Lian-Yu

Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn) so the scan does not stop at the ping check:

nmap -Pn 10.10.26.138

Detailed Nmap scan:

Command Breakdown:

  • (-sV): Service version

  • (-sC): Default nmap scripts

  • (-p): Specifying ports 21,22,80,111

  • (-oN nmap): Saving the normal output to a file called nmap

nmap -sV -sC -p 21,22,80,111 -oN nmap 10.10.26.138

Enumeration

Port 80: HTTP

Let's visit the website.

It's an introduction to the series The Arrow (I personally recommend you watch it, it's really good). Nothing of interest, but we do see some possible usernames, so let's add them to our notes.

Now let's run gobuster to find hidden directories or files on the web server. I tried a few wordlists, but nothing showed up except with this one (directory-list-2.3-small.txt):

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://10.10.26.138/

Let's visit this page.

We don't see the code word they talk about, so let's view the page source and see if it's there.

We found something interesting: it looks like a username, so let's add it to our possible usernames list.

Let's now run gobuster against the directory we found:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.26.138/island

We found a directory (also the answer to the third question), so let's go explore it.

It's a page with a video that does not load, so let's look at the source code.

It says you can avail your .ticket, which looks like a file extension, so let's use gobuster to find files with the .ticket extension:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.26.138/island/2100 -x php,html,.ticket

We found a file called green_arrow.ticket, which is the answer to the third question.

Let's go visit this page.

It looks like some sort of code, so let's crack it using CrackStation.

!#th3h00d, this might be the password for FTP on this machine, so let's go check it out. This is also the answer to the fourth question.

Port 21: FTP

We found the username vigilante a few steps back, so let's try to log in with these credentials:

Username: vigilante

Password: !#th3h00d

ftp 10.10.26.138

Let's list the files on the FTP server.

It looks like we have 3 files, so let's transfer them all to our machine using the get command:

get <file-name>

We can also see a hidden file called .other_file (it only shows up with ls -a).

Let's transfer this file too:

get .other_file

Let's read the file:

cat .other_file

From this file, we can say that slade could be another username.

Let's also try to view the image files. For some reason we cannot open the file Leave_me_alone.png; it may be corrupted, so let's look at the hexdump to check whether the header has any errors. We can use the xxd command for this task:

xxd Leave_me_alone.png > hexdump

Let's read the hexdump.

Looking at the first line, we can see some errors: the first 8 bytes (the first 16 hex characters) of a PNG file should be 89 50 4E 47 0D 0A 1A 0A, and here they are not. So let's change them. To edit these bytes we can use the tool hexeditor:

hexeditor Leave_me_alone.png

Now let's change the first bytes to the correct PNG signature.

Now save it with (Ctrl + x). We can now see the image.
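As an added example (not part of the original writeup), here is the same check the hexeditor step does by eye, in Python: compare the first 8 bytes of the file against the PNG signature, report each byte that differs, rewrite the signature, and then confirm that the first chunk is a well-formed IHDR with a valid CRC so you know the rest of the file is intact. The sample bytes below are constructed for the demo; the room's Leave_me_alone.png is not on this page.

```python
import struct
import sys
import zlib

# Every valid PNG starts with these 8 bytes (89 50 4E 47 0D 0A 1A 0A).
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def signature_mismatches(data):
    """Return (offset, found, expected) for each signature byte that is wrong."""
    head = data[:8].ljust(8, b"\x00")
    return [(i, head[i], PNG_SIGNATURE[i]) for i in range(8)
            if head[i] != PNG_SIGNATURE[i]]


def repair_signature(data):
    """Return a copy with the signature rewritten; the rest of the file is untouched."""
    return PNG_SIGNATURE + data[8:]


def first_chunk_is_ihdr(data):
    """Sanity check: a PNG's first chunk must be a 13-byte IHDR with a valid CRC."""
    if len(data) < 8 + 4 + 4 + 13 + 4:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return False
    body = data[16:16 + length]
    (crc,) = struct.unpack(">I", data[16 + length:20 + length])
    return (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc


def _ihdr_chunk(width, height):
    # Build a real IHDR chunk (8-bit RGB) so the constructed sample checks out.
    body = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF
    return struct.pack(">I", 13) + b"IHDR" + body + struct.pack(">I", crc)


# Constructed sample (not the room's file): first four signature bytes zeroed out.
CORRUPT_SAMPLE = b"\x00\x00\x00\x00\x0d\x0a\x1a\x0a" + _ihdr_chunk(1, 1)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else CORRUPT_SAMPLE
    for off, got, want in signature_mismatches(data):
        print(f"offset {off}: found {got:02x}, expected {want:02x}")
    fixed = repair_signature(data)
    print("first chunk is a valid IHDR after repair:", first_chunk_is_ihdr(fixed))
    if path:
        with open(path + ".fixed", "wb") as out:
            out.write(fixed)
```

Run it with a file path to write a repaired copy next to the original; with no argument it runs on the constructed sample.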

It looks like we found a password, which is password.

Let's now explore the other files. We can use steghide to extract data hidden inside image files:

steghide --extract -sf aa.jpg

It asks for a password, and we found one earlier: password. We now have a zip file called ss.zip. Let's unzip it and check what it contains:

unzip ss.zip

Looks like we have two new files called passwd.txt and shado. Let's read them:

cat passwd.txt

Nothing of interest. Let's read the other file:

cat shado

This looks like the password for SSH. Let's log in with the username slade that we found a while back and the password M3tahuman we just found:

ssh slade@10.10.26.138

And we are logged in! We can go get the user flag.

Now we can answer questions 5 and 6.

Privilege Escalation

Let's run sudo -l to see what we can run as other users:

sudo -l

We can run /usr/bin/pkexec as root, so let's check GTFOBins for the command to escalate privileges to root. The command they list is:

sudo pkexec /bin/sh

We are now root, so we can go to the /root directory and read the root.txt file, which is the answer to the last question of this room.
