TryHackMe | Boiler CTF write-up
This is a free TryHackMe room, rated medium difficulty.
Task 1:
Let’s start our journey, as always, by performing an Nmap scan.
Looks like FTP is open and Anonymous login is allowed. Let’s get into that.
That would be our first answer for our task.
Opening up the file gives us some weird hash.
So I went to CyberChef and figured out it was ROT13, but it gave me nothing.
Our next question says that there is another, higher port? Huh?
So I ran nmap the second time to scan all 65535 ports.
nmap -p- $IP -T5 -sV
For the third question, you can find the answer in the nmap scan.
To find out whether you can exploit the port, a quick Google search will find you the answer.
Now, to find out what CMS we can access, we should enumerate the web server with Gobuster.
I went on to try all the directories, but it was just a rabbit hole. There was also a hash below it, but again it was a rabbit hole.
Like the .info.txt said:
Remember : Enumeration is the key!
Perhaps we have to run gobuster to find more sub-directories inside .
After going through each (seriously) directory, the one that stood out for me was /_test. Opening up the directory reveals something about sar2html.
Searching online leads me to an exploit on Exploit-DB.
I then used a Python reverse shell to get into the server and retrieve the interesting file, which reveals the username and password for our first user.
Let’s log in to the SSH server on the higher port.
You can spawn a better shell by using Python if you want to.
There seems to be only 1 file and it’s named ‘backup’. Let’s check it out.
You can try running sudo on basterd but it doesn’t work. Let’s change user.
Let’s check out the files inside.
Maybe this user has sudo permissions.
When we’re stuck like this, it’s best to bring tools to the victim. So I netcat linpeas.sh to this server, where I find a SUID to get to root.
Let’s create a dummy file to test out find.
Now let’s change the contents of victim.txt to this.
usermod -aG sudo stoner
Now let’s run the exploit with the find command.
Now let’s spawn a shell with root permissions.
Now let’s get that flag!
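Seen from the defender's side, the setuid find that linpeas surfaced above is exactly what a baseline audit of setuid files catches. The script below is an added example, not part of the original write-up. The EXPECTED_SUID allowlist and the /usr scan root are assumptions to adapt to your own hosts.

```python
import os
import stat

# Assumed baseline: full paths of programs that normally ship setuid on a
# merged-/usr Debian/Ubuntu host. Replace with your distribution's own list.
EXPECTED_SUID = {"/usr/bin/su", "/usr/bin/sudo", "/usr/bin/passwd",
                 "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
                 "/usr/bin/newgrp", "/usr/bin/mount", "/usr/bin/umount"}


def classify(path, mode, expected=EXPECTED_SUID):
    """Return None for non-setuid files, otherwise a verdict string."""
    if not stat.S_ISREG(mode) or not mode & stat.S_ISUID:
        return None
    if mode & stat.S_IWOTH:
        return "writable"    # any user could overwrite a setuid program
    if path not in expected:
        return "unexpected"  # e.g. /usr/bin/find, as in this room
    return "baseline"


def scan(root="/usr"):
    """Walk root and return (verdict, owner uid, octal mode, path) tuples."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue             # vanished or unreadable entry
            verdict = classify(path, st.st_mode)
            if verdict in ("writable", "unexpected"):
                mode = oct(stat.S_IMODE(st.st_mode))
                findings.append((verdict, st.st_uid, mode, path))
    return findings


if __name__ == "__main__":
    for verdict, uid, mode, path in scan():
        print(f"{verdict:<10} uid={uid:<6} {mode:<7} {path}")
```

Matching on full paths rather than file names means a setuid copy of an allowlisted program dropped somewhere else is still reported.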
And that’s all for this room!