Import the vulnerable machine into VirtualBox. Change the network settings to "bridged adapter" so that you can reach the machine from your host.
Let's get started!
Initial Scanning
Nmap Scan
We can see that the machine is hosting a website and that the SSH port is open. Let's check out the website.
Dirbuster
Use DirBuster to find directories.
We found the '/blog' directory.
Note
Configure /etc/hosts so the site's hostname resolves to the machine; otherwise the other hyperlinks on the site will not load.
By looking at the footer of the website we can confirm that it is a WordPress site, and we can double-check this with Wappalyzer.
Metasploit
Scan for vulnerability
We use this module in Metasploit to scan for the vulnerability.
We found an exploit in MSF.
Run the exploit with the following options.
Run the exploit.
We got a Meterpreter shell.
In the home directory we can see two folders.
Inside hagrid's folder we found the first Horcrux.
Here is the first Horcrux:
horcrux_{MTogUmlkRGxFJ3MgRGlBcnkgZEVzdHJvWWVkIEJ5IGhhUnJ5IGluIGNoYU1iRXIgb2YgU2VDcmV0cw==}
Now we need to escalate privileges to a user account.
linpeas
Upload linpeas.sh to the server.
Run linpeas.
We found the DB login details.
Log in to the database with the credentials.
We got the user's password hash.
Crack the hash with John the Ripper.
SSH to hagrid98 with the password.
Now it's time to escalate to the root user.
Use pspy to find the processes running in the background. Here is a guide on how to get started with pspy:
https://vk9-sec.com/how-to-enumerate-services-in-use-with-pspy/
We found that backup.sh is running in the background at a fixed interval, and it is running as the root user.
Rewrite .backup.sh with a reverse shell.
https://www.revshells.com
Run a listener on netcat, and after some time you will get the root shell.
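The root escalation works because a script that root's cron job executes can be modified by a low-privilege user. The following is an added example, not code from the original post, showing the check a defender would run to catch that misconfiguration before an attacker does: it inspects a cron script and reports whether a non-root user could alter what root runs. The path checked and the sample files are constructed for the demonstration; the function is hypothetical, not part of any tool mentioned above.

```python
import os
import stat
import tempfile


def audit_cron_script(path):
    """Return a set of issue codes describing why root should not run this script.

    An empty set means the file is owned by root, not writable by group or
    others, and lives in a directory that others cannot replace it in.
    """
    issues = set()
    st = os.stat(path)

    # Root should own anything it executes from cron; a different owner can
    # rewrite the script at will.
    if st.st_uid != 0:
        issues.add("not_root_owned")

    # Group- or world-writable scripts can be rewritten by unprivileged users.
    if st.st_mode & stat.S_IWGRP:
        issues.add("group_writable")
    if st.st_mode & stat.S_IWOTH:
        issues.add("world_writable")

    # A world-writable parent directory (without the sticky bit) lets anyone
    # delete and replace the script even if the file itself is locked down.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        issues.add("dir_world_writable")

    return issues


def demo():
    """Constructed sample: one weak and one hardened script in a temp dir."""
    workdir = tempfile.mkdtemp()
    os.chmod(workdir, 0o755)

    weak = os.path.join(workdir, "backup.sh")
    with open(weak, "w") as fh:
        fh.write("#!/bin/bash\ntar czf /root/backup.tgz /var/www\n")
    os.chmod(weak, 0o666)  # anyone can rewrite what root will execute

    hardened = os.path.join(workdir, "backup_fixed.sh")
    with open(hardened, "w") as fh:
        fh.write("#!/bin/bash\ntar czf /root/backup.tgz /var/www\n")
    os.chmod(hardened, 0o700)  # only the owner can read, write or run it

    return audit_cron_script(weak), audit_cron_script(hardened)


if __name__ == "__main__":
    weak_issues, hardened_issues = demo()
    print("backup.sh:", sorted(weak_issues))
    print("backup_fixed.sh:", sorted(hardened_issues))
```

On a real host you would point audit_cron_script at every script referenced from /etc/crontab, /etc/cron.d and the root crontab; the fix for a flagged file is chown root:root plus chmod 700 (or 755 if other users legitimately need to read it), and the same review applies to the directory that holds it.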
The second Horcrux:
horcrux_{MjogbWFSdm9MbyBHYVVudCdzIHJpTmcgZGVTdHJPeWVkIGJZIERVbWJsZWRPcmU=}
Decode the Horcruxes with base64:
1: RidDlE's DiAry dEstroYed By haRry in chaMbEr of SeCrets
2: maRvoLo GaUnt's riNg deStrOyed bY DUmbledOre
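Both flags follow the same pattern: a horcrux_{...} wrapper around a base64 string. As an added example (not part of the original post), the following Python strips the wrapper, validates that the payload really is base64 before decoding, and returns the plain text, so the same helper works for any flag in this format. The function name is my own choice.

```python
import base64
import binascii
import re

# Wrapper format used by both flags on this machine: horcrux_{<base64>}
FLAG_RE = re.compile(r"^horcrux_\{([A-Za-z0-9+/=]+)\}$")


def decode_horcrux(flag):
    """Return the decoded text of a horcrux_{...} flag, or raise ValueError."""
    match = FLAG_RE.match(flag.strip())
    if not match:
        raise ValueError("flag does not match horcrux_{...} format")
    payload = match.group(1)
    try:
        # validate=True rejects stray characters instead of silently dropping them
        raw = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("payload is not valid base64: %s" % exc)
    return raw.decode("utf-8")


# The two flags found on the machine (copied from the walkthrough above)
FLAGS = [
    "horcrux_{MTogUmlkRGxFJ3MgRGlBcnkgZEVzdHJvWWVkIEJ5IGhhUnJ5IGluIGNoYU1iRXIgb2YgU2VDcmV0cw==}",
    "horcrux_{MjogbWFSdm9MbyBHYVVudCdzIHJpTmcgZGVTdHJPeWVkIGJZIERVbWJsZWRPcmU=}",
]

if __name__ == "__main__":
    for flag in FLAGS:
        print(decode_horcrux(flag))
```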