Hello everyone, I am Hac, and today we are going to do Minotaur's Labyrinth from TryHackMe. This is my first writeup here, so feedback is highly appreciated.
Nmap scan:
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 3 nobody nogroup 4096 Jun 15 14:57 pub
80/tcp open http Apache httpd 2.4.48 ((Unix) OpenSSL/1.1.1k PHP/8.0.7 mod_perl/2.0.11
443/tcp open http Apache httpd 2.4.48 ((Unix) OpenSSL/1.1.1k PHP/8.0.7 mod_perl/2.0.11
3306/tcp open mysql?
OK, so anonymous FTP login is allowed on port 21, a web server is running on port 80 and MySQL on 3306.
We will check FTP first. There is one directory, pub, which contains one file and a directory .secret; we download those files and analyze them further.
We got our first flag, yay!
When we visit port 80 it asks for a username and password, but we don't have any. I tried admin/admin and admin/password, but no luck. There are two ways to get creds: one is to check the page source code and then visit js/login.js.
There we can see the username; to get the password we need some help from Mr. Python or your favourite programming language.
We got the creds, but there is one more way to get them: when we visit the /logs directory we can get the creds there too. You may be wondering how I knew about /logs; simple, use ffuf.
Cool, we are successfully logged in. We can see a search bar and some options, but what to do now? We need to go through all the features on the site and see what results we get. After some time I found SQLi in the search bar.
We can see the usernames and passwords; the passwords seem to be hashed (MD5). After cracking that password we can get admin access on the site. After poking around I came across echo.php and tried command injection.
But when I tried ;ls it seemed like it was filtering some characters. I was able to bypass it with |ls.
Time to get the shell. After a long time I finally got the shell; you need to encode your payload in base64:
| echo "your payload here" | base64 -d | bash
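As an added defensive example (not part of the original writeup): a small log triage script that scans Apache access-log lines for requests to echo.php whose query parameters carry shell metacharacters like the ; and | tried above, or a base64-decode-and-execute chain like the payload above. The echo.php path, the search parameter name and the log lines are constructed assumptions, not values taken from the room.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample Apache access-log lines (combined format, truncated).
# The endpoint, parameter name and base64 blob are assumptions for the demo.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jun/2021:14:57:01 +0000] "GET /echo.php?search=hello HTTP/1.1" 200 512
10.0.0.5 - - [15/Jun/2021:14:57:09 +0000] "GET /echo.php?search=hello%3Bls HTTP/1.1" 200 40
10.0.0.5 - - [15/Jun/2021:14:57:20 +0000] "GET /echo.php?search=hello%7Cls HTTP/1.1" 200 1337
10.0.0.5 - - [15/Jun/2021:14:58:02 +0000] "GET /echo.php?search=x%7C+echo+cGF5bG9hZA%3D%3D+%7C+base64+-d+%7C+bash HTTP/1.1" 200 0
10.0.0.9 - - [15/Jun/2021:14:59:00 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

# Pull client IP, timestamp, method, request target and status from one line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Characters that let a value escape a naively built shell command. A
# blocklist that only strips ';' is bypassed by '|', so check all of them.
SHELL_META = re.compile(r'[;|&`$]')
# "base64 -d ... sh/bash": the decode-and-pipe-to-shell pattern.
DECODE_EXEC = re.compile(r'base64\s+(?:-d|--decode)\b.*\b(?:ba)?sh\b')


def analyze_line(line):
    """Return a finding dict for a suspicious echo.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    if not parts.path.endswith('/echo.php'):
        return None
    findings = []
    # parse_qs percent-decodes values, so %7C is inspected as a real '|'.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if DECODE_EXEC.search(value):
                findings.append((name, 'decode-and-execute chain'))
            elif SHELL_META.search(value):
                findings.append((name, 'shell metacharacter ' + SHELL_META.search(value).group(0)))
    if not findings:
        return None
    return {'ip': m.group('ip'), 'ts': m.group('ts'), 'findings': findings}


def scan(log_text):
    """Run analyze_line over every line and keep only the hits."""
    return [hit for hit in (analyze_line(l) for l in log_text.splitlines()) if hit]


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit['ts'], hit['ip'], hit['findings'])
```

The filtered ;ls attempt is still reported, because a blocked attempt is itself the earliest signal that someone is probing the endpoint.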
Now it's time for privesc, let's go. I can see a /timer directory, and it's running a script, timer.sh,
so I added my payload and boom, I got root.