Nineveh

try some brute force …

@Deadstopp said:
Hi guys,

I have managed to find both the portals, but I am having a really hard time accessing them. I have run dirbuster against both the http and https pages with multiple wordlists with no real success.

The only clue I have at the moment is on the one page, but that hasn't gotten me anywhere on this box.

Can someone give me a nudge in the right direction please?

To gain access to the portals, you need to bruteforce. One of the portals has a development error that will leak some info, cutting your bruteforce time down a bit. Once you have authenticated with both, the challenge should present itself.

PS: the php error that comes up randomly doesn't mean anything afaik

@hotshoto said:

@Deadstopp said:
Hi guys,

I have managed to find both the portals, but I am having a really hard time accessing them. I have run dirbuster against both the http and https pages with multiple wordlists with no real success.

The only clue I have at the moment is on the one page, but that hasn't gotten me anywhere on this box.

Can someone give me a nudge in the right direction please?

I'm stuck at the same spot, the creds aren't the default creds by the looks of it. I've tried bruteforcing both pages but to no avail. Is there a specific wordlist that I am missing?

Default nselib worked for me.

I've found both portals and am able to login to both. The password-only portal, I cannot seem to get a vuln to trigger. The user/pass portal, I cannot seem to find anything other than one URL param to manipulate. However, I can't seem to figure out what else to try.

@everyone stuck in this thread … you must enumerate more and read the information given to you on the various web pages and notes. Google is your friend.

hi guys, any hints regarding prv.esc. I am in as the only 'intended' user. I would just hate it if this comes down to a kernel exploit, tell me this can be done without any dirtycows etc…, been up and down this box for awhile now, nothing really sticks out… any hints on this box.
I see files stacking up in a directory, not sure I can exploit this…

never mind, got it :astonished:

@A113n said:
hi guys, any hints regarding prv.esc. I am in as the only 'intended' user. I would just hate it if this comes down to a kernel exploit, tell me this can be done without any dirtycows etc…, been up and down this box for awhile now, nothing really sticks out… any hints on this box.
I see files stacking up in a directory, not sure I can exploit this…

I'm at the same point. Connected to the box with an unprivileged user but I didn't find any right kernel exploit and I'm really stuck.

@n1b1ru said:
I'm at the same point. Connected to the box with an unprivileged user but I didn't find any right kernel exploit and I'm really stuck.
not quite, I was on the box as a privileged user (i.e. not www-data if that's what you mean), so … enumerate more.

@A113n said:

@n1b1ru said:
I'm at the same point. Connected to the box with an unprivileged user but I didn't find any right kernel exploit and I'm really stuck.
not quite, I was on the box as a privileged user (i.e. not www-data if that's what you mean), so … enumerate more.

Not a reverse shell, I'm in with a direct ssh connection. After hours enumerating I found just a weird issue. I manually review, I use scripts, etc. No progress at all.

Just got root on Nineveh! Must say it is a pretty epic box. Really enjoyed it thoroughly!

just got this box was fun… 10-14 hours… only stop 40m to buy the CCC tickets …

hey @n1b1ru, how did you connect to the ssh service? I've scanned all ports and there's no ssh on any port, I have the info that I need to connect but there's no service?

@shadow12 said:
hey @n1b1ru, how did you connect to the ssh service? I've scanned all ports and there's no ssh on any port, I have the info that I need to connect but there's no service?

There most definitely is an SSH service running. Check for yourself on the box with netstat -a

Seems I'm the only one having real trouble logging into the php portal. Should I be trying to bruteforce it like the http portal? Finding a proper failed response to get hydra to work has been a real time waste.

@abr4xas. I have had some success with Burp intruder…

@hlyrad I'm giving it a shot now, rockyou wouldn't upload though. Even the smaller list I'm using is real slow going. I think I'm missing a given word list or something. Thanks for the tip anyway though.

can't find any ssh keys anywhere after one day of searching… if I do ssh without a key it says Permission denied (publickey).
any hints on getting the key, or is privilege esc possible with www-data?

I've been on this box for a while now, can't seem to get priv-esc. I keep coming back to the process that runs every minute, but I don't see any way to interact with it, even the binary is unreadable. It doesn't even show up in a "dpkg -S". Any help would be appreciated.

@abr4xas I got hydra to work with this and it went fast after I figured out all the problems it was having with the command. So it is possible. Might be quicker to work out the kinks with Hydra than using Burp for those stuck on the same spot. I'm sure by now abr4xas has moved on but just saying it is possible using Hydra.
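Several posts above (the hydra and Burp Intruder attempts) describe what a login brute-force looks like from the attacker's side. For the defender, the same activity shows up in the web server's access log as a burst of POSTs to the login page from one source. The example below is added here and is not code from the Nineveh box or from any poster in the thread: it parses combined-format access log lines and flags any source IP whose POSTs to a login path exceed a threshold inside a sliding time window. The login path `/login.php`, the IP addresses, and the log lines are all constructed for illustration.

```python
"""Brute-force login detection over web-server access logs.

Added example (not code from the Nineveh box or from any poster in the
thread). It assumes Apache/nginx combined-format access logs and a
hypothetical login endpoint path; the sample lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["time"], TIME_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_bruteforce(lines, login_paths, window=timedelta(minutes=1), threshold=10):
    """Return {ip: peak_count} for every source IP that sent at least
    `threshold` POSTs to one of `login_paths` within any sliding `window`."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in login_paths:
            continue
        per_ip[rec["ip"]].append(rec["time"])

    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, best = 0, 0
        # Two-pointer sliding window: advance `start` until the window fits.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


# Constructed sample log: 12 rapid POSTs from one address (3 s apart),
# plus one normal login and one page view from another address.
BASE = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    f'10.10.14.7 - - [{(BASE + timedelta(seconds=3 * i)).strftime(TIME_FMT)}] '
    f'"POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    for i in range(12)
] + [
    f'10.10.14.9 - - [{BASE.strftime(TIME_FMT)}] '
    f'"POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    f'10.10.14.9 - - [{(BASE + timedelta(seconds=5)).strftime(TIME_FMT)}] '
    f'"GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # Expected: {'10.10.14.7': 12}
    print(detect_bruteforce(SAMPLE_LOG, {"/login.php"}))
```

Note that the detector keys on request volume rather than on the response status: a login form that answers every attempt with 200 (which is exactly what makes picking a failure string for hydra awkward, as one post above mentions) is still caught, because the count of POSTs to the form is what changes under a brute-force, not the status code.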

read carefully and google it