TryHackMe - Boiler
This was an intermediate level CTF challenge where I worked more than it was necessary because there were several “misleading” things, but I liked this, I really felt that there was an effort. Anyway, let’s get to work. There were 2 sets of questions.
[Task 1] Questions #1
As always, the first thing I do is to perform a scan with nmap on the IP address I get for that machine. This time I scanned all the ports, not only the most common ones, this was needed for some answers from the first set of questions. Below you have the results of the scan.
1. File extension after anon login
As you can see, on port 21 we have a FTP service running, which allows anonymous login. After logging in on this server, I listed all the files, including the hidden ones, because the one I needed was of this kind.
2. What is on the highest port?
This can be found easily on the above report from NMAP, check port 55007.
3. What’s running on port 10000?
This also can be found in the same report, just have a look at the version info for the service from that port.
4. Can you exploit the service running on that port? (yay/nay answer)
I looked on Google for available exploits for that version of the service but I didn’t find anything. There were some, but not for that version.
5. What CMS can you access?
When I checked the web page for the IP I got, it was just the default home page of Apache. Nothing interesting so far, there wasn’t anything useful in the source code. I decided to perform a scan with gobuster, to see what I can find. Using the common.txt wordlist, I found the answer in the results obtained from there, it is a common CMS.
6. Keep enumerating, you’ll know when you find it.
After accessing the page of the CMS, I didn’t find anything relevant there. I initially got a list of numbers available on robots.txt file from the home page and I believed that they could actually be some letters since the range of the numbers was quite the same as for the uppercase and lowercase letters values in ASCII. After decoding this, I got a string that seemed to be the base64 encoded value for another string. I didn’t have too many hopes but I tried to decode it. Surprisingly, it did pop up something. At a first glance, I thought it was a hex encoded value, but I was wrong. When I tried to decode that, it gave me rubbish stuff so I concluded that this was not an option. However, when I checked the length of the string, I saw it was 32 characters long so I realized that it was a hash. Again, I tried to decrypt it using rockyou.txt list and it actually led me to something. I thought it was a password to use later, I even tried to use that to connect as admin on the CMS login form on the home page, but it didn’t work. Anyway, the value of the string made me realize that it was one of the misleading things I mentioned at the beginning.
I decided to follow the hint from the question and I started to dig for subpages, it was telling me that I will know when I will find it. So I used gobuster again and found a lot of pages.
I checked many of the pages I got there and some of them looked as there might be a hint. Unfortunately, I just got trapped in a journey of decoding and decrypting things in base64 and shifted with Caesar Cipher with no results. In the end, again, just misleading things. However, _test subpage looked different from the other ones, even though that, at a first glance, I thought it was just a documentation page for some software. Checked the source code, didn’t find anything.
I didn’t know anything about this and I searched on Google and I found that there was an exploit for this. It looked like by keeping to enumerate, I found what I had to find.
7. The interesting file name in the folder?
As I said before, there was an exploit available, unfortunately, I didn’t find a CVE code for it, but you can search it on exploit-db by Sar2HTML 3.2.1. An exploit quite easy to use, you can find all the details there.
I added the ls command to be executed and when I went in the “Select Host” dropdown menu, I found several files, among which was also the file needed for this question.
[Task 2] Questions #2
Since we were able to execute commands with that exploit and found an interesting file, my next step was to read the file and see if I can find anything useful there.
Well, I found an username and a password in that file! The following thing I did was to try to connect to the server using what I found.
1. Where was the other users pass stored(no extension, just the name)?
After connecting, in the home page of the user I found a script which contained another set of credentials, being the answer for this question.
2. user.txt
Since there was nothing that could be a flag file here, I connected with the new credentials I found to see if I can get anything for the user flag.
By listing all the files inside the home directory for this second user, I found a file where the user flag was contained.
3. What did you exploit to get the privileged user?
The first thing I did was to check if I can run anything with sudo. There was an answer but, again, there was a misleading thing where the author of the machine made fun of me. :))
There wasn’t anything in the cron jobs that could help, the other user didn’t have anything useful for this. I came to the conclusion that maybe I should scan for vulnerabilities so I uploaded linpeas.sh to perform the analysis. I couldn’t do it by starting a http server with python since wget binary was not found on the victim’s machine so I connected with sftp and uploaded it like this.
After the script finished running, in the SUID files there was an executable that had a very high probability of exploit in order to get privilege escalation, you can also see that it’s highlighted with red and yellow, like in the legend of linpeas.
4. root.txt
Now that I found the executable to exploit, let’s get root access. I hid the command I used to escalate the privilege since it is related to the previous question but you can find how to exploit after you find out which is the executable from the task before. After getting a root shell, I also got the root flag.
That was all, I hope you liked this challenge and its walkthrough and you found them useful. I can say that I really enjoyed this CTF!
