Boiler CTF room

I used to start any box enumeration with nmap tool :

the result of the nmap enumeration :

I think it sufficient to start attacking services:

As stated in nmap result we can connect to ftp with anonymous account :

Their 's a file let's discover :

it seems like a encrypted test i m thinking about ROT13 yes when decrypted text without any value

😂😂😂😂😂 i think the creator of this box is a joke maker also 😂😂

Let's move to the next service HTTP in port 80 using résult from nmap :

Another code , so i tried to decode Nothing found, ok let's bruteforce directories

Huuum a Joomla CMS :

i tried to visit every folder in joomla in found :

Yes sar2html app :

After looking at google this version suffer from Remote Command Execution so let's exploit:

it s so easy with ls the cat command of the file log.txt you are going to find some credential that will give you ssh access :

great in the backup.sh you are going to find the password for another user great

it s easy and then switch to (stoner) :

so the user flag is found so now i haveto look for root flag priv escalation time :

Huuum ok

I see find command let s see gtfobin to exploit this command :

i think now it s easy for root flag

It was funny box i enjoyed and learned many things

See you .. don t forget to drop me a comment

Kind regards

Abdel

OffensiveNoob