Boiler CTF Write-up

Description

Boiler CTF is a boot2root machine on TryHackMe. The room is rated “Medium”. After enumerating for a while we find a web application with a command injection vulnerability, which we use to read SSH credentials. After logging into the machine with these credentials, we find a “backup.sh” script inside the home folder. This script again contains credentials, which we use to SSH into the machine as another user. The final privilege escalation to root is done through a misconfigured SUID binary.

Enumeration

First of all we start with an Nmap scan. The initial scan shows us 3 open ports:

The next scan covers all ports. Here we find out that four ports are actually open.

Another Nmap scan with scripts and service enumeration gives us more detail about the services running on the target.

After that we inspect the landing page of the web server on port 80. It is the default Apache 2 Ubuntu landing page.

Now we can enumerate hidden directories. First we check whether there is a “robots.txt” file, and indeed there is one.

All of these directories are just rabbit holes. But there are strange numbers inside the “robots.txt” file. Taking a closer look at these numbers reveals that they are in the range of ASCII character codes. So we can quickly use Python to decode the message:

Output:

This string looks base64-encoded. To decode it we can use CyberChef.

The output looks like an MD5 hash, so we can use a site like Crackstation to crack it.

Crackstation cracks it successfully. But spoiler alert: this is also a rabbit hole.
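The decoding chain used above (decimal ASCII codes, then base64, then a hash-shaped string) is easy to script so that it can be reused on the next robots.txt that carries the same trick. The following is an added example written for this write-up, not the author's script or the room's actual robots.txt content: the sample input is constructed from MD5("password") so the result is known, and the decoder refuses non-printable codes and non-base64 text rather than guessing.

```python
import base64
import binascii
import hashlib
import re
from typing import Dict, Optional

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def ascii_codes_to_text(blob: str) -> str:
    """Turn a run of decimal numbers (separated by spaces, commas or newlines)
    into text, refusing anything outside the printable ASCII range."""
    chars = []
    for token in re.findall(r"\d+", blob):
        code = int(token)
        if not 32 <= code <= 126:
            raise ValueError(f"{code} is not a printable ASCII code")
        chars.append(chr(code))
    return "".join(chars)


def try_base64(text: str) -> Optional[str]:
    """Strictly base64-decode text; return None if it is not valid base64
    or does not decode to ASCII (so noise is never mistaken for a hash)."""
    try:
        raw = base64.b64decode(text, validate=True)
        return raw.decode("ascii")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None


def unwrap(blob: str) -> Dict[str, object]:
    """Apply the chain seen in the write-up: ASCII codes -> text -> base64 -> hash."""
    text = ascii_codes_to_text(blob)
    inner = try_base64(text)
    return {
        "ascii": text,
        "base64": inner,
        "looks_like_md5": bool(inner and MD5_HEX.match(inner)),
    }


def build_sample() -> str:
    """Constructed input, NOT the room's robots.txt: the ASCII codes of the
    base64 encoding of MD5("password")."""
    digest = hashlib.md5(b"password").hexdigest()
    encoded = base64.b64encode(digest.encode()).decode()
    return " ".join(str(ord(c)) for c in encoded)


if __name__ == "__main__":
    print(unwrap(build_sample()))
```

The "looks_like_md5" flag only says the string has the shape of an MD5 digest; whether cracking it leads anywhere is a separate question, as the write-up shows.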

Next we can enumerate the FTP service on port 21. As the Nmap scan showed, it allows anonymous login. So we connect to the FTP server via the following command.

Then we log in with the username “anonymous” and a blank password. Listing the contents shows a file called “.info.txt”, which we can download.

Opening the file shows text that looks ROT13-encoded.

We can easily decode it with CyberChef. But this is also just a rabbit hole.

Next we look at the web service running on port 10000. The URL https://10.10.120.184:10000/ takes us there. It is running Webmin, but we cannot exploit this service.

Next we need more enumeration. We will use ffuf to enumerate directories of the web server on port 80. First we run an attempt with the “directory-list-2.3-medium.txt” wordlist from SecLists. The following ffuf command starts the enumeration:

We will see that two directories exist: “/manual” and “/joomla”.

Next we continue enumeration inside the “/joomla” page. With the same wordlist we find the directory “_files”.

The string found there is double-encoded with Base64. But unfortunately it is also just a rabbit hole.

ffuf finds no other interesting files with this wordlist. So I started another enumeration attempt with another wordlist.

This time I could find another directory, called “_test”.

It is running “sar2html”:

A quick Google search for exploits shows that there is a command injection vulnerability in “sar2html 3.2.1”.

Initial Access

We will use the vulnerability described at https://www.exploit-db.com/exploits/47204. We can inject commands into the “plot” parameter, and the output appears as an option inside the “Select Host” drop-down menu. With this knowledge we can inject the whoami command to test whether this web app is vulnerable.

And it works! So we can now list the contents of the directory. We find an interesting file called “log.txt”.

We can also read this file with the cat command:

It contains a username and a password. We try to use them to log into the machine via SSH. Remember that the SSH server is running on port 55007.
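The bug class behind the “plot” parameter, a request value pasted into a shell command line, is worth seeing next to its fix. The following is an added example for this write-up, not sar2html's code: the handler names and the “echo host=” command are hypothetical stand-ins for whatever the real application runs, chosen so the example runs anywhere with /bin/sh.

```python
import re
import subprocess

# Allowlist for the parameter: hostnames/plot names only, no shell metacharacters.
PLOT_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def plot_vulnerable(plot: str) -> str:
    """DON'T: shell=True with untrusted text concatenated into the command.
    Any shell metacharacter in 'plot' is interpreted by /bin/sh, which is
    exactly what the sar2html exploit relies on."""
    result = subprocess.run(f"echo host={plot}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def plot_argv_only(plot: str) -> str:
    """Argv passing alone: no shell parses the value, so injected text
    survives only as a literal argument. Still pair it with validation,
    since a value starting with '-' can be read as a flag by the program."""
    result = subprocess.run(["echo", f"host={plot}"], shell=False,
                            capture_output=True, text=True)
    return result.stdout


def plot_hardened(plot: str) -> str:
    """DO: validate against the allowlist first, then pass the value as a
    single argv element. Anything unexpected is rejected, not executed."""
    if not PLOT_RE.match(plot):
        raise ValueError("invalid plot name")
    return plot_argv_only(plot)


if __name__ == "__main__":
    probe = "web01; echo injected"
    print("vulnerable:", repr(plot_vulnerable(probe)))
    print("argv only :", repr(plot_argv_only(probe)))
    try:
        plot_hardened(probe)
    except ValueError as exc:
        print("hardened  :", exc)
```

The comparison shows why updating or patching the service (as the mitigation section recommends) matters: the vulnerable variant executes the second command, the argv-only variant echoes it back literally, and the hardened variant never lets it reach a process at all.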

After the SSH login we spot a file called “backup.sh” inside the home folder of the basterd user. We can read this file; it contains the username “stoner” and his password.

We can now log in as “stoner” via SSH:

We can now read the “.secret” file inside the home folder of the “stoner” user.

Privilege Escalation

To find misconfigurations on the server, I will use LinPEAS. I have downloaded it to my machine and serve it via a web server to transfer it to the victim. Run the following command inside the directory where you have stored linpeas.sh on your attacker machine:

After that you can run the following command on the victim to download and run the script:

After waiting for the scan and analyzing the output, I could spot a misconfigured SUID binary:

We can now spawn a root shell by running the following command:

Finally we can read the root flag.

Mitigation

Never rely on security through obscurity. It only makes an attack take longer, but won’t prevent it. The vulnerable “sar2html” service should be updated. Furthermore, credentials should not be stored in plain text. Misconfigured SUID bits should also be avoided. As we can see in the output above, stoner is inside the lxd group. This group can also be abused to escalate privileges to root, so stoner should be removed from the lxd group if he does not need access to it.
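Two of the mitigations above can be checked on a host with a small audit script. The following is an added example written for this write-up, not something from the room or from LinPEAS: it lists SUID binaries that a baseline does not account for and the members of root-equivalent groups such as lxd. The baseline set, the temporary directory fixture and the /etc/group excerpt are constructed assumptions (only the names stoner, basterd and lxd come from the write-up).

```python
import os
import stat
import tempfile
from typing import Dict, Iterable, List, Set, Tuple

# Baseline of SUID programs a stock install is expected to carry. This set is an
# assumption for illustration; build your own from a clean reference host of the
# same distribution and release, and re-check it after every package update.
EXPECTED_SUID: Set[str] = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/newgrp",
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/mount",
    "/usr/bin/umount",
}

# Groups whose membership is effectively root-equivalent on most hosts.
PRIVILEGED_GROUPS = ("lxd", "docker", "sudo", "wheel", "disk")


def find_suid(roots: Iterable[str]) -> List[str]:
    """Walk the given directories and return regular files with the SUID bit set.
    Symlinks and unreadable entries are skipped rather than followed."""
    hits = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                    hits.append(path)
    return sorted(hits)


def unexpected_suid(found: Iterable[str], baseline: Set[str]) -> List[str]:
    """Everything SUID that the baseline does not account for."""
    return sorted(set(found) - baseline)


def privileged_members(group_file_text: str,
                       groups: Iterable[str] = PRIVILEGED_GROUPS) -> Dict[str, List[str]]:
    """Parse /etc/group-style text and list the members of root-equivalent groups."""
    wanted = set(groups)
    members: Dict[str, List[str]] = {}
    for line in group_file_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        name, member_list = fields[0], fields[3]
        if name in wanted:
            members[name] = [m for m in member_list.split(",") if m]
    return members


def make_demo_tree() -> Tuple[str, str]:
    """Constructed fixture: a temp directory holding one SUID file and one
    normal file, so the scan can be exercised without touching the real system."""
    base = tempfile.mkdtemp(prefix="suid-audit-")
    suid_path = os.path.join(base, "odd-binary")
    plain_path = os.path.join(base, "plain-file")
    for path in (suid_path, plain_path):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
    os.chmod(suid_path, 0o4755)
    os.chmod(plain_path, 0o755)
    return base, suid_path


# Constructed /etc/group excerpt; user and group names are from the write-up,
# the numeric ids are made up.
SAMPLE_GROUP_FILE = """root:x:0:
sudo:x:27:
lxd:x:108:stoner
basterd:x:1000:
stoner:x:1001:
"""

if __name__ == "__main__":
    base, _ = make_demo_tree()
    print("unexpected SUID:", unexpected_suid(find_suid([base]), EXPECTED_SUID))
    print("privileged group members:", privileged_members(SAMPLE_GROUP_FILE))
```

On a real host you would call find_suid(["/usr", "/bin", "/sbin", "/opt"]) and feed the contents of /etc/group to privileged_members; any path in the unexpected list, or any user in lxd or docker who does not need it, is a finding to follow up, which is exactly the pair of issues the write-up's privilege escalation depended on.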
