CTF-Writeups/TryHackMe/LianYUCTF.md
2020-10-05 18:57:57 +05:00

TryHackMe-Lian_YU CTF

Abdullah Rizwan, 1 September, 12:09 PM

NMAP

export IP=10.10.209.95
nmap -sC -sV $IP

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-01 12:09 EDT
Nmap scan report for 10.10.209.95
Host is up (0.18s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE VERSION
21/tcp  open  ftp     vsftpd 3.0.2
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
| ssh-hostkey:
|   1024 56:50:bd:11:ef:d4:ac:56:32:c3:ee:73:3e:de:87:f4 (DSA)
|   2048 39:6f:3a:9c:b6:2d:ad:0c:d8:6d:be:77:13:07:25:d6 (RSA)
|   256 a6:69:96:d7:6d:61:27:96:7e:bb:9f:83:60:1b:52:12 (ECDSA)
|_  256 3f:43:76:75:a8:5a:a6:cd:33:b0:66:42:04:91:fe:a0 (ED25519)
80/tcp  open  http    Apache httpd
|_http-server-header: Apache
|_http-title: Purgatory
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          37515/tcp   status
|   100024  1          40883/udp   status
|   100024  1          45950/tcp6  status
|_  100024  1          59637/udp6  status
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

There wasn't anything useful on the web page, but when I ran a directory brute force I found some interesting directories.

Dirbuster

When we visit that page we see nothing but text, but if we select all the text or look at the source we can find the code word vigilante.

Then, continuing the directory brute force, I was able to find the /island/2100 directory.

Now it's giving us a hint that there is a .ticket file, so we can do directory busting again, but this time I'll use gobuster.

Gobuster

We can see an encoded message, RTy8yhBQdscX, and also a name, Gambit.

Searching for this encoded text on Google returns a result telling us that it is Base58 encoded.
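The Base58 identification can also be checked offline instead of relying on a search result. The following Python is an added example, not part of the original writeup; it assumes the Bitcoin Base58 alphabet, and the function names are illustrative.

```python
# Added example: Base58 check and decode (Bitcoin alphabet is an assumption).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_INDEX = {ch: i for i, ch in enumerate(B58_ALPHABET)}


def looks_like_base58(text: str) -> bool:
    """True if every character is in the Base58 alphabet.

    Base58 omits 0, O, I and l, and has no '+', '/' or '=' padding,
    which is what separates it from Base64 at a glance.
    """
    return bool(text) and all(ch in B58_INDEX for ch in text)


def b58decode(text: str) -> bytes:
    """Decode a Base58 string to bytes; ValueError on foreign characters."""
    num = 0
    for pos, ch in enumerate(text):
        if ch not in B58_INDEX:
            raise ValueError(f"character {ch!r} at offset {pos} is not Base58")
        num = num * 58 + B58_INDEX[ch]
    # Each leading '1' stands for one leading zero byte the integer loses.
    pad = len(text) - len(text.lstrip("1"))
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    return b"\x00" * pad + body


def b58encode(data: bytes) -> str:
    """Inverse of b58decode, used to confirm that a decode round-trips."""
    num = int.from_bytes(data, "big")
    out = ""
    while num:
        num, rem = divmod(num, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


if __name__ == "__main__":
    ticket = "RTy8yhBQdscX"  # string quoted in the writeup
    decoded = b58decode(ticket)
    print(looks_like_base58(ticket), decoded, b58encode(decoded) == ticket)
```

A clean round-trip and printable output are a good sign the encoding guess was right; a wrong guess usually yields non-printable bytes.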

FTP

We logged in to FTP with username vigilante and password !#th3h00d.

Here we can find 3 images.

On looking at Leave_Me_Alone.png, it gives us an error.

Here the header of the PNG file is incorrect. Change the header of the image using hexedit, then press Ctrl+X to save.

Now the file format is correct, so let's look at the image.

We can also find another user named slade, so that password could belong to that user.

I tried to use stegcracker to see if there was any file hidden in any of the images.

I got two text files from aa.png.

And we logged in as slade with the password from the shado file.

Privilege Escalation

We got root.