CTF-Writeups/TryHackMe/LianYUCTF.md

136 lines
3.7 KiB
Markdown
Raw Normal View History

2020-10-05 13:57:57 +00:00
# TryHackMe-Lian_YU CTF
Abdullah Rizwan , 1 spetember , 12:09 PM
## NMAP
```
export IP=10.10.209.95
```
```
nmap -sC -sV $IP
```
```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-01 12:09 EDT
Nmap scan report for 10.10.209.95
Host is up (0.18s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
| ssh-hostkey:
| 1024 56:50:bd:11:ef:d4:ac:56:32:c3:ee:73:3e:de:87:f4 (DSA)
| 2048 39:6f:3a:9c:b6:2d:ad:0c:d8:6d:be:77:13:07:25:d6 (RSA)
| 256 a6:69:96:d7:6d:61:27:96:7e:bb:9f:83:60:1b:52:12 (ECDSA)
|_ 256 3f:43:76:75:a8:5a:a6:cd:33:b0:66:42:04:91:fe:a0 (ED25519)
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Purgatory
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 37515/tcp status
| 100024 1 40883/udp status
| 100024 1 45950/tcp6 status
|_ 100024 1 59637/udp6 status
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```
<img src = "https://i.imgur.com/rF974M7.png" />
There wasn't anything useful on the web page but when I did directory force I found some interesting directories.
## Dirbuster
<img src = "https://i.imgur.com/pBVxwCR.png"/>
When we visit that page we see nothing but text but if we select all the text or look at the source we can find the code word `vigilante`.
<img src = "https://i.imgur.com/pBVxwCR.png"/>
<img src = "https://i.imgur.com/GADOifV.png"/>
Then continuing directory brute force i was able to find `/island/2100` directory
<img src ="https://i.imgur.com/FSxzDVf.png"/>
<img src = "https://i.imgur.com/k7KMl73.png"/>
Now it's giving us a hint that there is a `.ticket` file so we can again do directory busting but this time I'll use `gobuster`
## Gobuster
<img src ="https://i.imgur.com/amDxyjb.png"/>
<img src ="https://i.imgur.com/ui60A9L.png"/>
we can see an encoded message `RTy8yhBQdscX` also a name `Gambit`.
By searching this encoded text on google we will come up with the result telling us that this is base58 encoded
<img src="https://i.imgur.com/sCaR5pV.png"/>
## FTP
We logged in to ftp with user name `vigilante` and password `!#th3h00d`.
<img src="https://i.imgur.com/0tXp8su.png"/>
<img src="https://i.imgur.com/ecnlNV3.png"/>
Here we can find 3 images.
<img src="https://i.imgur.com/nZarsYG.png"/>
on looking at `Leave_Me_Alone.png` it gives us an error.
<img src="https://i.imgur.com/YifTluj.png"/>
<img src="https://i.imgur.com/rJAT3rD.png"/>
Here the header of png file is incorrect. Change the header of the image by using `hexedit`.
Then press `ctrl+x` to save.
<img src="https://i.imgur.com/48Xl2Tx.png"/>
Now the file format is correct and now let's the image.
<img src="https://i.imgur.com/0JJfqFW.png"/>
<img src="https://i.imgur.com/xlTOwHc.png"/>
<img src="https://i.imgur.com/AgmzlEm.png"/>
We can also find another user named `slade` so that `Password` can be of that user.
<img src="https://i.imgur.com/zZntQfC.png"/>
I tried to use `stegcracker` to view if there was any fild hidden with any of the images.
<img src="https://i.imgur.com/1jOV6SY.png"/>
I got two text files from `aa.png`.
<img src="https://i.imgur.com/1eescpT.png"/>
And we logged in with `slade` with the password from `shado` file.
## Privilege Escalation
<img src="https://i.imgur.com/lq2kLzB.png"/>
<img src="https://i.imgur.com/Y0pWC0X.png"/>
We got root
<img src="https://i.imgur.com/4o0I9ow.png"/>