Boiler CTF — TryHackMe

Intermediate level CTF

Bat_09
Apr 30, 2021

Let’s do what we always do: enumerate, and then see if we can escalate our privileges to almighty root! We need to know which ports are open and which services are running on them; we can use nmap to find that out.

sudo nmap -T4 -p- -A <Target_IP>

From the scan results we can see that anonymous FTP login is allowed. Let’s log in and see if we can find anything useful.

ftp <Target_IP>

As we can see, the FTP login is successful, but we can’t find any useful files there. However, there is a text file; let’s download it and see what it contains! Use the get command to download it to your local machine.

The file contains some ciphertext; I decrypted it and hit a dead end there.

Now let’s look for hidden directories using gobuster.

sudo gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://<Target_IP>/ -x php,html --wildcard

We have a Joomla CMS that we can access. Visiting the web page didn’t turn up any useful info to carry on with! Let’s enumerate this joomla directory further; we can use dirb or gobuster!

/joomla

Some directories lead to a dead end! However, in the _test directory we have some information about sar2html; this might be the key to accessing the machine! I googled "sar2html exploit", and there is an exploit on Exploit-DB that we can carry out.

As the description says, if we see index.php, we have to use the plot URL extension.

testing for response

After the initial test we can see that it is vulnerable; now we can execute any command we want. List all the files.

In the select host drop-down menu we can see a file called log.txt. Now access the file the same way we listed the files!

Now in the drop-down we have SSH user credentials. Let’s log in using them.

Upgrade your shell using this command:

python -c 'import pty;pty.spawn("/bin/bash")'

There’s no flag though! But we have a shell script file; opening it, we can find the login credentials of user stoner. Let’s log in using those credentials!

Here we can find the user flag. Now let’s find a way to escalate our privileges to root! I ran sudo -l to see if we have any commands we can run as root, but it came up with nothing.

Another way is to look for SUID binaries. Run the command below to see if we have any files with the SUID bit set:

find / -perm -u=s -type f 2>/dev/null

Well, we can exploit find to get root. Search GTFOBins to find the suitable command. Now run the command and we get a shell as root!

With this we escalated our privileges to root and got the root flag!!
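
From the defender's side, the SUID find binary that made this last step possible is exactly what a routine SUID audit should catch. The script below is an added example, not part of the original write-up: the RISKY_SUID list is a small constructed sample, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: audit SUID files and flag general-purpose tools among them.
# RISKY_SUID is a small constructed sample (assumption); extend it from
# GTFOBins. "find" is the binary this walkthrough found with the SUID bit.
RISKY_SUID="find bash sh dash env vim nmap python perl awk less cp"

# Read paths on stdin, one per line. Print "RISKY <path>" when the file name
# (or the name without a version/variant suffix, e.g. python3.8, vim.basic)
# is on the list, and "review <path>" for everything else.
classify_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        name=${path##*/}
        base=${name%%[0-9.]*}
        verdict=review
        for risky in $RISKY_SUID; do
            if [ "$name" = "$risky" ] || [ "$base" = "$risky" ]; then
                verdict=RISKY
                break
            fi
        done
        printf '%s %s\n' "$verdict" "$path"
    done
}

# Scan one filesystem tree (default /) with the same test the write-up uses.
audit_suid() {
    find "${1:-/}" -xdev -perm -u=s -type f 2>/dev/null | classify_suid
}

# Print, without running it, the command that drops the SUID bit from each
# RISKY hit so an administrator can review the list first.
suggest_fixes() {
    classify_suid | while read -r verdict path; do
        if [ "$verdict" = RISKY ]; then
            printf 'chmod u-s %s\n' "$path"
        fi
    done
}

# Constructed sample input, not output from the target machine.
printf '%s\n' /usr/bin/passwd /usr/bin/find /usr/bin/python3.8 | classify_suid
```

On a real host, run audit_suid with no argument to scan the root filesystem; entries marked "review" are expected SUID programs such as passwd that should still be compared against the distribution's defaults.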

Thank You 🦇

Happy Hacking 👻
