# Boiler CTF

{% embed url="https://tryhackme.com/room/boilerctf2" %}

## Enumeration

### Nmap

```bash
PORT      STATE SERVICE REASON         VERSION
21/tcp    open  ftp     syn-ack ttl 61 vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.4.8.123
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp    open  http    syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Apache2 Ubuntu Default Page: It works
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
10000/tcp open  http    syn-ack ttl 61 MiniServ 1.930 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-favicon: Unknown favicon MD5: 57145006BCFE9E70B46A00A23B429D66
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
55007/tcp open  ssh     syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e3:ab:e1:39:2d:95:eb:13:55:16:d6:ce:8d:f9:11:e5 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8bsvFyC4EXgZIlLR/7o9EHosUTTGJKIdjtMUyYrhUpJiEdUahT64rItJMCyO47iZTR5wkQx2H8HThHT6iQ5GlMzLGWFSTL1ttIulcg7uyXzWhJMiG/0W4HNIR44DlO8zBvysLRkBSCUEdD95kLABPKxIgCnYqfS3D73NJI6T2qWrbCTaIG5QAS5yAyPERXXz3ofHRRiCr3fYHpVopUbMTWZZDjR3DKv7IDsOCbMKSwmmgdfxDhFIBRtCkdiUdGJwP/g0uEUtHbSYsNZbc1s1a5EpaxvlESKPBainlPlRkqXdIiYuLvzsf2J0ajniPUkvJ2JbC8qm7AaDItepXLoDt
|   256 ae:de:f2:bb:b7:8a:00:70:20:74:56:76:25:c0:df:38 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLIDkrDNUoTTfKoucY3J3eXFICcitdce9/EOdMn8/7ZrUkM23RMsmFncOVJTkLOxOB+LwOEavTWG/pqxKLpk7oc=
|   256 25:25:83:f2:a7:75:8a:a0:46:b2:12:70:04:68:5c:cb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPsAMyp7Cf1qf50P6K9P2n30r4MVz09NnjX7LvcKgG2p
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.4
OS details: Linux 4.4
```

### Directory discovery

![](/files/jhySei1vPvxefd4EGxgR)

### Web page (80)

<figure><img src="/files/7rvrKSqRNl7Kye11Q7om" alt=""><figcaption></figcaption></figure>

#### Manual page

<figure><img src="/files/tUQ7ZWd45dCvmr8eT9gV" alt=""><figcaption></figcaption></figure>

Here we get the Apache version: 2.4.

#### Joomla page

<figure><img src="/files/5DSbfW3oSjkJjjrCbzav" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/IJ8ELicaf710hqvHTxyG" alt=""><figcaption></figcaption></figure>

Interesting, it’s using a CMS, and we have a login form here.

#### Gobuster on Joomla

```bash
gobuster dir -u http://10.10.38.202/joomla/ -w /usr/share/wordlists/dirb/common.txt

/_archive             (Status: 301) [Size: 322] [--> http://10.10.38.202/joomla/_archive/]
/_database            (Status: 301) [Size: 323] [--> http://10.10.38.202/joomla/_database/]
/_files               (Status: 301) [Size: 320] [--> http://10.10.38.202/joomla/_files/]
/_test                (Status: 301) [Size: 319] [--> http://10.10.38.202/joomla/_test/] O
/~www                 (Status: 301) [Size: 318] [--> http://10.10.38.202/joomla/~www/]
/administrator        (Status: 301) [Size: 327] [--> http://10.10.38.202/joomla/administrator/] O
/bin                  (Status: 301) [Size: 317] [--> http://10.10.38.202/joomla/bin/]
/build                (Status: 301) [Size: 319] [--> http://10.10.38.202/joomla/build/] O
/cache                (Status: 301) [Size: 319] [--> http://10.10.38.202/joomla/cache/]
/components           (Status: 301) [Size: 324] [--> http://10.10.38.202/joomla/components/]
/images               (Status: 301) [Size: 320] [--> http://10.10.38.202/joomla/images/]
/includes             (Status: 301) [Size: 322] [--> http://10.10.38.202/joomla/includes/]
/index.php            (Status: 200) [Size: 12478]
/installation         (Status: 301) [Size: 326] [--> http://10.10.38.202/joomla/installation/] O
/language             (Status: 301) [Size: 322] [--> http://10.10.38.202/joomla/language/]
/layouts              (Status: 301) [Size: 321] [--> http://10.10.38.202/joomla/layouts/]
/libraries            (Status: 301) [Size: 323] [--> http://10.10.38.202/joomla/libraries/]
/media                (Status: 301) [Size: 319] [--> http://10.10.38.202/joomla/media/]
/modules              (Status: 301) [Size: 321] [--> http://10.10.38.202/joomla/modules/]
/plugins              (Status: 301) [Size: 321] [--> http://10.10.38.202/joomla/plugins/]
/templates            (Status: 301) [Size: 323] [--> http://10.10.38.202/joomla/templates/]
/tests                (Status: 301) [Size: 319] [--> http://10.10.38.202/joomla/tests/] O
/tmp                  (Status: 301) [Size: 317] [--> http://10.10.38.202/joomla/tmp/]
```

Inside the `_test` directory we land on this page:

Here we can see that we can upload a file, and that there is a `tar` file available for download, so let’s just download it.

<figure><img src="/files/cKG6Y3WPMbAfXC7Sesue" alt=""><figcaption></figcaption></figure>

Great, now we have the version of sar2html.

Let’s see if we can find something interesting on Exploit-DB.

<figure><img src="/files/RdOnshfLifAc41qJJSvn" alt=""><figcaption></figcaption></figure>

#### RCE

{% embed url="https://www.exploit-db.com/exploits/49344" %}

Sweet, right away we have an RCE vulnerability.

<figure><img src="/files/lONdShWd974KjPwONi3o" alt=""><figcaption></figcaption></figure>

We got a couple of usernames here, **stoner** and **basterd**; maybe we can use them on SSH.

<figure><img src="/files/Ri6OuhWM4DHrputvWtHU" alt=""><figcaption></figcaption></figure>

### Misc

#### robots.txt

<figure><img src="/files/Gi9XSCLlZQSgOvXz6AI9" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
**decode to ASCII -> OTliMDY2MGNkOTVhZGVhMzI3YzU0MTgyYmFhNTE1ODQK (base64) -> 99b0660cd95adea327c54182baa51584 (MD5) -> kidding (probably creds)**
{% endhint %}
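The decode chain from the hint, as an added example that is not part of the original writeup: it peels the stacked encodings off a robots.txt line and checks a small candidate list against the resulting MD5. The decimal line is reconstructed from the base64 string above (the real file only appears as an image), and the candidate list is constructed; the same loop is handy for spotting layered encodings left in exposed files.

```python
import base64
import hashlib
import re
from typing import List, Optional

# Constructed input: the robots.txt line is a run of decimal ASCII codes. It is
# rebuilt here from the base64 string the page quotes, which is what those codes spell.
ROBOTS_LINE = " ".join(str(ord(c)) for c in "OTliMDY2MGNkOTVhZGVhMzI3YzU0MTgyYmFhNTE1ODQK")

# Constructed candidate list; "kidding" is the value the writeup reports.
CANDIDATES = ["boiler", "joomla", "kidding", "password"]


def decimal_to_ascii(line: str) -> str:
    """Turn space-separated decimal byte values into text."""
    return "".join(chr(int(tok)) for tok in line.split())


def peel_layers(text: str) -> List[str]:
    """Base64-decode repeatedly while the result is still printable ASCII.
    Returns every layer, outermost first; stops at binary or invalid input."""
    layers = [text]
    while True:
        try:
            raw = base64.b64decode(layers[-1], validate=True)
            nxt = raw.decode("ascii").strip()
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            break
        if not nxt or not nxt.isprintable() or nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers


def looks_like_md5(s: str) -> bool:
    return re.fullmatch(r"[0-9a-f]{32}", s) is not None


def match_md5(digest: str, candidates: List[str]) -> Optional[str]:
    """Return the candidate whose MD5 equals digest, else None."""
    for word in candidates:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


def solve(line: str, candidates: List[str]) -> dict:
    layers = peel_layers(decimal_to_ascii(line))
    final = layers[-1]
    is_md5 = looks_like_md5(final)
    return {"layers": layers, "is_md5": is_md5,
            "match": match_md5(final, candidates) if is_md5 else None}
```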

#### Port 10000

<figure><img src="/files/4auwLsOhsKXrVAPz3Zid" alt=""><figcaption></figcaption></figure>

#### FTP port 21

<figure><img src="/files/owzDorBvrMiSUaIim9R5" alt=""><figcaption></figcaption></figure>

### SSH (55007)

Here we SSH in as basterd on port 55007.

The password is the one we decoded earlier (kidding).

<figure><img src="/files/JUI16hxL3PQbMlYUway6" alt=""><figcaption></figcaption></figure>

When listing the directory we find some important creds stored inside backup.sh; they seem to be stoner’s.

<figure><img src="/files/DFvuDszu9hkJBL8nNIp2" alt=""><figcaption></figcaption></figure>

So, let’s switch user to stoner.

Turns out there’s no **user.txt**, but **.secret** is the flag itself lolz.

<figure><img src="/files/V3xgMhGZ7LPCBPZO6ThT" alt=""><figcaption></figcaption></figure>

### Root

{% embed url="https://gtfobins.github.io/gtfobins/find/" %}

Let’s escalate our privileges: again the same old SUID binary (find).

<figure><img src="/files/o15eY8gM7D0Mj9uozdQ8" alt=""><figcaption></figcaption></figure>
