Hackthebox Walkthrough — Nineveh
I have been taking the PWK courses and preparing for the OSCP exam recently. I got inspired a lot by many Hackthebox machines besides the PWK labs. So I decided to start writing some walkthroughs of retired Hackthebox machines (inspired by hackingarticles, infosec, ippsec's YouTube videos, etc.; thanks for all of these amazing penetration testing materials!)
Target: 10.10.10.43
Local IP: 10.10.14.33
Nmap Enumeration:
First, we run an nmap scan to see which ports are open.
It seems that only the web server ports 80 and 443 are open.
Browsing the web page, we see nothing there, so let's work on directory enumeration.
We fuzz both port 80 and port 443.
We found the /department directory on port 80:
a login page.
Let's fuzz port 443 now.
We found two quite interesting directories, /db and /secure_notes.
/db is the phpLiteAdmin page.
On /secure_notes we found a picture on the page.
Let's try to brute-force the /department login page first.
Default password: admin; admin doesn't work.
Use Burp Suite to capture the format of the login request.
Use hydra to brute-force the password, with the username set to admin,
and we found the login credentials.
Log in with the username admin and the password, and we see an under-construction page.
Same thing for the SSL /db page: let's use hydra to brute-force the login credentials again.
Use Burp Suite to intercept the login.
And we successfully brute-forced the login credentials for this phpLiteAdmin database.
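An added example (not part of the original walkthrough): seen from the defender's side, both brute-force runs above show up in the web server's access log as bursts of failed POSTs from one source. The Python below flags such bursts and records whether a successful login followed. The login file names, the log lines, and the rule that a failed login returns 200 while a successful one redirects with 302 are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Assumed login endpoints; the page names only the /department and /db directories.
LOGIN_PATHS = {"/department/login.php", "/db/index.php"}

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=10)):
    """Flag (ip, path) pairs with >= threshold failed logins inside the window."""
    recent = defaultdict(deque)  # per-source sliding window of failure times
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?")[0]
        if path not in LOGIN_PATHS:
            continue
        key = (m["ip"], path)
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["status"] == "302":  # assumption: a redirect means the login succeeded
            if key in flagged:    # success right after a burst: treat as compromised
                flagged[key]["success_after"] = True
            continue
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            hit = flagged.setdefault(key, {"failures": 0, "success_after": False})
            hit["failures"] = max(hit["failures"], len(q))
    return flagged

def _line(ip, sec, path, status):
    # Builds one constructed Apache-style access log line (not real traffic).
    return (f'{ip} - - [05/Mar/2018:10:00:{sec:02d} +0000] '
            f'"POST {path} HTTP/1.1" {status} 1500 "-" "-"')

SAMPLE = ([_line("10.10.14.33", s, "/department/login.php", 200) for s in range(8)]
          + [_line("10.10.14.33", 8, "/department/login.php", 302),
             _line("192.0.2.7", 0, "/department/login.php", 200),
             _line("192.0.2.7", 40, "/department/login.php", 302)])

if __name__ == "__main__":
    for (ip, path), hit in detect_bruteforce(SAMPLE).items():
        print(ip, path, hit)
```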
Back to exploring this under-construction /department page.
The file path looks quite interesting; it might be vulnerable to LFI or RFI.
We got an error message if we modify the extension a little bit.
Going back to the phpLiteAdmin database, we use searchsploit to see what exploits we can use.
Paste this PHP command into the field and set the type to “text”.
Rename the database to ninevehNotes.php.
Then browse the /department page; we found that the page is vulnerable to LFI.
Send this page to Burp Suite Repeater.
Copy the netcat reverse shell command from the pentestmonkey reverse shell cheat sheet,
set up our netcat listener, and then we got a reverse shell back.
Now let's work on privilege escalation.
Spawn a Python TTY shell to make it more stable.
Run LinEnum.sh.
We see a quite interesting directory, /report (not a default Linux directory).
A file is created every minute inside /report (maybe a cron job).
cd to /var/tmp and create a script, procmon.sh
(it greps for every old/new process that is running on the server).
Searchsploit for chkrootkit; we also want to turn this nc shell into a meterpreter session.
(system info)
(instead of python, we use python3 on the target machine)
And we got a meterpreter session.
Background the session and search for chkrootkit exploits,
and now we see we have root privileges!
Time to grab the user.txt and root.txt flags!