Interactive Coloring

drag iconDrag any color from the left toolbar to an area or text in the page. A blue outline will indicate a droppable element.

drag iconOn mobile, wait a tiny bit until you drag the color drop.

Hackthebox Aragog Walkthrough

Hackthebox Aragog Walkthrough:

Nmap Result

FTP allow anonymous login, further enumeration reveal “test.txt” file.

The content of the “test.txt” file look like XML structure. First thing come to my mind, XXE? Next, let’s analyze http port found earlier. As usual, fire up dirbuster to bruteforce directories and files. To cut it straight, dirbuster result found “hosts.php” file.

It seems a subnet calculator and assuming “hosts.php” maybe parsing XML, let’s try what we found in ftp.

It works! The next step is to craft our XXE payload and extract information from the server. Our enumeration result said there is user “florian” and “cliff”. Enumeration result also tell us that there is a ssh public key in “/home/florian/.ssh/id_rsa”. Since our nmap result mentioned earlier tell us port 22 is open. Let’s try to SSH as  “florian”.
Yes!! Now we got into florian account, grab the “user.txt” and submit.Next, again enumeration is important. You can use LinEnum or LinuxPrivChecker. So, to cut it short our enumeration result found there is directory “dev_wiki”. If we try to access from the browser we will find that the links point to a domain (aragog) so we will have to add the domain to “/etc/hosts” file to get the page.
While browsing the wordpress page, i found a clue which is:

From the clue, cliff said:

I’ll be logging in regularly and will email the wider team when I need some more testers 😉

Since we can edit files in “dev_wiki” and the clue mentioned that cliff will be logging in regularly. I amend the user.php file as below:

Wait for a while, then we will see “logs.txt” file created which contain administrator password.

[email protected]:/var/www/html$ cat logs.txt
Administrator !KRgYs(JFO!&MTr)lf
Now, login as root with the credential.

Root Dance!!

This website use cookies to ensure that you have the best experience on this website.