Note: I've somewhat hidden spoilers (actual flags or passwords), replacing them with *
Enumeration
Scan with nmap
kali@kali:~/ctf/thm/lian_yu$ nmap -sV 10.10.63.57
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-19 10:15 UTC
Nmap scan report for 10.10.63.57
Host is up (0.16s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
80/tcp open http Apache httpd
111/tcp open rpcbind 2-4 (RPC #100000)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.73 seconds
Scan with nikto
I ran a scan with nikto, but it didn't really point out anything we couldn't deduce from the other methods. Gobuster was going to prove to be more useful.
kali@kali:~/ctf/thm/lian_yu$ nikto -host http://10.10.28.130
- Nikto v2.1.6---------------------------------------------------------------------------
+ Target IP: 10.10.28.130
+ Target Hostname: 10.10.28.130
+ Target Port: 80
+ Start Time: 2020-09-20 10:14:45 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 9ca, size: 5a47e9947b000, mtime: gzip
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7889 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time: 2020-09-20 10:52:28 (GMT0) (2263 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Scan with Gobuster
kali@kali:~/ctf/thm/lian_yu$ gobuster dir --url http://10.10.28.130 --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.28.130
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/09/20 10:37:00 Starting gobuster
===============================================================
/****** (Status: 301)
/******-****** (Status: 403)
Gobuster finds a directory named ******, which shows a page with some "hidden" text. But unfortunately, that's not the name of the directory the challenge is looking for. Well, what about directories under that directory? If we run gobuster again with that new url, we find what we're looking for. I probably could have saved myself some time by telling gobuster to follow redirects with the -r option.
After further directory scanning, I decided I'd found what I could with that methodology. The source of the page we managed to find with a nice intro video from the show in which the main character is introduced has an interesting reference to .ticket:
<!DOCTYPE html>
<html>
<body>
<h1 align=center>How Oliver Queen finds his way to Lian_Yu?</h1>
<p align=center >
<iframe width="640" height="480" src="https://www.youtube.com/embed/X8ZiFuW41yY">
</iframe> <p>
<!-- you can avail your .ticket here but how? -->
</header>
</body>
</html>
I wonder what that's all about? There is no mention of a ticket in the video, nor any direct reference to how Ollie found his way to the island of Lian Yu.
Quickly check anonymous FTP
kali@kali:~$ ftp 10.10.63.57
Connected to 10.10.63.57.
220 (vsFTPd 3.0.2)
Name (10.10.63.57:kali): anonymous
530 Permission denied.
Login failed.
ftp>
Oh well, it was worth a shot.
3 days later
I had to cheat here and peek at another writeup. It turns out the secret is in the same wordlist I had been using with gobuster before for finding directories. I should have just stuck with what was working for all the other brute forcing.
/******/****/*****_*****.ticket
This is just a token to get into Queen's Gambit(Ship)
************
BASE-58 Decode
Yep, base 58. Never would have guessed it. That gives us the ftp password.
Ok, at least from here on out I could figure out the steps. I think I was suffering from brute force fatigue. I really find the brute forcing to be not so fun, but it definitely works on this challenge.
FTP
kali@kali:~/ctf/thm/lian_yu$ ftp 10.10.212.194
Connected to 10.10.212.194.
220 (vsFTPd 3.0.2)
Name (10.10.212.194:kali): *********
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -a
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 1001 1001 4096 May 05 11:10 .
drwxr-xr-x 4 0 0 4096 May 01 05:38 ..
-rw------- 1 1001 1001 44 May 01 07:13 .bash_history
-rw-r--r-- 1 1001 1001 220 May 01 05:38 .bash_logout
-rw-r--r-- 1 1001 1001 3515 May 01 05:38 .bashrc
-rw-r--r-- 1 0 0 2483 May 01 07:07 .other_user
-rw-r--r-- 1 1001 1001 675 May 01 05:38 .profile
-rw-r--r-- 1 0 0 511720 May 01 03:26 Leave_me_alone.png
-rw-r--r-- 1 0 0 549924 May 05 11:10 Queen's_Gambit.png
-rw-r--r-- 1 0 0 191026 May 01 03:25 aa.jpg
226 Directory send OK.
ftp> cd slade
550 Failed to change directory.
.bash_history:
Sorry I couldn't Help Other user Might help
.other_user:
Slade Wilson was 16 years old when he enlisted in the United States Army, having lied about his age. After serving a stint in Korea, he was later assigned to Camp Washington where he had been promoted to the rank of major. In the early
1960s, he met Captain Adeline Kane, who was tasked with training young soldiers in new fighting techniques in anticipation of brewing troubles taking place in Vietnam. Kane was amazed at how skilled Slade was and how quickly he adapte
d to modern conventions of warfare. She immediately fell in love with him and realized that he was without a doubt the most able-bodied combatant that she had ever encountered. She offered to privately train Slade in guerrilla warfare.
In less than a year, Slade mastered every fighting form presented to him and was soon promoted to the rank of lieutenant colonel. Six months later, Adeline and he were married and she became pregnant with their first child. The war in
Vietnam began to escalate and Slade was shipped overseas. In the war, his unit massacred a village, an event which sickened him. He was also rescued by SAS member Wintergreen, to whom he would later return the favor.
Chosen for a secret experiment, the Army imbued him with enhanced physical powers in an attempt to create metahuman super-soldiers for the U.S. military. Deathstroke became a mercenary soon after the experiment when he defied orders an
d rescued his friend Wintergreen, who had been sent on a suicide mission by a commanding officer with a grudge.[7] However, Slade kept this career secret from his family, even though his wife was an expert military combat instructor.
A criminal named the Jackal took his younger son Joseph Wilson hostage to force Slade to divulge the name of a client who had hired him as an assassin. Slade refused, claiming it was against his personal honor code. He attacked and kil
led the kidnappers at the rendezvous. Unfortunately, Joseph's throat was slashed by one of the criminals before Slade could prevent it, destroying Joseph's vocal cords and rendering him mute.
After taking Joseph to the hospital, Adeline was enraged at his endangerment of her son and tried to kill Slade by shooting him, but only managed to destroy his right eye. Afterwards, his confidence in his physical abilities was such t
hat he made no secret of his impaired vision, marked by his mask which has a black, featureless half covering his lost right eye. Without his mask, Slade wears an eyepatch to cover his eye.
One of the image files is malformed, Leave_me_alone.png doesn't start with the correct PNG header format. Fixing that makes the image displayable. It contains a password for extracting a zip file in aa.jpg
Extract with steghide
Run steghide on aa.jpg and retrieve a zip file containing a file with another password. This is the password for the slade account, so now we can ssh in as that user.
SSH
Once logged in via ssh, that also means we can easily transfer files. scp linpeas over to the box and let it see what it finds.
While scrolling through the output from that the word "secret" caught my eye in files that are readable. It turns out there is also a hint to look for Secret_Mission in the .bash_histoty for the slade user.
slade@LianYu:~$ cat /***/***/S*****_M******
Why do we need Mirakuru?
Enhancements to strength, senses, stamina and endurance in particular were raised beyond human capability, while reflexes and agility where raised only to the peak of human capability. Primarily, the serum resulted in the subject developing an accelerated healing factor that allowed them to recover completely from the most crippling, debilitating, and grievous of wounds, so long as any injuries were not immediately fatal or if an entire body part or organ were not lost; for example, the drug didn't keep Isabel Rochev from dying when her neck was snapped by Nyssa. Slade Wilson was also unable to regenerate his eye after it was pierced with an arrow, however this may be due to the arrow being left in his eye while the Mirakuru in his system became dormant.
super powers do you need just go find it.
"Super powers" eh? Well, sudo, su, and the root user come to mind. Can we run anything with sudo? To find out we can use the -l (for list) option:
-l, --list If no command is specified, list the allowed (and forbidden) commands for the invoking user (or the user specified by the -U option) on the current host. A longer list format is used if this
option is specified multiple times and the security policy supports a verbose output format.
If a command is specified and is permitted by the security policy, the fully-qualified path to the command is displayed along with any command line arguments. If a command is specified but not
allowed by the policy, sudo will exit with a status value of 1.
slade@LianYu:~$ sudo -l
[sudo] password for slade:
Matching Defaults entries for slade on LianYu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User slade may run the following commands on LianYu:
(root) PASSWD: /usr/bin/pkexec
So we can run pkexec? Well that's easy enough:
slade@LianYu:~$ sudo pkexec cat /root/root.txt
Mission accomplished
You are injected me with Mirakuru:) ---> Now slade Will become DEATHSTROKE.
THM{**_****_**_**_****_**_*_******_****_********_****_**_****_**_*********_**_*'**_**_****}
--DEATHSTROKE
Let me know your comments about this machine :)
I will be available @twitter @User6825