Hi, this is a walkthrough of the vulnhub Harry Potter: Argaog. This machine is created by Mansoor R and can be downloaded from vulnhub.
The very first step is to find all the open ports on the target machine. I used nmap to find all open ports.
Only a couple of ports open 22 and 80. Let’s run map again to detect service version of these ports.
Nothing interesting when opened IP in a browser.
Then I used gobuster to enumerate web directories and pages.
Visiting /blog in a browser shows its a Wordpress site. To confirm its further I again ran gobuster on /blog.
I used wpscan to scan the Wordpress, but unable to find anything useful. After spending some time I used metsaploit auxilary scanner to scan Wordpress.
/auxiliary/scanner/http/wordpress-scanner
This gives me the path to get the foothold on the box. Below is the result.
The wp-file-manager version < 6.9 is vulnerable to unauthenticated arbitrary file upload resulting in full compromise of the system. I found the good shell script to exploit this vulnerability on github. The more details can also be found at this medium link.
I downloaded it on the attacking machine, it just needs the URL and the file to upload to get shell. Used php-backdoor.php after updating IP address.
Started the netcat listener on kali on port 1234.
Visited the below URL in a browser:
http://<your-IP>/blog/wp-content/plugins/wp-file-manager/lib/files/rshell.php
Got the shell on the box.
To enumerate the box further, I used linPEAS.sh. LinPEAS found db-username and password as well as some backup.sh file owned by user hagrid98
Used above creds to login into the database. Found wp-admin password hash. The wp-admin is none other than hagrid98 .
Cracked the hash using the john and it gives me the password for wp-admin (hagrid98) user.
Able to successfully login as hagrid98 user with above password.
Used pspy to find the jobs running in the background, and found a .backup.sh is running after a few minutes by user root.
Appended the reverse shell payload to the file /opt/.backup.sh
Started the netcat listener on port 5555 on kali to get the reverse shell, and got it.
Hope you like it. Thanks for reading.