narancs's blog

TryHackMe – Boiler CTF walkthrough

Introduction


This is a walkthrough of the Boiler CTF room on TryHackMe. It requires thorough enumeration, exploitation, and privilege escalation.

Enumeration

nmap scan results:

The scan shows that 4 ports are open: 21, 80, 10000 and 55007. From the service detection we can also notice the following things:

  • anonymous FTP login is allowed
  • there is a robots.txt file on the web server that might be interesting to check
  • MiniServ 1.93 is running on port 10000, serving Webmin, a web-based system administration tool for Unix-like servers
  • SSH is running on port 55007 instead of the default port 22

Using this information we can answer Question 2 – What is on the highest port? and Question 3 – What’s running on port 10000?.

For Question 4 – Can you exploit the service running on that port? I looked for exploits for MiniServ, specifically for version 1.93, and only found exploits for lower versions. So the answer is ‘nay’.

FTP

Let’s connect to FTP as the anonymous user and look around.

There is one hidden file on the FTP server. The extension of this file is the answer for Question 1 – File extension after anon login.

We can download the file using the get command to check its contents. It contains:

    Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl!

After ROT13 decoding:

    Just wanted to see if you find it. Lol. Remember: Enumeration is the key!

So this is not important. Just keep enumerating!

HTTP

Let’s move on to enumerating the web server.

robots.txt
First I checked robots.txt at http://<VM IP address>/robots.txt. These are the contents of the robots.txt file:

    User-agent: *
    Disallow: /
    /tmp
    /.ssh
    /yellow
    /not
    /a+rabbit
    /hole
    /or
    /is
    /it
    079 084 108 105 077 068 089 050 077 071 078 107 079 084 086 104 090 071 086 104 077 122 073 051 089 122 085 048 077 084 103 121 089 109 070 104 078 084 069 049 079 068 081 075

We find some paths that look promising, but none of them leads anywhere. We also find a series of numbers that looks like an encoded message.

I used https://cyberchef.org/ to decode the message with the ‘From Decimal’ and ‘From Base64’ operations. I got the following result:

    99b0660cd95adea327c54182baa51584

This looks like a hash. A hash identifier such as https://hashes.com/en/tools/hash_identifier reports it as MD5 (32 hex characters). MD5 is fast and, here, unsalted, so a dictionary attack is cheap: either an online lookup service or hashcat with a wordlist (a hash is cracked by guessing, not decrypted):

    hashcat -a 0 -m 0 99b0660cd95adea327c54182baa51584 /usr/share/wordlists/rockyou.txt

The cracked value is ‘kidding’, which is not useful. Just another rabbit hole.
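The two decodings above, the ROT13 hint from the FTP file and the ‘From Decimal’ then ‘From Base64’ chain on the robots.txt numbers, done offline in Python. This is an added example and not code from the original post; the two inputs are copied from the page, while the hash-family lookup by hex length and the three-word guess list standing in for rockyou.txt are my own constructions.

```python
"""Added example (not from the original post): decode the two hints found
during enumeration offline. ROT13 covers the FTP file; the robots.txt
numbers go through 'From Decimal' and then 'From Base64', the same
CyberChef recipe used in the walkthrough."""
import base64
import codecs
import hashlib
import re
from typing import Optional

# Both inputs are copied from the walkthrough.
FTP_HINT = "Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl!"
ROBOTS_NUMBERS = (
    "079 084 108 105 077 068 089 050 077 071 078 107 079 084 086 104 "
    "090 071 086 104 077 122 073 051 089 122 085 048 077 084 103 121 "
    "089 109 070 104 078 084 069 049 079 068 081 075"
)

# Hex length -> likely unsalted digest family (assumption: a first guess only;
# length alone cannot tell MD5 from other 128-bit hashes such as NTLM).
HEX_DIGEST_BY_LENGTH = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}


def rot13(text: str) -> str:
    """ROT13 is its own inverse, so the same call encodes and decodes."""
    return codecs.decode(text, "rot13")


def from_decimal(numbers: str) -> str:
    """Whitespace-separated decimal byte values -> text (CyberChef 'From Decimal')."""
    return "".join(chr(int(tok)) for tok in numbers.split())


def decode_robots_hint(numbers: str) -> str:
    """From Decimal, then From Base64; the payload's trailing newline is stripped."""
    b64 = from_decimal(numbers)
    return base64.b64decode(b64).decode("ascii").strip()


def classify_hex_digest(value: str) -> Optional[str]:
    """Guess the hash family from a hex string's length, or None if it is not hex."""
    if not re.fullmatch(r"[0-9a-fA-F]+", value):
        return None
    return HEX_DIGEST_BY_LENGTH.get(len(value))


def check_md5_candidate(word: str, digest: str) -> bool:
    """Offline equivalent of one hashcat -m 0 guess: hash the word and compare."""
    return hashlib.md5(word.encode()).hexdigest() == digest.lower()


if __name__ == "__main__":
    print(rot13(FTP_HINT))
    digest = decode_robots_hint(ROBOTS_NUMBERS)
    print(digest, classify_hex_digest(digest))
    # Constructed three-word wordlist standing in for rockyou.txt.
    for guess in ("password", "enumeration", "kidding"):
        print(f"{guess:12s} {check_md5_candidate(guess, digest)}")
```

check_md5_candidate is exactly what hashcat does per wordlist entry; the difference is only speed, which is why an unsalted MD5 of a dictionary word falls in seconds.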

gobuster

We can further enumerate the web server with the gobuster tool to look for interesting files and directories.

    gobuster dir --url http://10.10.40.201/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x txt,php,html

In the results of the scan we will find a path to a CMS. That will be the answer for Question 5 – What’s CMS can you access?.

Then I continued scanning with gobuster against the subdirectories of the CMS, then against the directories found there, and so on. There are a lot of files to find, but most of them are not useful.

Finally, I found the directory that leads to the solution using a different wordlist, /usr/share/wordlists/dirb/common.txt. With it I found the _test directory; opening it in the browser leads to a sar2html web app.

Exploitation

RCE

I found a Remote Code Execution vulnerability for sar2html on Exploit-DB: https://www.exploit-db.com/exploits/49344

From the script we learn that commands can be injected through the plot parameter of index.php, like this:

    /index.php?plot=;{cmd}

I used the ls command, and the list of files showed up on the page in the ‘Select Host’ dropdown menu.

Now we have the answer for Question 7 – The interesting file name in the folder?.

If we open that file (it sits in _test) we find SSH logs showing a successful login of the basterd user, including the password:

    Aug 20 11:16:26 parrot sshd[2443]: Server listening on 0.0.0.0 port 22.
    Aug 20 11:16:26 parrot sshd[2443]: Server listening on :: port 22.
    Aug 20 11:16:35 parrot sshd[2451]: Accepted password for basterd from 10.1.1.1 port 49824 ssh2 #pass: superduperp@$$
    Aug 20 11:16:35 parrot sshd[2451]: pam_unix(sshd:session): session opened for user pentest by (uid=0)
    Aug 20 11:16:36 parrot sshd[2466]: Received disconnect from 10.10.170.50 port 49824:11: disconnected by user
    Aug 20 11:16:36 parrot sshd[2466]: Disconnected from user pentest 10.10.170.50 port 49824
    Aug 20 11:16:36 parrot sshd[2451]: pam_unix(sshd:session): session closed for user pentest
    Aug 20 12:24:38 parrot sshd[2443]: Received signal 15; terminating.
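The log above, run through a parser for sshd ‘Accepted’ lines, as an added example that is not part of the original post. Real OpenSSH never writes the password into an ‘Accepted password’ line, so the parser keeps whatever follows a ‘#’ as a foreign comment and flags it, and it also joins each login to its pam_unix session line by sshd pid so the mismatch between the accepted user (basterd) and the session user (pentest) shows up. The sample lines are copied from the page; the publickey line in the usage is constructed.

```python
"""Added example (not from the original post): extract login events from
sshd log lines and flag what does not belong in genuine sshd output."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Log lines copied from the file found in _test.
SAMPLE_LOG = """\
Aug 20 11:16:26 parrot sshd[2443]: Server listening on 0.0.0.0 port 22.
Aug 20 11:16:35 parrot sshd[2451]: Accepted password for basterd from 10.1.1.1 port 49824 ssh2 #pass: superduperp@$$
Aug 20 11:16:35 parrot sshd[2451]: pam_unix(sshd:session): session opened for user pentest by (uid=0)
Aug 20 11:16:36 parrot sshd[2466]: Received disconnect from 10.10.170.50 port 49824:11: disconnected by user
Aug 20 11:16:36 parrot sshd[2451]: pam_unix(sshd:session): session closed for user pentest
"""

# A genuine 'Accepted' line ends after 'ssh2' (publickey logins append
# ': <keytype> <fingerprint>'); anything after a '#' is not sshd output.
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
    r"(?: ssh2[^#]*)?(?:#\s*(?P<comment>.*))?$"
)
SESSION_OPENED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:session\): session opened for user (?P<user>\S+)"
)


@dataclass
class Login:
    timestamp: str
    host: str
    pid: int
    method: str
    user: str
    src: str
    port: int
    comment: Optional[str]              # text after '#': never produced by sshd
    session_user: Optional[str] = None  # user from the pam_unix line with the same pid


def parse_logins(text: str) -> List[Login]:
    """One Login per 'Accepted ...' line, joined to its pam session line by sshd pid."""
    logins: List[Login] = []
    by_pid: Dict[int, Login] = {}
    for line in text.splitlines():
        m = ACCEPTED.match(line)
        if m:
            login = Login(m["ts"], m["host"], int(m["pid"]), m["method"], m["user"],
                          m["src"], int(m["port"]), m["comment"])
            logins.append(login)
            by_pid[login.pid] = login
            continue
        m = SESSION_OPENED.search(line)
        if m and int(m["pid"]) in by_pid:
            by_pid[int(m["pid"])].session_user = m["user"]
    return logins


def anomalies(login: Login) -> List[str]:
    """What a defender (or a sceptical attacker) should notice in such a login."""
    issues = []
    if login.comment is not None:
        issues.append("text after '#' is not sshd output: " + login.comment)
    if login.session_user and login.session_user != login.user:
        issues.append(f"session opened for {login.session_user!r} "
                      f"but login accepted for {login.user!r}")
    return issues


if __name__ == "__main__":
    for login in parse_logins(SAMPLE_LOG):
        print(f"{login.timestamp} {login.user}@{login.host} from {login.src}:{login.port} via {login.method}")
        for issue in anomalies(login):
            print("  [!]", issue)
```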
				
			

We can use it to SSH to the host (remember that ssh is running on port 55007; the port 22 and the hostname parrot in the log do not belong to this box, the file was simply left behind in the web directory):

    ssh basterd@10.10.254.144 -p 55007

In the home directory we can find a file that contains the username and password for another user.

The name of this file is the answer for Question 8 – Where was the other users pass stored(no extension, just the name)?.

Privilege Escalation

Now we have another user’s credentials. Let’s switch to stoner with the su command:

    su - stoner

There are 2 files in stoner’s home directory: .nano and .secret. The content of the .secret file will be the answer for Question 9 – user.txt.

We still need to get root access. Let’s check the sudo privileges of stoner.

    stoner@Vulnerable:~$ sudo -l
    User stoner may run the following commands on Vulnerable:
        (root) NOPASSWD: /NotThisTime/MessinWithYa
    stoner@Vulnerable:~$

Okay, this is another rabbit hole. Let’s check for SUID executables.

    find / -perm -u=s -type f 2> /dev/null

The find binary has the SUID bit set, and we can exploit it as described on GTFOBins: https://gtfobins.github.io/gtfobins/find/#suid

This will be the answer for Question 10 – What did you exploit to get the privileged user?.

Now we can get the answer for Question 11 – root.txt.
