HARRYPOTTER: NAGINI
Goal : find 3 horcruxes hidden inside the machine
Lab Setup:-
Download this machine from the link and import it into the virtual box.
Let’s start with reconnaissance.
Here is the machine welcome message and the ip.
In my case IP is 192.168.1.103
Let’s start a quick scan.
In nmap result got 2 open ports,
SSH and HTTP
So i runed a complete nmap scan on machine.
┌─[root@v0ld3rm0rt]─[~/vm/nagini]
└──╼# nmap -sV -sC -A -p- -vv -oA 192.168.1.103 192.168.1.103
Nmap scan report for 192.168.1.103
Host is up, received arp-response (0.00071s latency).
Scanned at 2021-05-07 09:08:01 IST for 10s
Not shown: 65533 closed ports
Reason: 65533 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 48:df:48:37:25:94:c4:74:6b:2c:62:73:bf:b4:9f:a9 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSJJ1ZAbIA3lP2RbpxnhknzLJqrHne4be3xTLmVEXWg7YQ6FFZ/RA1VzmrFYPlvB1t1XwopptI+nA9BSG5+hllLyCQ1pDZkhIwyGHuBLZETD8cIJTlsxVCwnh67h7eeK4hTEtjp1rUodK30juDf5u7JnkwVfo78LvM8WV1LjVrmhsZiqzy1CxAoMFpiRp3ZlvpblL3gdd0wgSNrGqEwc6qJc6Z+RKGkLbnpgTnOsc6vGLs1xFOGrHF2qFeDpUWti0ZDSN31LtP1HtNItbBKSECcFD3KrN8nPaZCa2V9GA1jrpOOAF1j0ehcRlBoFqLZzQbO9RFeIkgqGNrz3PDt7vp
| 256 1e:34:18:17:5e:17:95:8f:70:2f:80:a6:d5:b4:17:3e (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBESZsj5u/F88CLIXTeBD8OgiCM2u8sKBgbvvjKccwFmCBMh3GmOHGP8qzzQwVTMkq1aN0WSIk7h8/cHCT2tZLzE=
| 256 3e:79:5f:55:55:3b:12:75:96:b4:3e:e3:83:7a:54:94 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMsH4OtBIy/He42Rc6KvtI6w2855JMLVloVFy5/0Rtj4
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.38 ((Debian))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:9B:F3:1F (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=5/7%OT=22%CT=1%CU=33184%PV=Y%DS=1%DC=D%G=Y%M=080027%TM
OS:=6094B623%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%
OS:TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5
OS:=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=
OS:FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
OS:%T=40%CD=S)Uptime guess: 26.666 days (since Sat Apr 10 17:08:41 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelTRACEROUTE
HOP RTT ADDRESS
1 0.71 ms 192.168.1.103
In the port 80 only shows harrry potter image that we’ve already saw in previous machine.
Nothing found crucial so i runed gobuster on http.
┌─[root@v0ld3rm0rt]─[~/vm/nagini]
└──╼ # gobuster dir --url http://192.168.1.103/ --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.103/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/05/07 09:10:31 Starting gobuster in directory enumeration mode
===============================================================
/joomla (Status: 301) [Size: 315] [--> http://192.168.1.103/joomla/]
/server-status (Status: 403) [Size: 278]
===============================================================
2021/05/07 09:20:18 Finished
===============================================================In the gobuster found joomla directory.
After enumerating nothing found crucial so i runed dirbuster with some filters
┌─[root@v0ld3rm0rt]─[~/vm/nagini]
└──╼ # dirb http://192.168.1.103/ -X .php,.txt,.html,.htm
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri May 7 10:05:03 2021
URL_BASE: http://192.168.1.103/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.php,.txt,.html,.htm) | (.php)(.txt)(.html)(.htm) [NUM = 4]
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.103/ ----
+ http://192.168.1.103/index.html (CODE:200|SIZE:97)
+ http://192.168.1.103/note.txt (CODE:200|SIZE:234)Found one note.txt file.
Its a note maybe its a clue towards our next step.
So i runed a joomscan to find some intresting things like wpscan.
┌─[root@v0ld3rm0rt]─[~/vm/nagini]
└──╼ # joomscan -u http://10.0.0.16/joomla --enumerate-componentsAnd in the joomal found one config.bak file, maybe its useful to us.
Only got database username nothing more..
So i move forward with the note.txt file.
In that file user has mentioned something about HTTP3 so i searhed for it.
And got the details so i moved forward to setuped http3 client to ccall the domain.
I used these links to install and configure http3 client on my kali.
After calling the domain with http3 client got one more message.
In a message got one file /internal*************.php so i runed it on a website.
And got a simple php page.
By the heading its like Internal network resource fetching page.
So i tried to attemp some LFI and SSRF, and found its vulnerable to ssrf.
and in the /etc/passwd file we got user details
snape:x:1000:1000:Snape,,,:/home/snape:/bin/bash
ron:x:1001:1001::/home/ron:/bin/sh
hermoine:x:1002:1002::/home/hermoine:/bin/bashThen i called joomla config backup file
So i googled about ssrf exploit and got one tool.
So i genrated a simple mysql show database payload with gopherus to check the available databases;
After hitting it on the url
Found that it is working very well so now we can change the user credentials of joomla user.
use joomla; update joomla_users set password = ‘21232f297a57a5a743894a0e4a801fc3’ where username=‘site_admin’; select * from joomla_users;
After that i logged in to the joomla and upload a reverse shell on it.
So time to upload reverse shell
Got a shell.
Found one credentials file
Okay so now we got a credentials of snape.
Lets ssh into it
Now got 1 flag our of 3
horcrux_{Sly****************************Y RoN}After that we need to get more previleges,
So i searched for SUID bit file.
got one file having SUID bit and working as a cp.
So i decided to genrate a ssh key and paste it to the hermoine .ssh folder.
Okay so we got a hermoine shell and btw its my favourite character in Harry Potter (Emma Watson).
So its time to find another flag
Here is that
horcrux_{Hel**************************** by Hermione}Time to root the machine!!!
So lets find something
When i ls into the hermoine directory i found firefox folder.
I was thinking at that time, Machine is configured in CLI so what is the use of firefox folder here.
I feel suspicious so i searched for firefox credentials decrypter.
So i copyed it on my local pc and runed a forefox decrypter
We got a password
and here we are.
Got a Root !!
Wait Wait Wait…..
Task is not completed yet.
We’ve to find 3 flags to defeat Voldemort.
Here is the another one.
Now we have 5 flags.
1. horcrux_{RidDlE's **************************** of SeCrets}
2. horcrux_{maRvoLo ************************** bY DUmbledOre}
3. horcrux_{SlythEriN's ************************** bY RoN}
4. horcrux_{Helga ******************************** by Hermione}
5. horcrux_{Diadem *************************** by Harry}Mission defeat Voldermort.
