search

Nineveh

hashtag
Reconnaissance:

NMAP:

β”Œβ”€β”€(kaliπŸ’€kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.43 

80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)

443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after:  2018-07-01T15:03:30
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
| tls-alpn: 
|_  http/1.1
β”Œβ”€β”€(kaliπŸ’€kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.43   

All 1000 scanned ports on 10.10.10.43 (10.10.10.43) are in ignored states.

nmap shows only HTTP (TCP 80) and HTTPS (TCP 443) open:

First, add the domain name to the /etc/hosts file.

View the page source to see if it gives you any other information. CTRL + U

hashtag
Enumeration: Website - TCP 80

The site just displays a simple success page with no further information: This is the same visiting by IP address or nineveh.htb.

Gobuster Enumeration:

Virtual Host Enumeration:

/info.php

http://nineveh.htb/info.phparrow-up-right

/department

Visit the /department directory.

http://nineveh.htb/department/login.phparrow-up-right

I tried some basic password guessing, and noticed that the error messages were indicating if the user existed. For example, when I tried admin: Invalid Password!

When I tried nineveh: invalid username

hashtag
Enumeration: Website - TCP 443

This is the same visiting by IP address or nineveh.htb.

https://nineveh.htb/arrow-up-right

Gobuster Enumeration:

/db /db returns a login for a phpLiteAdmin instance: https://nineveh.htb/db/arrow-up-right

phpLiteAdmin is a PHP interface for interacting with SQLite databases. It’s version 1.9, which searchsploit shows there are exploits for: https://www.phpliteadmin.org/arrow-up-right

/secure_notes This page is just an image: https://nineveh.htb/secure_notes/arrow-up-right

Examining each of these with searchsploit -x [path], the first is a version match and seems like a good way to get execution. The second also looks like it should work, if I want to do SQLi. The third one is not a version match, and the fourth has a bunch of less interesting vulnerabilities like XSS and CSRF. For all of them, I need to authenticate first.

hashtag
Shell as www-data (via phpinfo.php) Port 80

Visit the /department directory. http://nineveh.htb/department/login.phparrow-up-right

We get a login form. View the page source to to see if it gives you any other information.

Brute force: Hydra

It found the valid password! Log into the application using the credentials we found. Visit the Notes tab. We get the following text.

http://nineveh.htb/department/manage.php?notes=files/ninevehNotes.txtarrow-up-right

None of it makes much sense at this point. They do mention a secret folder. Maybe we’ll find that while enumerating port 443. One thing to notice is the URL that generates the page looks like a file path. When you see a file path, the first thing you should try is an LFI. I tried and it didn’t exactly work. When I try the following string

I’m back to the β€œNo Note is selected” message. This leads me to believe that it is vulnerable to LFI, however, there is a check on the backend that is grepping for the string β€œninevehNotes” since my query doesn’t work without it. According to the error, we’re in the /www/html/department/ directory, so we need to go three directories above. Let’s try with this string.

It worked!

When it comes to LFIs, you usually need to chain it to another vulnerability in order to get remote code execution. Therefore, I’m going to start enumerating the next port to see if I can find another vulnerability that I can chain this one to.

hashtag
Shell as www-data (via phpLiteAdmin) Port 443

Visit the page in the browser. https://nineveh.htb/arrow-up-right

View the page source to see if it gives you any extra information. We don’t get anything useful. Next, view the SSL certificate. admin@nineveh.htb

/secure_notes This might be what the comment β€œcheck your secret folder” was referring to. Save the image, it might have a secret stored in it. We’ll look into that later. https://nineveh.htb/secure_notes/arrow-up-right

/db /db returns a login for a phpLiteAdmin instance: https://nineveh.htb/db/arrow-up-right

I tried the default password β€œadmin” for phpLiteAdmin v1.9 but that did not work. Let’s try brute-forcing the password. First, intercept the request in Burp.

Then run hydra on the login form.

Let’s view the content of the Remote PHP Code Injection exploit. According to the comments made in the exploit, an attacker can create a sqlite database with a php extension and insert php code as text fields. When done, the attacker can execute it simply by accessing the database file using the browser.

LogoPHPLiteAdmin 1.9.3 - Remote PHP Code InjectionExploit Databasechevron-right

This is exactly the vulnerability I was hoping to find! This vulnerability allows me to drop a malicious file on the server and the LFI vulnerability we found earlier allows me to call and execute my malicious file.

  1. In the Create New Database section, create a new database called random.php. Then click on random.php in the Change Database section. There, create a new table called random with 1 field. In the Field parameter add the following code and change the Type to TEXT.

  1. Click Create. As mentioned in the below image, the file is created in the directory /var/tmp.

  2. Now, let’s go back to the LFI vulnerability and execute our php code.

We have code execution! Let’s intercept the request in Burp and add a reverse shell to the cmd parameter.

Then add the code to the cmd parameter in Burp and URL encode it (Ctrl+U).

Setup a listener to receive the reverse shell.

Let’s upgrade it to a partially interactive bash shell.

Now let’s view the permission of the user.txt file.

We’re running as www-data, so we don’t have rights to read the file. We need to escalate our user privileges.

hashtag
Priv: www-data –> root

Let’s transfer the LinEnum script from our attack machine to the target machine. In the attack machine, start up a server in the same directory that the script resides in.

In the target machine, change to the /tmp directory where we have write privileges and download the LinPeas script.

Give it execute privileges.

Run the script.

In our nmap scan, port 22 was not reported to be open, however, the LinEnum script reports it as listening on localhost. I’m not sure what to do with this piece of information but I’ll keep it at the back of my mind in case I don’t find any other way to escalate privileges.

Next, let’s try pspy. If you don’t have the script, you can download it from the following github repository.

LogoGitHub - DominicBreuker/pspy: Monitor linux processes without root permissionsGitHubchevron-right

Every minute or so the chkrootkit is being run. I’ve never seen that on a machine before so I googled it and found out that it is a program intended to help system administrators check their system for known rootkits. Next, I googled β€œchkrootkit privilege escalation” and landed on this

LogoChkrootkit 0.49 - Local Privilege EscalationExploit Databasechevron-right

There is a privilege escalation vulnerability with old versions of this software that will run any executable file named /tmp/update as root. Therefore, all we have to do is create an β€œupdate” file that contains a reverse shell and wait for the scheduled task to give us a shell with root privileges.

I’ll write a simple reverse shell to /tmp/update and make it executable:

The next time chkroot runs, I get a shell:

PreviousCronosNextSense

Last updated