Lian_YU — TryHackMe Write-up

05-10 Archivist
Feb 17, 2021

A fun CTF on TryHackMe for fans of Arrow!

Reconnaissance

Fire up NMAP and let’s see the open ports on this machine

Port 80 is open and running so let’s look at the webpage first. Looks like the creator of this CTF challenge is a huge Arrow fan!

Checking the page source, there seems to be no hidden comments nor other interesting information that we can use so let’s move to enumeration.

Looks like we have two notable directories: /island and /island/2100.

Let’s see /island first

The message looks incomplete. Maybe we can see the complete text in the page source?

So the hidden word is vigilante. Actually, now knowing that they just used a white font color to hide the text, we can make it appear just by highlighting the page.

Now let’s check /island/2100

As you can see, highlighting didn’t reveal any hidden text, so let’s check the page source again

.ticket huh? Maybe, a file is hidden somewhere in this directory with a .ticket extension.

Going to http://10.10.155.102/island/2100/green_arrow.ticket we’ll see this

RTy8yhBQdscX

I really have no idea what that means. If it’s a substitution cipher, it’s hard to determine the plaintext because of the length. For this one we could use CyberChef to help us out.

!#th3h00d

It turns out that it’s Base58 encoded. So now we have another interesting string !#th3h00d

How did I know that it’s Base58? Trial and error. Is it a massive waste of time? Very much so, yes.

Remember that ports 21 and 22 are open? Maybe vigilante and !#th3h00d are the credentials!

It doesn’t work on SSH but it worked on FTP.

The first image, Leave_me_alone.png looks corrupted

Examining the hex values of the image, we’ll see that it doesn’t follow the typical starting bytes of a png image.

Before we proceed, you should know about magic bytes. Magic bytes essentially refers to “a block of arcane byte values used to designate a file type in order for applications to be able to detect whether or not the file they plan to parse and consume is of the proper format”.

You can check this and this for additional information.

Going over to Wikipedia, we can see a list of file signatures for each file type.

Fire up your preferred hex editor and let’s fix this image

See the difference from the original hex values?

Now we can see the actual image

Leave_me_alone.png
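
The magic-byte check and header repair described above, as an added example that is not part of the original write-up: it identifies a file by its leading signature and restores the 8-byte PNG signature when the IHDR chunk that follows it is still intact. The sample image and its damaged header are constructed here, and the function names are this example's own.

```python
import struct
import zlib

# Leading signatures ("magic bytes") for a few common formats.
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "zip": b"PK\x03\x04",
}
PNG_SIG = SIGNATURES["png"]


def identify(data):
    """Return the format whose signature starts the data, or None."""
    for name, sig in SIGNATURES.items():
        if data.startswith(sig):
            return name
    return None


def looks_like_png_body(data):
    """True if a 13-byte IHDR chunk sits where a PNG's first chunk belongs."""
    return data[8:16] == struct.pack(">I", 13) + b"IHDR"


def repair_png_signature(data):
    """Restore the 8-byte PNG signature when only the header was damaged."""
    if identify(data) == "png":
        return data
    if not looks_like_png_body(data):
        raise ValueError("no IHDR chunk at offset 8; not a PNG with a bad header")
    return PNG_SIG + data[8:]


def _chunk(kind, body):
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(kind + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", crc)


def make_sample_png():
    """Constructed sample: a valid 1x1 greyscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


if __name__ == "__main__":
    damaged = b"\x00" * 8 + make_sample_png()[8:]  # constructed corruption
    print(identify(damaged), "->", identify(repair_png_signature(damaged)))
```

Checking for the IHDR chunk before rewriting the header keeps the repair from turning an unrelated file into something that only claims to be a PNG.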

For the other two pictures, I tried using exiftool, binwalk, foremost, and strings on Queen’s_Gambit.png but it yielded empty results. I also tried using steghide but it says the image type is not supported.

I tried the same thing on aa.jpg and it all failed except steghide.

The password is actually the one revealed in Leave_me_alone.png. The ss.zip contains two files: shado and passwd.txt.

Trying M3tahuman on SSH fails because we still don’t have a user. Let’s see if we can find more info on FTP.

Apparently, we have another user on the system! Let’s try that on SSH now.

GOD DAMN IT WORKED.

Just a recap, we still have that Queen’s Gambit image to work with. Let’s explore this connection first.

USER.TXT

You’ll immediately see user.txt once you’re connected

ROOT.TXT

Going directly to /root is not allowed

Let’s run sudo -l to see what restrictions we have on this user

So we can run /usr/bin/pkexec as root.

I’m not really familiar with privilege escalation using pkexec so I just searched around Google and found this. Basically we need to execute /bin/sh using pkexec to elevate our privilege.

Congrats on completing this room! TIL about pkexec. Google is definitely your friend when it comes to this kind of problem.