Nineveh

I’ve found both portals and am able to log in to both. On the password-only portal, I cannot seem to get a vuln to trigger. On the user/pass portal, I cannot seem to find anything other than one URL param to manipulate. However, I can’t seem to figure out what else to try.

@everyone stuck in this thread … you must enumerate more and read the information given to you on the various web pages and notes. Google is your friend.

Hi guys, any hints regarding priv esc? I am in as the only ‘intended’ user. I would just hate it if this comes down to a kernel exploit; tell me this can be done without any dirtycows etc… Been up and down this box for a while now, nothing really sticks out… any hints on this box?
I see files stacking up in a directory, not sure I can exploit this…

never mind, got it :astonished:

@A113n said:
Hi guys, any hints regarding priv esc? I am in as the only ‘intended’ user. I would just hate it if this comes down to a kernel exploit; tell me this can be done without any dirtycows etc… Been up and down this box for a while now, nothing really sticks out… any hints on this box?
I see files stacking up in a directory, not sure I can exploit this…

I’m at the same point. Connected to the box with an unprivileged user but I didn’t find any right kernel exploit and I’m really stuck.

@n1b1ru said:
I’m at the same point. Connected to the box with an unprivileged user but I didn’t find any right kernel exploit and I’m really stuck.
Not quite, I was on the box as a privileged user (i.e. not www-data, if that’s what you mean), so… enumerate more.

@A113n said:

@n1b1ru said:
I’m at the same point. Connected to the box with an unprivileged user but I didn’t find any right kernel exploit and I’m really stuck.
Not quite, I was on the box as a privileged user (i.e. not www-data, if that’s what you mean), so… enumerate more.

Not a reverse shell, I’m in with a direct SSH connection. After hours of enumerating I found just a weird issue. I review manually, I use scripts, etc., no progress at all.

Just got root on Nineveh! Must say it is a pretty epic box. Really enjoyed it thoroughly!

Just got this box, was fun… 10-14 hours… only stopped 40m to buy the CCC tickets…

Hey @n1b1ru, how did you connect to the SSH service? I’ve scanned all ports and there’s no SSH on any port. I have the info that I need to connect, but there’s no service?

@shadow12 said:
Hey @n1b1ru, how did you connect to the SSH service? I’ve scanned all ports and there’s no SSH on any port. I have the info that I need to connect, but there’s no service?

There most definitely is an SSH service running. Check for yourself on the box with netstat -a.

Seems I’m the only one having real trouble logging into the PHP portal. Should I be trying to brute-force it like the HTTP portal? Finding a proper failed response to get hydra to work has been a real time waste.

@abr4xas, I have had some success with Burp Intruder…

@hlyrad I’m giving it a shot now, rockyou wouldn’t upload though. Even the smaller list I’m using is real slow going. I think I’m missing a given word list or something. Thanks for the tip anyway though.

Can’t find any SSH keys anywhere after one day of searching… if I do ssh without a key it says Permission denied (publickey).
Any hints on getting the key, or is privilege esc possible with www-data?

I’ve been on this box for a while now, can’t seem to get priv-esc. I keep coming back to the process that runs every minute, but I don’t see any way to interact with it, even the binary is unreadable. It doesn’t even show up in a “dpkg -S”. Any help would be appreciated.

@abr4xas I got hydra to work with this and it went fast after I figured out all the problems it was having with the command. So it is possible. Might be quicker to work out the kinks with Hydra than using Burp for those stuck on the same spot. I’m sure by now abr4xas has moved on, but just saying it is possible using Hydra.

Read carefully and google it.

@JoeDev yeah I eventually got it going with hydra. Learned a lot about using the program to eventually discover I had a dumb typo in my original cmd.

@abr4xas haha, me too. I had an upper case L that needed to be lowercase. Interesting.