Boiler CTF | TryHackMe

Nihir Zala
4 min read · Feb 7, 2023


Task 1 Questions #1

Intermediate level CTF. Just enumerate, you’ll get there.

File extension after anon login

We can find the answer to this question with an nmap scan.

If you look carefully, it says that anonymous logins are allowed (the author points to the ssh block of the scan output).

We log in to the FTP port as the anonymous user and then find the file extension.

If we want to read the file, we download it with the get command.

After downloading and reading the file, we come across something like this.

We recognise a Caesar cipher and decode it.

good joke dude!

What is on the highest port?

You can find it by looking at the nmap scan result.

What’s running on port 10000?

You can find it by looking at the nmap scan result.

Can you exploit the service running on that port? (yay/nay answer)

We can’t find any exploit.

What CMS can you access?

We know that port 80 is open. We can run a directory scan for directories matching whatever is in your chosen wordlist. I used dirb here; you can also look up other directory-searching tools such as gobuster, dirb, etc. Moving on, use the following command:

dirb http://ip/

And we find the Joomla CMS.

Keep enumerating, you’ll know when you find it.

The interesting file name in the folder?

There are many challenges in _files, robots.txt, _archive and other directories, but showing them all here would take a very long time; it is better for you to work through them yourself. You can do it using ASCII and base64.

We find it in the _test directory, which turns out to contain sar2html.

We can research on Google or with searchsploit. We see that sar2html is affected by an RCE vulnerability.

We find out how sar2html is exploited.

We have learned how to take advantage of it; now it's time to practice.

We found an interesting file. When we read it, it included the following.

Yeah, from here we can proceed, and the answer to the question has come out.

Task 2 Questions #2

You can complete this with manual enumeration, but do it as you wish.

Where was the other user's pass stored (no extension, just the name)?

We’re using the information above to break in.

backup.sh: this file gets my attention and I look into it.

I come across the details of a user named stoner and switch to the stoner user.

user.txt

There is no user.txt here, but we find a hidden file in the stoner user's own directory.

What did you exploit to get the privileged user?

This is what greets us when we try to log in as the root user.

When we understand that there is no way forward here, we try the SUID bit.

We search through GTFOBins and find /usr/bin/find.

I try it and see that I am successful.

root.txt

We search and find root.txt with the following command.

find / -name root.txt 2>/dev/null

Success!


Written by Nihir Zala

Hi there, I'm Nihir Zala, a Laravel developer from Gujrat, India, with over 2.5 years of professional experience. I am also learning pentesting from THM and HTB.