Saturday, 7 July 2018

Nineveh: v0.3 - CTF

Lately I had a chance to check a 'new' CTF from VulnHub, described as a part of the HackTheBox Lab. Below you will find a few notes about it. Thanks to Yas3r - this time we will try Nineveh: v0.3.
Let's go.

I started with a small scan and found 2 ports open:


In a 2nd terminal I tried a few dictionaries with dirb. The results are below:

Checking the found (http) 'directory':


Ok, good. Maybe we will find something interesting in the source code of the login page?

amrois - good, probably the 'user' ;> (I was wondering if this is a hint for the old Apache bug where you can enumerate users a little bit using '~'

 
... but it was not ;])

Let's get back to the results for our next port - 443:


Checking:

Ok, looks like an old webapp similar to PMA. So I assumed that there would be a few already-known bugs somewhere online that I could use here to go deeper...

"Default" hardcoded password

... was not an option here... ;] Looking at the source again:



Checking the main webroot:

Very funny. ;] Next:


Sure - but no. I decided to re-scan (dirb) web server again:


More files to check.

Well... at this stage I decided to try something else. The goal was to get inside the panel to check what else/more could be done (as an admin; so basically I was looking for some shell-upload possibility).

Let's do it:


And:


Cool ;] When I was looking at the links available on the page I saw an interesting one:


My first thought was - LFI or RFI? ;] We will get back to that later. In the meantime I opened another console window to try to crack the password for the HTTPS panel.

Checking (log file from the script passe.py, created to crack the password using rockyou.txt):

Good.

Now it should be easier to find a way to get a shell on the server, shouldn't it?


According to the Exploit-DB PoC:


... it should be easy to put a webshell up via phpLiteAdmin. Checking (with phpinfo() as a 'test'):


So far, so good. Now it was time to prepare a reverse shell (I used msfvenom for that). After I tried a few of the available shellcode types, I finally received a meterpreter session:

The trick here was to use the (mentioned) "LFI" to access the "hack.php" file created via phpLiteAdmin. Then you will find your meterpreter ready:

After the shell was stable I tried to learn something about the server. Checking files, perms, dirs... as usual at this stage. ;)


More:


More:

Ok, good. New hint - portknock.

Checking web directories:


Checking index file:


Not much. Checking the PNG file (strings):


Good! Looks like we found an ssh key ;] Noted down to use later...
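A defender's counterpart to the strings check above, added here as an example that is not part of the original write-up: a small shell audit that walks a web root and flags any file, image or not, that carries a PEM private-key header. The sample tree, the file names and the placeholder key text are all constructed for the demonstration; only the header marker is matched, nothing is extracted.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit a web root for
# private-key material hidden inside arbitrary files, images included.
# Only the PEM header marker is matched; nothing is extracted or used.

# scan_for_private_keys DIR -> one path per line for every file under DIR
# containing a PEM private-key header (RSA, EC, DSA, OPENSSH, ...).
scan_for_private_keys() {
    # -r recurse, -l names only, -a treat binary files as text, -E ERE
    grep -rlaE -- '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1" 2>/dev/null
}

# count_key_files DIR -> number of flagged files
count_key_files() {
    scan_for_private_keys "$1" | wc -l | tr -d ' '
}

# make_sample_webroot -> builds a constructed sample tree in a temp dir
# and prints its path. images/hidden.png carries a PLACEHOLDER key block
# (not a real key) after a PNG signature; the other files are clean.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/images"
    printf '\211PNG\r\n\032\n' > "$root/images/hidden.png"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
                  'PLACEHOLDER-NOT-A-REAL-KEY' \
                  '-----END RSA PRIVATE KEY-----' >> "$root/images/hidden.png"
    printf '\211PNG\r\n\032\nclean image bytes\n' > "$root/images/logo.png"
    printf '<html><body>welcome</body></html>\n' > "$root/index.html"
    echo "$root"
}

# Stand-alone run: build the sample tree, scan it, clean up.
sample=$(make_sample_webroot)
echo "Files carrying a private-key header under $sample:"
scan_for_private_keys "$sample"
echo "total: $(count_key_files "$sample")"
rm -rf "$sample"
```

On a real host you would point scan_for_private_keys at the document root (for example /var/www) and treat every hit as a leaked credential to rotate, not just a file to delete.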

I wasn't able to log in to ssh from the Kali box so I decided to try the same from the local machine.
The key was copied via wget to the /tmp/a directory:

Checking:


And we are here:


After a while I found an interesting directory in / called "report". Content below:


Checking user's directory - flag found ;)


Ok. Let's get back to our reports. It looks like this is the log file ('report') from chkrootkit:


Why can we see that anyway?

After I saw that there were more and more 'reports' I was wondering if cron was involved here:


Checking the reset file:


I switched the content of the reset file to 'my own', like below:


After a while (with no revshell) I tried to figure out why the connection wasn't coming... The reason was simple:


[:

Ok, next. (According to HighOn.Coffee) I used another way to achieve the same result:

Cool, but it gave me only (again) a shell for the amrois user. :|

I wasn't sure what should be done here, so I tried to google a little bit to find out if there is any vulnerability for the available 'programs' installed on the target box. I found something interesting here.

Interestingly, it was a good idea to check it out. I prepared a file (called phpsh.1 - see below) and grabbed it onto the target host via wget. On the Kali box I used nc -lvvp 7777 to listen for incoming connections:


When all of that was prepared I was ready to wait for the connection from the remote host:


The flag:


I must admit that this was a nice idea to use chkrootkit as part of the privesc here. Kudos to the author! ;]
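As an added example (not the author's code, and not tied to the real configuration of the box): a shell audit an administrator can run to spot the conditions behind this privesc. chkrootkit releases before 0.50 (the flaw is CVE-2014-0476) execute a file named update in the temp directory with the privileges of the process that runs chkrootkit, so an old version plus a root cron job plus a world-writable /tmp is the risky combination. The crontab contents, version strings and temp directory used below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the author's code): audit the conditions behind the
# chkrootkit privesc. chkrootkit < 0.50 (CVE-2014-0476) runs $TMPDIR/update
# with the privileges of the invoking process, so check three things:
# the installed version, cron entries that run it, and a stray update file.

# chkrootkit_version_vulnerable VERSION -> true (0) if VERSION < 0.50
chkrootkit_version_vulnerable() {
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%.*}
    [ "$major" -eq 0 ] && [ "$minor" -lt 50 ]
}

# find_chkrootkit_cron_jobs CRONFILE -> active (non-comment) lines running chkrootkit
find_chkrootkit_cron_jobs() {
    grep -v '^[[:space:]]*#' "$1" | grep chkrootkit
}

# count_chkrootkit_cron_jobs CRONFILE -> number of such lines
count_chkrootkit_cron_jobs() {
    find_chkrootkit_cron_jobs "$1" | wc -l | tr -d ' '
}

# tmp_update_present TMPDIR -> true (0) if TMPDIR/update exists
tmp_update_present() {
    [ -e "$1/update" ]
}

# audit_chkrootkit CRONFILE TMPDIR VERSION -> prints findings; the last
# line is "findings=N", N being the number of conditions that were met.
audit_chkrootkit() {
    cronfile=$1; tmpdir=$2; version=$3; findings=0
    if chkrootkit_version_vulnerable "$version"; then
        echo "RISK: chkrootkit $version predates 0.50 and will execute $tmpdir/update"
        findings=$((findings + 1))
    fi
    jobs=$(count_chkrootkit_cron_jobs "$cronfile")
    if [ "$jobs" -gt 0 ]; then
        echo "INFO: $jobs cron line(s) run chkrootkit (check the user field):"
        find_chkrootkit_cron_jobs "$cronfile" | sed 's/^/    /'
        findings=$((findings + 1))
    fi
    if tmp_update_present "$tmpdir"; then
        echo "RISK: unexpected $tmpdir/update (owner/mode below); remove it and find who wrote it"
        ls -l "$tmpdir/update" | sed 's/^/    /'
        findings=$((findings + 1))
    fi
    echo "findings=$findings"
}

# make_sample_crontab -> writes a constructed /etc/crontab-style file
# (not the box's real crontab) and prints its path.
make_sample_crontab() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample crontab for the demonstration
SHELL=/bin/sh
*/10 * * * * root /usr/sbin/chkrootkit > /report/report-latest.txt
0 3 * * * www-data /usr/local/bin/backup.sh
# */5 * * * * root /usr/sbin/chkrootkit -q
EOF
    echo "$f"
}

# Stand-alone run against constructed inputs: an old version, the sample
# crontab and a temp dir with a planted (empty) update file.
cf=$(make_sample_crontab)
td=$(mktemp -d)
touch "$td/update"
audit_chkrootkit "$cf" "$td" 0.49
rm -rf "$td"
rm -f "$cf"
```

On a real host you would call audit_chkrootkit with /etc/crontab (and the files under /etc/cron.d and the root crontab), /tmp, and the version your package manager reports for chkrootkit. The durable fix is upgrading to 0.50 or later; until then, not scheduling chkrootkit as root from a directory any local user can write to removes the condition the write-up relies on.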

Big thanks go to VulnHub for hosting all of those CTFs.

Cheers

o/


