This is my write-up for the machine on Hack The Box called Nineveh located at:

I started off with a basic nmap scan:

One of the tags on the machine was for Port Knocking:

This gave me the idea that I might have to knock a port later on to get into it. While I was doing some research my full nmap scan (nmap -T4 -A -v -p- -Pn -oN nineveh.nmap) came back:

It seems to represent the same information that the basic nmap scan had provided. The main page seems to be a default home page that seems standard:

Running dirsearch on the IP address led me to the following page:

Looking at the source code, I found the following:

It seems that there is a username of amrois. In addition, I have learned that MySQL has been installed on the server. I then ran dirsearch on the /department on the folder:

I am not able to access either of those sites, since I need to log in to the website first. Using the username amrois, I got the following:

However, when I enter the username admin, I get the following:

It seems that amrois might be an MySQL admin username or something else. Running hydra on the admin user got me the following:

I was into the website:

I also saw the following on the main page:

The link looks (at a basic glance) to be vulnerable to File Inclusion:

I accessed the website on port on 443 (HTTPS) and saw the following:

Running dirsearch on port 443 gives different results:

Going to the /db folder, I see the following:

Searching for phpLiteAdmin on Exploit Database I see the following:

I tried to run hydra on the password field, and it worked:

I then made a new database using the button on left side:

This is from the following Exploit Database link: I then made the table called "testing":

I viewed this write-up and noticed that they were able to get the contents of /etc/passwd, by using LFI. I then followed their request and got the following:


Last updated