
boiler ctf


I like to run nmap <ip> -p- --open first to reveal all open ports, and then this nmap scan to reveal more information:

nmap 10.10.110.146 -p- -A

PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.11.11.91
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp    open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
10000/tcp open  http    MiniServ 1.930 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
55007/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e3:ab:e1:39:2d:95:eb:13:55:16:d6:ce:8d:f9:11:e5 (RSA)
|   256 ae:de:f2:bb:b7:8a:00:70:20:74:56:76:25:c0:df:38 (ECDSA)
|_  256 25:25:83:f2:a7:75:8a:a0:46:b2:12:70:04:68:5c:cb (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.11 seconds
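The two-stage approach above (a fast full-range sweep, then a detailed scan of only the ports that answered) can be scripted so the second command never has to be typed by hand. This is an added example, not the author's own script: it parses nmap's grepable output (`-oG -`) for open TCP ports and builds the follow-up scan line. The sample grepable output is constructed from the port list on this page; `RUN_SCAN` and `stage_two_scan` are names chosen here, not nmap options.

```shell
#!/bin/sh
# Two-stage port discovery: parse the quick `nmap -p- --open -oG -` sweep for open
# ports, then run (or just print) the slower `nmap -A` scan against those ports only.
# Added example; not the writeup author's script.

# Read nmap grepable output on stdin and print the open TCP ports as a
# comma-separated, numerically sorted list (e.g. "21,80,10000,55007").
open_ports_from_grepable() {
    sed -n 's/.*Ports: //p' \
      | tr ',' '\n' \
      | sed -n 's#^ *\([0-9][0-9]*\)/open/tcp/.*#\1#p' \
      | sort -n -u \
      | paste -s -d ',' -
}

# Print the second-stage command; actually execute it only when RUN_SCAN=1,
# so the script is safe to source or run without a live target.
stage_two_scan() {
    target=$1
    ports=$2
    echo "nmap -A -p $ports $target"
    if [ "${RUN_SCAN:-0}" = "1" ]; then
        nmap -A -p "$ports" "$target"
    fi
}

# Constructed sample of what the first sweep prints for this box (tabs as nmap emits them).
SAMPLE_GREPABLE=$(printf '# Nmap scan initiated\nHost: 10.10.110.146 ()\tStatus: Up\nHost: 10.10.110.146 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///, 10000/open/tcp//http///, 55007/open/tcp//ssh///\tIgnored State: closed (65531)\n# Nmap done\n')

# Usage against the constructed sample (replace with: nmap -p- --open -oG - <ip> | open_ports_from_grepable).
OPEN_PORTS=$(printf '%s\n' "$SAMPLE_GREPABLE" | open_ports_from_grepable)
stage_two_scan 10.10.110.146 "$OPEN_PORTS"
```

Closed and filtered entries are dropped by the `/open/tcp/` match, so a port that only shows up as filtered in the sweep will not be handed to the slower scan; add `--open` to the first command as the text does and nmap will not list them at all.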

images/147-1.png

Later ran ls -lsa, but it was a rabbit hole.

images/147-2.png

The dirb directory scan reveals this to be quite a juicy prospect.

images/147-3.png

Lots of enumeration to do; it might be a brute-force task, so let's search for creds.

images/147-4.png

Quite a few of these codes lying around (base64, rot24), but they are just rabbit holes.

images/147-5.png

images/147-6.png

images/147-7.png

images/147-8.png

Web directory search seems worthwhile.

images/147-9.png

images/147-10.png

Potential upload vulns available here.

images/147-11.png

images/147-12.png

images/147-13.png

Decided to check out the robots.txt.

images/147-14.png

Is it a rabbit hole?

images/147-15.png

images/147-16.png

images/147-17.png

Yes, it looks like it was a rabbit hole... again.

Wait! What do we have here?

images/147-18.png

images/147-19.png

Oh yeah. RCE!

images/147-20.png

Creds

images/147-21.png

SSH access

images/147-22.png

No sudo, so let's look around.

images/147-23.png

More creds!

images/147-24.png

Contains a password for another user: stoner

images/147-25.png

Flag found!

images/147-26.png

images/147-27.png

After a lot of searching:

images/147-28.png

This is actually the user.txt

images/147-29.png

Searched SUID binaries

images/147-30.png

GTFOBins is awesome.

images/147-31.png
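The SUID hunt and the GTFOBins lookup above are the usual two steps of this privesc. Here is an added example of how to script the first step and narrow the list before checking https://gtfobins.github.io/ (SUID section); it is not the author's command line. `find_suid` and `unpackaged_suid` are names chosen here. The package filter assumes a Debian/Ubuntu host with `dpkg`; on anything else every path is passed through unchanged.

```shell
#!/bin/sh
# Enumerate setuid binaries and single out the ones not owned by any installed package.
# Added example for the SUID search described in the writeup; not the author's commands.

# Print every regular file under ROOT (default /) with the setuid bit set, one path per line.
# -xdev keeps find on one filesystem so /proc and network mounts are not walked.
find_suid() {
    root=${1:-/}
    find "$root" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Read paths on stdin and print those that dpkg does not attribute to a package.
# A setuid binary that no package owns (or a custom-built one) is the first thing
# to look up on GTFOBins; without dpkg the list is printed unchanged.
unpackaged_suid() {
    while IFS= read -r path; do
        if command -v dpkg >/dev/null 2>&1; then
            dpkg -S "$path" >/dev/null 2>&1 || printf '%s\n' "$path"
        else
            printf '%s\n' "$path"
        fi
    done
}

# Reduce paths to bare program names, which is how GTFOBins indexes its entries.
gtfobins_names() {
    sed 's#.*/##' | sort -u
}

# Usage: set SUID_ROOT=/ on the target to run the full hunt (skipped by default so
# the script does not walk the whole filesystem when merely sourced).
if [ -n "${SUID_ROOT:-}" ]; then
    find_suid "$SUID_ROOT" | unpackaged_suid | gtfobins_names
fi
```

On a box like this one, compare the names that survive the filter against the SUID column on GTFOBins; a match gives a one-liner that keeps the effective uid of the binary's owner, which is what turns a low-privilege shell into root here.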

Root!

images/147-32.png