Vulnhub - HOGWARTS: DOBBY
Introduction
dobby needs to be root to help harry potter, dobby needs to be a free elf
Difficulty: Easy
This works better in VirtualBox
This is HOGWARTS: DOBBY from Vulnhub.
Ports
HTTP only; makes targeting easier.
HTTP and Rabbits
This one has a few rabbit holes, or at least red herrings. The page title on the website homepage is:
Draco:dG9vIGVhc3kgbm8/IFBvdHRlcg==
This decodes to:
too easy no? Potter
This doesn’t appear to be useful for anything.
At the very bottom of the page in the source code is a comment:
See: /alohomora
If we go there, we get a message:
Draco’s password is his house ;)
Gobuster
Gobuster finds a directory called /log. It says:
pass:OjppbGlrZXNvY2tz
hint --> /DiagonAlley
The base64 encoded string decodes to:
::ilikesocks
This doesn’t appear to be useful for anything.
Going to /DiagonAlley, we find a Wordpress installation. Maybe we’re getting somewhere?
wpscan
Enumerate with:
wpscan -e --url http://192.168.1.143/DiagonAlley/
And we have one user, draco. We find a post entitled Dobby that is written in what appears to be brainfuck, but running it through an interpreter only yields what might be a partial password - this is another distraction. Let’s run a password attack:
wpscan --url http://192.168.1.143/DiagonAlley/ -U 'draco' -P /usr/share/wordlists/rockyou.txt
Success:
Apparently the hint from /alohomora wasn’t a red herring. Whatever.
Wordpress
The installation is in Spanish (I think) so it’s a bit hard to read but I can upload a malicious plugin as a zip file (see midnight for details). This gets me a shell.
Privesc
As usual, run linpeas from /dev/shm after upgrading my shell:
This gives us not one but two SUID binaries of interest: base32 and find. We’ll take find, as per GTFOBins.
This box didn’t have cat but it still had head and less so no problem. Done and done.