Boiler-CTF Walkthrough

Boiler-CTF is an intermediate-level CTF on TryHackMe.

Aditya Jha
Jun 22, 2024

So as usual, we will start with the OG, Nmap Scan.

Command: nmap -A -p- -T5 <Target IP>

NMAP

As we can see, the FTP port is open,
so we will log in to FTP with an anonymous login.

FTP ANON LOGIN

After logging in, we can see there is a file named .info.txt.
We will download it and see what it says.

We can see that the content is ROT13-encoded,
so we will decode it and see what it says.

It’s just a prank………..

So next we use Gobuster for directory busting.
Command: gobuster dir -u <target> -w /path/to/word/list

We can see a CMS named Joomla.

Now we have to manually enumerate the CMS to find directories.
After some time, I found a directory named _test.

Now we can use the URL to inject our commands.

Now we can use “cat log.txt” to read the file.

I think we now have the password for the SSH login for “basterd”.

Command: ssh -p <port> basterd@<target IP>

Here is a file named backup.sh, let’s see what’s inside this file…

Here we can see a user and password, let’s switch to this user and see what’s there…

Here is a file named .secret.

So we have found the user flag.

Now we have to escalate privilege to get the root flag..

We will search for files with the 4000 (SUID) permission bit set, since such a binary runs with its owner’s privileges and may be exploitable.

Command: find / -perm -4000 2>/dev/null

Here we can see an interesting binary in the list: “find”.

Now we will use GTFOBins to find the command for escalating to the root user.

After running this command, we are now the root user.
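
From the defender's side, the same SUID search can be turned into an audit. The following is an added example, not part of the original walkthrough: the function name audit_suid and the RISKY_SUID list are assumptions made for illustration. It lists SUID files and flags those that, like find on this box, can run other commands.

```shell
#!/bin/sh
# Added example: defensive SUID audit (not from the walkthrough).

# Constructed, non-exhaustive list of tools that can run other commands and
# therefore should never be SUID; "find" is the one seen on this box.
RISKY_SUID="find vim vi nano less more awk sed bash sh dash env tar cp python python3 perl ruby nmap"

# audit_suid [ROOT]
# Prints one line per SUID regular file under ROOT (default /):
#   RISKY  uid=<owner> <path>   basename is in RISKY_SUID
#   REVIEW uid=<owner> <path>   other SUID file; compare with a known baseline
# Returns 1 if at least one RISKY file was found, otherwise 0.
audit_suid() {
    root=${1:-/}
    risky=0
    # Same search as in the walkthrough, limited to regular files.
    list=$(find "$root" -type f -perm -4000 2>/dev/null || true)
    while IFS= read -r path; do
        if [ -z "$path" ]; then continue; fi
        name=${path##*/}
        # Numeric owner: a root-owned (uid=0) SUID file runs as root.
        uid=$(ls -ldn "$path" | awk '{print $3}')
        case " $RISKY_SUID " in
            *" $name "*) echo "RISKY  uid=$uid $path"; risky=1 ;;
            *)           echo "REVIEW uid=$uid $path" ;;
        esac
    done <<EOF
$list
EOF
    return "$risky"
}

# Remediation for a flagged file once confirmed unnecessary: chmod u-s <path>
```

Run audit_suid / as root so unreadable directories are not skipped, and treat any RISKY line with uid=0 as a finding to fix.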

And here we got the Root Flag….

YAYYYYYYY!!!!!!!!!!!!

It was easy right???

Let me know!!!!!!!!!

You can Connect with me on LinkedIn, Instagram.

My Website.
