Boiler CTF Walkthrough

Ams._.Ghimire
5 min read · Apr 3, 2024


Try Hack Me

In this blog, we will cover a walkthrough of the Boiler CTF from Try Hack Me. This challenge is of medium difficulty level. The main objective of this blog is to uncover the methodology when we are competing or doing CTF challenges, so let’s begin.

Scanning and Enumeration

Firstly, let’s scan the target using nmap to see what services it is running. The -sS flag performs a TCP SYN scan, -p- covers all 65535 TCP ports, -n skips DNS resolution, -Pn skips host discovery (the host is treated as up), -sV probes for service versions, and --min-rate=4500 speeds up the scan by telling nmap to send at least 4500 packets per second.

$ nmap -sS -p- -n -Pn --min-rate=4500 <target_ip> -sV

A few ports are open. Now, let’s go through the ports and services one by one to move forward in the challenge.

vsFTPd 3.0.3 (Port 21)

We see the FTP service hosted on its default port. As a first step, let’s check whether the service accepts default credentials: an anonymous login with the username ‘anonymous’ and no password. As expected, we were able to log in.

Now, using the ls -la command, we can see a hidden file named info.txt. Let’s read it with the less command from the FTP client. We obtained some encrypted text. Let’s take it over to dcode.fr/cipher-identifier and decrypt it. The engine identified it as ROT13. Let's decrypt it.

The text suggests that we focus on enumeration to tackle the challenge. Now, let’s move on to another open port.

MiniServ 1.930 (Port 10000)

Now, on port 10000, we encounter a WebMin login portal.

Let’s perform simple web recon to check for vulnerabilities. Webmin has had a few vulnerabilities, such as an authenticated RCE. However, version 1.930, the one in this challenge, had no disclosed vulnerabilities. So, let’s proceed further and identify the technologies in use on the Webmin portal with Wappalyzer, a browser extension that fingerprints web technologies.

We can see that the Joomla CMS is in use. Let’s navigate to the /joomla path, where the main page is hosted.

There’s nothing interesting on the homepage itself, so let’s look up known vulnerabilities in this CMS. But first, let’s fuzz for directories to map the attack surface. I will be using gobuster with a simple wordlist.

$ gobuster dir -u http://<target_ip>/joomla/ -w /usr/share/wordlists/dirb/common.txt

Many pages are listed. While browsing the discovered pages, we find a service called sar2HTML, a plotting tool for system statistics, running under the _test directory.

Let’s learn more about this service. A web search shows that it is vulnerable to command injection, which lets us execute commands directly on the system; the steps to reproduce were published on exploit-db. Now, let’s exploit the service. The exploitation is very simple: when interacting with the buttons, a parameter is passed as plot={xxxxx} in the URL, and that parameter is our injection point. Let’s execute a Linux command and read an available file.

URL: http://<target_ip>/joomla/_test/index.php?plot=;ls

Executing ls revealed an interesting file named log.txt. Let’s read the log file.

URL: http://<target_ip>/joomla/_test/index.php?plot=;cat log.txt

Here, we discovered an exposed SSH username and password: basterd:superduperp@$$. Now, let’s try to get into the system by logging in through SSH on port 55007.

OpenSSH (Port 55007)

We’ve successfully logged in. Now, let’s see what is available in the home directory. There is a backup.sh file; let’s read it.

In this file we found another user’s (stoner) username and password hardcoded, so let’s switch to that user with su.

After logging in to the ‘stoner’ user, we found a secret text file with a message indicating that this was not the end. So, let’s dig deeper and try to escalate privileges to access the root account.

Linux Privilege Escalation

Let’s see what the current user can run with sudo using the sudo -l command; there was nothing. Next, let’s look for files with the SUID bit set. A SUID executable runs with the privileges of its owner (for a root-owned file, as root) rather than those of the user who launched it.

$ find / -perm /4000 -type f

Here, 4000 is the SetUID bit; the leading slash tells find to match if any of the given bits are set.

We can see that the find binary itself is SUID root, so anything it executes runs as root. Now, finally, let’s leverage find’s -exec action to gain access to the /root directory.

$ find . -exec chmod 007 /root \;

Here, the -exec action of find runs chmod as root, setting mode 007 on /root: owner and group get no permissions, while others (everyone else, including our user) get full read, write and execute access. The \; terminates the -exec command; the backslash keeps the shell from treating the semicolon as a command separator. Let’s run the command.
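From the defender’s side, the same -perm /4000 search becomes a periodic SUID audit. The script below is an added example, not part of the original post: it lists SUID files under a directory tree and reports any that are missing from a known-good baseline file (one absolute path per line). Both the tree to scan and the baseline file are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit SUID binaries and
# report any that are not present in a known-good baseline.
# Assumed inputs: a directory tree to scan and a baseline file with one
# absolute path per line (e.g. generated once on a freshly built host).

# list_suid DIR: print SUID regular files under DIR, one per line, sorted.
# -perm /4000 matches if the SetUID bit (4000) is set, regardless of the
# other mode bits; errors from unreadable directories are suppressed.
list_suid() {
    find "$1" -perm /4000 -type f 2>/dev/null | sort
}

# new_suid DIR BASELINE: print SUID files under DIR that are not listed in
# BASELINE. Whole-line fixed-string matching (-x -F) so that a baseline entry
# such as /usr/bin/find cannot accidentally cover /usr/bin/find2.
new_suid() {
    if [ -s "$2" ]; then
        # grep exits 1 when nothing is printed; that is a clean result here
        list_suid "$1" | grep -vxF -f "$2" || true
    else
        # empty or missing baseline: every SUID file is unexpected
        list_suid "$1"
    fi
}

# audit DIR BASELINE: return 0 when no unexpected SUID files exist, 1 otherwise,
# printing the offenders so they can be reviewed (or stripped with chmod u-s).
audit() {
    found=$(new_suid "$1" "$2")
    if [ -n "$found" ]; then
        printf 'unexpected SUID file(s):\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}
```

Run audit / /etc/suid-baseline.txt from cron and alert on a non-zero exit; a SUID copy of find appearing outside the baseline is exactly the condition this box relies on.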

Finally, we can now view the /root directory and retrieve our final root flag, and the box is solved.
