Hi all!! In this write-up I will walk you through how to get root access on the Vulnhub Harry Potter: Nagini. This is the second machine of the Harry Potter series by the creator Mansoor R. I would really say that to get the initial shell on the box was really difficult for me.
If you also want to try you can download it from this link.
Let’s begin with nmap scan for all open ports. Only couple of ports are open.
Let’s detect the running services and their versions.
When I opened the page in the page in the browser, below image was displayed.
I downloaded this image on my local machine used exiftool, strings to find hidden message if any, but no luck. Then I used gobuster to enumerate the directories and web pages. The gobuster gives couple of important hints, note.txt and joomla.
When opened note.txt in browser, it has below hint.
So I updated hosts file on my local machine with the above entry for the IP address of nagini machine. Again used gobuster on this, but of no use. I searched for HTTP3 on google and came across the github page.
Downloaded and make a build of it on my local machine. This program supports HTTP3.
After opening the URL with curl that support httpv3, it says there is some php page “internalResourceFeTcher.php” is running. I visited the page in the browser.
I tried for both LFI and RFI, but it did not work for me, as it is taking the URL as parameter possibility that it is vulnerable to SSRF (Server Side Request Forgery), for checking that I tried to open the note.txt and able to read it.
It is also possible to read sensitive file using SSRF using ‘file’ schema so I used file:///etc/passwd and it gave me the contents of the passwd file.
I tried to read some other files like id_rsa or authorized_keys etc. but failed. Then I turned out towards Joomla and scan it using joomscan. It gave me the backup of the configuration.php file.
Downloaded the backup file on my local machine and it has below information.
I downloaded the configuration.php file using SSRF but the contents of both the files are same.
After spending hours I am unable to make any progress, while reading about the SSRF, I came across this article, and decided to give it a try. But to use this we need to know the db username, db name etc. which we have from backup file. So I tried to fetch the users from joomla_users table from joomla db.
gopher://127.0.0.1:3306/_%a5%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%67%6f%62%6c%69%6e%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%28%00%00%00%03%55%53%45%20%6a%6f%6f%6d%6c%61%3b%20%53%45%4c%45%43%54%20%2a%20%66%72%6f%6d%20%6a%6f%6f%6d%6c%61%5f%75%73%65%72%73%3b%01%00%00%00%01
This gave me the contents of the joomla_users table.
After this, I tried to create a new admin but my query failed, so decided to change the password for existing admin. I decided to set the password as “admin2” MD5 hash of the password “c84258e9c39059a89ab77d846ddab909".
USE joomla; UPDATE joomla_users SET password = ‘c84258e9c39059a89ab77d846ddab909’ WHERE email= ‘site_admin@nagini.hogwarts’;
I am able to successfully update the password of site_admin with the new password.
Now from here, just need to add the PHP RCE payload, and we are done. For detail, follow steps mentioned here.
Visit the URL “http://192.168.1.11/joomla/templates/protostar/my_shell.ph” pin browser.
RCE:
Copied the reverse shell payload, made changes to get reverse shell and started the netcat listener on local host on port 4242.
After gaining shell, when I checked found two users on box snape and hermoine. I am able to read some files for their home directories.
Creds for user snape.
With this password, I am able to login as snape user. The find command showed a guid binary owned by user hermoine.
The binary is nothing but the binary for cp with name changed.
Privilege Escalate to user hermonie
To escalate my privilege to user hermonie, I decided to generate the ssh keys and copy it to .ssh directory of the user hermoine.
Then copied id_rsa.pub key to the /home/hermoine/.ssh/authorized_keys using suid binary.
SSH as hermoine:
In home directory of hermoine, there is a .mozilla directory.
So I decided to recover the username and password from it. I used a firefox_decrypt script for that.
Copied the whole .mozilla folder on my kali machine. Clone the firefox_decrypt on Kali and recovered the username and password.
Root Flag:
It is really a good box to get the initial foothold. SSRF is interesting.
Hope you like it. Thanks for reading.
