hackthebox nineveh walkthrough

Spread the love

Starting with masscan

Two web ports are open with SSL and without SSL.

Lets explore without SSL (port 80) first. To start with we will try gobuster

We found one directory /department. Browse it

hackthebox – nineveh – department

Hmm a login page, we can try few login details like admin/admin, guest/guest, admin/password, etc. But in this case none worked. So lets checkout source to see if we find anything interesting.

hackthebox – message from amrois

We see a message from amrois user to admin requesting to fix the login page.

Although amrois is talking about some problem in login page, I am not sure what is wrong with the login page. Therefore, I thought of using hydra against the login page.

The login page gives an error like “Invalid username” and “Invalid password”. This helps to find the right username and password. Quickly I was able to find that the username is admin. For password, I use hydra as following

We got the password 1q2w3e4r5t.

Login with user admin and above password.

hackthebox – nineveh – department admin

There is only one useful tab called Notes. If we click on it, we see following message.

Again, message from amrois. He is asking same thing and giving us hint to find the secret folder.

If we look at the URL for Notes, it is http://10.10.10.43/department/manage.php?notes=files/ninevehNotes.txt . May be we can exploit it with LFI,RFI, etc. We will check it out later.

That’s it for port 80 for now. Lets forget for it now and move to port 443

Using gobuster

We got /db folder. Lets browse it

hackthebox – nineveh – phpliteadmin

We see a phpLiteAdmin page. Here we discover the version of phpliteadmin is v1.9 and we also discover the full path because of error line on the top.

Again, using hydra to find the password

Nice, we got the password ie password123. Use it and enter

If you check on searchploit then you will see a vulnerability in phpliteadmin v1.9 which allow executing PHP code if we rename database with PHP file extension.

Create a database called ninevehNotes.php and create a table with the following content and TYPE=TEXT. The content of the table is as follows

Now get back to port 80 and use above as following

We got command execution!!

If we go to the following address, we see secure_notes folder, inside it there is a png file ie ninevh.png

Go to the following address and save the file, use binwalk to see if it conceals any secrets

we see tar file is there

Nice, private and public key.

Lets get a shell. urlencode following

and use the output with the URL. Make sure to listen for shell in another terminal

We will get a shell. Now we can use the private key we found before. Save it as anything you like, set permission to 400 and SSH

We are amrois user now.

After getting the amrois user, we need to find the way to root. To do it, I search for files/folders owned by amrois user

Among all of the result above seems to be interesting. Checking the /report folder

Open one of the file, you will realize that the file is the log of chkrootkit. I then checked if the user is running any cronjob because the above result shows that the script is executing after some interval of time. I assumed that the process is ran by some other user ie root.

There is a known issue with chkrootkit. If we create a file in /tmp directory name update, then chkrootkit with executing it as root if it is running by root user.

To test this I create a file /tmp/update and inserted following

Listen for the shell and after sometime you will get a shell

Lets check if there is any cronjob running by root user

Indeed, what is the content?

That’s all, but wait…why assuming, chkrootkit might be running with any other user. That’s right. I have assumed it here and it worked. Alternatively, we can check the process every minute using python script or use tool like pspy


Spread the love

Leave a Reply

Your email address will not be published. Required fields are marked *