THM CTF: Boiler CTF

Task 1 – Questions #1

Intermediate level CTF. Just enumerate, you’ll get there.

We run nmap first to enumerate ports and see web, FTP and SSH open.

nmap -sV -sC -Pn -p- -v 10.10.206.160

Nmap scan report for 10.10.206.160
Host is up (0.020s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.11.22.188                                                                                
|      Logged in as ftp                                                                                                
|      TYPE: ASCII                                                                                                     
|      No session bandwidth limit                                                                                      
|      Session timeout in seconds is 300                                                                               
|      Control connection is plain text                                                                                
|      Data connections will be plain text                                                                             
|      At session startup, client count was 3                                                                          
|      vsFTPd 3.0.3 - secure, fast, stable                                                                             
|_End of status                                                                                                        
80/tcp    open  http    Apache httpd 2.4.18 ((Ubuntu))                                                                 
|_http-title: Apache2 Ubuntu Default Page: It works
| http-robots.txt: 1 disallowed entry 
|_/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
10000/tcp open  http    MiniServ 1.930 (Webmin httpd)
|_http-favicon: Unknown favicon MD5: 7A89A2BD40E0AA88430233D60AA82EB4
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
55007/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e3:ab:e1:39:2d:95:eb:13:55:16:d6:ce:8d:f9:11:e5 (RSA)
|   256 ae:de:f2:bb:b7:8a:00:70:20:74:56:76:25:c0:df:38 (ECDSA)
|_  256 25:25:83:f2:a7:75:8a:a0:46:b2:12:70:04:68:5c:cb (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

We connect to the FTP service anonymously and check for files.

ftp ftp@10.10.206.160

ls -la

get .info.txt

Bonus: The info.txt has some encoded code. This is ROT13. I passed this to CyberChef and unencoded it.
https://gchq.github.io/CyberChef/#recipe=ROT13(true,true,false,13)&input=V2hmZyBqbmFncnEgZ2IgZnJyIHZzIGxiaCBzdmFxIHZnLiBZYnkuIEVyenJ6b3JlOiBSYWh6cmVuZ3ZiYSB2ZiBndXIgeHJsIQ
This returned…
Just wanted to see if you find it. Lol. Remember: Enumeration is the key!
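
The same decode done offline, as an added example that is not part of the original write-up: it pulls the text out of the CyberChef link above and, going beyond the ROT13 case, tries all 26 letter rotations and keeps the one that reads most like English. The function names and the small word list are assumptions made for this illustration.

```python
import base64
import re
from urllib.parse import urlparse

# CyberChef link exactly as it appears in the write-up.
CYBERCHEF_URL = (
    "https://gchq.github.io/CyberChef/#recipe=ROT13(true,true,false,13)&input="
    "V2hmZyBqbmFncnEgZ2IgZnJyIHZzIGxiaCBzdmFxIHZnLiBZYnkuIEVyenJ6b3JlOiBSYWh6"
    "cmVuZ3ZiYSB2ZiBndXIgeHJsIQ"
)

# Constructed word list, used only to score candidate plaintexts.
COMMON_WORDS = {"the", "to", "is", "if", "it", "you", "see", "and", "of", "in"}


def cyberchef_input(url):
    """Return the text carried in the '&input=' part of a CyberChef link."""
    fragment = urlparse(url).fragment
    # Split by hand: a query-string parser would turn '+' into a space.
    params = dict(part.split("=", 1) for part in fragment.split("&"))
    b64 = params["input"]
    b64 += "=" * (-len(b64) % 4)  # the link omits base64 padding
    return base64.urlsafe_b64decode(b64).decode("utf-8")


def rotate(text, shift):
    """Rotate ASCII letters by `shift`, leaving everything else untouched."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def best_rotation(ciphertext):
    """Try every rotation and return (shift, plaintext) with the most common words."""
    def score(candidate):
        words = re.findall(r"[a-z]+", candidate.lower())
        return sum(word in COMMON_WORDS for word in words)

    shift = max(range(26), key=lambda s: score(rotate(ciphertext, s)))
    return shift, rotate(ciphertext, shift)


if __name__ == "__main__":
    print(best_rotation(cyberchef_input(CYBERCHEF_URL)))
```
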

File extension after anon login

txt

Check our nmap scan from earlier for the next two answers.

What is on the highest port?

ssh

What’s running on port 10000?

Webmin

searchsploit webmin

Can you exploit the service running on that port? (yay/nay answer)

nay

Enumerating the webserver for extra directories, we notice some useful ones here.

└─$ gobuster dir --url http://10.10.206.160/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.206.160/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 292]
/.htaccess            (Status: 403) [Size: 297]
/.htpasswd            (Status: 403) [Size: 297]
/index.html           (Status: 200) [Size: 11321]
/joomla               (Status: 301) [Size: 315] [--> http://10.10.206.160/joomla/]
/manual               (Status: 301) [Size: 315] [--> http://10.10.206.160/manual/]
/robots.txt           (Status: 200) [Size: 257]
/server-status        (Status: 403) [Size: 301]
Progress: 4727 / 4727 (100.00%)
===============================================================
Finished
===============================================================

What’s CMS can you access?

Joomla

Keep enumerating, you’ll know when you find it.

The interesting file name in the folder?

log.txt

Task 2 – Questions #2

You can complete this with manual enumeration, but do it as you wish

Where was the other users pass stored(no extension, just the name)?

backup

user.txt

You made it till here, well done.

What did you exploit to get the privileged user?

find

root.txt

It wasn’t that hard, was it?
