Monday, May 30, 2022

HTB Walkthrough - Aragog



Okay let’s look at this medium rated box running Linux.

As always, let's start with our nmap scan.



As we can see, we have FTP, HTTP and SSH ports open. Let's inspect the FTP service first, since we can already see a readable test.txt there.



We can see some sort of XML-like data with <subnet_mask> and <test> as elements. They might come in handy elsewhere. Let's keep enumerating the other services.


We also have port 80 open and might find something interesting there.



We find this on the main home page; it looks like we were redirected to /hosts.php. As we can see, it says that there are 4294967294 hosts. That is the number of usable hosts in a subnet with mask /0 (2^32 - 2), so the page is calculating the number of hosts for a provided subnet mask and falling back to the default because we have not provided any value. So let's look for a way to provide it with a mask so it calculates the possible hosts correctly.


Looking back, the data present in test.txt matches exactly the kind of XML input this page expects! Let's try it.


It does work! XML parsers that accept user-supplied documents have a tendency to be vulnerable to XML eXternal Entity (XXE) attacks. Let's try to ask for /etc/passwd using XXE.



Oh, it works! Nice. In the result we can see a user, Florian. Let's try and ask for the user's id_rsa so we can log in through SSH.



Wowow, this is my first! We have the id_rsa. Now let's just try to log in using this id_rsa.



Here we go! We now have a shell as Florian! Good job to myself.


Now let's move on to getting root.

We know we have some data in /var/www. It might contain database credentials, and those passwords often match a real user's password. So let's take a look.



Okay, so dev_wiki is readable and writable by everyone. That gives us a new route, /dev_wiki, to go to!


Looks like it is a WordPress site. Let's browse to /dev_wiki to see what it has.


Ohhkayy, the blog gives us this message on the homepage. Cliff says that he'll be logging in regularly and also backing up fairly frequently. So maybe we can catch Cliff logging in before he backs the system up.


So I change the wp-login.php file and add some of my own code to gather the credentials when Cliff logs in.



Okay, so we're all ready. Now when Cliff logs into WordPress again, we'll have the login credentials saved in /tmp/user_data.
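The two things that make this step possible are the world-writable dev_wiki directory and an unmonitored wp-login.php. Both are cheap to detect. The following is an added example written for this walkthrough (not code from the box or from WordPress): a small Python audit that baselines file hashes under a web root, then reports any file or directory writable by "other" and any file whose hash drifted. The web root it scans is a constructed stand-in built in a temporary directory; the file names mimic a WordPress layout but are placeholders, not the box's real /var/www contents.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(webroot: Path) -> dict:
    """Map each regular file under the web root (relative path) to its hash."""
    return {
        str(p.relative_to(webroot)): file_sha256(p)
        for p in sorted(webroot.rglob("*"))
        if p.is_file()
    }


def find_world_writable(webroot: Path) -> list:
    """Relative paths of files or directories writable by 'other'.
    The web root itself is included and reported as '.'."""
    hits = []
    for p in [webroot] + sorted(webroot.rglob("*")):
        if p.lstat().st_mode & stat.S_IWOTH:
            hits.append(str(p.relative_to(webroot)))
    return hits


def find_modified(webroot: Path, baseline: dict) -> list:
    """Files whose hash differs from the baseline, plus new and deleted files."""
    current = build_baseline(webroot)
    changed = [name for name, digest in current.items() if baseline.get(name) != digest]
    changed += [name for name in baseline if name not in current]
    return sorted(changed)


def demo() -> dict:
    """Constructed scenario: baseline a tiny fake WordPress tree, then open the
    directory to everyone and append a line to wp-login.php, as an attacker
    with write access to the web root would. Returns what the audit reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "dev_wiki"          # placeholder web root
        (root / "wp-admin").mkdir(parents=True)
        (root / "wp-login.php").write_text("<?php // constructed stand-in ?>\n")
        (root / "wp-admin" / "index.php").write_text("<?php // constructed stand-in ?>\n")
        baseline = build_baseline(root)
        assert find_modified(root, baseline) == []   # clean right after baselining

        # Simulated drift: directory made world-writable, login page tampered.
        os.chmod(root, 0o777)
        with (root / "wp-login.php").open("a") as f:
            f.write("// appended line simulating tampering\n")

        return {
            "world_writable": find_world_writable(root),
            "modified": find_modified(root, baseline),
        }


if __name__ == "__main__":
    print(demo())  # {'world_writable': ['.'], 'modified': ['wp-login.php']}
```

In practice the baseline would be stored off-host and the two checks run from cron or a file-integrity monitor; a hit on wp-login.php, or on any directory under the web root with the "other write" bit set, is exactly the signal that would have caught this step before Cliff's next login.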


After some time I look at /tmp and there it is, the user_data file.



There we go! So now I try to use this password to log in as Cliff, but it doesn't work! When I try it for the root user, though, it works!



Nice! The absolute keylogging technique worked and now I'm root!

