Lian_Yu
Task 1 - Deploy the machine
🎯 Target IP: 10.10.95.230
Create a directory for the machine on the Desktop, with a subdirectory for the nmap scans.
Task 2 - Reconnaissance
I prefer to start recon by pinging the target; this checks connectivity and gives a first hint about the operating system.
Sending three ICMP echo requests, we see that the replies come back with a Time To Live (TTL) of about 64. The TTL is a hop counter, not a time in seconds: Linux and other *nix systems usually start at 64, Windows at 128, and each router on the path decrements it by one, so a value just under one of those defaults points at that OS family.
Next, scan for open ports:
flag | meaning |
---|---|
sudo | run nmap as root (required for SYN scans and OS detection) |
-sC | run the default NSE scripts |
-sV | probe open ports for service and version information |
-A | aggressive mode: OS detection, version detection, script scanning and traceroute (this already implies -sC and -sV) |
-T4 | faster timing template |
-oN | save the output to a file in nmap's normal format |
It looks like there are 5 open TCP ports on the machine: 21, 22, 80, 111 and 52286. Port 111 is rpcbind, and a high port next to it is typically an RPC service assigned dynamically, which rpcinfo -p against the target can confirm.
Now we need to identify the services running on those ports:
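To make the two recon checks above repeatable, here is an added example (not code from the original writeup) that pulls the TTL out of ping output, rounds it up to the nearest default TTL while estimating the hop count, and parses nmap's -oN normal output for open ports only. The ping and nmap text embedded below is constructed to match the shape of the runs described in this section, not copied from the target; the filtered 445/tcp line is invented to show that non-open ports are skipped.

```python
import re

# Constructed sample output (not the page's own captures).
PING_OUTPUT = """\
PING 10.10.95.230 (10.10.95.230) 56(84) bytes of data.
64 bytes from 10.10.95.230: icmp_seq=1 ttl=63 time=44.1 ms
64 bytes from 10.10.95.230: icmp_seq=2 ttl=63 time=43.8 ms
64 bytes from 10.10.95.230: icmp_seq=3 ttl=63 time=44.0 ms
"""

NMAP_OUTPUT = """\
# Nmap scan initiated as: nmap -sC -sV -A -T4 -oN scans/initial.nmap 10.10.95.230
Nmap scan report for 10.10.95.230
Host is up (0.044s latency).
Not shown: 994 closed ports
PORT      STATE    SERVICE
21/tcp    open     ftp
22/tcp    open     ssh
80/tcp    open     http
111/tcp   open     rpcbind
445/tcp   filtered microsoft-ds
52286/tcp open     status
"""

# Common default TTLs. A reply arrives with (initial TTL - hops) left, so the
# observed value is rounded *up* to the nearest default, never matched exactly.
DEFAULT_TTLS = ((64, "Linux/Unix"), (128, "Windows"), (255, "Solaris/network device"))


def ttl_from_ping(output: str):
    """Return the TTL of the first echo reply, or None if nothing answered."""
    m = re.search(r"\bttl=(\d+)", output, re.IGNORECASE)  # Windows ping prints TTL=
    return int(m.group(1)) if m else None


def guess_os_from_ttl(ttl: int):
    """Map an observed TTL to (OS family, estimated number of hops)."""
    for initial, family in DEFAULT_TTLS:
        if ttl <= initial:
            return family, initial - ttl
    return "unknown", 0


# Only lines whose STATE column is exactly "open"; "filtered" and the
# ambiguous "open|filtered" that nmap reports for UDP are deliberately skipped.
OPEN_PORT = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)", re.MULTILINE)


def open_ports(nmap_normal_output: str):
    """Parse nmap -oN text into (port, proto, service) tuples for open ports."""
    return [(int(p), proto, svc) for p, proto, svc in OPEN_PORT.findall(nmap_normal_output)]


if __name__ == "__main__":
    ttl = ttl_from_ping(PING_OUTPUT)
    print("TTL", ttl, "->", guess_os_from_ttl(ttl))
    for port, proto, svc in open_ports(NMAP_OUTPUT):
        print(f"{port}/{proto} {svc}")
```

Point the parser at the file written by -oN (for example scans/initial.nmap) to get the port list without re-running the scan; the TTL guess is a heuristic only, since an administrator can change the default.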
Task 3 - Find the flags
3.1 What is the Web Directory you found?
Let's look at the website on port 80:
We find this note in the footer of the website:
Note: Hi Everyone, I am a huge fan of Arrowverse, I built this VM concept based on Arrow (first season); you will find a few things similar here, and I posted this content here just to entertain you. To complete this CTF it isn't mandatory to have knowledge of the Arrowverse series. I hope you will enjoy the content and have fun :).
We continue by reviewing the page source for any information disclosure.
Nothing else there. The next useful step is to look for hidden paths on the website with gobuster:
No luck: the only hit is the index page we have just seen.
We can try a bigger wordlist such as directory-list-2.3-medium.txt:
Excellent! We find a new path, /island. Let's look at it:
Note this code word: vigilante.
We run gobuster again, this time starting from the /island/ path:
That gives us the answer to the first question:
2100
3.2 What is the file name you found?
Open the /island/2100 page:
Viewing the source code, we see this comment:
you can avail your .ticket here but how?
Another gobuster run against /island/2100/ finds nothing, so we repeat it with gobuster told to append the .ticket extension to every word (its -x option):
That reveals the ticket file, which is also the answer to this question:
green_arrow.ticket
3.3 - What is the FTP Password?
Opening it, we see a string that looks encoded rather than encrypted, so we can use CyberChef to work out the encoding.
After some trial and error with CyberChef's decoding recipes, we find that it is Base58 and that it decodes to a plaintext password.
Recall the code word 'vigilante' found earlier: we try it as the FTP username together with the decoded password:
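The trial-and-error step is easy to automate. The following is an added example, not code from the original writeup: a dependency-free Base58 encoder/decoder (Bitcoin alphabet, the one CyberChef uses by default) plus a small helper that runs a candidate string through hex, Base32, Base64 and Base58 and keeps only the decodings that come out as printable ASCII. The sample input is constructed here by re-encoding the FTP password recovered later in this task; the ticket's actual string is not reproduced.

```python
import base64
import binascii
import string

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Base58 (Bitcoin alphabet): big-endian integer in base 58, one '1' per leading zero byte."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))  # leading '1's are leading zero bytes
    return b"\x00" * pad + body


# Decoders tried in turn; each raises ValueError/binascii.Error on bad input.
DECODERS = {
    "hex": bytes.fromhex,
    "base32": lambda s: base64.b32decode(s, casefold=True),
    "base64": lambda s: base64.b64decode(s, validate=True),
    "base58": b58decode,
}


def guess_decodings(text: str):
    """Return [(encoding, decoded_text)] for every decoder that yields printable ASCII."""
    hits = []
    for name, decode in DECODERS.items():
        try:
            raw = decode(text)
        except (ValueError, binascii.Error):
            continue
        decoded = raw.decode("ascii", errors="replace")  # non-ASCII -> U+FFFD, not printable
        if raw and all(c in string.printable for c in decoded):
            hits.append((name, decoded))
    return hits


# Constructed sample: the password from this task, re-encoded (not the ticket's bytes).
SAMPLE = b58encode(b"!#th3h00d")

if __name__ == "__main__":
    print(SAMPLE)
    for encoding, plaintext in guess_decodings(SAMPLE):
        print(f"{encoding}: {plaintext}")
```

Because Base58 strings are also valid Base64 alphabet, a Base64 attempt on the same input does not raise; it is discarded only because the result is not printable, which is why the helper reports every plausible decoding instead of stopping at the first.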
Download all the files with the mget * command.
There are three images that may contain hidden data.
The file Leave_me_alone.png does not open: looking at its header, the first bytes are not the PNG signature (89 50 4E 47 0D 0A 1A 0A):
We fix the signature with hexeditor, after which the image displays and reveals a password:
We can now run steghide with the password just recovered to extract hidden data from the other images:
The content of the extracted shado file is the interesting part:
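Checking and repairing a file signature by hand works, but the same check is worth scripting so that a broken image is recognised before it is opened. The following is an added example, not code from the original writeup: it sniffs a few common magic numbers (as the file utility would), recognises a PNG whose 8-byte signature was overwritten by the IHDR chunk that still follows it, rewrites the signature, and then walks the chunks verifying their CRCs to confirm the rest of the file is intact. The corrupt file from the target is not reproduced; a one-pixel PNG is built in code and its signature clobbered to stand in for it.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Magic numbers for a handful of formats commonly seen in CTF image challenges.
MAGICS = {
    PNG_SIG: "PNG image",
    b"\xff\xd8\xff": "JPEG image",
    b"GIF87a": "GIF image",
    b"GIF89a": "GIF image",
    b"PK\x03\x04": "ZIP archive",
    b"BM": "BMP image",
}


def sniff(data: bytes) -> str:
    """Identify a file by its leading bytes, like `file` does."""
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def looks_like_damaged_png(data: bytes) -> bool:
    # After the 8-byte signature every PNG starts with the IHDR chunk:
    # 4-byte length (always 13) followed by the ASCII type "IHDR".
    return data[:8] != PNG_SIG and data[8:16] == b"\x00\x00\x00\x0dIHDR"


def repair_png_signature(data: bytes) -> bytes:
    if not looks_like_damaged_png(data):
        raise ValueError("not a PNG with a damaged 8-byte signature")
    return PNG_SIG + data[8:]


def png_chunks(data: bytes):
    """Walk the chunk list; return (type, length, crc_ok) per chunk, stopping at IEND."""
    pos, out = 8, []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):          # truncated chunk
            out.append((ctype.decode("ascii", "replace"), length, False))
            break
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        out.append((ctype.decode("ascii", "replace"), length, zlib.crc32(ctype + body) == crc))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return out


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def make_tiny_png() -> bytes:
    """Constructed 1x1 red RGB PNG used as the stand-in for the image from the target."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, colour type 2 (RGB)
    scanline = b"\x00" + b"\xff\x00\x00"                   # filter byte 0 + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b"")


# Constructed sample: a valid PNG whose signature has been overwritten with junk.
DAMAGED = b"\xde\xad\xbe\xef" * 2 + make_tiny_png()[8:]

if __name__ == "__main__":
    print("before:", sniff(DAMAGED), "damaged PNG?", looks_like_damaged_png(DAMAGED))
    fixed = repair_png_signature(DAMAGED)
    print("after: ", sniff(fixed), png_chunks(fixed))
```

Writing the repaired bytes back to disk is then a one-line open(..., "wb").write(fixed); run pngcheck or file on the result to confirm it before feeding it to an image viewer or steghide.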
!#th3h00d
3.4 - What is the file name with SSH password?
The FTP credentials do not work for SSH.
Brute-forcing the password for the same username with Hydra also fails.
Before brute-forcing both username and password, we go back to FTP and look at the home directories of the system users:
We find another user, slade, and the SSH password is probably the string from the shado file (M3tahuman).
Logging in as slade over SSH with that password works.
shado
3.5 - Find user.txt flag
Using find we quickly locate user.txt and read it with cat:
3.6 - Find root.txt flag
We run sudo -l to see what slade is allowed to run as root:
slade can run pkexec as root through sudo.
GTFOBins (https://gtfobins.github.io/) lists a sudo escape for pkexec:
Run it to become root, then locate and read root.txt the same way as the user flag: