t seen the light of day since the Gibson was hacked. A blanket of dust emulates a catastrophic fallout, and the stench of stale bourbon and Marlboro Reds is thick enough to keep a colony of cockroaches alive. Bills are scattered high, the rent is behind, and the only thing I have to my name is a mouthful of cheap whiskey and half a nicotine patch. I need a breakthrough, and I need it quick…

A flashing red glow is coming from the corner of the room, combined with the unmistakable smell of burnt thermal paper. This can only mean one thing; the age of the fax has yet to come to an end! I manoeuvre past reams of failed racing guides, pausing only briefly at a well-worn 1968 edition of Playboy… ahhh… Jane Fonda. Tearing the blackened roll of paper from its 9600 baud master, I can only just make out the words:

Find the procwatch!
Target: NullByte:1
Codename: NB0x01
Location: Vulnhub
Contact: @ly0nx
Mission: Get to /root/proof.txt and follow the instructions.

This is the break I need; I can feel it. They don’t call me whatever they call me for nothing…. I am destined to find the procwatch and get the proof.txt!

Like the great Tex Murphy said, All I’ve ever needed was a soft felt fedora, a well-tailored overcoat and a comfy pair of sneakers…. I don’t have any of that, but I do have nmap.

I have seen the reference to 80 popping up a bit lately and know just the place to start asking questions…. that seedy little tree hugging hippy joint down town…. Laws of Harmony.

I arrive at 80 and start poking around. The street is quiet; painted with a thick mist causing an eerie glow through the orange street lights. There is no sign of life, apart from some scurrying vermin and the odd black cat. Déjà vu? I knock on the door and it slowly opens with an 80s horror movie sound effect. Shining my iceweasel torch inside reveals graffiti sprayed over everything…

[image: defaultwww]

Looking closer at the graffiti, it is clear that someone has purposefully left a clue in the main.gif. I never thought I would be able to say it, but that exiftool 8.60 I purchased last year from a random daytime infomercial might actually pay off!

You have to get up pretty early in the morning if you want to throw me off track… I have seen this sort of thing plenty of times before. I remember one case where I had a look at port 80 and was introduced to this amazing broad in a red dress, only to turn around and have a gun pointed fair between my eyes. I am sure there is a movie script in that one day, but this is no time to get comfortable in this director’s chair. Time to head on over to “kzMb5nVYJw’s R US”.

When you set up a business in the arse end of the world, you better keep it locked up tight. “kzMb5nVYJw’s R US” is obviously shut at this time of the night; and a nice big f@ckoff padlock on the front door makes sure you are aware that it is closed.

[image: key]

Looking closer, a trademark on the source of the lock says “this form isn’t connected to mysql, password ain’t that complex”. You don’t get to become an elite PI like me if you do not know how to break simple locks. A quick flick through my little black book of scripts and I come across this scribble I wrote just for this type of lock:

[image: brutepost]

Like I said… elite PI at your service.

[image: brutekey]

Click.. we are in. As soon as the door opened, that familiar alarm system tone started to sound. I have never understood why you would make it obvious that there is an alarm system? Anyhow… a keypad is on the inside of the door lit up with a dull green LED backlight. “Enter Username” is flashing on the console. When in doubt, do what any good PI would do… just mash the enter key.

[image: 420searchphp]

It is nice when things just work. With the alarm system off, it is time to take a look around. You would think that with all the fuss of locking up the warehouse, and the installation of an alarm system, there would be rows of antique vehicles or poker tables surrounded by scantily clad women fawning over illegal gamblers. But no, this place was empty, except for a pile of boxes resembling rubbish against one of the walls of the building. Being such a crack PI, I could not resist taking a look around. Here is a free tip… when rummaging through other people’s garbage, always wear a pair of gloves. Personally, I’m a big fan of the sqlmap brand.

information_schema, mysql, performance_schema, phpmyadmin…. rubbish.. all rubbish.

My gut feeling is that there has to be something in this mess which is worthwhile; why else would I have been sent here? I keep searching up to my elbow through this pile of paperwork, just like a veterinarian trying to help deliver a baby cow. I ferret my way through all the boxes, until I end up at the final one. The word ‘seth’ is printed on the top of the lid.

Opening up the box reveals a single post-it note with the name ramses and some other rubbish drawn on it. I should have known that seth had something to do with this! That dodgy pawn broker down at 777 always has his hand in the pie if there is something dodgy going on. I grab the post-it note and make my way straight over to the “Seth Pool”.

Seth: “You do realize that what I’m about to tell you could put you in the same amount of trouble that I’m in.”
Me: “That’s OK. Danger’s like Jell-O, there’s always room for more.”

Seth is nervous, I can see it in his shaking hands. He hands over a piece of paper which has some further meaningless guff scribbled onto it:

Ahhhh…. good old c6d6bd7ebf806f43c76acc3681703b81.. I’ve seen this before and I do not like it. c6d6bd7ebf806f43c76acc3681703b81 is a cheap form of hash and it becomes very obvious what I need to do from here. Now… due to this program’s time slot, and that this is a family friendly channel, I will not go into too much detail on how I managed to work out what type of hash I was dealing with. Needless to say, after some experimentation, I was able to identify the hash as coming from the MD5 crew. Being a sharing, caring type of chap, I thought it was only right to head on over to John’s place and share the hash I had found.

John’s a bit of a connoisseur when it comes to hash, so he was only too happy to narrow down which part of town this MD5 crew gear had come from, and who I needed to talk to.

With a smile on his face, John says three simple words: ramses omega 777

Me: But how do I know how to get to 777 John?
John: Easy man… ssh all the way!

How did I not figure that out!! I need to head over to the 777 club via ssh, tell them that ramses sent me, and use the passphrase of omega. I don’t need to be told twice.

It was too easy. The bodyguard at the door let me in as soon as I mentioned that ramses had sent me, and I was now surrounded by all the noise, excitement, and weird folk you would expect in a place like the 777 club. I perch myself up on the closest bar and start to take in the conversations looking for clues. Time passed.. and more time passed.. until out of nowhere it happened. The woman in the red dress sat down next to me and just started talking…. After an hour of meaningless chat I grabbed my opportunity:

Me: So… do you have any sudo on you??
Red dress: sudo? Nah.. I have something better.
Me: Better than sudo?? What have you got??
Red dress: It’s called .bash_history, it’s the only way to fly.

The lady in the red dress slowly leans over to me, and as I close my eyes she whispers those sensual words every red blooded man wants to hear…. procwatch

I open my eyes, and as quickly as she appeared in my life, she had also left. If only my ex-wife had been so quick at departing. On the bar was a tarot card: The Procwatch.

I have never been one for tarot or any of that strange supernatural second life mumbo jumbo.. I am a scotch and cigar type of bloke. There was only one thing to do…. I needed one of those mystic freak type of people, and luckily for me I pass one every day I go to the office.

I linked a copy of the procwatch card somewhere I could find it should something happen to me; things are starting to get serious now after all.

Time to visit the mystic freak…

The sign on the shop read “GDB… I am your future”. This was enough to give me shivers. The sound of the “tring tring” bells as I opened the door almost sealed it for me. Normally all this guff would be enough for me to high tail it out of here, but I had no choice but to understand what “The Procwatch” meant. A small, fragile, but strangely powerful woman appeared before me…

GDB: Give me the Procwatch
… How did she know? I handed over the card, and almost instantly the GDB started chanting…

[image: pdisass_main]

Did she say “call 0x80482d0”???

GDB: call 0x80482d0
Me: Tell me more!
GDB: First you need to understand what you are asking for. Are you sure you are ready to break?
Me: I am ready! Please tell me where I will be at 0x0804841f
GDB: As you wish….

[image: break_ps]

All the airy fairy tarot mumbo jumbo had paid off! I had found my target, and all I need to do now is gather the proof. The all knowing GDB let us know that procwatch will be meeting ps at the NullByte lounge. If we can catch her there, then I will have the proof I need.

I headed back to my office to make sure my colony of cockroaches were surviving okay and to hatch a plan to catch procwatch out. It shouldn’t be hard.. all we need to do is get procwatch to show up to the NullByte lounge, and fool him into thinking that he is talking to ps. How hard could it be?

I head over to the NullByte lounge and it is very obvious who ps is. ps is proudly sitting on a couch in the corner of the room, busily writing down details of everyone that came into the lounge, what they were doing, and who they were interacting with.

Me: ps?
PS: yes.. how can i help you?
Me: the bar tender said that there were a bunch of phantom processes you forgot to record. they have all gone upstairs..

Before I even had the chance to say another word, ps was out of his chair and rushing upstairs to find the phantom processes. That was easy. Now all I had to do was convince procwatch that I am ps, even though I am nothing more than a sh[ell] of a man rescued from the bin….

ramses@NullByte:/var/www/backup$ export PATH=/var/www/backup:$PATH
ramses@NullByte:/var/www/backup$ ln -s /bin/sh ps
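The swap above works because procwatch resolves ps through the caller’s PATH instead of an absolute path. As an added C example (not the challenge’s source, and the system("ps") shape is an assumption), here is that pattern beside a launcher that pins the binary path and environment, plus an audit check a privileged helper can run on PATH before doing anything else:

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Assumed shape of the flaw (not procwatch's real source): a setuid
 * program runs "ps" through the caller's PATH, so a writable directory
 * placed first in PATH with a file or symlink named "ps" gets executed
 * with the program's privileges. */
int run_ps_unsafe(void) {
    return system("ps");
}

/* Directories a privileged helper is allowed to search. */
static const char *const TRUSTED_DIRS[] = { "/usr/bin", "/bin", "/usr/sbin", "/sbin", NULL };

static int dir_is_trusted(const char *dir, size_t len) {
    for (int i = 0; TRUSTED_DIRS[i]; i++)
        if (strlen(TRUSTED_DIRS[i]) == len && strncmp(TRUSTED_DIRS[i], dir, len) == 0)
            return 1;
    return 0;
}

/* Audit check: returns 1 if PATH contains an empty entry (current dir),
 * a relative entry, or a directory outside TRUSTED_DIRS; 0 otherwise.
 * Parsed by hand so that "::" and a trailing ":" are not skipped. */
int path_has_untrusted_entry(const char *path) {
    for (const char *p = path;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0 || p[0] != '/' || !dir_is_trusted(p, len))
            return 1;
        if (!end)
            return 0;
        p = end + 1;
    }
}

/* Hardened launcher: absolute path, no shell, and a fixed environment so
 * the caller's PATH (or IFS) cannot influence what the child runs. */
int run_ps_hardened(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "/bin/ps", NULL };
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
        execve("/bin/ps", argv, envp);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Running the audit against the PATH set in the writeup flags /var/www/backup immediately; the hardened launcher never consults PATH at all.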

… and then she entered. The woman in the red dress, also known as procwatch! I was star struck; she was beautiful! She walked straight over to me and voluptuously asked…

Red dress: Are you PS?
Me: Hehe. Yeah, it’s me.

What was she going to do? Did she know I wasn’t ps? Was she going to force herself upon me and have her way? Was she….

Hey you!!! That’s not the right process!!

ps had come back storming over towards me. Obviously he had found out that there were no phantom processes and that I was up to no good. My heart was racing a thousand miles an hour and as I looked around I could not find any sign of the woman in the red dress!? Have I blown the only opportunity I had?!

And then I saw it… on the floor was a red envelope, with the word procwatch written in cursive handwriting. I open the envelope and find a small piece of paper with the words /root/proof.txt. Turning over the paper I cannot believe my eyes:

I had found the proof I needed to solve the NullByte challenge! But at what cost? Will I ever see the woman in the red dress again? Like Tex Murphy once said: Look, prophecies aren’t in my job descriptions, okay? I’m just a humble P.I. trying to save the world as we know it.

THE END

Thanks for the NullByte: 1 boot2root challenge @ly0nx.

Thank you like always @Vulnhub and @g0tmi1k for hosting such awesome challenges.

Until next time, tight lines and happy hacking.

2 Comments

  1. TAPE wrote:

    I just enjoyed reading this so much I had to leave a reply to say Thanks :)

    Great job and a truly entertaining writeup