Capture the flag (CTF)

HOGWARTS: DOBBY VulnHub CTF Walkthrough

February 24, 2022 by LetsPen Test

As per the information provided by the author, the goal of the CTF is to gain root access to the target machine. The difficulty level is marked as easy. Pre-requisites would be to know Linux commands and the ability to run some basic pen-testing tools.

The torrent downloadable URL is available for this VM; it's been added in the reference section of this article.

Please note: I used Oracle VirtualBox to run the downloaded machine, as I do for all of these machines, and Kali Linux as the attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.


The steps

  1. Getting the IP address with the Netdiscover utility
  2. Getting open port details by using the Nmap tool
  3. Enumerating the HTTP service with the Dirb utility
  4. Logging in to WordPress and exploiting it
  5. Escalating local privileges to get root access

So, now that we have all the information we need, let us get started with the challenge.

The walkthrough

Step 1

The first step is to run the Netdiscover command to identify the target machine's IP address. In the screenshot given below, we can see the Netdiscover command, which lists all the hosts found on the local network.

Command used: << netdiscover >>

In the above screenshot, it can be seen that we have identified the IP addresses of all the devices connected to our router; the MAC addresses of our personal devices are hidden for security reasons. The target machine IP address that we will be working with throughout this challenge is 192.168.1.13. We will be using 192.168.1.15 as the attacker's IP address.

Note: the target machine IP address may be different in your case, as the network DHCP is assigning it.

Step 2

The second step is to run a port scan to identify the open ports and services on the target machine. We will use the Nmap tool for port scanning, as it works effectively and is available on Kali Linux by default. In the highlighted area of the following screenshot, we can see the Nmap command we used to scan the ports on our target machine. The identified open ports can also be seen in the screenshot given below.

Command used: << nmap 192.168.1.13 -p- -sV >>

In the Nmap command, we used the '-sV' option for version enumeration and '-p-' for a full port scan, which tells Nmap to scan all 65535 ports. By default, Nmap scans only the 1024 most common ports, so it is very important to run a full port scan during a pentest or when solving a CTF.

The Nmap output shows that only one port was identified as open in the full port scan. So, in the next step, we will start the CTF with port 80.

Step 3

We opened the target machine IP address in the browser to explore the HTTP service. We found that there is a web application running on the target machine.

As we can see above, this is just a default Apache page that confirms that the Apache service is running on the target machine and there is an active web application on the target machine. We checked the HTML code of the page and found an interesting comment. 

A directory name is mentioned in the comments section of the HTML source code. So, let us open the directory on the browser and check what is available. 

The directory opened another web page on the target machine; however, there was no further functionality to be explored, just a simple text message. Since we now know the directory name, we can run a brute-force scan against it to identify hidden files and folders. We used the Dirb tool for this purpose. Dirb is a default utility in Kali Linux and is a widely used web application file enumeration tool. The Dirb scan command and results can be seen below.

Command used: << dirb http://192.168.1.13/ >>

In the scan results, we identified very few files. The most interesting file identified by the Dirb scan is the phpinfo file. So, let us open it in the browser.

The phpinfo file contains information related to the compiled PHP environment on the target server. We checked the PHP info file and the HTML source code of the file, but nothing interesting could be identified. 

Let us open another file identified by the Dirb scan on the browser. 

We opened the log file on the browser, which gave us a password and another directory name as a hint. The identified password can be seen below. 

Password: OjppbGlrZXNvY2tz

Let us open the new directory on the browser, as seen in the screenshot that follows. 

In the above screenshot, we can see that the directory opened a blog application. The homepage of the blog application shows some blog posts. The blogs are posted by a user named 'draco', so let us note this information for future reference in solving the CTF.

Username: Draco

The first blog post contains an encoded string consisting only of special characters. The encoding method is not difficult to guess, as this limited set of special characters is characteristic of the brainfuck programming language.

Brainfuck is a minimalistic programming language consisting of only eight commands, a data pointer, and an instruction pointer.

We searched the web and found an online decoder for the brainfuck programming language. The online brainfuck decoder tool can be seen below.

The decoded value does not give any important information. As we know, the username is 'draco', and we recall from previous steps that a web page had mentioned that 'draco's password is his house'. We googled the house of the Harry Potter character Draco; the following screenshot shows the results.

The name of Draco's house is 'slytherin'. So, in the next step, we will use these credentials to log in to WordPress. 

Step 4

As we already know the username and password, let us log in to the WP-Admin section of the target application with the identified credentials. 

  • Username: draco 
  • Password: slytherin

The credentials worked for the WP-Admin login, and we are now logged in to the admin panel as user draco. We searched the web for vulnerabilities in the current WordPress version and found that we could upload a web shell that could help us gain access to the target machine. 

A Metasploit module that uploads this web shell is available in the Metasploit framework, so let us start the exploit.

Command used: 

  • << use exploit/unix/webapp/wp_admin_shell_upload >>
  • << show options >>

We selected the required module by running the 'use' command in Metasploit and providing the exploit path. After that, we ran the 'show options' command to check the required configuration. We need to provide the target machine's IP address and valid login credentials to run the exploit successfully.

Command used:

  • << set RHOSTS 192.168.1.13 >>
  • << set USERNAME draco >>
  • << set PASSWORD slytherin >>
  • << set TARGETURI /DiagonAlley >>
  • << show options >>

We used the 'set' command to configure the exploit with the required options. After saving the required configuration, we checked the details by running the 'show options' command. The command's output confirms that the settings have been saved as per our target machine details. Let us execute the exploit on the target machine; this is done by running the 'exploit' command in Metasploit, which can be seen in the following screenshot.

Command used:

  • << exploit >>
  • << id >>

The exploit was successfully executed. We used the 'id' command to check the current user and found limited shell access. So, we will try to get root access in the next step. 

Step 5

We tried various enumeration commands to find loopholes in the target machine. While checking for weak SUID binaries, we found a piece of interesting information, which can be seen highlighted in the screenshot given below.

Command used: << find / -perm -4000 -type f 2>/dev/null >>

Because the base32 binary has the SUID bit set, it can be used to read files owned by privileged users. So, let us use it to read the /etc/shadow file, which can be seen below.

Command used: << /usr/bin/base32 /etc/shadow >>

As we can see, the output is base32-encoded. We then decoded it with base32 to read the /etc/shadow contents, as can be seen below:

Command used: << echo CODE | base32 -d >>

By decoding the /etc/shadow contents, we found the password hash for the user 'dobby'. The hash was copied into a new file named 'hash' on our attacker machine. We will use a password-cracking tool to recover the clear-text password from the hash. We used John the Ripper for this purpose, a default utility in Kali Linux. The command used and the results can be seen in the following screenshot.

Command used:

  • << john hash --wordlist=/usr/share/wordlists/rockyou.txt >>
  • << cat >> hash >>

The tool took a long time to crack the password. However, the wait was worth it, as in the end we got the clear-text password for the user 'dobby' shown below:

password: ilikesocks

So, let us log in to the target machine as user dobby using the above credentials.

Command used: 

  • << su dobby >>
  • << less flag1.txt >>

Password: ilikesocks

We used the su command to switch the current user to dobby, and the login was successful. We started exploring files in the user's home directory, where we found the first flag, 'flag1.txt'. This is the user flag, which can be seen in the following screenshot. As we already know from the above steps, the weak SUID binary 'find' can be exploited to gain root access. Let us exploit the binary to escalate privileges.

Command used: 

  • << /usr/bin/find . -exec /bin/sh -p \; -quit >>
  • << tail proof.txt >>


The command was successfully executed. We checked the current user by running the id command and found that the user had been successfully changed to root. After that finding, the root flag was the last step required to complete the challenge. The root flag was found in the root user directory and was named 'proof.txt.' 
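Both privilege escalation steps above rely on the SUID bit being set on binaries that never need it. As an added example (not part of the original walkthrough), the following POSIX shell audit compares the output of the same find command against an expected baseline, so binaries such as base32 and find stand out in a hardening review. The baseline and the sample find output are constructed for this example; build your own baseline from a clean install of the same distribution.

```shell
#!/bin/sh
# Added example: report SUID binaries that are not on an expected baseline.
# Anything reported should be reviewed and, if not needed, fixed with chmod u-s.

# Constructed, abbreviated baseline of SUID binaries expected on a Debian-like host.
SUID_BASELINE="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/chsh
/usr/bin/newgrp"

# audit_suid: read SUID paths on stdin, print those missing from the baseline.
audit_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if printf '%s\n' "$SUID_BASELINE" | grep -Fxq -- "$path"; then
            :                        # expected SUID binary, nothing to report
        else
            printf '%s\n' "$path"    # unexpected SUID binary: review or chmod u-s
        fi
    done
}

# Constructed sample output of: find / -perm -4000 -type f 2>/dev/null
# (mirrors what the CTF target exposed: base32 and find carry the SUID bit).
SAMPLE_SUID="/usr/bin/passwd
/usr/bin/base32
/usr/bin/find
/usr/bin/sudo"

# count_unexpected: number of unexpected SUID binaries in the sample list.
count_unexpected() {
    printf '%s\n' "$SAMPLE_SUID" | audit_suid | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample; on a live host use instead:
#   find / -perm -4000 -type f 2>/dev/null | audit_suid
printf '%s\n' "$SAMPLE_SUID" | audit_suid
```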

This completes the challenge; we have read both the flags and gained the target machine's root access. 

