# Lian-Yu

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNT7V8lV5VFwy4QTBi%2F-MbNTLCaeo_g3J3Pg3kb%2Fimage.png?alt=media\&token=d8793591-2ad4-49bd-ad74-9aff9867b621)

## Reconnaissance

Initial nmap scan to find open ports, using the flag "treat all hosts as alive" (**-Pn**), which skips host discovery and scans the target even if it does not answer a ping.

```
nmap -Pn 10.10.26.138
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNUaDy6q-hRwQJz0iN%2F-MbNUl5bGwLAI5Cu6GGh%2Fimage.png?alt=media\&token=88c09fbb-b360-4e73-a1be-b794a52fdc32)

Detailed Nmap scan:

Command breakdown:

* (**-sV**): Service version detection
* (**-sC**): Default nmap scripts
* (**-p**): Specifying ports 21,22,80,111
* (**-oN nmap**): Saving the output to a file called nmap

```
nmap -sV -sC -p 21,22,80,111 -oN nmap 10.10.26.138
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNUaDy6q-hRwQJz0iN%2F-MbNV0cEi2J7jWg32rOu%2Fimage.png?alt=media\&token=37607f23-08d9-47fd-bb4a-207e57a0802d)

## Enumeration

### Port 80: HTTP

Let's visit the website.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNUaDy6q-hRwQJz0iN%2F-MbNVVRYhxEctjYr6qC4%2Fimage.png?alt=media\&token=6df37380-d5d7-48d4-9bb9-7b52800af9a0)

It's an introduction to the series `The Arrow` (I personally recommend you watch it, it's really good). Nothing of interest, but we do have possible usernames, so let's add them to our notes.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNUaDy6q-hRwQJz0iN%2F-MbNWCczRWmrI7jYnjZP%2Fimage.png?alt=media\&token=95484df6-44a8-4cf1-ae42-ea9d1b46f3c8)

Now let's run gobuster to find hidden directories or files on the webserver. I tried a few wordlists, but nothing showed up except with this one (`directory-list-2.3-small.txt`).

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://10.10.26.138/
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNWEEKsh0Hti7yfoQQ%2F-MbNYHfx0xgM5-Y9ei2I%2Fimage.png?alt=media\&token=4a52380f-8cea-40d9-8c7a-f9211a8d5d74)

Let's visit this page.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNWEEKsh0Hti7yfoQQ%2F-MbNYNZGGQvD-eIBIVL8%2Fimage.png?alt=media\&token=04394407-6c8e-4c0b-ad21-0cd66c9fa24e)

We don't see the code word they talk about, so let's view the page source and see if it is there.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNWEEKsh0Hti7yfoQQ%2F-MbNY_iKPlg0GV8VR06V%2Fimage.png?alt=media\&token=91996fc0-90d2-44cd-940e-81c803723eef)

We found something interesting: it looks like a username, so let's add it to our list of possible usernames.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNdzzK0WJwUZOKPSaK%2F-MbNeOOnIQSVD8mK8KIv%2Fimage.png?alt=media\&token=bb2ef4da-cbc9-40ee-bff7-5b1c14f74ced)

Let's now run gobuster on the directory we found.

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.26.138/island
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNWEEKsh0Hti7yfoQQ%2F-MbNZlycn2Un83UrdO6X%2Fimage.png?alt=media\&token=1559b841-55bb-4104-9254-8d0e8b0a418d)

We found a directory (also the answer to the third question), so let's explore it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbN_Yaq2Zs9G3NRv4EX%2F-MbNcfWRyOUTT7dWDKr1%2Fimage.png?alt=media\&token=e9b290b4-70a6-42d4-80de-73282428a374)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNWEEKsh0Hti7yfoQQ%2F-MbNZtn2m00bgXPhqNHs%2Fimage.png?alt=media\&token=110a9651-8556-462d-87b7-912cc1bccde3)

It's a page with a video that does not load, so let's look at the source code.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNWEEKsh0Hti7yfoQQ%2F-MbN_-96N2k9ZGGTEBep%2Fimage.png?alt=media\&token=13800b36-25be-43d8-91ee-4f3856207fbd)

It says you can avail your `.ticket`, which looks like a file extension, so let's use gobuster to find files with the extension `.ticket`.

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.26.138/island/2100 -x php,html,.ticket
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbN_Yaq2Zs9G3NRv4EX%2F-MbNdPvZvalzXfeYQCqH%2Fimage.png?alt=media\&token=76f5d393-e40f-4d99-a604-b7c7b8ce96fe)

We found a file called `green_arrow.ticket`, which is the answer to the third question.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbN_Yaq2Zs9G3NRv4EX%2F-MbNcj9H72ROenfnfBL2%2Fimage.png?alt=media\&token=711949a7-5af1-42dc-8d6e-53f625048bf4)

Let's go visit this page.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbN_Yaq2Zs9G3NRv4EX%2F-MbNcqViDplRyyVMMU7a%2Fimage.png?alt=media\&token=4983a230-2e17-4942-8981-959a90bed238)

It looks like some sort of encoded value or hash, so let's try cracking it with CrackStation.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbN_Yaq2Zs9G3NRv4EX%2F-MbNdgsoomsR3cNTRtV1%2Fimage.png?alt=media\&token=c6d7bbc0-7673-4ab5-8580-54ca473b0455)

`!#th3h00d`: this might be the password for FTP on this machine, so let's go check. This is also the answer to the fourth question.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbN_Yaq2Zs9G3NRv4EX%2F-MbNdzAwlVyrsIreCP-X%2Fimage.png?alt=media\&token=a604c94e-c6df-4ec0-a655-c2bc1ead7297)

### Port 21: FTP

We found the username `vigilante` a few steps back, so let's try to log in with these credentials.

`Username: vigilante`

`Password: !#th3h00d`

```
ftp 10.10.26.138
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNdzzK0WJwUZOKPSaK%2F-MbNebQzA__8FTVLlaeT%2Fimage.png?alt=media\&token=71e45d55-b60b-4813-9c0f-4bbcc2d091c2)

Let's list the files on the FTP server.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNdzzK0WJwUZOKPSaK%2F-MbNf06Sobmh-DZaUdeN%2Fimage.png?alt=media\&token=4fd14a40-b52a-4faf-9769-568971e6ed66)

It looks like we have 3 files; let's transfer them all to our machine using the `get` command.

```
get <file-name>
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNdzzK0WJwUZOKPSaK%2F-MbNfGwDu0400dOIn1_1%2Fimage.png?alt=media\&token=cefeec6b-d6b4-4cd7-959d-e60bab67f40b)

We can also see another file called `.other_file`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNfI3yX6jT1Dcd1Xlv%2F-MbNl8hZdBr4D3VpmJmZ%2Fimage.png?alt=media\&token=e14f1cc2-d2b6-4bcd-b23b-034a43ffc650)

Let's transfer this file too.

```
get .other_file
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNfI3yX6jT1Dcd1Xlv%2F-MbNlI5GdRS0CRM2CjhM%2Fimage.png?alt=media\&token=2138c32f-e2ed-45ab-887c-61a33c4aab60)

Let's read the file.

```
cat .other_file
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNfI3yX6jT1Dcd1Xlv%2F-MbNm0F9ePdE58URGLSY%2Fimage.png?alt=media\&token=6ab73d5e-95d4-476e-a88f-d4e647bd2b08)

From this file, we can say that `slade` can be another username.

Let's also try to view the image files. For some reason we cannot open the file `Leave_me_alone.png`; it may be corrupted, so let's look at the hexdump to check for errors. We'll use the command `xxd` for this task.

```
xxd Leave_me_alone.png > hexdump
```

Let's read the hexdump.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNfI3yX6jT1Dcd1Xlv%2F-MbNgfcZlQ4Jd-AvJzdP%2Fimage.png?alt=media\&token=7fcaa640-d8e9-479e-b346-8bf735d15fc4)

Looking at the first line, we can see the problem: the first 16 hex characters (8 bytes) of a PNG file should be `89 50 4E 47 0D 0A 1A 0A`, the fixed PNG signature, and here they are not. So let's change them. To edit these bytes, we can use the tool `hexeditor`.

```
hexeditor Leave_me_alone.png
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNfI3yX6jT1Dcd1Xlv%2F-MbNhgbRwLdnzzWqryCa%2Fimage.png?alt=media\&token=4928c890-293a-44d2-b97d-059f19dd2d35)

Now let's change it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNfI3yX6jT1Dcd1Xlv%2F-MbNiH7k0UGi91x8GoZ-%2Fimage.png?alt=media\&token=f64342de-0e58-4905-bb8d-e65d74cd584e)

Now save it with `Ctrl + x`. We can now see the image.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNfI3yX6jT1Dcd1Xlv%2F-MbNi_u3tsS5_MbujFkf%2Fimage.png?alt=media\&token=6d738634-aa00-4e6a-99d3-bb7610a6edcb)

It looks like we found a password, which is `password`.
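The hexdump check above is easy to do by hand once, but the same signature check is worth scripting when you triage many files. As an added example (not part of the original writeup), this Python script compares the first 8 bytes against the PNG signature, rewrites them the way `hexeditor` was used to, and then verifies the first chunk's CRC to confirm that only the signature was damaged and the rest of the file is still consistent. The sample PNG bytes are constructed inline and are not the bytes of `Leave_me_alone.png`; the script name `png_sig.py` in the usage comment is assumed.

```python
import struct
import sys
import zlib

# The fixed 8-byte PNG signature: 0x89, "PNG", CR, LF, Ctrl-Z, LF
PNG_SIGNATURE = bytes.fromhex("89504E470D0A1A0A")


def check_png_signature(data: bytes) -> list:
    """Compare the first 8 bytes against the PNG signature.

    Returns a list of human-readable mismatches; an empty list means the
    signature is intact.
    """
    if len(data) < len(PNG_SIGNATURE):
        return ["file is shorter than the 8-byte PNG signature"]
    problems = []
    for offset, (expected, actual) in enumerate(zip(PNG_SIGNATURE, data[:8])):
        if expected != actual:
            problems.append(f"offset {offset}: expected {expected:02X}, found {actual:02X}")
    return problems


def repair_png_signature(data: bytes) -> bytes:
    """Overwrite the first 8 bytes with the correct signature (what hexeditor did by hand)."""
    return PNG_SIGNATURE + data[len(PNG_SIGNATURE):]


def first_chunk(data: bytes) -> tuple:
    """Parse the first chunk after the signature and verify its CRC.

    Returns (chunk type, data length, crc_ok). In a well-formed PNG the first
    chunk is IHDR with a 13-byte body, so this is a cheap sanity check that
    the damage was limited to the signature.
    """
    length = struct.unpack(">I", data[8:12])[0]
    ctype = data[12:16]
    body = data[16:16 + length]
    stored_crc = struct.unpack(">I", data[16 + length:20 + length])[0]
    calc_crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return ctype.decode("ascii"), length, stored_crc == calc_crc


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build a PNG chunk: 4-byte length, type, body, CRC over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


# Constructed sample: a minimal valid PNG header (1x1 grayscale IHDR) and a
# copy whose first two signature bytes have been zeroed. These are NOT the
# bytes of Leave_me_alone.png from the room; they only stand in for it.
IHDR_BODY = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
VALID_PNG = PNG_SIGNATURE + _chunk(b"IHDR", IHDR_BODY)
CORRUPTED_PNG = b"\x00\x00" + VALID_PNG[2:]


if __name__ == "__main__":
    # Usage: python png_sig.py <file>   (without a path, runs on the built-in sample)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else CORRUPTED_PNG
    problems = check_png_signature(data)
    if not problems:
        print("signature OK")
    else:
        print("\n".join(problems))
        fixed = repair_png_signature(data)
        print("first chunk after repair:", first_chunk(fixed))
        if path:
            with open(path + ".fixed", "wb") as fh:
                fh.write(fixed)
```

The repaired copy is written to a new `.fixed` file rather than in place, so the original evidence stays untouched; if `first_chunk` reports anything other than `("IHDR", 13, True)`, more than the signature was altered and a hex editor session on the first line will not be enough.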

Let's now explore the other files. We can use steghide to extract data hidden inside image files.

```
steghide --extract -sf aa.jpg
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNfI3yX6jT1Dcd1Xlv%2F-MbNjA8Hg3uRVMFQosKS%2Fimage.png?alt=media\&token=f6c6992e-93c0-4935-9c1b-84a9aa2381cf)

It asks for a passphrase, and we found a password earlier: `password`. We now have a zip file called `ss.zip`. Let's unzip it and check what it contains.

```
unzip ss.zip
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNfI3yX6jT1Dcd1Xlv%2F-MbNjkbW69moKJmcGDcY%2Fimage.png?alt=media\&token=fcc2d78d-0030-47ef-afb9-0787fb1bec0d)

Looks like we have two new files called `passwd.txt` and `shado`. Let's read them.

```
cat passwd.txt
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNfI3yX6jT1Dcd1Xlv%2F-MbNk-j2QamSUcF_Kz6e%2Fimage.png?alt=media\&token=9cde5599-ab77-4c42-9d0b-62dca37ae5f8)

Nothing of interest. Let's read the other file.

```
cat shado
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNfI3yX6jT1Dcd1Xlv%2F-MbNkHWeU-tV27cJcLbM%2Fimage.png?alt=media\&token=6f3a4f81-27ba-4c07-9b36-a55047278318)

This looks like the password for SSH. Let's log in with the username `slade` that we found a while back and the password `M3tahuman` we just found.

```
ssh slade@10.10.26.138
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNfI3yX6jT1Dcd1Xlv%2F-MbNmYL0ODzeOZLpEA9I%2Fimage.png?alt=media\&token=1cc22bb4-c221-4be8-9932-61a3945aec51)

And we are logged in! We can go get the user flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNfI3yX6jT1Dcd1Xlv%2F-MbNmedSW4M_in8CCvFt%2Fimage.png?alt=media\&token=5ef57468-185f-4155-ad79-9279178854bd)

Now we can answer questions 5 and 6.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNfI3yX6jT1Dcd1Xlv%2F-MbNmrUpJs2lf1C6RrOZ%2Fimage.png?alt=media\&token=675a00aa-976f-4c93-921e-c177c3793be2)

## Privilege Escalation

Let's run `sudo -l` to see what we can run as other users.

```
sudo -l
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNfI3yX6jT1Dcd1Xlv%2F-MbNn8k9pDOJoVnw9u3J%2Fimage.png?alt=media\&token=a5b8a086-5135-4d4a-b4c9-58388f907f60)

We can run `/usr/bin/pkexec` as root, so let's go to [GTFOBins](https://gtfobins.github.io/gtfobins/pkexec/#sudo) to find the command to escalate privileges to root. The command listed there is

```
sudo pkexec /bin/sh
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNfI3yX6jT1Dcd1Xlv%2F-MbNnThiUdc-JTu_fGn8%2Fimage.png?alt=media\&token=b23e0162-c847-47ad-8b3a-7d39c70486d9)

We are now root; we can go to the `/root` directory and read the `root.txt` file, which is the answer to the last question of this room.
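From the defender's side, the root cause of this escalation is a sudo rule that grants a known shell-escape binary as root. As an added example (not from the room, GTFOBins, or sudo itself), the following Python script parses `sudo -l` output and flags such rules, plus `NOPASSWD` rules with unrestricted arguments, so an administrator can review them. The `sudo -l` text is constructed inline in the format sudo prints and is not the room's actual output; the binary list is a small subset of GTFOBins entries, and `/usr/local/bin/backup.sh` is a hypothetical path.

```python
import re

# Binaries that GTFOBins documents as giving an interactive root shell when
# they can be run as root through sudo; pkexec is the one this room uses.
SHELL_ESCAPE_BINARIES = {
    "pkexec", "sh", "bash", "vim", "vi", "nano", "less", "more",
    "find", "awk", "python", "python3", "perl", "env",
}

# One "(runas) [TAG:] command [args]" line as printed by `sudo -l`
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(\S+)(.*)$")

# Constructed sample in the format `sudo -l` prints (NOT the room's real output;
# backup.sh is a hypothetical path)
SAMPLE_SUDO_L = """\
Matching Defaults entries for slade on LianYu:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User slade may run the following commands on LianYu:
    (root) /usr/bin/pkexec
    (root) NOPASSWD: /usr/bin/apt-get update
    (ALL : ALL) /usr/bin/less
    (root) NOPASSWD: /usr/local/bin/backup.sh
    (www-data) /usr/bin/systemctl restart apache2
"""


def parse_sudo_rules(text: str) -> list:
    """Parse `sudo -l` output into (runas_user, nopasswd, command, args) tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header, Defaults and blank lines carry no rule
        runas, tags, command, args = m.groups()
        runas_user = runas.split(":")[0].strip()  # "(root : root)" -> "root"
        rules.append((runas_user, "NOPASSWD:" in tags, command, args.strip()))
    return rules


def audit_sudo_rules(text: str) -> list:
    """Flag rules that can hand out a root shell. Returns (reason, command, runas) tuples."""
    findings = []
    for runas, nopasswd, command, args in parse_sudo_rules(text):
        if runas not in ("root", "ALL"):
            continue  # rules targeting unprivileged users are out of scope here
        binary = command.rsplit("/", 1)[-1]
        if binary in SHELL_ESCAPE_BINARIES:
            findings.append(("shell-escape binary", command, runas))
        elif nopasswd and not args:
            # No arguments in the rule means any arguments are accepted, with no
            # password prompt: worth a manual review even for custom scripts.
            findings.append(("NOPASSWD with unrestricted arguments", command, runas))
    return findings


if __name__ == "__main__":
    # Usage: sudo -l | python sudo_audit.py   (without stdin input, runs on the sample)
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SUDO_L
    for reason, command, runas in audit_sudo_rules(text):
        print(f"[!] {command} as {runas}: {reason}")
```

The fix for the finding that matters here is simply to remove the `pkexec` rule from sudoers (or, if a specific action is really needed, to grant a purpose-built wrapper with fixed arguments instead); the audit only makes the rule visible, it does not change it.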
