Aragog

Aragog - 10.10.10.78

Target Enumeration:

OS: Linux

IP: 10.10.10.78

User: f43bdfbcfd3f2a955a7b67c7a6e21359

Root: 9a9da52d7aad358699a96a5754595de6

Vulnerability Exploited:

XML External Entity (XXE) injection to read the passwd file and retrieve an id_rsa key.

Privilege Escalation:

The root user logs into the application with plaintext credentials; modifying the wp-login.php page to dump submitted passwords to disk reveals the root password.

Exploiting the host:

Nmap

Dirbuster

Hosts.php

This is an unusual request, so build a POST request to /hosts and test it for XML external entity injection; it turns out to be vulnerable and allows local files to be read (LFI).
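For comparison, here is how a PHP handler for this kind of XML request can be written so that entity references never reach the filesystem. This is an added example, not the box's own hosts.php; the element names subnet_mask and test, and the use of SimpleXML, are assumptions made for illustration.

```php
<?php
// Added example, not the box's own hosts.php: parse the XML body that the
// endpoint accepts without ever resolving external entities.
// The element names (subnet_mask, test) are assumptions for illustration.

function parse_hosts_request(string $body): ?array
{
    // Reject any DTD outright. Entity declarations are the only way an XXE
    // payload can start, and a hosts lookup has no legitimate use for them.
    if (stripos($body, '<!DOCTYPE') !== false || stripos($body, '<!ENTITY') !== false) {
        return null;
    }

    $previousSetting = libxml_use_internal_errors(true);

    // Weak setting behind XXE-style file reads in PHP:
    //   simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NOENT);
    // LIBXML_NOENT substitutes entities, so a SYSTEM entity pointing at a
    // local file is expanded into the document and reflected to the client.
    // Hardened: no LIBXML_NOENT, plus LIBXML_NONET so the parser never
    // performs network fetches for DTDs or entities.
    $doc = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NONET);

    libxml_clear_errors();
    libxml_use_internal_errors($previousSetting);

    if ($doc === false) {
        return null; // malformed XML
    }

    return [
        'subnet_mask' => (string) $doc->subnet_mask,
        'test'        => (string) $doc->test,
    ];
}

// Constructed sample inputs for a stand-alone run: the benign body is
// parsed into its two fields, the DTD-bearing body is rejected before
// the XML parser ever sees it.
$benign  = '<details><subnet_mask>255.255.255.0</subnet_mask><test>1</test></details>';
$withDtd = '<!DOCTYPE details [<!ENTITY x "declared">]><details><subnet_mask>&x;</subnet_mask></details>';

var_dump(parse_hosts_request($benign));
var_dump(parse_hosts_request($withDtd));
```

The DOCTYPE check is the part that matters: libxml's handling of entity references varies with flags and version, so refusing any DTD up front is more robust than relying on parser options alone.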

Found the user.txt

f43bdfbcfd3f2a955a7b67c7a6e21359

Vulnerable code:

SSH cannot be brute-forced because the server does not allow password authentication.

Grab the SSH key file

Download the key, chmod 400 it and log in via SSH as florian, a user found in the /etc/passwd file.

Bash history

MySQL history

MySQL password located in the wp-config file

This password gives access to the MySQL database.

Found the admin hash

Also found a comment from cliff to florian:

Now we need to reach the web application, so forward it locally with ssh -L and browse to it (add "10.10.10.78 aragog" to your hosts file).

Now you can visit the WordPress application.

We know from the database that the username is administrator, so let's see if there are any WordPress exploits.

WPScan returns nothing useful, and ultimately there is no direct way into the application.

Checking the running processes every few seconds shows cliff running a Python script called wp-login.py.

From this we can assume that he may be logging into the application periodically.

We can modify wp-login.php, so add the following lines under the submit button.

Wait around 1 minute and loginData.txt will appear in the /var/www/html directory.

Cat the file and you will have a set of credentials.

Run su root with the disclosed password to get a root shell.

Vulnerable programs/scripts: