Aragog – HackTheBox

Aragog – 10.10.10.78

Target Enumeration:

OS: Linux

IP: 10.10.10.78

User: f43bdfbcfd3f2a955a7b67c7a6e21359

Root: 9a9da52d7aad358699a96a5754595de6

Vulnerability Exploited:

XML external entity (XXE) injection to read the passwd file and grab id_rsa keys.

Privilege Escalation:

Root user logs into the application with plaintext credentials. Modifying the wp-login.php page to dump passwords to disk reveals a root password.

Exploiting the host:

Nmap

image

Dirbuster

image

Hosts.php

image

This is a strange request, so build a POST request to /hosts and test for external entity injection; you will find it is vulnerable to LFI.

image

Found the user.txt

image

F43bdfbcfd3f2a955a7b67c7a6e21359

Vulnerable code:

image
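
An added example, not code from this write-up or from the target: a hardened way for an endpoint like hosts.php to parse posted XML so that entity declarations are never processed. The function name parse_hosts_request and the subnet_mask element are assumptions for illustration.

```php
<?php
// Added example, not the box's code. parse_hosts_request() and the
// <subnet_mask> element name are assumptions for illustration.
function parse_hosts_request(string $body): ?string
{
    // The endpoint has no legitimate need for a DTD, and entities are
    // declared inside one, so refuse it before the parser ever runs.
    if ($body === '' || stripos($body, '<!DOCTYPE') !== false
        || stripos($body, '<!ENTITY') !== false) {
        return null;
    }
    if (PHP_VERSION_ID < 80000) {
        // Older PHP/libxml builds: switch the external entity loader off.
        libxml_disable_entity_loader(true);
    }
    $prev = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT
    // (substitute entities) and LIBXML_DTDLOAD are deliberately not set.
    $ok = $dom->loadXML($body, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    // Second check after parsing catches a DOCTYPE that slipped past the
    // string test, e.g. in a document sent in a different encoding.
    if (!$ok || $dom->doctype !== null) {
        return null;
    }
    $nodes = $dom->getElementsByTagName('subnet_mask');
    if ($nodes->length !== 1) {
        return null;
    }
    // Allow-list the value instead of echoing whatever the XML contained.
    $mask = trim($nodes->item(0)->textContent);
    return filter_var($mask, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false
        ? $mask : null;
}

// Constructed sample inputs: one plain request, one carrying a DTD.
$benign  = '<details><subnet_mask>255.255.255.192</subnet_mask></details>';
$withDtd = '<!DOCTYPE d [<!ENTITY x "expanded">]>'
         . '<details><subnet_mask>&x;</subnet_mask></details>';
var_dump(parse_hosts_request($benign));
var_dump(parse_hosts_request($withDtd));
```

The plain request returns its validated mask, while the request carrying a DOCTYPE is refused with null before any entity is resolved.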

We can't brute-force SSH, as it does not allow password authentication.

Grab the SSH key file.

image

Download the file, chmod 400 it, and log in via SSH as florian, whom we found in the /etc/passwd file.

image

Bash history

image

MySQL history

image

MySQL password located in the wp-config file

image

This password gives you access to the MySQL database.

image

Found admin hash

image

Also found a comment from cliff to florian:

image

Now we need to access the webpage, so map it locally with ssh -L and access it (add 10.10.10.78 aragog to your hosts file).

image

Now you can visit the WordPress application.

image

We know from the database that the username is administrator, so let's see if there are any WordPress exploits.

WPScan doesn’t bring anything back and ultimately there is no way into the application.

Checking running processes every few seconds shows cliff running a python script called wp-login.py.

image

We can assume from this that he may be logging into the application.

We can modify wp-login.php, so add the following lines under the submit button.

image

Wait around 1 minute and you will see that loginData.txt has appeared in the /var/www/html directory.

Cat the file and you will have some credentials.

image

Run su root to get a root shell with the password disclosed.

image

Vulnerable programs/scripts:

image