TryHackMe Boiler CTF (Medium)
NMAP
As always, I run NMAP to check which ports are open. When I started enumerating the box, I forgot to add the “-p-” switch, so I changed my command.
FTP allows anonymous login, but the interesting thing is that SSH is running on port 55007; it usually runs on port 22. Before enumerating the websites, I will look at FTP as the anonymous user.
Nothing useful here. Time to start enumerating the websites.
Gobuster
-Port 10000
Webmin is a known application, and even though I have a version number, I can’t exploit it. I start looking at port 80.
-Port 80
Joomla is very interesting. I’m going to run Gobuster against the /Joomla directory.
I enumerate almost all the directories, but the only thing I find useful is the “_test” directory. Sar2html was good to use. I will try some command injection.
The command injection is what I use to get a reverse shell. I take a reverse shell one-liner and encode it.
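The weakness used above is generic to any web tool that builds a system command from a request parameter. As an added example that is not from the writeup or from sar2html, the snippet below shows the vulnerable pattern beside a hardened one in Python: the unsafe builder interpolates a hostname into a shell string, so a `;` in the parameter becomes a second command, while the safe builder validates the parameter against a strict hostname pattern and passes it as its own argv element, so no shell ever parses it. The `ping` report command and the hostname regex are assumptions for illustration.

```python
"""Command injection: the weak pattern beside a hardened one.

Added example, not code from the original writeup or from sar2html.
A hypothetical report tool takes a ``host`` parameter and runs a system
command with it (ping is assumed here; the real tool's command is not
known from the page).
"""
import re
import shlex
import subprocess

# Strict hostname / IPv4 shape: letters, digits, dots and hyphens only (assumption).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def build_command_unsafe(host):
    """Vulnerable: the untrusted value becomes part of a shell command line.

    The vulnerable app would run this with subprocess.run(cmd, shell=True),
    so shell metacharacters in ``host`` change what gets executed.
    """
    return f"ping -c 1 {host}"


def shell_words(cmd):
    """Tokenize a command line the way /bin/sh would, operators included.

    Only used to show the reader how the unsafe string is split.
    """
    return list(shlex.shlex(cmd, punctuation_chars=True))


def accepts(host):
    """Input validation used by the hardened version: True if the value is a plain hostname."""
    return HOSTNAME_RE.match(host) is not None


def build_command_safe(host):
    """Hardened: validate first, then build an argv list; no shell is involved."""
    if not accepts(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]


def run_safe(host):
    """Run the hardened command without a shell; raises ValueError on bad input."""
    return subprocess.run(build_command_safe(host), capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed inputs: a normal hostname and one carrying a shell separator.
    for value in ("boiler.thm", "127.0.0.1; id"):
        print("unsafe tokens:", shell_words(build_command_unsafe(value)))
        print("safe argv:   ", build_command_safe(value) if accepts(value) else "rejected")
```

The tokenization output makes the risk visible: the unsafe string splits into `ping -c 1 127.0.0.1`, then `;`, then `id`, whereas the hardened builder rejects the same value before anything runs. Validation and argv-style execution belong together; either alone leaves a gap.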
I got a reverse shell and SSH creds. Now we can understand why the “-p-” switch is so important in NMAP. I use the SSH credentials to get an SSH shell.
I find one more set of SSH creds, for the user stoner. After this user, the next step is root.
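The point about “-p-” is also a defender's point: a service on a non-default port (SSH on 55007 here) is invisible to a default top-ports scan and easy to miss in an asset inventory. As an added example, not part of this writeup, the Python below parses NMAP's grepable output (`-oG`) from a full-port scan and flags every recognised service that is not listening on its usual port. The sample scan text is constructed to mirror the box (FTP, HTTP on 80 and 10000, SSH on 55007) and the default-port table is a small illustrative subset, so Webmin's own port 10000 is flagged as well; a production table would carry the organisation's approved ports per service.

```python
"""Flag services that NMAP reports on a non-default port.

Added example, not code from the original writeup. Parses nmap -oG
(grepable) output and compares each open service against the port it
normally uses, so an SSH daemon on an odd port stands out in review.
"""
import re

# Default ports for a few common services (illustrative subset; assumption).
DEFAULT_PORTS = {
    "ftp": {21},
    "ssh": {22},
    "http": {80, 8080},
    "https": {443, 8443},
    "smtp": {25, 587},
}

# Constructed sample of nmap -oG output; host and banners are made up to
# resemble the box in the writeup, not copied from a real scan.
SAMPLE_GREPABLE = """# Nmap scan initiated as: nmap -p- -sV -oG scan.gnmap 10.10.10.10
Host: 10.10.10.10 ()\tStatus: Up
Host: 10.10.10.10 ()\tPorts: 21/open/tcp//ftp//vsFTPd 3.0.3/, 80/open/tcp//http//Apache httpd 2.4.18/, 10000/open/tcp//http//MiniServ (Webmin httpd)/, 55007/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu/\tIgnored State: closed (65531)
# Nmap done
"""

# Grepable port entry: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")


def parse_grepable(text):
    """Return (host, port, proto, service, version) tuples for every open port."""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field runs up to the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, service, version = m.groups()
            if state == "open":
                results.append((host, int(port), proto, service, version))
    return results


def nonstandard_services(entries):
    """Return entries whose service is known but whose port is not a default for it."""
    flagged = []
    for host, port, proto, service, version in entries:
        defaults = DEFAULT_PORTS.get(service)
        if defaults is not None and port not in defaults:
            flagged.append((host, port, proto, service, version))
    return flagged


if __name__ == "__main__":
    for host, port, proto, service, version in nonstandard_services(parse_grepable(SAMPLE_GREPABLE)):
        print(f"{host}:{port}/{proto} runs {service} ({version}) on a non-default port")
```

Run against a real `-p- -oG` file (`parse_grepable(open("scan.gnmap").read())`), this gives a short review list; the SSH entry on 55007 is exactly what a default-port scan would never have produced.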
Privilege Escalation
Even though I’m not good at privilege escalation, this one was fairly easy to find.
I run this command to find SUID binaries. “/usr/bin/find” is interesting because I have done privilege escalation with “find” before.
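The same check works in reverse for the system owner: a SUID bit on a general-purpose tool like `find` is a misconfiguration that an audit should catch before anyone logs in. As an added example, not part of the writeup, the Python below walks the filesystem for set-UID executables and reports every one that is not on an allowlist of binaries that legitimately need the bit. The allowlist and the constructed sample listing are assumptions for illustration; a real baseline comes from a known-good image.

```python
"""Audit SUID binaries against an allowlist.

Added example, not code from the original writeup. collect_suid() walks
the host; unexpected_suid() compares any listing against the allowlist,
so the comparison can also be run on a saved listing from another box.
"""
import os
import stat

# Binaries that commonly need SUID on a Linux host (illustrative, not exhaustive; assumption).
EXPECTED_SUID = {
    "/usr/bin/passwd",
    "/usr/bin/sudo",
    "/usr/bin/su",
    "/usr/bin/chsh",
    "/usr/bin/newgrp",
    "/usr/bin/gpasswd",
}

# Pseudo filesystems that hold no real binaries and only slow the walk.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}

# Constructed sample of what a scan could return on a box like this one.
SAMPLE_SUID_LISTING = [
    "/usr/bin/passwd",
    "/usr/bin/sudo",
    "/usr/bin/find",
    "/usr/bin/newgrp",
]


def collect_suid(root="/"):
    """Return paths of regular files under root that carry the set-UID bit."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune pseudo filesystems in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return found


def unexpected_suid(paths, expected=EXPECTED_SUID):
    """Return SUID paths not on the allowlist, sorted for a stable report."""
    return sorted(p for p in paths if p not in expected)


if __name__ == "__main__":
    for p in unexpected_suid(collect_suid()):
        print("unexpected SUID binary:", p)
```

On the constructed listing the only finding is `/usr/bin/find`; the remediation is to clear the bit (`chmod u-s`) and to alert on any new SUID file appearing between scheduled runs.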
ROOTED!