Boiler CTF
Room Link: https://tryhackme.com/room/boilerctf2
Initial Scan
Kali

Scan all ports
Kali

TCP/21 - HTTP
Kali



TCP/80 - HTTP
Kali




Kali




Initial Shell
Exploit: https://www.exploit-db.com/exploits/47204

Kali
Browser command

Get autocomplete
There is a file that has credentials

It was also possible to view from the browser

TCP/55007 - SSH
Kali

There is a backup.sh script that is owned by user stoner, which has his credentials.

Kali

Privilege Escalation
We can exploit SUID for the find command
Exploit: https://gtfobins.github.io/gtfobins/find/
Victim

Had to specify the full path, it doesn't work if you don't
Victim

Last updated