Target the server with an nmap scan to reveal running services. Notice that ftp, ssh, and httpd are all running on standard ports. Start by viewing the web server with a browser.
Ohhh Noo, Don’t Talk……………
I wasn’t Expecting You at this Moment. I will meet you there
You should find a way to Lian_Yu as we are planed. The Code Word is:
Start by running gobuster or an equivalent tool or script using the “directory-list-2.3-medium.txt” word list or an equivalent list. Notice that we have discovered a sub-directory called “island”.
If we run another gobuster scan from the /island/ path, we will reveal another sub-directory, “2100”.
Viewing the page source for this file reveals an HTML comment referencing a file extension named “.ticket”.
Next, running gobuster from the /island/2100/ path reveals the ticket file we have been looking for (“xxx.ticket”).
Download the “xxx.ticket” file and view its contents.
Take the token found in the xxx.ticket and use base58 to decode it.
Once you have the decoded result from the xxx.ticket, use its contents to log onto the ftp server using the username collected earlier, “vigilante”.
After reviewing the file list and hidden directories, we see that there is an “aa.jpg” file. Because steghide can be used to embed data in a JPG file (steganography), we will GET that file.
Let’s use “stegseek”, which claims to be the fastest steghide password cracker (rockyou.txt in 2 seconds).
sudo apt install ./stegseek_0.6-1.deb
Notice that the extraction has finished and that an output file named ss.zip has been extracted. Unzip the .out output file and review the contents.
Check the FTP server again for another username.
Using the password discovered in the file “shado”, which was extracted with stegseek, log in to SSH as the user “slade”.
You will find the user.txt FLAG after login.
A review of slade’s sudo permissions (sudo -l) reveals that this user can execute pkexec as the root user.
pkexec allows an authorized user to execute PROGRAM as another user. If PROGRAM is not specified, the default shell will be run. If username is not specified, then the program will be executed as the administrative super user, root.
Once you have a root shell, find the FLAG under the root user directory.
Latest posts by Jesse Shelley (see all)