THM Lian_Yu
Introduction
Welcome to Lian_YU, this Arrowverse themed beginner CTF box! Capture the flags and have fun.
Normally I keep notes in Cherrytree. I’m going to try doing notes directly into Joplin as I work instead for this.
nmap
Results
Ports 21 (FTP), 22 (SSH), 80 (Webserver), 111 (unknown), 54272 (unknown). Google says Port 111 is probably RCP. We’ll get nmap to see if it knows.
Port 111
nmap says it’s rpcbind. Not sure if it’s important yet. Port 54272 also appears to be related to RPC.
I don’t think this is relevant.
FTP
Anonymous login not permitted.
nmap says:
21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.2
Searchsploit doesn’t list a vulnerability for this version, so presumably we’re going to need some credentials.
Webserver
Page title is Purgatory, and there is some content about the TV Series Arrow that doesn’t immediately appear relevant. No robots.txt. Server home is index.html, index.php is 404 so possibly not running PHP on the server. The 404 doesn’t leak any information about which server is running.
Changing the HTTP version and host header field in Burp Repeater didn’t do anything.
Gobuster
Try a gobuster with a basic wordlist:
This didn’t turn up anything useful, so we’ll try again with a bigger wordlist (directory-list-lowercase-2.3-small.txt).
Gobuster turned up a page called ‘island’ with the following content: Ohhh Noo, Don’t Talk…………… I wasn’t Expecting You at this Moment. I will meet you there You should find a way to Lian_Yu as we are planed. The Code Word is: vigilante
Vigilante was written in a white font on the white background so it wasn’t readily visible.
Custom wordlist 1
Since ‘island’ was a term on the index.html page, I ran cewl to generate a list of words from that page to run against gobuster:
But it didn’t find anything other than island.
Custom wordlist 2
I went to the Arrow Season 1 wikipedia page and copied all the text to a file and then manipulated it so I had one word per line. Then I removed the duplicates and punctuation (note I rm’d the original custom.txt after the first command here):
But it didn’t find anything new either.
More fuzzing
Since I’m not getting anywhere with that, let’s try fuzzing inside island:
Success: http://10.10.156.179/island/2100/
There is a hint in the page source: you can avail your .ticket here but how?
This turned up: http://10.10.62.128/island/2100/green_arrow.ticket Which contained: This is just a token to get into Queen’s Gambit(Ship) RTy8yhBQdscX
This looks like base64, but it’s actually base58. And it decodes to !#th3h00d, which we can use for the FTP service.
FTP Again
The credentials we’ve gathered are ‘vigilante:!#th3h00d’, which gives us access to three images, so probably stego.
Poking around in the FTP directory we can go up a level and find there is another user called ‘slade’.
Stego/SSH
I hate stego. I threw stegcracker at aa.jpg and it cracked with ‘password’ and I got a file with the word ‘M3tahuman’ in it; as it turns out this is the SSH password for slade.
Privesc
Very straightforward: