Lian_Yu: TryHackme Walkthrough

This post is a walkthrough of an Arrowverse-themed beginner CTF box on TryHackMe.

Let’s get started by deploying the machine. Now, after deploying the machine, start with a basic Nmap scan and see which ports and services are open and running on the particular IP address.

Nmap Scan

Port 80 is open and running so let’s look at the webpage first. Looks like the creator of this CTF challenge is a huge Arrow fan!

arrow

The first step is to check the page source and robots.txt, but no interesting information was found there, so let’s move to enumeration.

gobuster dir -u http://10.10.112.241/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
gobuster scan

Looks like we have found a directory, /island. Let’s look at it.

/island directory

The webpage looks like this at first glance, but when I looked at the source code I realized that the code word is also given on the page, but in white text.

the code word reveal

So here we got our code word vigilante which just appeared by highlighting the page.

I then ran gobuster again with the addition of the new directory I had found:

gobuster dir -u http://10.10.112.241/island/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
gobuster scan

Now let’s check /island/2100.

/island directory

There is nothing relevant on the page here, so let’s check the source code. Maybe we will find something interesting there.

source code

It mentions something about .ticket, which might be a hidden directory or a .ticket extension. I then ran gobuster once more, but this time with an extension:

gobuster dir -u http://10.10.112.241/island/2100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .ticket
gobuster scan

Going to http://10.10.112.241/island/2100/green_arrow.ticket, we’ll see this:

/green_arrow.ticket

The text in the picture is a password of some sort, so let’s use CyberChef to decode it.

After analyzing it a bit, I found that it was Base58-encoded.

cyberchef

So now we have another interesting string !#th3h00d.

Remember that ports 21 and 22 are open? Maybe vigilante and !#th3h00d are the credentials!

It didn’t work on SSH, but it worked on FTP.

FTP login

Here I can see 4 files I need to get: The 2 PNGs, the one JPG, and the last file was the “.other user” file. I downloaded all of them using “mget *”. This should download all the files to your local directory.

FTP logged in

Reading the “.other user”, I came across this:

other user command

Here I can see various names, which could be potential usernames and/or passwords. One name, “Slade”, was what stuck out to me.

But then I moved on to analyze the images that I downloaded on my local machine. The first image, Leave_me_alone.png looks corrupted.

the jpeg found in ftp

Examining the hex values of the image, we’ll see that it doesn’t follow the typical starting bytes of a PNG image.

magic bytes

Now we could easily repair this by adding the PNG magic bytes at the beginning. If you have no idea about what magic bytes are you can check this.

Going over to Wikipedia, we can see a list of file signatures for each file type.

Fire up your preferred hex editor and let’s fix this image.

changed magic bytes

Now after saving this image we will open the image.

corrected image
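
The same repair can be scripted instead of done in a hex editor. This is an added example, not part of the original walkthrough: it confirms the file really is a PNG by checking that a valid IHDR chunk (length, type and CRC) follows the damaged header, then restores the 8-byte signature. It goes slightly beyond the case above by handling both an overwritten and a stripped signature; the function names and the sample image are constructed for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = bytes.fromhex("89504e470d0a1a0a")  # \x89PNG\r\n\x1a\n
IHDR_LENGTH = 13  # the IHDR data field is always 13 bytes


def ihdr_is_valid(data: bytes, offset: int) -> bool:
    """True if a well-formed IHDR chunk (length, type, CRC) starts at offset."""
    end = offset + 8 + IHDR_LENGTH + 4
    if len(data) < end:
        return False
    length, chunk_type = struct.unpack(">I4s", data[offset:offset + 8])
    if length != IHDR_LENGTH or chunk_type != b"IHDR":
        return False
    (stored_crc,) = struct.unpack(">I", data[end - 4:end])
    # The chunk CRC covers the type field plus the data field, not the length.
    return zlib.crc32(data[offset + 4:end - 4]) & 0xFFFFFFFF == stored_crc


def repair_png_signature(data: bytes) -> bytes:
    """Return data with a correct PNG signature, or raise ValueError."""
    if data.startswith(PNG_SIGNATURE):
        return data                      # header already correct
    if ihdr_is_valid(data, 8):           # first 8 bytes were overwritten
        return PNG_SIGNATURE + data[8:]
    if ihdr_is_valid(data, 0):           # signature was stripped entirely
        return PNG_SIGNATURE + data
    raise ValueError("no valid IHDR chunk found; not a PNG with a damaged header")


def _chunk(chunk_type: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk: length, type, payload, CRC."""
    crc = zlib.crc32(chunk_type + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + chunk_type + payload + struct.pack(">I", crc)


def make_sample_png() -> bytes:
    """Constructed 1x1 greyscale PNG used as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


if __name__ == "__main__":
    good = make_sample_png()
    damaged = b"\x00" * 8 + good[8:]     # constructed: signature overwritten
    print(repair_png_signature(damaged) == good)
```

To use it on a real file, read the bytes with `open(path, "rb").read()`, pass them to `repair_png_signature`, and write the result to a new file so the original evidence stays untouched.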

Now we have a password, but it is not the SSH one, as I tried using it there. We have another image named aa.jpg, so we will try to extract information from it with Steghide using the password mentioned.

steghide --extract -sf aa.jpg -p password
steghide command

Steghide revealed two files, passwd.txt and shado. Viewing both files:

small note

passwd.txt

And shadow.txt contained the word M3tahuman.

I then entered the username, Slade, with the password M3tahuman over SSH and got into the box.

got into the box

Once I got into the box, I simply used the find command to locate the user.txt flag and submitted it on TryHackMe.

searching for flags

I then had to upgrade my privileges to root. To do this I ran “sudo -l”. This command lists the commands our user is allowed to run as the root user.

escalating privileges

Here it can be seen that the command I can run as root is “pkexec”. I then went to https://gtfobins.github.io/ in order to find out how I can use this command to get to root.

I found a command on GTFOBins to get root.

sudo pkexec /bin/bash
GTFO bins

Reading the root.txt file, I saw the last flag and was able to complete the box!