Lian_yu : THM Writeup

A beginner level easy Capture The Flag(CTF) that challenges beginners to solve variety of tasks using available tools and hacking into a server to steal data. In this post, a task from HackerU : RED Team Pentester, I will show the steps followed to get the flag.

TRY HACK ME LINK:

Basic Checks to be performed before attacking the machine.

1.Power on the Target Machine and make a note of the IP address.

2.Start your Kali Virtual Machine.

3.Connect to TRY HACK ME OPEN VPN

# OPEN VPN COMMAND

4.Check connectivity to the target machine from attacker pc (Kali VM).

# Input the target machine IP address.

NMAP (NETWORK MAP) -Enumeration

Process of extracting machine names, network resources , shares , services from a system.

NMAP scan is the first step I use to scan the target machine most of the time. With -A enables OS detection , Version detection , Script Scanning , -sV probes open ports with service and version info. Use -vv to increase verbosity level.

# Input the target machine IP address

Discovered Open Ports :

# NMAP Output on Open Ports

Target Machine OS Detection

# Operating System Information

I tried to open up the FTP Port (21) and found that it was locked. So I open the website which is basically a starting point for a Pentester. I found nothing useful in the website and the view page source information also did not reveal anything significant.

With not much of information available, I decided to enumerate the machine using the tool “GOBUSTER” and with medium wordlists to accurate directory listing. I also used -x flag to for some specific extension and threads (-t) 60 to speed up the scanning. With no threads used , the scanning can be very slow.

# gobuster command

After the scan got over , there was an interesting directory /island. I found something very interesting when I browsed <Machine IP>/island. You can find that something is missing after the Code Word and probably is hidden. As a standard practice I always view the page source code to find something interesting.

I found something very interesting and was not sure of the purpose. I made a note of it and kept it aside.

# View Page Source Information

The first question was , what was the web directory you found and the hint was it was supposed to be in numbers. So I tried to check for any subdomains and gobuster did not reveal anything. So I started enumerating more on the directory /island using gobuster and interesting it threw up another directory “/2100” which was the answer for the first question.

I went to <Machine IP>/island/2100 and there was some you tube. As a standard Pentester , I always check the source code to see if something interesting is available. I found something with an extension .ticket and decided to enumerate more to get more information for the second question “What is the File Name You Found”?

# gobuster with extension -x .ticket

I got a specific extension green_arrow.ticket which is available in the /2100 directory. I browsed <Machine IP>/island/2100/green_arrow.ticket and found some random alpha numeric characters. I generally turn to google for help or use CyberChef — The Cyber Swiss Army Knife (0x1.gitlab.io)

# token of green_arrow ticket

I highlighted the code and searched in google if it throws up anything. Looks like Base58 decoder . We got something that seems to be a password.

The next question was what is the FTP password. I was not sure that it was the FTP password. From the previous enumeration we found something very interesting “ The Code Word is: ……..” . Now at-least we have an username and password to login using FTP.

From NMAP scan FTP (21) was an open port and I tried to login using the credentials and password and vice versa which ever worked. It is just trial and error work as I did not come across any usernames when i used enum4linux earlier as part of the enumeration scan.

I logged into the target machine using ftp <Machine IP>. I supplied the username and the password. So Now I know the FTP password which I answered the question “What is the FTP Password”.

I generally check what directories are available and also use ls -lsa to see if additional hidden files are available. The Directory command (dir.) listed three images and ls -lsa listed few hidden files/directory as shown. I have highlighted what i felt it was important. As a matter of fact I check all , note down which folders or files I have access or no access permitted.

Use the FTP “mget” command to copy the files from the target machine to your attacker machine.

# mget command

You have copied the images and the “.other_user”. The first thing what comes to my mind with images, is something hidden with the image like password or some encoded code which could be decoded to gain access. When you try to extract the hidden information using the tool “steghide”, it will ask for a passphrase. To get the passphrase , use “stegcracker” with an wordlist to reveal the passphrase. Let us try for all the three images what we transferred from the target machine and also look into what is there in .other_user.

# cat .other_user

The “other_user” reveals nothing however make a note of all the names. In penetrating testing even the smallest information can be valuable. I always highlight rather going through the text again.

Let us open the images and the images are from the arrow series. Nothing useful however let us try using steghide for all those three (3) images and check if it reveals anything. It is asking for a passphrase. Let us try stegcracker and rock_you wordlist. stegcracker will support only the following formats jpg, jpeg, bmp, wav, au. Let us change the extension from “png” to “jpg”. Follow the steps for all the images.

# steghide command
# stegcracker

Let us run stegcracker in parallel for all the images. For aa.jpg , got an passphrase.

# stegcracker

something has been written to aa.jpg.out which you need to extract. Once you extract , you can find two files in the folder. One is called “shado” and another is called “password”. We got something in shado. Let us now check what steghide reveals after supplying the passphrase password.

# Read the contents of both the files.

The steghide writes to a file “ss.zip”. Let us extract and see what is in it. It is the same content what we got in the aa.jpg.out_Files.

We got answer to the file name with SSH password : “shado”. we know the password but not the username. Remember the “.other_user” , it contained few names and one of them could be a username. It is a trial and error method. Try out all usernames (possible combination) and I was able to ssh into the system using “slade’ as username and password what we got from “shado file”.

# ssh into <Target Machine>

Execute the command as show and you will be able to retrieve the flag.

# User.txt Flag.

Try the command “ls -lsa” you can find a hidden “.Important” and I tried to read the contents of it. Just tells us to gain root privileges.

To gain root access , I have access to the machine and I could transfer LINEPEASE exploit to check all known vulnerabilities to gain root access. However before attempting basically I try to run the command “sudo -l” to check if something interesting is displayed in the screen. There are other commands that can also be executed however the basic command “sudo -l” is what was taught to me as part of the course @ HackerU.

# Reveals that slade can run commands

The next important thing what was taught to me @ HackerU is refer GTFOBINS for any commands that could help to gain root access. In GTFOBINS type “pkexec” in the search bar and immediately shows the following command can be used to gain root access.

Let us try to execute the command and check what happens. Viola !!! I got root access and generally I steady the shell using the following command

python3 -c ‘import pty;pty.spawn(“/bin/sh”)’

export TERM=xterm-256-color

Root Access

type “id” and I am root. Now I will try to retrieve the root flag which is the last question to answer as part of the task.

I learnt new things which i was not aware. Overall the box was great and it takes lot of practice to remember what steps could be used to exploit the target machine.