Tryhackme Hogwarts Walkthrough (King Of The Hill)

This is the TryHackMe Hogwarts walkthrough from the King of the Hill game. Hogwarts is a very CTF-style machine. In this writeup you will learn, step by step, how to get into the server and escalate your privileges to root.


What you’ll learn in this machine?

  1. How to login anonymously in FTP server and how to find hidden files and folders.
  2. How to login FTP and SSH via different port number.
  3. How to brute force a password protected zip file (to retrieve the password from a password protected zip file).
  4. How to become root (Privilege Escalation Technique).

Rustscan and Nmap Scan

We all know that TryHackMe gives us 1 hour to play King Of The Hill machines. If we scan all ports using nmap, it will take 1-2 hours to complete the task, so I used a tool called rustscan to reduce the time. Rustscan is a very fast port scanning tool; you can scan all ports within 2-5 minutes. (If you don’t have rustscan on your Linux system, download and install it. This tool is not installed by default on any Linux distribution.) You can visit our “How to install rustscan tool” page for the installation guide.

Rustscan command:  sudo rustscan -a 10.10.91.16

Command Explanation:  -a for IP address or url

[Screenshot: rustscan open ports]

Note:- You can’t use rustscan for version detection.

So, after discovering all open ports using rustscan, we need to run nmap scan for version detection with those open ports.

Nmap command:  sudo nmap -sV -A 10.10.91.16 -p 22,8335,9601,9999,10411,48882

Command Explanation: 

  1. -sV for version detection,
  2. -A for aggressive scan (OS detection, version detection, default scripts and traceroute),
  3. -p for specific ports (comma separated with no spaces; a space would make nmap treat the next number as another target).
[Screenshot: nmap scan result]
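The step above (take the ports rustscan found, hand exactly those to nmap for version detection) is easy to get wrong by hand, as the stray spaces in a port list show. As an added example that is not part of the original post, here is a small shell helper that turns a rustscan result line into the comma-separated form nmap’s -p flag expects and prints the nmap command line. It assumes rustscan’s greppable output looks like "10.10.91.16 -> [22,8335,...]"; the sample line is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): build nmap's -p argument
# from the port list rustscan prints.
# Assumption: rustscan's --greppable output has the shape
#   10.10.91.16 -> [22,8335,9601,9999,10411,48882]
# The sample line below is constructed for this example.

# ports_from_greppable LINE -> prints "22,8335,..." (no spaces, sorted, unique)
ports_from_greppable() {
    printf '%s\n' "$1" \
        | sed -n 's/.*\[\([0-9, ]*\)].*/\1/p' \
        | tr ',' '\n' \
        | tr -d ' ' \
        | grep -E '^[0-9]+$' \
        | sort -n -u \
        | paste -s -d ',' -
}

# nmap_cmd TARGET PORTS -> prints the nmap command line (it does not run it)
nmap_cmd() {
    printf 'nmap -sV -A -p %s %s\n' "$2" "$1"
}

sample='10.10.91.16 -> [22,8335,9601,9999,10411,48882]'
ports=$(ports_from_greppable "$sample")
nmap_cmd 10.10.91.16 "$ports"
```

rustscan only discovers open ports; the version and OS information still comes from nmap, which rustscan can also invoke for you by placing nmap’s arguments after `--` on its command line.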

After detecting the versions of the open ports, we saw some weird things, right? We know SSH runs on port 22 by default, but here HTTP is running on port 22, and SSH is running on port 8335. Another weird thing is the FTP server running on port 9601 instead of 21. There are 3 more ports open, but you can ignore them.

I’m pretty sure you are smart enough to identify what’s going on here. Yeah, you got it. Look at the FTP port in our nmap scan: the FTP server allows anonymous login.

[Screenshot: ftp server connection]

So what are you waiting for? Go ahead and login anonymously.

FTP Login

Note:  You can’t login with this command (ftp 10.10.91.16), because the FTP server is not running on the default port.

To login to the FTP server you need to specify the port with (-p 9601).

Command:-  ftp 10.10.91.16 -p 9601

Then type the name anonymous and hit enter. (Boom) You are logged in.

[Screenshot: ftp server connection]

Wait, I used hogwarts.thm instead of 10.10.91.16. That’s because I put the IP address in my /etc/hosts file and named it hogwarts.thm.

Now type ls -la to see all files from the current directory. We see a file named .IamHidden. Download the file using get command.

command:-  get .IamHidden

This will download the file from the target FTP server to our local machine. After downloading the file we see a directory called three dots “…”. See the picture down below:-

[Screenshot: ftp three dot folder]

We know that one dot represents the current directory and two dots represent the parent directory. So it is clear that three dots “…” is a directory. Navigating into that directory we found another three dots “…” directory and a GoAway.exe. Ignore GoAway.exe, it’s a fake executable file. Navigating into the three dots “…” directory again, we got 2 interesting files called .I_saved_it_harry.zip and note4neville. So we downloaded the files using the get command.

[Screenshot: ftp file download]

After downloading all files from the FTP server, we read .IamHidden and note4neville using the cat command, but the files were useless.

[Screenshot: file read]
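The files we just pulled were only visible because ls -la shows dot-names, and they sat inside directories named with nothing but dots. As an added example that is not part of the original post, here is a small shell audit a server operator can run against the tree an anonymous FTP account can see, to list exactly that kind of entry before an attacker does. The directory layout it builds is constructed for the example; the names mirror the ones found above.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): audit a directory tree,
# such as the document root of an anonymous FTP server, for entries that a
# plain "ls" would not show: dot-files and directories whose names are only
# dots ("...", "....") that hide content from a casual listing.
# The tree built below is constructed for this example.

# hidden_entries DIR -> every dot-named file or directory under DIR, one per
# line, sorted. "." and ".." themselves are never produced by find.
hidden_entries() {
    find "$1" -mindepth 1 -name '.*' | sort
}

# count_hidden DIR -> number of such entries (0 when the tree is clean)
count_hidden() {
    hidden_entries "$1" | grep -c .
}

demo_tree=$(mktemp -d)
mkdir -p "$demo_tree/.../..."
: > "$demo_tree/.IamHidden"
: > "$demo_tree/.../GoAway.exe"
: > "$demo_tree/.../.../.I_saved_it_harry.zip"
: > "$demo_tree/.../.../note4neville"

echo "dot-named entries under $demo_tree:"
hidden_entries "$demo_tree"
echo "total: $(count_hidden "$demo_tree")"
rm -rf "$demo_tree"
```

Run against a real FTP root the list should be empty, or contain only entries you can explain; anything else is either leftover data or a staging spot someone has set up on your server.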

Zip file Brute forcing

So now it’s time to extract the zip file called .I_saved_it_harry.zip. But it seems the zip file is password protected and we don’t know the password. Here comes the interesting part. We need to brute force the zip file in order to get the password. To brute force the zip file we will use a tool called fcrackzip. fcrackzip is a free open source tool and is not installed by default in any Linux distribution, so you need to install the tool yourself. (You can visit our “How to install fcrackzip tool” page for the installation guide, or check our “How to use fcrackzip”.)

fcrackzip command for brute forcing is:-  fcrackzip -D -v -u -p /usr/share/wordlists/rockyou.txt .I_saved_it_harry.zip

Command Explanation:- 

  1. -D for dictionary mode (try the passwords listed in a file)
  2. -v for verbose
  3. -u for use unzip (each candidate is checked with unzip to weed out false positives)
  4. -p for the password file (in dictionary mode, the file the passwords are read from)

Bang We got the password for our zip file.

[Screenshot: fcrackzip zip file brute force]

Now with the password “madelyn” we’ll be able to extract our zip file. Let’s extract it using unzip .I_saved_it_harry.zip and give the password we just discovered, “madelyn”. We can see the zip file is now extracted and it created a directory called boot. Under the boot directory we got a file that contains our username and password for SSH login.

[Screenshot: read password]
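“It seems the zip file is password protected” is something you can check rather than guess: the zip format records encryption in bit 0 of the general-purpose flag of each local file header. As an added example that is not part of the original post, here is a shell routine that reads that flag, which is useful both before spending time on a wordlist and on the defending side, where an encrypted archive arriving by upload or mail is a classic way to slip past content scanning. The two header stubs it inspects are constructed byte by byte for the example; they are not complete archives.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): tell whether a zip file is
# password protected by reading the general-purpose bit flag of its first
# local file header. Bit 0 of that 16-bit field marks an encrypted entry
# (PKWARE APPNOTE, section 4.4.4). Layout of the header start:
#   offset 0: signature 50 4B 03 04   offset 4: version needed (2 bytes)
#   offset 6: flags (2 bytes, little-endian)
# The sample files below are constructed for this example.

# zip_flags FILE -> prints the flag field as a decimal number
zip_flags() {
    od -An -tu1 -j6 -N2 "$1" | awk '{ print $1 + 256 * $2 }'
}

# zip_is_encrypted FILE -> exit 0 (encrypted), 1 (not encrypted), 2 (not a zip)
zip_is_encrypted() {
    sig=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$sig" = "504b0304" ] || return 2
    flags=$(zip_flags "$1")
    [ $((flags & 1)) -eq 1 ]
}

demo=$(mktemp -d)
# signature, version-needed 20, flags 0x0001 (encrypted)
printf 'PK\003\004\024\000\001\000' > "$demo/protected.zip"
# same header with flags 0x0000 (plain)
printf 'PK\003\004\024\000\000\000' > "$demo/plain.zip"

for f in "$demo/protected.zip" "$demo/plain.zip"; do
    if zip_is_encrypted "$f"; then
        echo "$f: encrypted (flags=$(zip_flags "$f"))"
    else
        echo "$f: not encrypted"
    fi
done
rm -rf "$demo"
```

Only the first entry is inspected here; an archive can mix encrypted and plain entries, so a thorough scanner walks every local file header (or the central directory) and applies the same bit test to each.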

SSH Login

So we got the username and password for SSH login. Let’s login with SSH. Note:- The default command for SSH login ( ssh neville@hogwarts.thm ) won’t work, because SSH is open on port 8335 instead of the default port 22.

So the command will be:-  sudo ssh neville@hogwarts.thm -p 8335

After hitting enter you will be prompted with this line:-  Are you sure you want to continue connecting (yes/no/[fingerprint])?

Type “yes” and hit enter. Then you will be prompted for the password; give the password you got from the .pass file, then hit enter and Boom, you are on the system as a normal privilege user called neville.

[Screenshot: connect ssh with different port]

Privilege Escalation

Now we are a normal user. We need to escalate our privilege to root. For escalating our privilege level we can use a command like:-  find / -type f -perm -4000 2>/dev/null

Command Explanation:-

  1. find (To find specific file or folder)
  2. / (Search from root directory)
  3. -type (Which type of object you want to specify)
  4. f (For file)
  5. -perm (For permission)
  6. -4000 (For setuid bit file)
  7. 2>/dev/null (redirect any error messages, such as permission denied, to the /dev/null device so they are discarded)

Basically I use this command to find setuid files in this machine.

We got some setuid files. But the interesting file which will help us escalate our privileges is /bin/ip.

[Screenshot: privilege escalation via ip]

These 2 simple commands will make us root:- 

  1. ip netns add foo
  2. ip netns exec foo /bin/sh -p
[Screenshot: privilege escalation via ip command]

Note:-  The ip address is different this time because someone reset the machine.

Wait, hold on, how do I know this command will work? Well, there is a website called GTFOBins. This website is really helpful for privilege escalation. Go to this website and search for ip, and you will find the privilege escalation technique for ip (/bin/ip). It works because /bin/ip is setuid root, so the command it runs with ip netns exec also runs as root, and the -p flag stops /bin/sh from dropping that effective uid back to neville.
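The find command above is the attacker’s view of the setuid list; the defender’s version of the same step is to compare that list against what the system is supposed to have, so that a setuid /bin/ip stands out. As an added example that is not part of the original post, here is a shell audit that does exactly that. The “system” it scans is a constructed directory tree and the baseline list is an assumption for the example, not any distribution’s real one.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): report setuid binaries
# that are not on an expected baseline. A setuid /bin/ip is the kind of entry
# this should flag. The tree and the baseline below are constructed for the
# example.

# setuid_files ROOT -> absolute paths of setuid regular files under ROOT
setuid_files() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# unexpected_setuid ROOT BASELINE_FILE -> setuid files (relative to ROOT)
# that are not listed in BASELINE_FILE, one per line
unexpected_setuid() {
    root=$1
    setuid_files "$root" \
        | sed "s|^$root||" \
        | grep -v -x -F -f "$2" || true   # grep exits 1 when nothing is printed
}

demo=$(mktemp -d)
mkdir -p "$demo/bin" "$demo/usr/bin"
for f in bin/su bin/ip usr/bin/passwd usr/bin/sudo; do
    : > "$demo/$f"
    chmod u+s "$demo/$f"          # set the setuid bit, as on the target
done
: > "$demo/bin/ls"                # an ordinary, non-setuid file

# baseline: the setuid programs we expect on this (constructed) system
printf '%s\n' /bin/su /usr/bin/passwd /usr/bin/sudo > "$demo/baseline.txt"

echo "setuid files not in the baseline:"
unexpected_setuid "$demo" "$demo/baseline.txt"
rm -rf "$demo"
```

On a real host the baseline comes from the package manager’s file list or a known-good image, and the fix for a flagged binary that has no business being setuid is simply chmod u-s on it; the same comparison run on a schedule is a cheap detection for the technique used above.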

Thanks for being with us.


Click this link for all tryhackme’s king of the hill machines writeups.

You will find all king of the hill machines walkthrough in our website. Not only “king of the hill” walkthroughs but also other walkthroughs like tryhackme’s walkthroughs, hackthebox walkthroughs, hackerone’s walkthroughs and CTF challenges walkthroughs.

Stay tuned,

This walkthrough posted by:- Abir