HOGWARTS: BELLATRIX Writeup

Hey folks ! today I have another boot2root challenge “HOGWARTS: BELLATRIX” created by “BLY” . It’s a intermediate box and here is the link where you can downlaod this VM:-https://www.vulnhub.com/entry/hogwarts-bellatrix,609/

1.) Target Discovery

‘# netdiscover -i wlan0’

The ip address of the target VM is ‘192.168.1.7’

2.) Port Scanning and Service Detection

‘# nmap -sTV -p- 192.168.1.7’

I found two ports 22 and 80.

3.) HTTP Enumeration

The web page looks like its giving me some kind of hint, so let’s check out the source code of the page.

In the source code section I found an interesting hint by the author that he is pointing us toward “ikilledsiriusblack.php” file and a comment of php code which shows that the page may get a parameter ‘file’

So lets try to hit the page ‘ikilledsiriusblack.php’

And I was right a page exist with that name, so lets check this page that it takes a ‘file’ parameter or not.

Yes It’s taking a ‘file’ parameter and through which I can read ‘/etc/passwd’ file

And I was able to see the ssh ‘auth.log’ file in ‘/var/log/’ location.

It means I can poison the ssh log to get the reverse shell

To poison the logs I fired a couple of commands to poison the ssh log

‘#nc 192.168.1.7 22’

“user ‘<?php system($_GET[‘c’]); ?>’ ”

I passed the php code to poison the log of ssh with netcat. If my poisoning is successful then the php code will get ‘c’ parameter to take a command from user and execute it on the server.

So let’s check it.

And I got the response of my ‘id’ command on the web page.

4.) Reverse shell

I got the reverse shell from command execution on the web.

This VM had two users ‘bellatrix’ and ‘lestrange’.

In the bellatrix’s home directory I got the user flag. now it’s time to escalate our privilege.

5.) Privilege Escalation

In ‘/var/www/html/’ I got an interesting base64 encoded directory in which lestrange’s(Local User) encrypted password and a wordlist was there.

So I simply copied the encrypted password file and wordlist to my local host and cracked that password using JohnTheRipper

‘# john — wordlist=password.txt hash’

I found the right password for user ‘lestrange’ which is ‘ihateharrypotter’

After getting the password of user ‘lestrange’ ,I switched my user to it and tried to check which commands I can run with sudo.

YEHH! I can run ‘vim’ as root and with the help of ‘vim’ command I can execute any command as root. Let’s exploit it.

“$sudo vim -c ':!/bin/sh' "

Finally got the root privilege and ‘root.txt’ flag.

ROOTED :) !!

twitter :- @Exploiter_21