Tryhackme | Boiler CTF write-up

This is a free tryhackme room and is medium leveled.

Task 1 :

Let’s always start out journey by performing a Nmap scan.

Output of a nmap fast scan

Looks like FTP is open and Anonymous login is allowed. Let’s get into that.

Seem’s like there’s only 1 file here

That would be our first answer for our task.

Opening up the file gives us some weird hash.

This looks like a common hash.

So I went to Cyberchef and figured out it was ROT13 but it gave me nothing.

You got me.

Our next questions say that there is another higher port? Huh?

So I ran nmap the second time to scan all 65535 ports.

nmap -p- $IP -T5 -sV

Indeed there is a higher port!

For the third question, you can find the answer in the nmap scan.

To find out whether you can exploit the port, a quick google can find you the answer.

Now to find out what CMS we can access, we should enumerate the webserver with Gobuster

Hm maybe robots.txt can help us

I went on to tried all the directories but it was just a rabbit hole, there was also a hash below it, but again it was a rabbit hole.

Like the .info.txt said

Remember : Enumeration is the key!

Perhaps we have to run gobuster to find more sub-directories inside .

That’s a lot of directories to check.

After going through each (seriously) directory, the one that stood out for me was /_test .Opening up the directory reveals something about sar2html

Sar2html exploit?

Searching online leads me to an exploit on Exploit-DB.

I then used a python reverse shell to get into a server and retrieve the interesting file. Which reveals the username and password for our first user.

Username :basterd

Password :superduperp@$$

Let’s login into the ssh server on the higher port.

We’re in.

You can spawn a better shell by using python if you want to.

There seems to be only 1 file and it’s named ‘backup’. Let’s check it out

Another credential?

You can try running sudo on basterd but it doesn’t work. Let’s change user.

Changed

Let’s check out files inside

Always checkout hidden files!

Maybe this user has sudo permissions.

Maybe not.

When we’re stuck like this, it’s best to bring tools to the victim. So I netcat linpeas.sh to this server we’re I find a SUID to get to root.

Let’s create a dummy file to test out find.

It’s out puts as root

Now let’s change the input of the victim.txt to this.

usermod -aG sudo stoner

Now let’s run the exploit with the find command

Now we can run everything!

Now let’s spawn a shell with root permissions

I’m root!

Now let’s get that flag!

Ngl it was pretty hard.

And that’s all for this room!