VulnHub — Harry Potter: Aragog (1.0.2)

Patrick
6 min read · Jul 15, 2021

I’m going to do a few posts on this box because it used a few techniques that I want to write up and explore a little more thoroughly. Also a heads up I use Oracle VirtualBox and a Kali Linux VM for my CTFs. Find the Aragog box HERE! Thanks to Mansoor for creating this box.

Running an nmap scan against the Aragog box, we can see that SSH is running as well as an Apache HTTP server.

We went to the IP address in a browser and found a cool picture of my main man Harry and the gang fighting off he-who-shall-not-be-named, but no other relevant information.

Surely there is a reason an Apache server is running, so to learn more let’s run a scan. Dirb is a web content scanner (find more info here); running it against Aragog’s IP, we discover a few directories.

dirb scan with no recursive search

We used the -r flag to save ourselves some time by not searching each directory recursively. We did discover Aragog has a /blog/ directory, and browsing to it we see a barebones WordPress blog set up.

WPscan is a tool that I had not come across prior to this. WordPress was, and is, an extremely popular content management system for blogs and other websites that allows just about anyone to make edits or updates to a website, regardless of how technologically obtuse they may be. I was wondering how popular WordPress still is today, since I had not really considered it for probably 10 years, and found a good blog entry here. As I suspected, it’s still extremely popular, much of it due to the huge variety of plug-ins and themes available. What makes it so popular is also what makes it insecure: it is very modular, you can install community-written plug-ins and themes, and it is geared towards the less technically inclined, which results in less frequent updating and patching out of fear of “screwing things up”.

WPscan is therefore a very useful tool for discovering vulnerabilities that may be lurking on your webpage or blog.

Apologies for the poor crop but I wanted to show the CVE #

Here is one of the vulnerabilities our scan picked up, which allows for remote code execution. A pretty cool feature of the Metasploit Framework is how searchable it is. Just running search CVE-2020-25213 gives us a result that we can use.

Filling out our options and running it, we get some good results and a shell on Aragog. Poking around, we find our first horcrux (flag) in /home/hagrid98, and in /etc/wordpress we find a config file with a password stored in cleartext.

I don’t have much experience with MySQL so I got a little help on this part (which you can view here), but we get access to a password hash for hagrid98, which we cracked with John the Ripper. (Mental note: learn some MySQL commands and navigation.)

We can SSH into Aragog with hagrid98’s MySQL credentials, and now we need to escalate privileges.

Trying to SSH as root with the password mySecr3tPass didn’t work so we will have to find another way.

Pspy is a very cool tool that shows processes without needing root permissions. Finding things running in the background that can potentially be exploited is very valuable. For a good write-up of pspy and installation instructions, check out this write-up. When we ran pspy here, we discovered a backup script running intermittently.

Found with pspy

Lucky us: .backup.sh is owned by hagrid98 and not root, which means we will be able to edit that file. Since WordPress is installed, it can be assumed that PHP is available, so popping a PHP reverse shell should be possible; by adding a line to .backup.sh that launches the reverse shell, our script runs whenever the scheduled job runs .backup.sh.

We copy the PHP reverse shell script that ships with Kali Linux (/usr/share/webshells/php/php-reverse-shell.php) into the temp folder, edit it to point to our Kali box and then start listening with nc.

Edit the .backup.sh to run the reverse shell

We set up our listener on port 1234 on our Kali box, and success!
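The weakness that made this escalation possible is a scheduled job run as root executing a script that a non-root user owns or can write to. As an added example (not part of the original writeup), this Python audit parses system-crontab lines and flags scripts whose owner or mode would let a lower-privileged user change what root executes; the crontab lines and the /opt/.backup.sh path are constructed, since the box’s actual path is not shown above.

```python
import os
import stat

# Constructed sample in system-crontab format (m h dom mon dow user command).
# The /opt/.backup.sh path is assumed; the writeup does not say where the script lives.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
*/5 * * * * root /opt/.backup.sh
0 3 * * * root /usr/local/bin/rotate-logs --quiet
"""

def scripts_from_crontab(text):
    """Yield (user, script_path) for each job line of a system crontab."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) == 7:
            yield fields[5], fields[6].split()[0]

def audit_script(st_uid, st_mode, runner_uid=0):
    """Findings for a script that a scheduler executes as runner_uid (0 = root).
    On Aragog root's cron job ran .backup.sh but hagrid98 owned the file, so a
    non-root user could choose what root executes: the first check below."""
    findings = []
    if st_uid != runner_uid:
        findings.append(f"owned by uid {st_uid}, not by uid {runner_uid} that runs it")
    if st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings

def audit_path(path, runner_uid=0):
    """Stat a real file; also flag a parent directory that lets others replace it."""
    st = os.stat(path)
    findings = audit_script(st.st_uid, st.st_mode, runner_uid)
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory world-writable without sticky bit")
    return findings

if __name__ == "__main__":
    for user, path in scripts_from_crontab(SAMPLE_CRONTAB):
        try:
            print(user, path, audit_path(path) or ["ok"])
        except OSError as err:
            print(user, path, "cannot stat:", err)
```

Run it against /etc/crontab and /etc/cron.d/* on a box you administer; any finding on a root job is the same shape of problem hagrid98 exploited here.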

Root access and the final horcrux can be found in /root/. I’ll let you decode the horcruxes and discover what they mean for yourself.

What did I learn? Well, first, all the credit in the world to https://www.0x1ceb00da.net/harry-potter-aragog/ because I am not experienced enough to figure all this out on my own, and I thought they did some very clever things to get the horcruxes.

Dirb: Dirb is a tool that discovers web directories by making an HTTP request for each entry in a wordlist and checking the HTTP response to each request.

Here’s a nice post from Tech Zoom that can help get you going with dirb.

WPscan: WPscan scans a target server with WordPress installed, determines what vulnerabilities exist, and can give further information: the version of WordPress being run, the theme, the plugins that may be in use and other details that help us enumerate the website. Using it to scan for vulnerabilities is a quick and dirty way to get CVEs which we can then exploit. Update your stuff, people!!

https://linuxconfig.org/use-wpscan-to-scan-wordpress-for-vulnerabilities-on-kali

https://www.wpwhitesecurity.com/why-malicious-hacker-target-wordpress/

Pspy: pspy is a very cool tool which monitors processes and may discover cron jobs. It does this by monitoring /proc/ and /usr to catch short-lived processes. And what’s even cooler than that is the way in which 0x1ceb00da attached a reverse webshell to a backup job and popped a shell. This was a very clever trick that achieved our result quickly and painlessly!
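To see the /proc-polling idea that pspy builds on, here is an added example (not pspy’s own code, which is written in Go, and not from the writeup): it snapshots the processes visible in /proc, diffs successive snapshots, and reports commands that appeared in between, which is how a periodic job like the backup script shows up. The proc_root parameter and the /opt/.backup.sh path in the comments are assumptions.

```python
import os
import time

def parse_cmdline(raw):
    """/proc/<pid>/cmdline stores argv NUL-separated; render it as one string."""
    return raw.replace(b"\0", b" ").decode("utf-8", errors="replace").strip()

def read_proc_snapshot(proc_root="/proc"):
    """Return {pid: cmdline} for every process visible under proc_root.
    cmdline is readable by unprivileged users on most systems, which is why a
    tool like pspy does not need root. proc_root is a parameter (an assumption
    of this example) only so the function can be pointed at a copy for testing."""
    snap = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                snap[int(entry)] = parse_cmdline(fh.read())
        except OSError:
            continue  # the process exited between listdir() and open()
    return snap

def new_processes(before, after):
    """Processes present in `after` but not in `before`: the short-lived
    children a cron job spawns (e.g. a constructed "/bin/sh /opt/.backup.sh"),
    which a single `ps` would usually miss."""
    return {pid: cmd for pid, cmd in after.items() if pid not in before}

def watch(interval=0.02, rounds=500, proc_root="/proc"):
    """Poll quickly and print every new command seen in the window. pspy also
    watches filesystem events under paths such as /usr so it can rescan the
    moment something changes, instead of relying on the timer alone."""
    prev = read_proc_snapshot(proc_root)
    for _ in range(rounds):
        time.sleep(interval)
        cur = read_proc_snapshot(proc_root)
        for pid, cmd in sorted(new_processes(prev, cur).items()):
            print(f"pid {pid}: {cmd or '[kernel thread]'}")
        prev = cur

if __name__ == "__main__":
    watch()
```

From the defender’s side the same loop is a cheap way to confirm which scheduled jobs actually fire on a host and under which command line.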

Again, not trying to take credit for the exploits done in this CTF, but simply trying to learn as much as I can, document some things that I learned and keep enjoying myself because these are FUN! Again, thank you to the resources that I used and Mansoor (@time4ster) for creating this!


Patrick

Cybersec, CTF, Technology enthusiast - Denver