Minotaur CTF – Walk Through

This is a writeup of the Minotaur CTF boot2root CTF VM which can be found on VulnHub.

This is my first CTF writeup, having previously done a couple of CTF challenges with varying levels of success. In each of the previous challenges I’ve done, I have had to look at other walkthroughs to get an idea of the next steps required. Pleasantly, however, in a couple of cases the next step was what I’d assumed it would be, but I’d thought to myself “Naa. That doesn’t seem right.”, only to find that in the walkthrough, that’s what they did.

For this CTF walkthrough, I’m going to give it my best go without looking at other walkthroughs. That is, until I crack the shits and go looking for hints 🙂

Disclaimer: All techniques discussed and demonstrated are ONLY used in my home VM lab. Never use these techniques against servers you do not have explicit permission to use these tools against – depending on where you are – actions such as that are probably ILLEGAL.

Anyway – onto the CTF!

The following CTF’ing occurred over the course of a few days (and lots of beer), and ultimately resulted in failure (not entirely related to the beer!). I’ve documented it here as a record of my own learnings, but you may get something from it anyway.

Setup

Virtual Box VM

Initially I encountered an error regarding a missing network interface in VirtualBox, which was easily (and automatically) resolved by entering the settings menu for the VM. I left it on Host Only, which assigned an address in the required 192.168.56.0/24 range as suggested by Robert.

Initially I was skeptical about leaving it on this range as usually I put my VMs in a specific 10.0.2.0/24 ‘pen-test’ private network; but thankfully my Kali VM also has a second Host Only network adapter, which allowed it to reach the Minotaur CTF VM.

Discovery.

Where’s that box!

Firstly, fire up nmap, and scan that network.

[Image: nmap_host_discovery]

The server was discovered running on 192.168.56.223, and as you can see there are three services running: SSH, HTTP and one I’ve never seen before on port 2020, showing as ‘xinupageserver’. It could be a common service which has been configured to run on this port (security by obscurity and all that). I’m not sure, so let’s find out, shall we?

Services.

FTPD

Now we’re talking.

[Image: nmap_version_scan]

So, as suspected, it’s a common service running on an unusual port. That’s a red-flag, straight up, but also could be a red herring! We’ll proceed, with caution.

If it is FTP though, “Anonymous access, what about anonymous access!” I hear you screaming!

[Image: ftpd_anon_access_allowed]

Yep, anon access permitted. Let’s poke around.

[Image: ftpd_dirlist]

Seems to be empty. So… Could it be writable? Doubtful, but changing things from the default is a thing…

[Image: ftpd_upload]

D’oh.

HTTPD

Also in the services list is Apache HTTPD. Good stuff. Let’s see what’s there…

[Image: httpd_default_page]

Ok. Default HTTPD page. And here I was hoping for a nice, vulnerable PHP application. D’oh! However, some more clues. Ubuntu (which we actually did see in the service versions, too…)

Nmap fun to come, we’ll kick some scripts off and see what we can find.

SSHD

SSHD hasn’t been without its problems, but from what I know of it, it is generally very well regarded as secure, so we won’t pay it much attention other than a cursory search for vulnerabilities.

Remote Code Execution

SSHD

What’s available for SSHD?

[Image: sshd_exploits]

Only one… xauth injection. Hrm. I wasn’t even sure what Xauth was. I downloaded the exploit and had a read. Requires a local shell, but does allow privesc from a shell. We might be able to use that, once we HAVE a shell.

FTPD

I always remember endless RCEs and other vulnerabilities in FTPDs from when I was new to the industry. So, let’s see what we can find here first.

[Image: ftpd_searchsploit]

Ugh. That wasn’t as easy as I’d hoped. Let’s expand the search a little.

[Image: ftpd_searchsploit_more]

Ok. We don’t have a specific version provided by Nmap (only 2.0.8 or later), and there is only one RCE listed there, but it’s for 2.3.4 only. Not too much to go on. And… anon access is there, but empty, and not writable.

HTTPD

Now, let’s find an exploit for Apache 2.4.7.

[Image: httpd_exploits]

Slim. Fucking. Pickings.

So, where to now?

Breaking out the hammer!

The hints provided are:

This CTF has a couple of fairly heavy password cracking challenges, and some red herrings.
One password you will need is not on rockyou.txt or any other wordlist you may have out there. So you need to think of a way to generate it yourself.

I think we’ve found at least one of those red herrings. So, let’s try and bruteforce SSH!

Hydra’s -u option works well! It loops over the user list for each password rather than the password list for each user. Note the difference in tries/min between the top, 160/min, and the bottom with -u, 534/min…

[Image: hydra_brute_force_-u_option]

Just going to let that go overnight…

And, the next morning, 289329 tries later – zero found accounts! I’ll let that run, but I haven’t enumerated the contents of the HTTP server as yet. Let’s crack out ‘dirb’ and see what it can find.
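As an added, defender’s-side example (not part of the original writeup), here is a small Python detector that picks a Hydra-style burst out of constructed OpenSSH auth.log lines: many failures from one source inside a short window, spread across several usernames, which is exactly the pattern the -u ordering produces. Hostnames, usernames and addresses in the sample are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH "Failed password" lines as written to a Debian/Ubuntu auth.log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(lines, year=2016):
    """Yield (timestamp, username, source_ip) for every failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def detect_bruteforce(lines, threshold=10, window_s=60):
    """Flag source IPs with >= threshold failures inside any sliding window of
    window_s seconds. Returns {ip: (total_failures, distinct_usernames)}."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = (len(events), len({u for _, u in events}))
    return hits

# Constructed sample: 12 failures in 12 seconds from one host cycling through
# six usernames (the -u pattern), plus one stray failure from another host.
USERS = ["root", "admin", "ubuntu", "www-data", "guest", "test"] * 2
SAMPLE_LOG = [
    f"Mar 17 22:10:{i:02d} minotaur sshd[{1000 + i}]: Failed password for "
    f"{'' if u == 'root' else 'invalid user '}{u} from 192.168.56.101 port {40000 + i} ssh2"
    for i, u in enumerate(USERS)
] + [
    "Mar 17 22:15:03 minotaur sshd[2001]: Failed password for root from 192.168.56.1 port 50001 ssh2",
    "Mar 17 22:15:20 minotaur sshd[2003]: Accepted password for root from 192.168.56.1 port 50003 ssh2",
]
```

Running `detect_bruteforce(SAMPLE_LOG)` reports only 192.168.56.101, with 12 failures across 6 usernames; the single failure from 192.168.56.1 stays below the threshold.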

[Image: httpd_dirb_found_wp]

We have WordPress! WPScan time.

[Image: httpd_wp_scan]

17, yes 17 vulns found for WP 4.2.2! At least ONE of those should allow some kind of action!

Of note, I can see one SQL Injection attack, and one Arbitrary file upload vuln in the Slideshow plugin.

[Image: httpd_wp_sqli]

[Image: httpd_wp_plugin-arbitrary_file_upload]

So, they’ll be our starting points.

Attacking WordPress

The WordPress application says:

If you want to see more, become a full member.

[Image: httpd_become_a_member]

So I’ll take that as a hint.

Man… All these built bovine are making me hungry to smoke another brisket!

Anyway. Smoked meat dreams can wait. I’m brute forcing the WP login page. I ran WPscan and enumerated the users:

[Image: httpd_wp_users]

So, now trying to brute force the WP login page. Suspecting I won’t have any success however, due to the above mentioned issues with the password… I suspect I need to work on my OSINT skills.

[Image: httpd_wp_hydra_brute]

Aaaand I realised this was the point my existing knowledge and skill ran out.

FAILED. Looked at a walkthrough

So, based on the walkthrough:

[Image: httpd_wp_failed_cewl_john]

which… failed. Turns out I’m doing something wrong with Hydra for bruteforcing, so now I’m spending this time to learn how to operate Hydra correctly. I’ve posted a little on an infosec forum, so hopefully get some help there.

Using wpscan, the password was discovered very quickly:

[Image: httpd_wp_wpscan_bruteforce]

From this point forward I avoided the walkthrough as best I could – so I will be doing my best to continue on my own.

Now that I have determined this password is correct, I will login and try to exploit the arbitrary file upload vulnerability previously mentioned.

Firstly, I created a shell.php, which simply contains URL-encoded Python that initiates the reverse shell back to my IP address. There was no specific need for this to be URL encoded; it was just what I had handy, and I can make it work easily:

[Image: wp_reverse_shell]

Note also that nc is running and waiting for a connection on port 1234.

[Image: wp_reverse_shell_done]

BAM! Shell achieved!
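As an added example from the defender’s side (not the CTF author’s code and not part of WordPress), this Python scan walks a wp-content/uploads tree and flags what should never be sitting in an uploads directory: files with a PHP-executable extension, including double extensions like name.php.jpg, and files whose bytes contain a PHP open tag regardless of name. The sample tree it builds is constructed inline; the extension list assumes a stock Apache + mod_php mapping.

```python
import os
import re
import tempfile

# Extensions a typical Apache + mod_php setup hands to the PHP interpreter.
EXEC_EXT = (".php", ".php3", ".php4", ".php5", ".phtml", ".phar")
PHP_TAG = re.compile(rb"<\?(?:php\b|=)")

def classify_upload(path):
    """Return the reasons a file in an uploads tree looks executable ([] if clean)."""
    reasons = []
    lower = os.path.basename(path).lower()
    # Catches shell.php as well as double extensions such as shell.php.jpg.
    if any(lower.endswith(ext) or f"{ext}." in lower for ext in EXEC_EXT):
        reasons.append("php-executable extension")
    with open(path, "rb") as fh:
        head = fh.read(4096)  # enough to catch a tag planted near the start of a file
    if PHP_TAG.search(head):
        reasons.append("php open tag in content")
    return reasons

def scan_uploads(root):
    """Walk root and return {relative_path: reasons} for every suspect file."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = classify_upload(full)
            if reasons:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return findings

def build_demo_tree(base):
    """Write a constructed sample uploads tree (not taken from the CTF VM)."""
    samples = {
        "2016/03/photo.jpg": b"\xff\xd8\xff\xe0 fake JPEG bytes",
        "2016/03/shell.php": b"<?php echo 'hello'; ?>",
        "2016/03/poster.php.jpg": b"\xff\xd8 nothing in here",
        "2016/03/avatar.gif": b"GIF89a<?php echo 'polyglot'; ?>",
    }
    for rel, data in samples.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return base

def demo_scan():
    """Build the sample tree in a temporary directory and scan it."""
    return scan_uploads(build_demo_tree(tempfile.mkdtemp()))
```

`demo_scan()` flags shell.php (extension and content), poster.php.jpg (double extension) and avatar.gif (GIF header followed by a PHP tag), and leaves photo.jpg alone.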

Enumerate the WP Database details.

[Image: wp_database_details]

OS details

[Image: shell_ubuntu_release]

I found a shadow.bak file in /tmp, which I was able to cat and pull locally to run John the Ripper on. A couple of passwords recovered, and a sudo -s later…
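An added example (not the author’s), written from the defender’s side: the privesc here hinged on a readable shadow.bak left in /tmp, so this Python audit walks directories for files in /etc/shadow format whose mode lets group or others read them. Directory layout, file names and the hash strings in the demo are constructed placeholders.

```python
import os
import stat
import tempfile

def shadow_like(head: bytes) -> bool:
    """Heuristic for /etc/shadow format: 9 colon-separated fields per line with a
    crypt hash ($id$salt$hash) or a lock marker (*, !, !!) in the second field."""
    for raw in head.splitlines()[:5]:
        fields = raw.split(b":")
        if len(fields) == 9 and (fields[1].startswith(b"$") or fields[1] in (b"*", b"!", b"!!")):
            return True
    return False

def find_exposed_shadow_copies(roots):
    """Return [(path, mode)] for shadow-format files that group or others can read."""
    findings = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                    if not stat.S_ISREG(st.st_mode):
                        continue           # skip symlinks, sockets, devices
                    with open(path, "rb") as fh:
                        head = fh.read(4096)
                except OSError:
                    continue               # unreadable to us means not exposed to us
                if shadow_like(head) and st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                    findings.append((path, oct(stat.S_IMODE(st.st_mode))))
    return findings

# Constructed shadow-style lines; the hashes are placeholders, not real credentials.
FAKE_SHADOW = (b"root:$6$saltsalt$PLACEHOLDERHASH:16800:0:99999:7:::\n"
               b"daemon:*:16800:0:99999:7:::\n"
               b"user1:$6$othersalt$ANOTHERPLACEHOLDER:16800:0:99999:7:::\n")

def demo_audit():
    """Build a temp dir holding a world-readable backup, an owner-only backup and a
    harmless file, then audit it. Returns the file names that were flagged."""
    base = tempfile.mkdtemp()
    cases = {"shadow.bak": 0o644, "shadow-private": 0o600, "notes.txt": 0o644}
    for name, mode in cases.items():
        path = os.path.join(base, name)
        with open(path, "wb") as fh:
            fh.write(FAKE_SHADOW if name != "notes.txt" else b"todo: rotate keys\n")
        os.chmod(path, mode)
    return sorted(os.path.basename(p) for p, _ in find_exposed_shadow_copies([base]))
```

Only shadow.bak is reported: shadow-private has the same contents but mode 0600, and notes.txt is world-readable but not in shadow format.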

[Image: final_flags]

Done.

Conclusion

Didn’t manage to complete the challenge without looking at the walkthroughs, so I’ll have to keep practicing!

I learned that, obviously, there is more than one tool for most jobs, Kali often has all of them, but sometimes you don’t need the tool with the most bells and whistles (i.e. Hydra) when all you need is to brute force WordPress (i.e. WPScan).

Some good learnings here. I need to work on enumeration and discovering things on an existing system. I have some notes in a private Gist that I’m keeping to help here.

I found once I’d looked at the walkthrough, I basically stopped enumerating contents of the server, so that’s not a good thing. I’ll need to TRY HARDER for the next ones if I’m ever going to do PWK/OSCP!
