Vulnhub Harry Potter Aragog — Walkthrough
Import the Vulnerable machine in your virtual box. Change the Network settings to bridged adapter so that you can access the machine.
Let’s get started!
Initial Scanning
Nmap Scan
We can see that our machine is hosting a website and that the SSH port is open. Let’s check out the website.
Dirbuster
Use DirBuster to find the directories.
We found the ‘/blog’ directory.
Note
Configure /etc/hosts so that the other hyperlinks on the site resolve.
The footer of the website shows that it is a WordPress site, and Wappalyzer confirms this.
Metasploit
Scan for vulnerabilities
We use this module in Metasploit to scan for the vulnerability.
We found an exploit in msf.
Run the exploit with the following options.
Run the exploit
We got a Meterpreter shell.
In the home directory we can see two folders
Inside hagrid’s folder we found the first Horcrux.
Here is the first Horcrux
horcrux_{MTogUmlkRGxFJ3MgRGlBcnkgZEVzdHJvWWVkIEJ5IGhhUnJ5IGluIGNoYU1iRXIgb2YgU2VDcmV0cw==}
Now we need to escalate our privileges to a user account.
We found the DB login details.
Log in to the database with the credentials.
We got the user’s password hash.
Crack the hash with John the Ripper.
SSH to hagrid98 with the password.
Now it’s time to escalate to the root user.
Use pspy to find the processes running in the background. Here is a guide on how to get started with pspy.
We found that backup.sh runs in the background at an interval, and it runs as the root user.
Rewrite .backup.sh with a reverse shell.
Online — Reverse Shell Generator
Run a listener with netcat, and after some time you will get the root shell.
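The root-shell step works because a script that root runs on a schedule is writable by an unprivileged user. The following is an added defender-side audit, not part of the original walkthrough or of the Aragog machine: it parses system-crontab style entries (an assumed format with a user field), finds the scripts each job executes, and reports any that are group/world-writable or sit in a world-writable directory. The crontab text and script files it checks are constructed in a temporary directory for the demonstration.

```python
import re
import stat
import tempfile
from pathlib import Path


def parse_crontab(text):
    """Return (user, command) pairs from system-crontab style text.

    Assumed format: five schedule fields (or an @keyword), a user, then the command.
    Blank lines, comments and VAR=value assignments are skipped.
    """
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):
            fields = line.split(None, 2)          # @reboot user command
            if len(fields) < 3:
                continue
            jobs.append((fields[1], fields[2]))
        else:
            fields = line.split(None, 6)          # m h dom mon dow user command
            if len(fields) < 7:
                continue
            jobs.append((fields[5], fields[6]))
    return jobs


def script_paths(command):
    """Absolute paths referenced by a command (the interpreter and the script)."""
    return re.findall(r"(?<!\S)(/[^\s;&|]+)", command)


def audit_cron(text):
    """Flag scheduled scripts that a non-owner could modify before root runs them."""
    findings = []
    for user, command in parse_crontab(text):
        for p in script_paths(command):
            path = Path(p)
            if not path.is_file():
                continue
            problems = []
            mode = path.stat().st_mode
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                problems.append("script is group/world-writable")
            parent_mode = path.parent.stat().st_mode
            # A world-writable parent without the sticky bit lets anyone replace the file.
            if parent_mode & stat.S_IWOTH and not parent_mode & stat.S_ISVTX:
                problems.append("parent directory is world-writable")
            if problems:
                findings.append({"user": user, "path": p, "problems": problems})
    return findings


def build_demo():
    """Constructed fixture: one root job whose script is world-writable (the Aragog
    misconfiguration) beside one with sane permissions."""
    root = Path(tempfile.mkdtemp())
    bad = root / "backup.sh"
    bad.write_text("#!/bin/bash\ntar czf /tmp/backup.tgz /var/www\n")
    bad.chmod(0o777)                               # anyone can rewrite it
    good = root / "rotate.sh"
    good.write_text("#!/bin/bash\nlogrotate /etc/logrotate.conf\n")
    good.chmod(0o755)                              # owner-only write
    crontab = (
        f"SHELL=/bin/sh\n"
        f"* * * * * root /bin/bash {bad}\n"
        f"0 2 * * * root {good}\n"
        f"@reboot root /usr/bin/true\n"
    )
    return audit_cron(crontab)


if __name__ == "__main__":
    for f in build_demo():
        print(f"{f['user']} runs {f['path']}: {', '.join(f['problems'])}")
```

On a real host you would feed it the contents of /etc/crontab and the files under /etc/cron.d; any script it flags should be owned by root with mode 0755 or stricter, which is the fix for the weakness this box relies on.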
The second Horcrux
horcrux_{MjogbWFSdm9MbyBHYVVudCdzIHJpTmcgZGVTdHJPeWVkIGJZIERVbWJsZWRPcmU=}
Decode the Horcrux with base64:
1: RidDlE’s DiAry dEstroYed By haRry in chaMbEr of SeCrets
2: maRvoLo GaUnt’s riNg deStrOyed bY DUmbledOre