Nineveh

Gaining Access

Nmap scan:

Port 80

I ran a gobuster scan against the web application on port 80 and found a hidden directory:

When we visit the /department directory, we are presented with a login page:

There was really nothing I could do with this page, so I moved on.

Port 443

I ran another gobuster scan on this website, and found some directories:

$ gobuster dir -k -u https://10.10.10.43 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 150
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://10.10.10.43
[+] Method:         GET
[+] Threads:        150
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Status codes:   404
[+] User Agent:     gobuster/3.1.0
[+] Timeout:        10s
===============================================================
2022/02/05 22:00:49 Starting gobuster in directory enumeration mode
===============================================================
/db (Status: 301)
/server-status (Status: 403)
/secure_notes (Status: 301)

There was a hidden /db directory. When we visit it, we see a phpLiteAdmin instance:

This was another dead end, however, since we don't have credentials.

Brute Force

Normally, I don't brute force passwords unless it's my last lead, and at this juncture I had no leads. Brute forcing the logins on both pages was successful with the username admin.

With this, we can log in to both services. Port 80 revealed an image:

We can instantly tell that this is vulnerable to LFI because of the notes parameter in the URL. Next, we can view the phpLiteAdmin admin dashboard:

This version of phpLiteAdmin is vulnerable to RCE, and we can follow the PoC here:

However, this exploit only works if we can get the server to execute the PHP file it writes, and the LFI on the port 80 dashboard provides that: the dashboard is itself PHP, so whatever file it includes is executed as PHP.
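As an added defensive example (not from the original writeup), the following script flags the kind of requests this chain produces in an Apache access log: traversal sequences, absolute paths, null bytes and stream wrappers in the notes parameter under /department. The log lines are constructed; the script name manage.php, the client addresses and the timestamps are assumptions, not values from the box.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache combined format. Only the /department
# prefix and the "notes" parameter come from the writeup; manage.php, the
# file names, client addresses and timestamps are assumed.
SAMPLE_LOG = """\
10.10.14.5 - - [05/Feb/2022:22:01:10 +0000] "GET /department/manage.php?notes=files/notes.txt HTTP/1.1" 200 1483 "-" "Mozilla/5.0"
10.10.14.5 - - [05/Feb/2022:22:01:31 +0000] "GET /department/manage.php?notes=../../../../etc/passwd HTTP/1.1" 200 2009 "-" "Mozilla/5.0"
10.10.14.5 - - [05/Feb/2022:22:02:02 +0000] "GET /department/manage.php?notes=%2ftmp%2fx.php HTTP/1.1" 200 57 "-" "Mozilla/5.0"
10.10.14.9 - - [05/Feb/2022:22:02:40 +0000] "GET /department/login.php HTTP/1.1" 200 901 "-" "Mozilla/5.0"
"""

# Client address, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_notes(value: str) -> list[str]:
    """Return the LFI indicators present in one notes= value (already URL-decoded once)."""
    v = unquote(value)  # decode a second time so double-encoded traversal is still caught
    indicators = []
    if "../" in v or "..\\" in v:
        indicators.append("traversal")
    if v.startswith("/"):
        indicators.append("absolute-path")
    if "\x00" in v:
        indicators.append("null-byte")
    if re.match(r"^[a-z]+://", v, re.IGNORECASE):
        indicators.append("stream-wrapper")  # e.g. php://, data://, expect://
    return indicators


def scan_log(text: str) -> list[dict]:
    """Return one hit per request under /department whose notes value looks like LFI abuse."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.startswith("/department/"):
            continue
        for val in parse_qs(url.query, keep_blank_values=True).get("notes", []):
            indicators = classify_notes(val)
            if indicators:
                hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                             "notes": unquote(val), "indicators": indicators})
    return hits
```

A successful include of a file outside the application directory usually shows up as a 200 with an unexpected response size, so the status and size columns are worth correlating with these hits.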

Now that we have RCE, getting a shell is trivial.

Privilege Escalation

chkrootkit

When we move to the main directory, we find a /report directory, and within it confirmation that the machine has a rootkit installed.

This rootkit has some local privilege escalation exploits.

We can use this to gain a root shell.