Aragog Box Writeup & Walkthrough – [HTB] – HackTheBox
This article shows, step by step, how to hack the Aragog box and obtain both user.txt and root.txt using Kali Linux and its tools.
Introduction
Aragog is a machine on the HackTheBox Platform.
Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated.
This article shows how to hack the Aragog box and get root permission.
Enumeration
Before attacking the Aragog box, we first need to enumerate its open ports, so we run an nmap scan against it. The scan identifies the open ports.
We identify that there are 3 ports open.
- FTP service running on port 21.
- SSH service running on port 22.
- HTTP service running on port 80.
Then, we enumerate HTTP service and check if we can find anything from the website.
We find a PHP file (hosts.php). This completes the initial enumeration, and we move on to the next step.
Hack Aragog Box
Obtain User.txt
Hack FTP Server
We know that there is an FTP service. FTP servers commonly suffer from a few weaknesses, such as weak or anonymous credentials. First, let us attempt to log in to the FTP service as the anonymous user.
We use the following credentials to log in to the FTP service.
Username: ftp
Password: ftp
After logging in to the FTP service, we find a TXT file, which we download with the “get” command.
We then check the content of the TXT file: it is actually XML, but we do not yet know how or where to use it.
Hack HTTP Service
Then we move to the HTTP service, open a browser and navigate to the web application.
Observe that the web application displays a message:
There are 4294967294 possible hosts for
After some googling, we find that the number 4294967294 is related to subnet masks. The TXT file is also related to subnet masks. Therefore, I assume that we can submit a malicious request to the endpoint (hosts.php), and that the malicious request can be built from the above TXT file (test.txt).
Obtain User.txt
We open Burp and a browser, navigate to the hosts.php page, intercept the “GET” HTTP request, and send it to Repeater.
Then we change the method to “POST” and use the TXT file’s content as the POST body.
The website returns a valid response and calculates the number of possible hosts.
The POST body is XML, so the website may be vulnerable to XML External Entity (XXE) injection. Let’s create a payload and attempt to read the /etc/passwd file.
To obtain user.txt, we just need to change the file location to the user.txt file.
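The root cause here is an XML parser that honours a DOCTYPE supplied by the client. The following is an added example (not code from the writeup or from the box) of how an endpoint like hosts.php should handle the same request: reject any DOCTYPE before parsing, then compute the host count from the mask. The element names `<details>` and `<subnet_mask>` and the sample bodies are assumptions for illustration; the box’s real schema is not shown above. It also shows where the number 4294967294 comes from: an all-zero mask leaves 2^32 − 2 usable host addresses.

```python
"""Hardened version of what an endpoint like hosts.php has to do: parse a
small subnet XML document and return the host count, without ever honouring
a DOCTYPE. Added example, not code from the writeup or the box; the element
names <details> and <subnet_mask> and the sample documents are assumed."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# A DOCTYPE is the only place an XML document can declare entities, and a
# subnet calculator has no use for one, so reject it before parsing at all.
_DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


def possible_hosts(mask: str) -> int:
    """Usable host addresses for a dotted-decimal IPv4 netmask.

    An all-zero mask gives 2**32 - 2 = 4294967294, the number the box shows.
    """
    net = ipaddress.IPv4Network(("0.0.0.0", mask))  # raises ValueError on a bad mask
    return max(net.num_addresses - 2, 0)  # network and broadcast addresses excluded


def handle_request(body: str) -> dict:
    """Validate the request body, then compute the result.

    Returns {"ok": True, "hosts": n} or {"ok": False, "error": reason}.
    """
    if _DOCTYPE_RE.search(body):
        # This check is what stops XXE: no DTD means no entities of any kind.
        return {"ok": False, "error": "DOCTYPE not allowed"}
    try:
        # stdlib expat parser; it does not fetch external entities on its own
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return {"ok": False, "error": f"malformed XML: {exc}"}
    mask = root.findtext("subnet_mask")
    if mask is None or not mask.strip():
        return {"ok": False, "error": "missing subnet_mask"}
    try:
        return {"ok": True, "hosts": possible_hosts(mask.strip())}
    except ValueError:
        return {"ok": False, "error": "invalid subnet_mask"}


# Constructed sample bodies (not captured from the box).
SAMPLE_OK = "<details><subnet_mask>255.255.255.0</subnet_mask><test></test></details>"
SAMPLE_DOCTYPE = (
    '<!DOCTYPE details [<!ENTITY demo "internal-only">]>'
    "<details><subnet_mask>&demo;</subnet_mask></details>"
)

if __name__ == "__main__":
    print(handle_request(SAMPLE_OK))       # {'ok': True, 'hosts': 254}
    print(handle_request(SAMPLE_DOCTYPE))  # {'ok': False, 'error': 'DOCTYPE not allowed'}
```

Rejecting the DOCTYPE outright is simpler and safer than trying to allow “harmless” entities: the endpoint only ever needs a mask, so any document that declares a DTD is already outside its contract.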
Obtain Root.txt
Now we are going to obtain root.txt. To gain root access, we have to perform privilege escalation.
We first need a shell before performing privilege escalation. As our scan showed, an SSH service is running on this server.
As you may know, SSH supports two ways to log in: with a password or with a key. We can obtain the user’s SSH key by reading the local SSH key file (id_rsa) in the same way.
We copy the key to our local Kali machine and use it to log in to the target server.
Then we go to the web directory (/var/www/html).
There is a folder called “dev_wiki”. We visit it in our browser.
From the website, we learn that the user “Cliff” resets the website regularly and that it runs the WordPress CMS. Therefore, if we can capture this user’s username and password, we may be able to use the credentials to log in to the server as Cliff or as root (the user may reuse the password).
We then edit the wp-login.php file and add our own content to it.
After a few minutes, we successfully obtain the user’s credentials.
We log in to the server again using the above credentials, and we log in successfully.
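The edit to wp-login.php described above is exactly the kind of change a file-integrity check over the web root would catch. The following is an added example (not code from the writeup or the box) that hashes every file under a web root, stores the baseline, and reports what was added, removed or modified on a later run; the directory tree and file contents in `demo()` are constructed for the demonstration and are not taken from the machine.

```python
"""File-integrity check for a web root, to detect edits like the one made to
wp-login.php above. Added example, not code from the writeup or the box.
Paths and file contents in demo() are constructed for the demonstration."""
import hashlib
import os
import tempfile


def build_baseline(webroot: str) -> dict:
    """Map each file's path (relative to webroot) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            with open(full, "rb") as fh:
                baseline[rel] = hashlib.sha256(fh.read()).hexdigest()
    return baseline


def compare_baselines(old: dict, new: dict) -> dict:
    """Report which files were added, removed or changed between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> dict:
    """Constructed scenario: a WordPress-like tree, then wp-login.php is edited."""
    with tempfile.TemporaryDirectory() as webroot:
        files = {
            "index.php": "<?php // constructed placeholder\n",
            "dev_wiki/wp-login.php": "<?php // constructed placeholder login page\n",
            "dev_wiki/wp-config.php": "<?php // constructed placeholder config\n",
        }
        for rel, content in files.items():
            full = os.path.join(webroot, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(content)
        before = build_baseline(webroot)

        # Simulate an unauthorised edit to the login page, as in the writeup.
        with open(os.path.join(webroot, "dev_wiki/wp-login.php"), "a") as fh:
            fh.write("// constructed: a line appended by someone else\n")

        after = build_baseline(webroot)
        return compare_baselines(before, after)


if __name__ == "__main__":
    print(demo())  # {'added': [], 'removed': [], 'modified': ['dev_wiki/wp-login.php']}
```

In practice the baseline would be written to a location the web server user cannot modify and the comparison run on a schedule; a change to a core file such as wp-login.php outside a known deployment is the alert.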
Summary
This box is not too difficult. I spent most of the time on the initial step (around 3 hours). I was thinking that it was a code injection vulnerability; I attempted several payloads, but they did not work. After I identified it was XXE, everything was easy.