Minotaur CTF – Walk Through

This is a writeup of the Minotaur CTF boot2root CTF VM which can be found on VulnHub.

This is my first CTF writeup, having previously done a couple of CTF challenges with varying levels of success. In each of the previous challenges I’ve done, I have had to look at other walkthroughs to get an idea of the next steps required. Pleasantly, however, in a couple of cases the next step was what I’d assumed it would be – but thought to myself “Naa. That doesn’t seem right.”, only to find that in the walkthrough, that’s what they did.

For this CTF Walk Through, I’m going to give it my best go, without looking at other walk throughs. That is until I crack the shits and go looking for hints 🙂

Disclaimer: All techniques discussed and demonstrated are ONLY used in my home VM lab. Never use these techniques against servers you do not have explicit permission to use these tools against – depending on where you are – actions such as that are probably ILLEGAL.

Anyway – onto the CTF!

The following CTF’ing occurred over the course of a few days (and lots of beer); and ultimately resulted in failure (not entirely related to the beer!). I’ve documented it here as a record of my own learnings, but you may get something from it, anyway.


Virtual Box VM

Initially I encountered an error regarding a missing network interface in VirtualBox, which was easily (and automatically) resolved by entering the settings menu for the VM. I left it on Host Only, which assigned an address in the required range as suggested by Robert.

Initially I was skeptical about leaving it on this range as usually I put my VMs in a specific ‘pen-test’ private network; but thankfully my Kali VM also has a second Host Only network adapter, which allowed it to reach the Minotaur CTF VM.


Where’s that box!

Firstly, fire up nmap, and scan that network.


The server was discovered running on, and as you can see there are three services running – SSH, HTTP and another I’ve never seen before on port 2020; showing as ‘xinupageserver’. I’ve never seen that service before, but it could be a common service which has been configured to run on this port – security by obscurity and all that. I’m not sure, so, let’s find out, shall we?



Now we’re talking.


So, as suspected, it’s a common service running on an unusual port. That’s a red-flag, straight up, but also could be a red herring! We’ll proceed, with caution.

If it is FTP though, “Anonymous access, what about anonymous access!” I hear you screaming!


Yep, anon access permitted. Let’s poke around.


Seems to be empty. So… Could it be writable? Doubtful, but changing things from the default is a thing…




Also in the services list is Apache HTTPD. Good stuff. Let’s see what’s there…


Ok. Default HTTPD page. And here I was hoping for a nice, vulnerable PHP application. D’oh! However, some more clues. Ubuntu (which we actually did see in the service versions, too…)

Nmap fun to come, we’ll kick some scripts off and see what we can find.


SSHD hasn’t been without its problems, but from what I know of it is generally very well regarded as secure – so we won’t pay it much attention other than a cursory search for vulnerabilities.

Remote Code Execution


What’s available for SSHD?


Only one… xauth injection. Hrm. I wasn’t even sure what Xauth was. I downloaded the exploit and had a read. Requires a local shell, but does allow privesc from a shell. We might be able to use that, once we HAVE a shell.


I always remember endless RCE’s and other vulnerabilities in FTPD’s when I was new to the industry. So, let’s see what we can find here first.


Ugh. That wasn’t as easy as I’d hoped. Let’s expand the search a little.


Ok. We don’t have a specific version provided by Nmap (only 2.0.8 or later), and there is only one RCE listed there, but it’s for 2.3.4 only. Not too much to go on. And… Anon access is there, but empty, and not writable.


Now, let’s find an exploit for Apache 2.4.7.


Slim. Fucking. Pickings.

So, where to now?

Breaking out the hammer!

The hints provided are:

This CTF has a couple of fairly heavy password cracking challenges, and some red herrings.
One password you will need is not on rockyou.txt or any other wordlist you may have out there. So you need to think of a way to generate it yourself.

I think we’ve found at least one of those red herrings. So, let’s try and bruteforce SSH!

Hydra -u option works well! Note the difference in tries/min between the top, 160/min and the bottom with -u 534/min…


Just going to let that go overnight…

And, the next morning, 289329 tries later – zero found accounts! I’ll let that run, but I haven’t enumerated the contents of the HTTP server as yet. Let’s crack out ‘dirb’ and see what it can find.


We have WordPress! WPScan time.


17, yes 17 vulns found for WP 4.2.2! At least ONE of those should allow some kind of action!

Of note, I can see one SQL Injection attack, and one Arbitrary file upload vuln in the Slideshow plugin.



So, they’ll be our starting points.

Attacking WordPress

The WordPress application says:

If you want to see more, become a full member.


So I’ll take that as a hint.

Man… All these built bovine, are making me hungry to smoke another brisket!

Anyway. Smoked meat dreams can wait. I’m brute forcing the WP login page. I ran WPscan and enumerated the users:


So, now trying to brute force the WP login page. Suspecting I won’t have any success however, due to the above mentioned issues with the password… I suspect I need to work on my OSINT skills.


Aaaand I realised this was the point my existing knowledge and skill ran out.

FAILED. Looked at a walkthrough

So, based on the walkthrough:


which… failed. Turns out I’m doing something wrong with Hydra for bruteforcing, so now I’m spending this time to learn how to operate Hydra correctly. I’ve posted a little on an infosec forum, so hopefully get some help there.

Using wpscan, the password was discovered very quickly:


From this point forward I avoided the walkthrough as best I could – so I will be doing my best to continue on my own.

Now that I have determined this password is correct, I will login and try to exploit the arbitrary file upload vulnerability previously mentioned.

Firstly, I created a shell.php, which simply contains URLencoded Python, which initiates the reverse shell back to the IP address. There was no specific need for this to be URL encoded, it was just what I had handy, and I can make it work easily:


Note also nc is running and waiting for a connection on 1234.


BAM! Shell achieved!

Enumerate the WP Database details.


OS details


I found a shadow.bak file in /tmp, which I was able to cat and pull locally to use john the ripper on. A couple of passwords retrieved, and a sudo -s later…
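The leaked shadow.bak in /tmp is the kind of thing a defender wants to catch before anyone else does. The following is an added example, not from the original post: a small POSIX shell check that looks for shadow-file copies left in group- or world-readable locations and confirms, by content, that they really look like /etc/shadow. The default directory list and the sample data in the comments are constructed assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post). Assumes POSIX sh and a find(1)
# that accepts symbolic -perm modes (GNU and BSD find both do).

# Print group- or world-readable files that look like shadow copies by name.
# $1: colon-separated directories to search; the default list is a constructed
#     choice of the usual "I'll just park it here" locations.
find_leaked_shadow_copies() {
  dirs=$(printf '%s' "${1:-/tmp:/var/tmp:/home:/var/backups}" | tr ':' ' ')
  for d in $dirs; do
    [ -d "$d" ] || continue
    # Name suggests a shadow copy (shadow.bak, shadow-, old.shadow ...) AND the
    # group or other read bit is set. -xdev keeps the scan on one filesystem.
    find "$d" -xdev -type f \( -iname 'shadow*' -o -iname '*.shadow' \) \
         \( -perm -g+r -o -perm -o+r \) 2>/dev/null
  done
}

# Heuristic content check: a genuine shadow line has 9 colon-separated fields
# and a second field that is a crypt hash ($id$...), a locked marker (!) or (*).
# Exit status 0 when at least one such line is present, 1 otherwise.
looks_like_shadow() {
  awk -F: 'NF == 9 && $2 ~ /^(\$[0-9a-z]+\$|!|\*)/ { found = 1 }
           END { exit !found }' "$1"
}

# Report every candidate whose contents confirm the suspicion.
# Returns 0 when nothing was found, 1 when at least one leak was reported.
report_leaked_shadow_copies() {
  rc=0
  for f in $(find_leaked_shadow_copies "$1"); do
    if looks_like_shadow "$f"; then
      printf 'LEAK: %s is a readable shadow copy (mode %s)\n' \
        "$f" "$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")"
      rc=1
    fi
  done
  return $rc
}
```

Running `report_leaked_shadow_copies` from cron (or as an osquery-style check) and fixing with `chmod 600` / removal closes exactly the path used above.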




Didn’t manage to complete the challenge without looking at the walkthroughs, so I’ll have to keep practicing!

I learned that, obviously, there is more than one tool for most jobs, Kali often has all of them, but sometimes you don’t need the tool with the most bells and whistles (i.e. Hydra) when all you need is to brute force WordPress (i.e. WPScan).

Some good learnings here. I need to work on enumeration and discovering things on an existing system. I have some notes in a private Gist that I’m keeping to help here.

I found once I’d looked at the walkthrough, I basically stopped enumerating contents of the server, so that’s not a good thing. I’ll need to TRY HARDER for the next ones if I’m ever going to do PWK/OSCP!
