{THM} Boiler
Last updated
Last updated
Another day, another adventure on the CTF challenge. This time Iβm going to do a write-up on Boiler CTF. This is an intermediate CTF challenge. This room is written by MrSeth6797 who also a creator for the simple CTF challenge. Without further ado, letβs jump into the rabbit-hole.
As the title said, Enumerate is the key to this challenge. First and foremost, fire up your nmap with the following command.
nmap -Pn -A -v <MACHINE IP>
From this result, it appear 3 port are open. Since 2 web port is open I do directory scan to find any valuable directory.
Next, let login ftp since it allow anonymous login. This ftp donβt have any file at first glance.
So, we must check hidden directory by putting la.
GOTHCA.. We found secret file. Next let see what this mean. I use dcode.fr first to determine what this. Its ROT13.
Just wanted to see if you find it. Lol. Remember: Enumeration is the key!
Rabbits hole!.
Next we check on port 80. It have robots.txt directory.
That number are in ASCII. Then Base64 and MD5;.
Kidding.
Next I do check for port 10000. It show webmin running on this. Let try check it this machine vulnerable or not.
Unfortunately, this port nor vulnerable. Let see our directory scanning. It appear joomla CMS.
Let continue enumarate this joomla.
Looks something here. For files and database just another rabbit hole. But for test it appear to have it own
sar2html??? HMM. No idea. Googling and found that sar2html have vulnerable.
BOOM.!! We got credential bois.
Let login using ssh in port 55007.
We in as basterd. Before going further, let make it stable connection.
Something phishify in this directory were it have shell . After looking around, it appear to have another credential. HOW LUCKYY!!
We now stoner. Let check it directory, It show this user have hidden file.
So the first flag we found. Next let escalate as root.
Like always, since we have user password, let check sudo permission for this user.
HMM,<> another trolll.. IT okey, we still have other method.
find / -user root -perm /4000
Yeah. Finally we see something. Let execute it. I use find to escalate as root.
We in and got flag. Thatβs all for the boiler CTF write-up. Hope you learn something new and see you again!