Lian_YU — TryHackMe Write-up
A fun CTF on TryHackMe for fans of Arrow!
Fire up NMAP and let’s see the open ports on this machine
Port 80 is open and running so let’s look at the webpage first. Looks like the creator of this CTF challenge is a huge Arrow fan!
Checking the page source, there seems to be no hidden comments nor other interesting information that we can use so let’s move to enumeration.
Looks like we have two notable directories;
The message looks incomplete. Maybe we can see the complete text in the page source?
So the hidden word is
vigilante. Actually, now knowing that they just used a white font color to hide the text, we can make it appear just by highlighting the page.
Now let’s check
As you can see, highlighting didn’t reveal any hidden texts so let’s check the page source again
.ticket huh? Maybe, a file is hidden somewhere in this directory with a
http://10.10.155.102/island/2100/green_arrow.ticket we’ll see this
I really have no idea what that means. If it’s a substitution cipher, it’s hard to determine the plaintext because of the length. For this one we could use CyberChef to help us out.
It turns out that it’s Base58 encoded. So now we have another interesting string
How did I know that it’s Base58? Trial and error. Is it a massive waste of time? Very much so, yes.
Remember that ports 21 and 22 are open? Maybe
!#th3h00d are the credentials!
It doesn’t work on SSH but it worked on FTP.
The first image,
Leave_me_alone.png looks corrupted
Examining the hex values of the image, we’ll see that it doesn’t follow the typical starting bytes of a png image.
Before we proceed, you should know about magic bytes. Magic bytes essentially refers to “a block of arcane byte values used to designate a file type in order for applications to be able to detect whether or not the file they plan to parse and consume is of the proper format”.
You can check this and this for additional information.
Going over to Wikipedia, we can see a list of file signature for each file type.
Fire up your preferred hex editor and let’s fix this image
See the difference from the original hex values?
Now we can see the actual image
For the other two pictures, I tried using exiftool, binwalk, foremost, and strings on
Queen’s_Gambit.png but it yielded empty results. I also tried using steghide but it says the image type is not supported.
I tried the same thing on
aa.jpg and it all failed except steghide.
The password is actually the revealed on
Leave_me_alone.png. The ss.zip contains two files;
M3tahuman on SSH fails because we still don’t have a user. Let’s see if we can find more info on FTP.
Apparently, we have another user on the system! let’s try that on SSH now.
GOD DAMN IT WORKED.
Just a recap, we still have that Queen’s Gambit image to work with. Let’s explore this connection first.
You’ll immediately the user.txt once you connected
Going directly to
/root is not allowed
sudo -l to see what restrictions we have on this user
So we can run /usr/bin/pkexec as root.
I’m nor really familiar about privilege escalation using pkexec so I just searched around google and found this. Basically we need to execute /bin/sh using pkexec to elevate our privilege.
Congrats on completing this room! TIL about pkexec. Google is definitely your friend when it comes to this kind of problems.