Hack The Box : Nineveh Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Nineveh” which is categories as retired lab presented by Hack the Box for making online penetration practices. 

Level: Intermidate

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are online accessible therefore they have static IP. The IP of Nineveh is 10.10.10.43 so let’s initiate with nmap port enumeration.

it enumerated port 80 and 443 are open.

We explored port 80 but didn’t observe any remarkable clue for next step.

So next, we use the dirb tool of kali to enumerate the directories and found some important directories such as http://10.10.10.43/department/  then went to the web browser to explore them.

It put-up login page as shown here.

So we try the random combination of username and password. While we have enter username: admin and Password: password it gave an error “Invalid Password” hence it was sure that the username must be admin.

Then with help of burp suit we made brute force attack and use rockyou.txt file as password dictionary. Thus we obtain correct combination for login.

 

Used above credential for login and get into admin console as shown.

At Notes tab we concluded that the given text of a file stored at someplace in the system entitled with ninevehNotes.txt.

After that we also we explored port 443 and observe the following web page. We also look at it view source but didn’t notice any further hint.

Therefore again use dirb tool for directory brute force attack and observe the /db directory.

For a second time we explored above enumerated directory and observe login page for phplightAdmin v1.9.

Again we lunch brute forced the password field on /db with burp suit and got the password: password123.

By using password123 and we get inside the PHP LiteAdmin dashboard. Then with help of Google we found the trick to exploit it after reading description from exploit DB 24044.

After reading the description from exploit 24044 then we create a new database “ninevehNotes.txt.shell.php”

Here we have created a new table “Demo” and Add! Filed inside this.

Now create entry in filed 1 as shown.

Let’s create a PHP payload for injecting inside new database. We have use msfvenom command for generating PHP backdoor.

Now copy the code from *<?php….die(); and start multi handler in a new terminal

GO to insert tab and Past above copied code inside the text filed given for Value.

At last you will notice /var/tmp/ ninevehNotes.txt.shell.php is the Path for your database.

If you remember, we had already access admin console and observed a tab for Notes, use it to execute your backdoor.

Meanwhile, return to the Metasploit terminal and wait for the metepreter session by exploiting multi handler.

From given below image you can observe Meterpreter session 1. But the task is not finished yet, still, we need to penetrate more for privilege escalation.

After doing a little bit enumeration we notice a directory report is owned by the user amrois and these reports were being continuously generated by chkrootkit in every minute.

With help of Google we came know that metasploit contains an exploit for chkrootkit exploitation. After enter following command as shown in given image to load exploit/unix/local/chkrootkit module then set session 1and arbitrary lport such as 4545 and run the module.

This will give another session, as you can see we have spawned command shell of target’s machine. Now if you will check uid by typing id it will show uid=0 as root.

And to see the list of files in /root type:

ls -lsa

In the list you will see that there is a text file and to read that file type :

cat root.txt

Congrats!! We hit Goal finished both task and at end obtain the root access.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Leave a Reply

Your email address will not be published. Required fields are marked *