June 4, 2021

THM Boiler CTF

This room took me longer than I was expecting, because I had to enumerate the site a ton to find the pages that were needed. First things first, I need to enumerate the ports on the machine, and to do that I will use nmap. nmap -sV -sC -p- -oA server/nmap <IP ADDRESS> is the command that I used to look for all open ports on this machine. A few were open: 21, 80, 10000 and a high port that I don't want to give away, to keep it interesting. I will tell you that the high port was an SSH port on the machine.

Port 21 allows anonymous FTP. Using ls -la I noticed that there is a hidden file there, so I downloaded it and opened it up to take a look at its contents. The file contained the following text: Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl! That looks eerily like a Caesar cipher (ROT13). I used the following command in the terminal to get the plain text: echo "Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl!" | tr '[A-Za-z]' '[N-ZA-Mn-za-m]' I will let you run that command to get the text, but this is a dead end.

So, what next? Time to start running gobuster to see what is on port 80. The command that I run to do this is gobuster dir -u -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt. I would even pipe that to a tee command to save the output in a text file for later. After running that command you will notice the joomla folder on the server. Once I had the site loaded I poked around a little bit, but I didn't notice anything that looked exploitable. Since the phrase 'Keep Enumerating' comes up a lot, it is time to enumerate the joomla directory.

After running a gobuster command similar to the one above, I noticed a couple of strange directories, _files and _test. Let's take a look at the _files directory first. When I get to the page I am greeted with the following text: VjJodmNITnBaU0JrWVdsemVRbz0K. That looks to be base64 encoded text, so let's see about decoding it. The command to do that is echo "VjJodmNITnBaU0JrWVdsemVRbz0K" | base64 -d and the output is V2hvcHNpZSBkYWlzeQo= which is also base64 encoded. One more round of manual conversion before having to script this. The text that comes out, Whopsie daisy, is another dead end.
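As an added example (not part of the original writeup), here is how I would script the two decoding steps above, the ROT13 note from FTP and the nested base64 from _files, so that base64 layers are peeled automatically instead of by hand:

```python
import base64
import binascii
import codecs

# Constructed copies of the two strings quoted in the writeup.
ROT13_NOTE = "Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl!"
NESTED_B64 = "VjJodmNITnBaU0JrWVdsemVRbz0K"


def rot13(text):
    """ROT13 is its own inverse, so one call both encodes and decodes."""
    return codecs.decode(text, "rot_13")


def looks_like_base64(text):
    """Strict test: only the base64 alphabet, length a multiple of 4,
    and it actually decodes. A space (as in 'Whopsie daisy') fails this."""
    stripped = text.strip()
    if not stripped or len(stripped) % 4:
        return False
    try:
        base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def unwrap_base64(text, max_layers=16):
    """Peel base64 layers until the payload stops being valid base64 or
    stops decoding as printable text. Returns (plaintext, layers_removed).
    max_layers guards against an input that keeps decoding forever."""
    current = text
    layers = 0
    while layers < max_layers and looks_like_base64(current):
        raw = base64.b64decode(current.strip(), validate=True)
        try:
            decoded = raw.decode("utf-8")
        except UnicodeDecodeError:
            break  # binary payload: hand back the last text layer instead
        if not decoded.strip().isprintable():
            break
        current = decoded
        layers += 1
    return current.strip(), layers


if __name__ == "__main__":
    print(rot13(ROT13_NOTE))
    print(unwrap_base64(NESTED_B64))
```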

Since that didn't work, now let's take a look at the _test folder. That is interesting: there is something called sar2html and I don't know what that is. Time to work on the Google skills and see what it is and whether there is an exploit that can work on this site. According to a page I found on SourceForge.net, this program converts sar binary data to a graphical format and keeps the historical data in a database. Sar binary data is a System Activity Report that is used to report on various system loads. After some more looking there is an exploit available on Exploit-DB.

The exploit that I found gives you RCE on the server. After getting this to work I run ls -la to see what files are available to look at. One interesting file is log.txt and I will run the cat command on it to see its contents. The output of the file has a username/password stored in it:

Aug 20 11:16:26 parrot sshd[2443]: Server listening on port 22.
Aug 20 11:16:26 parrot sshd[2443]: Server listening on :: port 22.
Aug 20 11:16:35 parrot sshd[2451]: Accepted password for USERNAME from port 49824 ssh2 #pass: PASSWORD
Aug 20 11:16:35 parrot sshd[2451]: pam_unix(sshd:session): session opened for user pentest by (uid=0)
Aug 20 11:16:36 parrot sshd[2466]: Received disconnect from port 49824:11: disconnected by user
Aug 20 11:16:36 parrot sshd[2466]: Disconnected from user pentest port 49824
Aug 20 11:16:36 parrot sshd[2451]: pam_unix(sshd:session): session closed for user pentest
Aug 20 12:24:38 parrot sshd[2443]: Received signal 15; terminating.
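That log line is the real lesson of the room: an sshd log should never carry a password. As an added example, not from the writeup, here is a small scanner over constructed sshd lines in the same shape that flags and redacts leaked credential values; the username, address and password value are placeholders:

```python
import re

# Constructed sshd lines modelled on the writeup's log.txt. The
# credential, user and address are placeholders, not real values.
SAMPLE_LOG = """\
Aug 20 11:16:26 parrot sshd[2443]: Server listening on 0.0.0.0 port 22.
Aug 20 11:16:35 parrot sshd[2451]: Accepted password for pentest from 10.0.0.5 port 49824 ssh2 #pass: EXAMPLE_PASSWORD
Aug 20 11:16:35 parrot sshd[2451]: pam_unix(sshd:session): session opened for user pentest by (uid=0)
Aug 20 11:16:36 parrot sshd[2466]: Disconnected from user pentest 10.0.0.5 port 49824
Aug 20 12:24:38 parrot sshd[2443]: Received signal 15; terminating.
"""

# A credential-looking key ("pass", "password", "pwd", "secret", "token")
# followed by ':' or '=' and a non-empty value. "Accepted password for"
# has no separator after the key, so normal sshd lines do not match.
SECRET_RE = re.compile(r"(?i)\b(pass(?:word|wd)?|pwd|secret|token)\s*[:=]\s*(\S+)")


def find_leaked_secrets(log_text):
    """Return (line_number, user_or_None, redacted_line) for every line that
    carries a credential value. The value itself is never returned, so the
    finding can be forwarded to a ticket without re-leaking the secret."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = SECRET_RE.search(line)
        if not m:
            continue
        user_m = re.search(r"for (\S+) from", line)
        user = user_m.group(1) if user_m else None
        redacted = line[: m.start(2)] + "<REDACTED>" + line[m.end(2):]
        hits.append((lineno, user, redacted))
    return hits


if __name__ == "__main__":
    for lineno, user, redacted in find_leaked_secrets(SAMPLE_LOG):
        print(f"line {lineno} (user={user}): {redacted}")
```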

With a username and password, the next step is to see if I can ssh onto the box using the found information. I am now on the machine and I am greeted with the very basic /bin/sh command prompt. To make this easier, it is now time to get a more user friendly prompt so that ctrl+c doesn't kill my session. The python -c 'import pty; pty.spawn("/bin/bash")' command will get you a better looking shell, and export TERM=xterm will give you tab completion.

The next thing that I will do is to see what the present working directory is and what it contains. pwd && ls -la does exactly that, and I see that there is only one file in there, backup.sh. I want to pull that down from the server, so I will use python3 -m http.server and then navigate to the IP Address:8000/FILENAME to get the contents of the file.

Now we have the user.txt, and it contains some credentials for the next step of this puzzle. To switch users in Linux I will use the su command. Once I am the other user on the box, I repeat some of the same steps as before. I will switch to the home directory for this new user and then look at the contents of the directory. There is a .secret file, and that is a dead end again. Running sudo -l for this user is another dead end.

The next step is to see if there are any commands that have the SUID bit set on them. To do that I need to run find / -perm /4000 -type f -exec ls -ld {} \; 2>/dev/null. There are some interesting files in the output, but the find command itself having SUID set seems strange to me.

Now it's time to go to the GTFOBins website and see how the find command can be used against the user. According to the site you can use the command to execute commands as root. find . -exec /bin/sh \; is the example that they have given. I will use the command to list the contents of the /root folder and see what is there. There is a file called root.txt, and I will use the command that I found to cat out the contents of the file.
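From the defender's side, the interesting part of this step is spotting a setuid-root binary that does not belong on the box. As an added example, not from the writeup or GTFOBins, this parses ls -ld lines in the shape the find command above prints and reports setuid-root binaries missing from a constructed baseline:

```python
import re

# Constructed `ls -ld` output in the shape the find ... -exec ls -ld {} \;
# command prints. Sizes and dates are made up.
SAMPLE_SUID_LISTING = """\
-rwsr-xr-x 1 root root   44664 Mar 22  2019 /usr/bin/passwd
-rwsr-xr-x 1 root root  149080 Jan 31  2020 /usr/bin/sudo
-rwsr-xr-x 1 root root  238080 Sep 16  2019 /usr/bin/find
-rwxr-xr-x 1 root root  121608 Mar 15  2020 /usr/bin/ls
-rwsr-xr-x 1 root root   18448 Jun 28  2019 /usr/bin/pkexec
"""

# The setuid-root binaries a stock build is expected to have. A real
# baseline is recorded per image; this one is constructed and short.
EXPECTED_SUID_ROOT = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/pkexec"}

# mode, links, owner, group, size, month, day, year-or-time, path.
# The optional char after the mode absorbs the '.'/'+' ACL/SELinux marker.
LS_LINE_RE = re.compile(
    r"^(\S{10})\S?\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.+)$"
)


def parse_ls_line(line):
    """Split one `ls -ld` line into (mode, owner, path); None if it doesn't parse."""
    m = LS_LINE_RE.match(line.rstrip())
    if not m:
        return None
    mode, owner, _group, path = m.groups()
    return mode, owner, path


def unexpected_suid_root(listing, baseline=EXPECTED_SUID_ROOT):
    """Return root-owned paths whose owner-execute slot is 's' or 'S'
    (setuid set) that are not in the baseline. 'S' means setuid without
    execute permission, which is odd enough to report as well."""
    flagged = []
    for line in listing.splitlines():
        parsed = parse_ls_line(line)
        if parsed is None:
            continue
        mode, owner, path = parsed
        if mode[3] in "sS" and owner == "root" and path not in baseline:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    print(unexpected_suid_root(SAMPLE_SUID_LISTING))
```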

And that is the end of this room. As always, if you have any questions/comments please email me at [email protected]. And as always, have a great day.