Room link : https://tryhackme.com/room/lianyu
nmap -sC -sV 10.10.228.22
Ports found ---
port 21/tcp - FTP - (vsftpd 3.0.2)
port 22/tcp - SSH - (OpenSSH 6.7p1)
port 80/tcp - HTTP - (Apache httpd)
port 111/tcp - RPC - (rpcbind)
Visit the IP
Now run gobuster to find hidden directories.
gobuster dir -u http://10.10.228.22/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
Found a directory : /island
Now go to the browser and open http://10.10.228.22/island
Found out the Code Word by highlighting the page text or viewing the page source.
Code Word - 'vigilante' - (this is our FTP username)
Again run gobuster on the /island directory to discover a further directory.
gobuster dir -u http://10.10.228.22/island -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
Here we found another directory : /2100 -- (What is the Web Directory you found?)
Now do the same again: go to the browser and open http://10.10.228.22/island/2100
View the page source --
Here it says there is a file with a '.ticket' extension.
Now again run gobuster to look for files with a '.ticket' extension.
gobuster dir --url 10.10.228.22/island/2100 --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .ticket
Found a file : /green_arrow.ticket -- (what is the file name you found?)
Again go to the browser and open http://10.10.228.22/island/2100/green_arrow.ticket
Seems we found an encoded string : 'RTy8yhBQdscX' . So now let's try to decode it ---
Go to https://gchq.github.io/CyberChef/
Use 'FromBase58' to decode it.
Seems like we have decoded it : '!#th3h00d' - This is the FTP Password. -- (what is the FTP Password?)
Now that we have the username and password ---
Username - vigilante
password - !#th3h00d
We can log in to the FTP service -
We got two users: 'vigilante' and 'slade' .
Also found 3 image files on the server. Download them to your system --- Follow the commands below to download the files --
Now view the image files and we see that 'Leave.me.alone.png' will not open.
exiftool also reports 'File Format error'.
Checking the file header of the image, we found that the PNG signature bytes are wrong.
The correct header -- https://en.wikipedia.org/wiki/Portable_Network_Graphics
Now let's change it --
Now you can open the image file. Here you get a password : 'password'
Now let's use steghide to extract any hidden files from the other image files.
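To show what the header repair step actually does, here is an added Python example (not part of the original walkthrough) that checks the 8-byte PNG signature, confirms via the IHDR chunk and its CRC that the rest of the file really is a PNG, and then rewrites only the signature. The sample bytes are constructed inside the script; no room file is read.

```python
import struct
import zlib

# Canonical 8-byte PNG file signature (see the Wikipedia page linked above).
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def signature_ok(data: bytes) -> bool:
    """True if the file starts with the exact PNG signature."""
    return data[:8] == PNG_SIGNATURE


def first_chunk_ok(data: bytes) -> bool:
    """Verify the first chunk after the signature is a 13-byte IHDR with a matching CRC.
    A good IHDR is strong evidence the body is a real PNG and only the signature is damaged."""
    if len(data) < 8 + 8 + 13 + 4:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return False
    body = data[16:16 + length]
    stored_crc = struct.unpack(">I", data[16 + length:20 + length])[0]
    # PNG CRCs cover the chunk type and chunk data, not the length field.
    return (zlib.crc32(ctype + body) & 0xFFFFFFFF) == stored_crc


def repair_signature(data: bytes) -> bytes:
    """Return a copy with the signature rewritten and everything else untouched.
    Refuse if IHDR does not check out: then the file is not a PNG with a broken header,
    and overwriting bytes would only hide the real problem."""
    if not first_chunk_ok(data):
        raise ValueError("IHDR missing or CRC mismatch: not a PNG with a damaged signature")
    return PNG_SIGNATURE + data[8:]


def make_sample(corrupt: bool) -> bytes:
    """Constructed sample: signature plus IHDR for a 1x1 8-bit RGB image,
    optionally with the signature wrecked the way a tampered file might be."""
    ihdr_body = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    crc = struct.pack(">I", zlib.crc32(b"IHDR" + ihdr_body) & 0xFFFFFFFF)
    ihdr = struct.pack(">I", 13) + b"IHDR" + ihdr_body + crc
    sig = b"\x00PNG\x00\x00\x1a\n" if corrupt else PNG_SIGNATURE
    return sig + ihdr


if __name__ == "__main__":
    broken = make_sample(corrupt=True)
    print("signature ok before:", signature_ok(broken))
    fixed = repair_signature(broken)
    print("signature ok after: ", signature_ok(fixed))
```

The same check is worth running before trusting any image an analyst pulls off a host: a bad signature with a valid IHDR points to deliberate header tampering rather than random corruption.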
steghide extract -sf aa.jpg
Using the password 'password' we got earlier, steghide successfully extracted a ss.zip file from the .jpg.
Unzipping ss.zip, we found a 'passwd.txt' and a 'shado' file.
Now cat the 'shado' file and you get a password : 'M3tahuman' -- (ssh password) --- (what is the file name with SSH password?)
Now that we have the SSH password we can log in --
User - slade
password - M3tahuman
Now that you're logged in, look for the user.txt flag --
slade@LianYu:~$ ls
user.txt
user.txt - 'THM{P30P7E_K33P_53CRET5__C0MPUT3R5_D0N'T}'
To find which commands we can run with root privileges we can run: ---
sudo -l
After running sudo -l, it will ask for slade's password again -- use the same password - 'M3tahuman'.
Now you see it says we can run 'pkexec' with root privileges ---- So we can launch the '/bin/sh' program as root through it & get root access.
sudo pkexec /bin/sh
root.txt - 'THM{MY_W0RD_I5_MY_B0ND_IF_I_ACC3PT_YOUR_CONTRACT_THEN_IT_WILL_BE_COMPL3TED_OR_I'LL_BE_D34D}'
Submit the flags
What is the pkexec vulnerability?
-- A vulnerability (CVE-2021-4034) in Polkit's pkexec has been weaponized in the wild. This vulnerability is present in the default configuration of all major Linux distributions and can be exploited to gain full root privileges on the system. Red Hat is aware of a vulnerability found in pkexec that allows an authenticated user to perform a privilege escalation attack.
I hope this was helpful.
thanks.
Answer the questions below
Deploy the VM and Start the Enumeration.
--No answer needed
What is the Web Directory you found?
-- 2100
what is the file name you found?
--green_arrow.ticket
what is the FTP Password?
--!#th3h00d
what is the file name with SSH password?
--shado
user.txt
--THM{P30P7E_K33P_53CRET5__C0MPUT3R5_D0N'T}
root.txt
--THM{MY_W0RD_I5_MY_B0ND_IF_I_ACC3PT_YOUR_CONTRACT_THEN_IT_WILL_BE_COMPL3TED_OR_I'LL_BE_D34D}