Hogwarts: Dobby Walkthrough

CTF Link: https://www.vulnhub.com/entry/hogwarts-dobby,597/

With an hour or so to spare today, I thought I’d give the skills a bit of a refresh and download a Vulnhub CTF. With a view to writing my first ever walkthrough, I decided on an ‘Easy’ (it’s only ever easy if you know the answer!) rated CTF — Hogwarts: Dobby.

Once downloaded and run through Virtualbox, time for a quick scan:

nmap -sX -Pn -p- 192.168.56.125

Port 80 flashed up as the only open port, with a jump in to Firefox next up. The initial page was nothing more than the Apache 2 default page … but what’s that page title?

Draco:dG9vIGVhc3kgbm8/IFBvdHRlcg==

Well, that looks like Base64 to me. Put it in b64.txt and then:

base64 -d b64.txt

"too easy no? Potter"

Ok, so someone taking the piss a little but is “draco” a username? Let’s keep hold of that.

Never leave a page without checking out the source….right at the bottom…

See /alohomora

Visiting 192.168.56.125/alohomora, we see a cheeky message:

“Draco’s password is his house”

So we've got some credentials: draco:slytherin

I can't find much else obvious at this stage, so time for a scan:

dirb http://192.168.56.125

There are some typical finds, but of interest is /log, which contains:

pass:OjppbGlrZXNvY2tz

hint: /DiagonAlley

What do we have here? Another password? Trying base64 decode again, AH!

“ilikesocks” — but for which account?

Taking a look at http://192.168.56.125/DiagonAlley, there's a WordPress blog — in Spanish. If there's a WordPress blog, there should be a wp-admin… and there is: /wp-admin. A quick login with draco:slytherin and we're into an administrator account! Well, knowing what I know of WordPress, and how easily it can be exploited, it's time to get a reverse shell. Just before that though, a look around the posts, pages and comments — it's always amazing what you can find in the trash — "that user dobby". Another user account?

Anyway, reverse shell time. A quick search and a ready-made exploit is found at: https://github.com/wetw0rk/malicious-wordpress-plugin

Follow the instructions and before you know it, you’re sat with a meterpreter prompt! Boom.
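The plugin route above works because an administrator account can upload arbitrary PHP. From the defender's side, the quickest check after an incident like this is to look for plugin files that hand request input straight to a command-execution function. The following is an added example written for this walkthrough, not code from the CTF author or the plugin repository; the sample plugin sources and the function list are constructed for illustration.

```python
import re
from pathlib import Path

# Constructed sample plugin files (not taken from the CTF VM): one benign,
# one showing the "request parameter -> system()" shape of a dropped shell.
SAMPLE_PLUGIN_FILES = {
    "wp-content/plugins/hello/hello.php":
        "<?php\n/* Plugin Name: Hello */\nfunction hello_text() { return 'Hi'; }\n",
    "wp-content/plugins/update/update.php":
        "<?php\n/* Plugin Name: update */\n$cmd = $_GET['cmd'];\nsystem($cmd);\n",
}

# PHP functions that execute code or commands; list is an assumption for the example.
EXEC_FUNCS = r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\("
# Request superglobals: their presence next to an exec call raises the score.
REQUEST_SUPERGLOBALS = r"\$_(GET|POST|REQUEST|COOKIE)\b"


def suspicious_lines(php_source):
    """Return (line number, stripped line) for each line calling an exec function."""
    hits = []
    for n, line in enumerate(php_source.splitlines(), 1):
        if re.search(EXEC_FUNCS, line):
            hits.append((n, line.strip()))
    return hits


def score_file(php_source):
    """0 = no exec calls, 1 = exec calls present, 2 = exec calls plus request input."""
    hits = suspicious_lines(php_source)
    if not hits:
        return 0, hits
    reads_request = re.search(REQUEST_SUPERGLOBALS, php_source) is not None
    return (2 if reads_request else 1), hits


def scan_plugin_sources(files):
    """files maps path -> PHP source. Returns {path: (score, hits)} for score > 0."""
    findings = {}
    for path, src in files.items():
        score, hits = score_file(src)
        if score:
            findings[path] = (score, hits)
    return findings


def scan_plugin_dir(root):
    """Read every .php file under a real plugin directory and scan it."""
    files = {str(p): p.read_text(errors="replace") for p in Path(root).rglob("*.php")}
    return scan_plugin_sources(files)


if __name__ == "__main__":
    # Runs against the constructed samples; point scan_plugin_dir at
    # wp-content/plugins on a real install instead.
    for path, (score, hits) in scan_plugin_sources(SAMPLE_PLUGIN_FILES).items():
        print(f"[score {score}] {path}")
        for n, line in hits:
            print(f"    line {n}: {line}")
```

A score of 2 is the pattern to triage first; legitimate plugins occasionally call exec functions, but almost never with a raw request parameter on the next line. Pairing this with `DISALLOW_FILE_MODS` in wp-config.php removes the upload path altogether.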

As is my way, the first thing I do whenever I get any form of shell is check to see what user accounts there are to exploit:

cat /etc/passwd — “root” and “dobby”, that’s it.

Typing "shell" to drop into a basic shell, I do a quick check with "whoami" and find I'm the bog standard www-data account, naturally.

Checking the directories, there’s a /home/dobby account and, just like that, “flag1.txt” which contains:

“Harry potter this year should not go to the school of wizardry”
flag1{28327a4964cb391d74111a185a5047ad}

1 down — how many to go?

Wanting a little more than this basic shell, it’s time to break out. Checking to see if Python is installed with “whereis python”, I’m delighted to see that it is and launch a shell with:

python3.8 -c 'import pty;pty.spawn("/bin/bash")'

Checking for tasty executables with SUID set:

find / -perm -u=s -type f 2>/dev/null — reveals nothing of interest.

But wait — we’ve got credentials we’ve not used — “dobby” and “ilikesocks”.

su dobby (who apparently likes socks)

and I’m in to dobby’s account.

A repeat of the “find” command above reveals 2 programmes of interest:

base32 / find

base32 can be used to read privileged files:

base32 /etc/shadow | base32 --decode

Alas, it just proves that “root” has no login and dobby is the only other account of interest. But what of “find”? We know that “find” can be used to execute files and if SUID is set then it executes commands with escalated privileges too. So let’s check out the /root folder:

find . -exec ls /root/ \;

Aha! proof.txt!

find . -exec more /root/proof.txt \;

root{63a9f0ea7bb98050796b649e85481845!!}
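Both escalation steps above rest on the same misconfiguration: a general-purpose binary (find, base32) left with the SUID bit set, so its normal options run as root. The audit below is an added example for this walkthrough, not the CTF author's code; it walks the filesystem the same way the page's `find -perm -u=s` does, then sorts what it finds into binaries that are expected to be SUID on a stock Debian/Ubuntu box, binaries known to be abusable, and everything else for manual review. The two lists and the constructed sample paths are assumptions for the example.

```python
import os
import stat

# Binaries whose ordinary options read or execute as the file owner when SUID.
# Assumed list for the example, not an exhaustive reference.
ABUSABLE_SUID = {
    "find":   "-exec runs any command as the file owner",
    "base32": "encodes any file it can open, so root-only files can be dumped",
    "base64": "same as base32",
    "vim":    "can spawn a shell",
    "python3": "can spawn a shell",
    "bash":   "-p keeps the effective uid",
}

# SUID binaries that are designed to be SUID on a stock Debian/Ubuntu install.
EXPECTED_SUID = {
    "sudo", "su", "passwd", "chsh", "chfn", "gpasswd", "newgrp",
    "mount", "umount", "pkexec", "fusermount",
}


def find_suid_files(root="/"):
    """Return regular files under root with the SUID bit set (symlinks not followed)."""
    found = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return found


def classify_suid(paths):
    """Map each SUID path to 'expected', 'abusable: <why>' or 'review'."""
    verdicts = {}
    for path in paths:
        name = os.path.basename(path)
        if name in ABUSABLE_SUID:
            verdicts[path] = "abusable: " + ABUSABLE_SUID[name]
        elif name in EXPECTED_SUID:
            verdicts[path] = "expected"
        else:
            verdicts[path] = "review"
    return verdicts


def remediation_commands(verdicts):
    """chmod commands that strip the SUID bit from every abusable binary."""
    return ["chmod u-s " + p for p, v in sorted(verdicts.items()) if v.startswith("abusable")]


# Constructed sample output of a filesystem walk, shaped like the CTF box.
SAMPLE_SUID_PATHS = [
    "/usr/bin/find", "/usr/bin/base32", "/usr/bin/sudo",
    "/usr/bin/passwd", "/opt/backup/runbackup",
]

if __name__ == "__main__":
    # On a real host replace SAMPLE_SUID_PATHS with find_suid_files("/").
    verdicts = classify_suid(SAMPLE_SUID_PATHS)
    for path, verdict in sorted(verdicts.items()):
        print(f"{verdict:10} {path}")
    for cmd in remediation_commands(verdicts):
        print("fix:", cmd)
```

Anything in the "review" bucket (a custom backup helper, say) deserves the same question as find and base32: does any option of this program open, write or execute something the caller chooses?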

There we go — short and sweet. A really fun hour spent over lunch today. Thanks to @BertrandLorent9 for that one.

A husband, father of 3 and career military. The global interplay, Welsh rugby, information operations and cyber geekery all fuel my scribbles.