HOGWARTS: DOBBY Writeup

Hey folks! dobby , another boot2root challenge and a easy box created by Hogwarts. here is the link to download this VM:- https://www.vulnhub.com/entry/hogwarts-dobby,597/

1.) Target Discovery

‘# netdiscover -i wlan0’

The ip address of target VM is ‘192.168.1.8’ .

As many VMs have port 80 running on them so I directly jumped on the web browser without nmap scan to check is their any web service running on the VM ??

And yes we have a web service running on this VM, but it is a default apache page.

In the source code of the page I found something interesting. The comment in page source pointing towards ‘/alohomora’ directory.

Well in ‘/alohomora’ directory we found a hint for credential for user Draco. ‘The draco’s house’ . I don’t know what is the name of draco’s house or who is draco, but I know that this VM is based on “harry Potter’s” theme

So with the help of google I found the right password for the user Draco, which is slytherin.

Till now I had user ‘Draco’ and password ‘slytherin’ ,but I don’t had any login form or page to use these credential.

To enumerate web more I used gobuster for directory brute-forcing.

In gobuster’s result I fond a page ‘log’.

The log page point towards another directory ‘/DiagonAlley’.

And in that directory I found a wordpress installation.

3.) Uploading Shell

So I have found wordpress installation and right credentials for the user Draco to login.

For reverse shell I used Metasploit’s module “exploit/unix/webapp/wp_admin_shell_upload” with credential ‘Draco:slytherin’.

And I got the meterpreter session.

4.) Privilege Escalation

‘$ find / -perm -u=s -type f 2>/dev/null’

I fired the above command to get the list of binaries who had SUID permissions.

I found ‘find’ command had SUID permission, To exploit this and get the root shell I used the below command.

‘$find . -exec /bin/sh -p \; -quit’

Successfully got the root privilege and the ‘proof.txt’ flag.

Rooted :)