HackTheBox - Aragog

IppSec · Beginner ·🔧 Backend Engineering ·7y ago

Key Takeaways

Exploits XXE vulnerability on a HackTheBox machine using FTP and PHP

Original Description

01:26 - Start of Recon 03:25 - Notice SSH configured for Pub Key Only. Hint at what to grab later! 03:50 - Grabbing test.txt off ftp server via anonymous auth 04:07 - Determining if I want to go down the "Exploit VSFTPD" rabbit hole 05:54 - Viewing test.txt and hosts.php 06:48 - Figuring out how hosts.php works and discovering XXE 08:58 - Start of XXE Discovery 10:16 - Making the XXE Output /etc/passwd 11:33 - Encoding output in Base64 in order to view PHP Files 12:58 - Using Burp Intruder to BruteForce Files 16:20 - Creating a program to bruteforce home directories 26:41 - Program Finished. Finding SSH ID_RSA Key 28:15 - Low Priv Access Granted 30:24 - LinEnum.sh shows Wordpress CHMOD'd to 777 31:05 - Examining Wordpress Site (big hint left by author) 32:10 - Enumerating MySQL Database 35:15 - Giving up on MySQL, lets edit PHP Files to dump passwords! 36:50 - Identifying the file we want to backdoor 37:51 - Placing our PHP Code 42:06 - Got the password!
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 49 of 60

1 HHC2016 - Analytics
HHC2016 - Analytics
IppSec
2 HackTheBox - October
HackTheBox - October
IppSec
3 HackTheBox - Arctic
HackTheBox - Arctic
IppSec
4 HackTheBox - Brainfuck
HackTheBox - Brainfuck
IppSec
5 HackTheBox - Bank
HackTheBox - Bank
IppSec
6 HackTheBox - Joker
HackTheBox - Joker
IppSec
7 HackTheBox - Lazy
HackTheBox - Lazy
IppSec
8 Camp CTF 2015 - Bitterman
Camp CTF 2015 - Bitterman
IppSec
9 HackTheBox - Devel
HackTheBox - Devel
IppSec
10 Reversing Malicious Office Document (Macro) Emotet(?)
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
11 HackTheBox - Granny and Grandpa
HackTheBox - Granny and Grandpa
IppSec
12 HackTheBox - Pivoting Update: Granny and Grandpa
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
13 HackTheBox - Optimum
HackTheBox - Optimum
IppSec
14 HackTheBox - Charon
HackTheBox - Charon
IppSec
15 HackTheBox - Sneaky
HackTheBox - Sneaky
IppSec
16 HackTheBox - Holiday
HackTheBox - Holiday
IppSec
17 HackTheBox - Europa
HackTheBox - Europa
IppSec
18 Introduction to tmux
Introduction to tmux
IppSec
19 HackTheBox - Blocky
HackTheBox - Blocky
IppSec
20 HackTheBox - Nineveh
HackTheBox - Nineveh
IppSec
21 HackTheBox - Jail
HackTheBox - Jail
IppSec
22 HackTheBox - Blue
HackTheBox - Blue
IppSec
23 HackTheBox - Calamity
HackTheBox - Calamity
IppSec
24 HackTheBox - Shrek
HackTheBox - Shrek
IppSec
25 HackTheBox - Mirai
HackTheBox - Mirai
IppSec
26 HackTheBox - Shocker
HackTheBox - Shocker
IppSec
27 HackTheBox - Mantis
HackTheBox - Mantis
IppSec
28 HackTheBox - Node
HackTheBox - Node
IppSec
29 HackTheBox - Kotarak
HackTheBox - Kotarak
IppSec
30 HackTheBox - Enterprise
HackTheBox - Enterprise
IppSec
31 HackTheBox - Sense
HackTheBox - Sense
IppSec
32 HackTheBox - Minion
HackTheBox - Minion
IppSec
33 VulnHub - Sokar
VulnHub - Sokar
IppSec
34 VulnHub - Pinkys Palace v2
VulnHub - Pinkys Palace v2
IppSec
35 HackTheBox - Inception
HackTheBox - Inception
IppSec
36 Vulnhub - Trollcave 1.2
Vulnhub - Trollcave 1.2
IppSec
37 HackTheBox - Ariekei
HackTheBox - Ariekei
IppSec
38 HackTheBox - Flux Capacitor
HackTheBox - Flux Capacitor
IppSec
39 HackTheBox - Jeeves
HackTheBox - Jeeves
IppSec
40 HackTheBox - Tally
HackTheBox - Tally
IppSec
41 HackTheBox - CrimeStoppers
HackTheBox - CrimeStoppers
IppSec
42 HackTheBox - Fulcrum
HackTheBox - Fulcrum
IppSec
43 HackTheBox - Chatterbox
HackTheBox - Chatterbox
IppSec
44 HackTheBox - Falafel
HackTheBox - Falafel
IppSec
45 How To Create Empire Modules
How To Create Empire Modules
IppSec
46 HackTheBox - Nightmare
HackTheBox - Nightmare
IppSec
47 HackTheBox - Nightmarev2  - Speed Run/Unintended Solutions
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
48 HackTheBox - Bart
HackTheBox - Bart
IppSec
HackTheBox -  Aragog
HackTheBox - Aragog
IppSec
50 HackTheBox - Valentine
HackTheBox - Valentine
IppSec
51 HackTheBox - Silo
HackTheBox - Silo
IppSec
52 HackTheBox - Rabbit
HackTheBox - Rabbit
IppSec
53 HackTheBox - Celestial
HackTheBox - Celestial
IppSec
54 HackTheBox - Stratosphere
HackTheBox - Stratosphere
IppSec
55 HackTheBox - Poison
HackTheBox - Poison
IppSec
56 HackTheBox - Canape
HackTheBox - Canape
IppSec
57 HackTheBox - Olympus
HackTheBox - Olympus
IppSec
58 HackTheBox - Sunday
HackTheBox - Sunday
IppSec
59 HackTheBox - Fighter
HackTheBox - Fighter
IppSec
60 HackTheBox - Bounty
HackTheBox - Bounty
IppSec

Related Reads

📰
atob() can't decode a JWT — the Base64URL gotcha (and the fix)
Learn how to fix the Base64URL decoding issue with atob() when working with JWTs
Dev.to · Daniel Cheong
📰
Why Debugging Made Me a Better Developer
Debugging improves development skills by teaching problem-solving and code analysis, making you a better developer
Medium · JavaScript
📰
Mapping Go Domain Errors to HTTP Status Codes at the Boundary
Learn to map Go domain errors to HTTP status codes at the boundary for cleaner code and better error handling
Dev.to · Gabriel Anhaia
📰
The dual-write problem in NestJS, solved with Drizzle: a transactional outbox + idempotent inbox
Learn to solve the dual-write problem in NestJS using Drizzle, a transactional outbox and idempotent inbox, to ensure data consistency in event-driven backends
Dev.to · Rodrigo Nogueira

Chapters (20)

1:26 Start of Recon
3:25 Notice SSH configured for Pub Key Only. Hint at what to grab later!
3:50 Grabbing test.txt off ftp server via anonymous auth
4:07 Determining if I want to go down the "Exploit VSFTPD" rabbit hole
5:54 Viewing test.txt and hosts.php
6:48 Figuring out how hosts.php works and discovering XXE
8:58 Start of XXE Discovery
10:16 Making the XXE Output /etc/passwd
11:33 Encoding output in Base64 in order to view PHP Files
12:58 Using Burp Intruder to BruteForce Files
16:20 Creating a program to bruteforce home directories
26:41 Program Finished. Finding SSH ID_RSA Key
28:15 Low Priv Access Granted
30:24 LinEnum.sh shows Wordpress CHMOD'd to 777
31:05 Examining Wordpress Site (big hint left by author)
32:10 Enumerating MySQL Database
35:15 Giving up on MySQL, lets edit PHP Files to dump passwords!
36:50 Identifying the file we want to backdoor
37:51 Placing our PHP Code
42:06 Got the password!
Up next
Indian Express Editorial Analysis by Chandan Sharma - 1 JULY 2026 | UPSC Current Affairs 2026
StudyIQ IAS
Watch →