Lian-Yu
Reconnaissance
Initial nmap scan to find open ports, using the flag that treats all hosts as alive (-Pn).
Detailed nmap scan:
Command breakdown:
(-sV): Service version detection
(-sC): Default nmap scripts
(-p): Specifying the ports 21,22,80,111
(-oN nmap): Saving the output into a file called nmap
Enumeration
Port 80: HTTP
Let's visit the website.
It's an introduction to the series The Arrow (I personally recommend you watch it, it's really good). Nothing of interest here, but we do have some possible usernames, so let's add them to our notes.
Now let's run gobuster to find hidden directories or files on the web server. I tried a few wordlists, but nothing showed up except with this one (directory-list-2.3-small.txt).
Let's visit this page.
We don't see the code word they talk about, so let's view the page source and see if it is there.
We found something interesting: it looks like a username, so let's add it to our list of possible usernames.
Let's now run gobuster against the directory we found.
We found a directory (also the answer to the third question), so let's go explore it.
It's a page with a video that does not load, so let's look at the source code.
It says you can avail your .ticket, which looks like a file extension, so why don't we use gobuster to find files with the extension .ticket.
We found a file called green_arrow.ticket, which is the answer to the third question.
Let's go visit this page.
It looks like some sort of code, so let's crack it using CrackStation.
The result is !#th3h00d, which might be the password for FTP on this machine, so let's go check it out. This is also the answer to the fourth question.
Port 21: FTP
We found the username vigilante a few steps back, so let's try to log in with these credentials.
Username: vigilante
Password: !#th3h00d
Let's list the files on the FTP server.
It looks like we have 3 files; let's transfer them all to our machine using the command get.
We can also see another file called .other_file (hidden, since its name starts with a dot). Let's transfer this file too.
Let's read the file.
From this file, we can say that slade could be another username.
Let's also try to view the image files. For some reason we cannot open the file Leave_me_alone.png; it may have some errors, so let's look at the hexdump to check. Let's use the command xxd for this task and read the file.
Looking at the first line, we can see some errors, as the first 16 hex characters (8 bytes) of a PNG file should be: 89 50 4E 47 0D 0A 1A 0A. So let's change that. To change these bytes, we can use the tool hexeditor.
Now let's change it.
Now save it with (Ctrl + x). We can now see the image.
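The hexeditor fix above is done by hand. As an added example (my own script, not part of this writeup or the room), here is the same check and repair in Python: it verifies the 8-byte PNG signature, patches it, and then parses the first chunk after the signature to confirm it is an IHDR chunk of length 13 with a correct CRC-32, which tells you whether the damage was confined to the signature. The sample PNG bytes and the damaged copy are constructed inline; triage_file is a helper for a real file on disk.

```python
import struct
import zlib

# The 8-byte signature every PNG file must start with (89 50 4E 47 0D 0A 1A 0A).
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def has_valid_signature(data: bytes) -> bool:
    """Return True if the first 8 bytes match the PNG signature."""
    return data[:8] == PNG_SIGNATURE


def repair_signature(data: bytes) -> bytes:
    """Overwrite the first 8 bytes with the correct PNG signature.

    This is the same edit done by hand in hexeditor; it only helps when the
    damage is confined to the signature and the chunks behind it are intact,
    so check the first chunk afterwards.
    """
    if len(data) < 8:
        raise ValueError("file too short to be a PNG")
    return PNG_SIGNATURE + data[8:]


def first_chunk(data: bytes):
    """Parse the first chunk after the signature.

    Returns (chunk_type, data_length, crc_ok). For a well-formed PNG the
    first chunk is IHDR with a 13-byte payload and a matching CRC-32 over
    the chunk type and payload.
    """
    length = struct.unpack(">I", data[8:12])[0]
    chunk_type = data[12:16]
    payload = data[16:16 + length]
    stored_crc = struct.unpack(">I", data[16 + length:20 + length])[0]
    crc_ok = (zlib.crc32(chunk_type + payload) & 0xFFFFFFFF) == stored_crc
    return chunk_type.decode("ascii", errors="replace"), length, crc_ok


def make_chunk(chunk_type: bytes, payload: bytes) -> bytes:
    """Build a PNG chunk: length, type, payload, CRC-32(type + payload)."""
    crc = zlib.crc32(chunk_type + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + chunk_type + payload + struct.pack(">I", crc)


def triage(data: bytes) -> dict:
    """Report whether the signature is intact and whether replacing it is enough."""
    report = {"signature_ok": has_valid_signature(data)}
    candidate = data if report["signature_ok"] else repair_signature(data)
    chunk_type, length, crc_ok = first_chunk(candidate)
    report["first_chunk"] = chunk_type
    report["ihdr_ok"] = chunk_type == "IHDR" and length == 13 and crc_ok
    # If IHDR parses cleanly behind a fresh signature, the header patch is all that is needed.
    report["repairable"] = report["ihdr_ok"]
    return report


def triage_file(path: str) -> dict:
    """Convenience wrapper for a file on disk (e.g. the downloaded Leave_me_alone.png)."""
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed sample: a tiny structurally valid PNG (1x1, 8-bit grayscale, IHDR + IEND
# only). Not the image from the room; only its header is of interest here.
SAMPLE_PNG = (
    PNG_SIGNATURE
    + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    + make_chunk(b"IEND", b"")
)

# Constructed damage: the signature has been zeroed out, the chunks are untouched.
DAMAGED_PNG = b"\x00" * 8 + SAMPLE_PNG[8:]


if __name__ == "__main__":
    print(triage(DAMAGED_PNG))
    assert repair_signature(DAMAGED_PNG) == SAMPLE_PNG
```

If ihdr_ok comes back False after the signature swap, the corruption goes deeper than the 8 bytes the writeup fixes and a header patch alone will not make the image open.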
It looks like we found a password, which is password.
Let's now explore the other files. We can use steghide to extract files hidden inside other files.
It asks for a password, and we found a password, which is password. We now have a zip file called ss.zip. Let's unzip it and check what it contains.
Looks like we have two new files called passwd.txt and shado. Let's read them.
Nothing of interest. Let's read the other file.
This looks like the password for SSH. Let's log in with the username slade that we found a while back and the password M3tahuman we just found.
And we are logged in! We can go get the user flag.
Now we can answer questions 5 and 6.
Privilege Escalation
Let's run sudo -l to see what we can run as other users.
We can run /usr/bin/pkexec as root, so let's go to GTFOBins to find the command to escalate privileges to root. The command they used is
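From the defender's side, both steps above leave a trace: sudo writes one line to the system log (auth.log or the journal) for the sudo -l request and another for the pkexec invocation. As an added example (my own code, not from this writeup), here is a small parser for those lines that flags a root-target sudo of a watchlisted binary and, separately, a sudoers listing. The log lines are constructed samples; the watchlist holds only /usr/bin/pkexec from this room and is meant to be extended. One assumption: sudo records a list request as COMMAND=list, which is what the versions I have seen do.

```python
import re
from typing import Dict, Iterable, List, Optional

# Matches the command-accept line sudo writes to syslog/auth.log:
# "sudo:    slade : TTY=pts/0 ; PWD=/home/slade ; USER=root ; COMMAND=/usr/bin/pkexec ..."
SUDO_LINE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>\S+)\s+;"
    r"\s+USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<command>.+)$"
)

# Binaries that should not be runnable as root through sudo on a general-purpose host.
# Constructed watchlist: only the binary from this room; extend it for your estate.
ROOT_SHELL_WATCHLIST = {"/usr/bin/pkexec"}


def parse_sudo_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a sudo command line, or None for any other log line."""
    match = SUDO_LINE.search(line)
    return match.groupdict() if match else None


def classify(entry: Dict[str, str], watchlist=ROOT_SHELL_WATCHLIST) -> Optional[str]:
    """Decide whether a parsed sudo entry is worth an alert and why."""
    command = entry["command"].strip()
    # Assumption: `sudo -l` is logged as COMMAND=list (seen on the sudo versions I use).
    if command == "list":
        return "sudoers-enumeration"
    binary = command.split()[0]
    if entry["target"] == "root" and binary in watchlist:
        return "root-shell-binary"
    return None


def find_risky_sudo(lines: Iterable[str], watchlist=ROOT_SHELL_WATCHLIST) -> List[Dict[str, str]]:
    """Scan log lines and return one alert dict per suspicious sudo use, in log order."""
    alerts = []
    for line in lines:
        entry = parse_sudo_line(line)
        if entry is None:
            continue
        reason = classify(entry, watchlist)
        if reason is not None:
            alerts.append({"user": entry["user"], "command": entry["command"].strip(), "reason": reason})
    return alerts


# Constructed sample log lines (auth.log style); hostname, times and the apt line are made up.
SAMPLE_AUTH_LOG = [
    "Jan 10 12:00:00 lianyu sshd[1234]: Accepted password for slade from 10.0.0.5 port 5000 ssh2",
    "Jan 10 12:00:10 lianyu sudo:    slade : TTY=pts/0 ; PWD=/home/slade ; USER=root ; COMMAND=list",
    "Jan 10 12:00:20 lianyu sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "Jan 10 12:00:30 lianyu sudo:    slade : TTY=pts/0 ; PWD=/home/slade ; USER=root ; COMMAND=/usr/bin/pkexec --version",
]


if __name__ == "__main__":
    for alert in find_risky_sudo(SAMPLE_AUTH_LOG):
        print(f"{alert['reason']:22} user={alert['user']} command={alert['command']}")
```

The same rule is cheap to express in whatever your SIEM uses; the point is that the sudoers entry granting pkexec to a normal user is the misconfiguration to remove, and until it is removed the log line is the only warning you get.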
We are now root. We can go to the /root directory and read the root.txt file, which is the answer to the last question of this room.