THM Writeup: Lian Yu CTF
Set up your connection to the TryHackMe VPN, start the target machine, and let’s get started.
I scanned the target IP with Nmap and found 4 open ports.
Since port 80 is open, we know there is a web server running.
Next, I scanned the web server for directories. I used gobuster with the common.txt wordlist (the default Dirb wordlist).
I couldn’t find much useful info, so I used another wordlist (DirBuster’s directory-list-2.3-medium.txt).
So I opened the directory and found this.
I viewed the source code and found that something is hidden in white text. It looks like some sort of username.
Meanwhile, I continued the gobuster scan against the /island directory and found another directory named with a 4 digit number. Here’s how it looked.
Don’t forget to view the source code.
If we take a look at the hints for flag 3, you’ll see that you need a 6 digit extension.
Now to brute force with gobuster, specifying the extension type; in our case the extension is .ticket.
Found it !!!
If you take a look at the hints for challenge #4, you’ll find this.
CyberChef is a web app for encryption, encoding, compression and data analysis.
The piece of text we found earlier, “RTy8yhBQdscX”, was a Base58-encoded string. So I decoded it and found the solution for challenge #4.
I successfully logged in to the target server with the credentials I found.
I found 3 image files and some other interesting files as well, so I downloaded them to my local machine for further analysis.
I went through each file one after another looking for anything interesting. I looked at .other_user hoping to find another user in addition to the FTP username I found earlier. I cat’d the .other_user file and found the story of Slade Wilson; it might be a username, so I set it aside for the time being.
Then I found that there was an error when trying to open the Leave_me_alone.png image file.
So I tried to identify the file type of Leave_me_alone.png. The “file” command does this easily.
The png image file is reported as plain data, which means it contains unrecognised/unprintable bytes. I also checked the file signature, aka the magic number. To get it, I used the “xxd” command to produce a hex dump of the file and piped it to the “head” command to view only the top of the output.
I found that the magic number of this file does not match the magic number of a normal PNG file, which looks like this.
(Got from https://en.wikipedia.org/wiki/List_of_file_signatures)
I used hexeditor, the default Kali CLI hex editor, to edit the hex values of the corrupted PNG file:
hexeditor Leave_me_alone.png
When I checked the file type again, it showed the correct file type.
Perfect… Now I was able to view the png file, and I got this.
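The magic-number check and header repair described above, as an added Python example (not part of the original writeup): it compares the first 8 bytes with the standard PNG signature, and only rewrites them if the chunk that follows is a valid IHDR with a correct CRC, so a file that merely happens to be unrecognised is not silently relabelled. The sample input is constructed here, not taken from the challenge file.

```python
"""Check and repair a PNG file signature (magic number)."""
import struct
import zlib

# Standard 8-byte PNG signature (the value listed on the Wikipedia file-signature page).
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def has_png_signature(data: bytes) -> bool:
    """True if the first 8 bytes are the canonical PNG signature."""
    return data[:8] == PNG_SIGNATURE


def looks_like_png_body(data: bytes) -> bool:
    """Sanity check: the first chunk after the signature must be a 13-byte IHDR
    whose CRC (over chunk type + chunk data) matches. This is what tells us the
    file really is a PNG with a damaged header rather than arbitrary data."""
    if len(data) < 8 + 8 + 13 + 4:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return False
    crc_offset = 16 + length
    stored_crc = struct.unpack(">I", data[crc_offset:crc_offset + 4])[0]
    return zlib.crc32(data[12:crc_offset]) == stored_crc


def repair_png_signature(data: bytes) -> bytes:
    """Overwrite the first 8 bytes with the PNG signature, but only when the
    body checks out; otherwise refuse rather than fabricate a PNG header."""
    if has_png_signature(data):
        return data
    if not looks_like_png_body(data):
        raise ValueError("first chunk is not a valid IHDR; refusing to rewrite header")
    return PNG_SIGNATURE + data[8:]


def _build_ihdr(width: int, height: int) -> bytes:
    """Helper to construct a valid IHDR chunk (8-bit RGB) for the sample below."""
    body = b"IHDR" + struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return struct.pack(">I", 13) + body + struct.pack(">I", zlib.crc32(body))


# Constructed sample (hypothetical): a PNG whose signature was overwritten with zeros.
CORRUPTED_SAMPLE = b"\x00" * 8 + _build_ihdr(1, 1)

if __name__ == "__main__":
    print("signature ok before repair:", has_png_signature(CORRUPTED_SAMPLE))
    print("signature ok after repair: ", has_png_signature(repair_png_signature(CORRUPTED_SAMPLE)))
```

To apply it to a real file, read it with open(path, "rb").read(), pass the bytes through repair_png_signature, and write the result to a new file so the original evidence stays untouched.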
Steghide is a tool used to embed hidden data in an image or extract it again. When I tried to extract data from aa.jpg it prompted for a password, so I ignored it for the moment. But now that I had hopefully found the password in the Leave_me_alone.png image, I could extract the data from aa.jpg, and I managed to extract a zip file containing 2 files.
I found the SSH password.
Now that I had 2 usernames and 1 password, it was time to test them by logging into the system with SSH. Luckily, one username worked.
Now to find the user flag.
Awesome, user flag found!!!
I also found a file called .Important and read it.
It says something about a file called Secret_Mission. So let’s find it. I navigated to the root directory and used the “locate” command to search for any file named Secret_Mission.
The line “superpowers do you need just go find it” reminded me of the “sudo” command.
This says that user slade can execute the /usr/bin/pkexec program with root privileges without entering the root password. I read the man page of the pkexec program (man /usr/bin/pkexec).
This program lets you execute commands as another user, in our case the root user. So let’s do it. I ran the program as the root user and gave pkexec the command to execute; in my case I ran /bin/bash as root, which gave me a shell with root privileges.
Got the root flag finally…
If you liked this post, please share it with your fellow hackers, and if you have any questions or suggestions, feel free to post them in the comments. I’d love to hear from you and learn from you.