TryHackMe Boiler CTF (Medium)

Ibrahim Ekim Isik
Jul 3, 2021

NMAP

As always, I run NMAP to check which ports are open. When I started to enumerate the box, I forgot to include the “-p-” switch, so I changed my command.

FTP allows anonymous login, but the interesting thing is that SSH is running on port 55007; it usually runs on port 22. Before enumerating the websites, I will look at FTP as anonymous.

Nothing useful here. Time to start enumerating the websites.

Gobuster

-Port 10000

Webmin is a known application. Even though I have a version number, I can’t exploit the application. I start looking at port 80.

-Port 80

Joomla is very interesting. I’m going to run Gobuster against the /Joomla directory.

I enumerate almost all the directories, but the only useful thing I find is the “_test” directory. Sar2html was good to use. I will try some command injection.

Command injection is here to use for getting a reverse shell! I use a reverse shell one-liner and encode it.

Got a reverse shell and SSH creds. Now we can understand why the “-p-” switch is so important in NMAP. I use the SSH credentials to get an SSH shell.

I find one more set of SSH creds, for the user stoner. After this user, the next step will be root.

Privilege Escalation

Even though I’m not good at privilege escalation, it was a little bit easy to find.
I run this command to find SUID commands. “/usr/bin/find” is interesting because I have done privilege escalation with “find” before.

ROOTED!
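
The SUID finding above, seen from the defender's side: an added example (not part of the original write-up) that lists SUID files under a directory and reports any whose name is not on an expected baseline, so a SUID “find” like the one on this box stands out. The allowlist contents and the function names `list_suid` and `audit_suid` are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit SUID files against an expected baseline.

# Assumed baseline of binaries that normally carry the SUID bit on a
# Linux install. Adjust to your distribution; "find" is deliberately absent.
SUID_ALLOWLIST="passwd su sudo mount umount ping chsh chfn newgrp gpasswd"

# list_suid DIR: print every regular file under DIR with the SUID bit set.
# -xdev keeps the walk on one filesystem; unreadable paths are skipped.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# audit_suid DIR: print "UNEXPECTED <path>" for each SUID file whose
# basename is not in SUID_ALLOWLIST. Prints nothing if all are expected.
audit_suid() {
    list_suid "$1" | while IFS= read -r path; do
        name=$(basename "$path")
        case " $SUID_ALLOWLIST " in
            *" $name "*) ;;                          # on the baseline
            *) printf 'UNEXPECTED %s\n' "$path" ;;   # needs review
        esac
    done
}

# Run the audit only when a directory is given, e.g.: sh suid_audit.sh /
if [ "$#" -gt 0 ]; then
    audit_suid "$1"
fi
```

For a reported file that has no reason to be SUID, `chmod u-s <path>` removes the bit.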
