“Today we will be looking at Boiler CTF from TryHackMe. “
Task 1 Questions #1
Intermediate level CTF. Just enumerate, you’ll get there.
File extension after anon login
We can find the answer to this question with nmap scan.
If you look carefully, it says that it allows anonymous entries in the ssh block.
We use ftp port with login anonymous user and then we find file extension.
if we want to read the file, we use the get command.
After downloading and reading the file, we come across something like this.
We understand that there is caesar encryption, and we decode it.
good joke dude!
What is on the highest port?
You can find it by looking at the nmap scan result.
What’s running on port 10000?
You can find it by looking at the nmap scan result.
Can you exploit the service running on that port? (yay/nay answer)
We can’t find any exploit.
What’s CMS can you access?
We know that port 80 is open. We can do directory scan for directories matching whatever is in your chosen wordlist. I used dirb here. You can also lookup to some other directory searching tools like gobuster, dirb, etc. Moving on, use the following command with:
dirb http://ip/
And we found the joomla CMS.
Keep enumerating, you’ll know when you find it.
The interesting file name in the folder?
There are many challenge in _files,robots.txt, _archive and other directories, but if I show them all here, it may take a very long time, it would be more correct for you to deal with it yourself, you can do it using ascii and base64.
We can find in _test directory. This directory it comes out with sar2html.
We can do research google or searchsploit. We see that sar2html is affected by rce.
We can find how do you do exploit sar2html.
We have learned how to take advantage of it, now it’s time to practice.
We found interesting file. When we read it, it included the following.
Yeah, from here we can proceed. And the answer to your question has come out.
Task 2 Questions #2
You can complete this with manual enumeration, but do it as you wish
Where was the other users pass stored(no extension, just the name)?
We’re using the information above to break in.
backup.sh his file is getting my attention and I’m looking into it.
I am encountering the information of a user named stoner and I am switching to a stoner user.
user.txt
There is no user.txt here but we find a hidden file inside the stoner user himself.
What did you exploit to get the privileged user?
This is what greets us when we try to log in as a root user.
When we understand that there will be no way out of here, we try to go through suid bit.
We search through gtfobins and find /usr/bin/find.
I try and see that I am successful.
root.txt
We search and find root.txt with the following command.
find / -name root.txt 2>/dev/null
Suscess!
We found root txt.
So I completed it all.
This box was really fun! I love the ones that have a story/theme that goes along with them.
Hope you guys enjoyed this tutorial, let me know if you try this out. Follow me for more projects like this!
