Lian_Yu — A beginner level security challenge Walkthrough — TryHackMe
Dear friends, let us solve challenges in the Lian_Yu box present in the below link.
1. Reconnaissance (Information Gathering)
The target IP address is provided when the machine is deployed.
Note: You will see different IPs because I did the challenge in four separate sessions. Every time the THM machine is started, the IP changes.
Attack Target: 10.10.195.13 / 10.10.110.213 / 10.10.251.249 / 10.10.144.162
Methodologies and tools used:
Port scanning (nmap)
Directory fuzzing (gobuster)
Decoding (dcode.fr)
Steganography (hexedit, steghide, stegcracker)
Sudo privilege escalation (spawning a root shell)
2. Scanning
As always, we start with nmap to scan for open ports and services on the target:
nmap -sC -sV -vv -A -O 10.10.195.13
From this we can see the following ports and services:
port 21/tcp — FTP — (vsftpd 3.0.2)
port 22/tcp — SSH — (OpenSSH 6.7p1)
port 80/tcp — HTTP — (Apache httpd)
port 111/tcp — RPC — (rpcbind)
After visiting the webserver on port 80, I am presented with this page:
3. Enumeration
Taking a look at the HTTP service, we see the following:
a) Running gobuster against the target:
gobuster dir --url 10.10.195.13 --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
b) This finds a directory: /island
c) If you don't find any clue, dig deeper: view the source code of this webpage.
d) I thought we would get some code or a clue for the next step, but instead I got a hint (vigilante) which might help later. Again, I performed a directory brute-force scan against the /island directory to see what was available, using the following command:
gobuster dir -u http://10.10.195.13/island/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
e) We get many subfolders. Trying them manually, I found one useful one, but at first glance it shows nothing. Let's try harder, guys, and view the source code of this page:
http://10.10.195.13/island/2100
f) View the source code of the page.
g) This suggests to me that there is a file with a .ticket extension, so this time I ran ffuf to identify the hidden file. ffuf is a fast web fuzzer written in Go. It allows fuzzing HTTP header values, POST data, and different parts of URLs, including GET parameter names and values. The command I used is:
ffuf -u http://10.10.110.213/island/2100/FUZZ.ticket -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
h) This time the scan finds /green_arrow with status 200, which is a good sign, and we are right back on track:
http://10.10.110.213/island/2100/green_arrow.ticket
i) I tried this as the password, but it didn't work, and I tried to decode and brute-force it with many schemes. Decode it by searching for an online decoder on Google and you will get the password. As we saw earlier in our nmap scan, port 21 is open, so let's try logging in to FTP using this password.
I try to log in to FTP with the username Gambit, but I am unsuccessful. I try the code word I found earlier, and it now prompts for a password; I try the random string, but I am denied. Maybe it's encoded.
I open up dcode.fr and try multiple notations for decoding. After a few attempts, I try Base58 and get an interesting output:
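The trial-and-error decoding step above can be scripted. The following Python example is added here (it is not code from the original post): it implements a Base58 decoder using the Bitcoin alphabet, tries hex, Base64 and Base58 on one token, and keeps only the decodings that produce printable text. The ticket string itself is not reproduced on this page, so the sample token "Cn8eVZg" is a constructed one.

```python
import base64
import binascii
import string

# Base58 alphabet as used by Bitcoin: 0, O, I and l are excluded, so any of those
# characters in a token is a quick tell that it is NOT Base58.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58_decode(text: str) -> bytes:
    """Decode a Base58 string; each leading '1' becomes one leading zero byte."""
    num = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"{ch!r} is not a Base58 character")
        num = num * 58 + idx
    raw = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + raw


def base58_encode(data: bytes) -> str:
    """Inverse of base58_decode, used to round-trip test the decoder."""
    num = int.from_bytes(data, "big")
    out = ""
    while num:
        num, rem = divmod(num, 58)
        out = ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def _printable(b: bytes) -> bool:
    return bool(b) and all(chr(c) in string.printable for c in b)


def try_decodings(token: str) -> dict:
    """Mirror the trial-and-error step: attempt hex, Base64 and Base58 on one token
    and keep only the decodings that yield printable ASCII."""
    candidates = {
        "hex": bytes.fromhex,
        "base64": lambda t: base64.b64decode(t, validate=True),
        "base58": base58_decode,
    }
    found = {}
    for name, decode in candidates.items():
        try:
            out = decode(token)
        except (ValueError, binascii.Error):
            continue
        if _printable(out):
            found[name] = out.decode("ascii")
    return found
```

Calling `try_decodings("Cn8eVZg")` returns `{'base58': 'hello'}`; a token containing 0, O, I or l never decodes as Base58.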
4. Gaining Access
a) Now that we have the username and password, we can log in to the FTP service and list all files in the current directory. We can also go up a directory to reveal another potential username. Enter the username (the secret code you found earlier) and the password to log in:
ftp 10.10.110.213
Username (found on the site): vigilante
Password (decoded from Base58): !#th3h00d
Use the get command to download the files to your local system and examine them:
get .bash_history
get .bash_logout
get .bashrc
get .other_user
get .profile
get Leave_me_alone.png
get Queen's_Gambit.png
get aa.jpg
b) I found the required information in 4 files: .other_user, Leave_me_alone.png, Queen's_Gambit.png and aa.jpg. I assume slade wilson is one more username.
c) Viewing these files locally does not reveal much at this time. However, running 'file Leave_me_alone.png' in the terminal returns: Leave_me_alone.png: data. I can't open the file, so I suspect it is damaged and try hexedit.
d) hexedit can be used to check and edit the magic header of this file. If you do not already have it installed in Kali, run:
apt-get install hexedit
We can then compare the header of the intact 'Queen's_Gambit.png' against the header of the corrupted 'Leave_me_alone.png':
hexedit Leave_me_alone.png
hexedit Queen\'s_Gambit.png
I check the first few bytes, also known as magic bytes or the file signature, to try and determine what this file is:
xxd Leave_me_alone.png | head -n 1
From experience, I know that this isn't the file signature for a PNG. Going to the hyperlink above, I find that the PNG signature is 89 50 4E 47 0D 0A 1A 0A.
Using hexedit, I change the 6 differing bytes in the header of Leave_me_alone.png to match Queen's_Gambit.png, from 58 45 6F AE 0A 0D 1A 0A to 89 50 4E 47 0D 0A 1A 0A:
hexedit Leave_me_alone.png
Save the changes using Ctrl+X.
Running 'file Leave_me_alone.png' in the terminal now returns: Leave_me_alone.png: PNG image data, 845 x 475, 8-bit/color RGBA, non-interlace
The Leave_me_alone.png image is also restored now.
Finally, we open the image looking for a clue, and it gives us the password: password :)
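The signature repair done above with hexedit can also be scripted and verified. The following Python example is added here (it is not code from the original post): it does what file plus xxd did, comparing the first 8 bytes against the PNG signature, and before overwriting them it checks that a valid IHDR chunk with a correct CRC follows, so a file that is not really a PNG is not silently relabelled. The sample bytes are constructed inside the script, using the damaged signature from the walkthrough in front of an IHDR for the 845 x 475 RGBA image that file reported.

```python
import struct
import zlib

PNG_SIG = bytes.fromhex("89504e470d0a1a0a")  # 89 50 4E 47 0D 0A 1A 0A


def identify_signature(data: bytes) -> str:
    """Return 'png' if the first 8 bytes are the PNG signature, else those bytes as hex."""
    head = data[:8]
    return "png" if head == PNG_SIG else head.hex(" ")


def parse_ihdr(data: bytes) -> tuple:
    """Parse the IHDR chunk that must directly follow the signature and verify its CRC.
    Returns (width, height, bit_depth, color_type); raises ValueError if not PNG-like."""
    if len(data) < 33:
        raise ValueError("too short to hold a PNG signature plus IHDR")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a 13-byte IHDR")
    body = data[16:29]
    stored_crc = struct.unpack(">I", data[29:33])[0]
    if zlib.crc32(ctype + body) & 0xFFFFFFFF != stored_crc:
        raise ValueError("IHDR CRC mismatch: damage goes beyond the signature")
    width, height, depth, color = struct.unpack(">IIBB", body[:10])
    return width, height, depth, color


def repair_signature(data: bytes):
    """Overwrite the first 8 bytes with the PNG signature, but only when a valid IHDR
    follows; otherwise return None rather than relabelling a non-PNG file."""
    fixed = PNG_SIG + data[8:]
    try:
        parse_ihdr(fixed)
    except ValueError:
        return None
    return fixed


def build_sample_header(width: int, height: int) -> bytes:
    """Constructed sample: signature + IHDR for an 8-bit RGBA image (header only, no IDAT)."""
    body = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    crc = struct.pack(">I", zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF)
    return PNG_SIG + struct.pack(">I", 13) + b"IHDR" + body + crc


# Constructed: the damaged signature seen in the walkthrough in front of a sane IHDR.
CORRUPTED = bytes.fromhex("58456fae0a0d1a0a") + build_sample_header(845, 475)[8:]

if __name__ == "__main__":
    print("before:", identify_signature(CORRUPTED))
    fixed = repair_signature(CORRUPTED)
    print("after:", identify_signature(fixed), parse_ihdr(fixed))
```

To apply it to a real file, read it with open(path, "rb"), pass the bytes to repair_signature, and write the returned bytes back only when the result is not None.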
5. Steganography
Before continuing, I must tell you that steganography is an extensive topic with a lot of tools, and every tool has its own specific use. We need a trial-and-error approach to find hidden content. You can do the Steganography rooms on TryHackMe to learn about this.
I used the steghide and stegcracker tools to extract the details from the image file. At this point, I recalled that the CTF mentioned steganography, the practice of concealing a file or image within another file or image.
a) Using steghide and stegcracker, we can try to extract hidden data from the other image files we downloaded:
apt-get install stegcracker (if you don't already have it installed)
stegcracker aa.jpg /usr/share/wordlists/rockyou.txt
We already have the password: password.
b) Now, let's try steghide. The passphrase is password.
apt-get install steghide (if you don't already have it installed)
steghide --extract -sf aa.jpg
c) An ss.zip file is extracted. To unzip it, use the command below:
unzip ss.zip
d) Two files are extracted; let us look at the contents of the passwd file first:
cat passwd.txt
Some content is there, but I think, as mentioned, this content is a booby trap.
e) Now, let us open the other file, shado:
cat shado
It has some code. Let us try to use it; if it doesn't work, try decoding it first.
M3tahuman is the content of shado.
f) Viewing the contents of the shado file gives us an SSH password. Thinking back, there are several usernames (vigilante, Lian_Yu, slade wilson, slade, wilson) we can use to try to log in via SSH.
By trial and error, I found that the username was slade, from the .other_user file.
ssh slade@10.10.144.162
M3tahuman
g) Let us see the contents of slade's home directory:
ls
cat user.txt
It has user.txt, and we get the user flag: THM{P30P7E_K33P_53CRET5__C0MPUT3R5_D0N'T}
h) Now it's time to get the root flag, so let's do privilege escalation. The first privesc technique is to check whether I can run any commands as sudo; type sudo -l to see if we can run any command with root privileges:
sudo -l
i) There is a hint: we can run pkexec with root privileges. pkexec allows users to execute commands as other users, and in this case I can execute them as root. We can take advantage of this to run /bin/sh as root, spawn a root shell, and then grab the contents of root.txt to complete this CTF.
Enter the command: sudo pkexec /bin/sh
ls
cat root.txt
Hurray, I finally got the root flag.
THM{MY_W0RD_I5_MY_B0ND_IF_I_ACC3PT_YOUR_CONTRACT_THEN_IT_WILL_BE_COMPL3TED_OR_I'LL_BE_D34D}
Done! Let us see the answers to the challenge questions now.
What is the web directory you found?
2100
What is the file name you found?
green_arrow.ticket
What is the FTP password?
!#th3h00d
What is the file name with the SSH password?
shado
user.txt
THM{P30P7E_K33P_53CRET5__C0MPUT3R5_D0N'T}
root.txt
THM{MY_W0RD_I5_MY_B0ND_IF_I_ACC3PT_YOUR_CONTRACT_THEN_IT_WILL_BE_COMPL3TED_OR_I'LL_BE_D34D}
Thank you very much for reading. I hope you find this useful, and if there is something you would like to add, or any suggestions, you can contact me anytime.
Happy Hacking!