Lian_YU — TryHackMe Write-up
A fun CTF on TryHackMe for fans of Arrow!
Reconnaissance
Fire up NMAP and let’s see the open ports on this machine
Port 80 is open and running so let’s look at the webpage first. Looks like the creator of this CTF challenge is a huge Arrow fan!
Checking the page source, there seems to be no hidden comments nor other interesting information that we can use so let’s move to enumeration.
Looks like we have two notable directories: /island and /island/2100.
Let’s see /island first.
The message looks incomplete. Maybe we can see the complete text in the page source?
So the hidden word is vigilante. Actually, now knowing that they just used a white font color to hide the text, we can make it appear just by highlighting the page.
Now let’s check /island/2100
As you can see, highlighting didn’t reveal any hidden text, so let’s check the page source again.
.ticket huh? Maybe a file is hidden somewhere in this directory with a .ticket extension.
Going to http://10.10.155.102/island/2100/green_arrow.ticket we’ll see this
I really have no idea what that means. If it’s a substitution cipher, it’s hard to determine the plaintext because of the length. For this one we could use CyberChef to help us out.
It turns out that it’s Base58 encoded. So now we have another interesting string: !#th3h00d
How did I know that it’s Base58? Trial and error. Is it a massive waste of time? Very much so, yes.
Remember that ports 21 and 22 are open? Maybe vigilante and !#th3h00d are the credentials!
It doesn’t work on SSH but it worked on FTP.
The first image, Leave_me_alone.png, looks corrupted.
Examining the hex values of the image, we’ll see that it doesn’t follow the typical starting bytes of a PNG image.
Before we proceed, you should know about magic bytes. Magic bytes essentially refer to “a block of arcane byte values used to designate a file type in order for applications to be able to detect whether or not the file they plan to parse and consume is of the proper format”.
You can check this and this for additional information.
Going over to Wikipedia, we can see a list of file signatures for each file type.
Fire up your preferred hex editor and let’s fix this image
See the difference from the original hex values?
Now we can see the actual image
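As an added example (my own script, not the author’s), here is the hex-editor fix from above done in Python: it checks a file’s magic bytes against the PNG, JPEG and ZIP signatures, walks the PNG chunk CRCs to confirm that only the 8-byte signature was clobbered, and rewrites it. The 1x1 sample PNG and the filename argument are constructed for illustration.

```python
import struct
import sys
import zlib

# File signatures (magic bytes) for the formats this room touches.
SIGNATURES = {"png": b"\x89PNG\r\n\x1a\n", "jpeg": b"\xff\xd8\xff", "zip": b"PK\x03\x04"}
PNG_SIG = SIGNATURES["png"]

def identify(data: bytes):
    """Return the format whose signature the data starts with, or None."""
    for name, sig in SIGNATURES.items():
        if data.startswith(sig):
            return name
    return None

def png_chunks_ok(data: bytes) -> bool:
    """Walk the chunks after the 8-byte signature and verify every CRC up to IEND.
    Bad signature but intact chunks means only the header was clobbered, the case a hex editor fixes."""
    pos = 8
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        end = pos + 12 + length
        if end > len(data):
            return False
        ctype, body = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != struct.unpack(">I", data[end - 4:end])[0]:
            return False
        if ctype == b"IEND":
            return True
        pos = end
    return False

def repair_png_signature(data: bytes) -> bytes:
    """Rewrite the first 8 bytes; refuse when the damage goes beyond the signature."""
    if not png_chunks_ok(data):
        raise ValueError("chunk data is corrupt too; fixing the signature alone will not help")
    return PNG_SIG + data[8:]

def make_sample_png() -> bytes:
    """Constructed 1x1 RGB PNG used as sample input (not the CTF's image)."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, RGB, no interlace
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00")) + chunk(b"IEND", b"")

if __name__ == "__main__":  # usage: python fix_png.py Leave_me_alone.png
    raw = open(sys.argv[1], "rb").read()
    print("detected:", identify(raw))
    open(sys.argv[1] + ".fixed", "wb").write(repair_png_signature(raw))
```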
For the other two pictures, I tried using exiftool, binwalk, foremost, and strings on Queen’s_Gambit.png but it yielded empty results. I also tried using steghide but it says the image type is not supported.
I tried the same thing on aa.jpg and it all failed except steghide.
The password is actually the one revealed on Leave_me_alone.png. The ss.zip contains two files: shado and passwd.txt.
Trying M3tahuman on SSH fails because we still don’t have a user. Let’s see if we can find more info on FTP.
Apparently, we have another user on the system! Let’s try that on SSH now.
GOD DAMN IT WORKED.
Just a recap, we still have that Queen’s Gambit image to work with. Let’s explore this connection first.
USER.TXT
You’ll immediately see user.txt once you connect.
ROOT.TXT
Going directly to /root is not allowed.
Let’s run sudo -l to see what restrictions we have on this user.
So we can run /usr/bin/pkexec as root.
I’m not really familiar with privilege escalation using pkexec, so I just searched around Google and found this. Basically we need to execute /bin/sh using pkexec to elevate our privilege.
Congrats on completing this room! TIL about pkexec. Google is definitely your friend when it comes to these kinds of problems.