Lian_Yu

Penetration Testing Methodology

Reconnaissance

nmap

Enumeration

Directory enumeration using gobuster and dirbuster

Exploitation

steghide

Privilege Escalation

pkexec

Capturing the flag

user.txt
root.txt

Walkthrough

nmap -A 10.10.24.60

From the nmap scanning. I found that 4 port open. Which is

21 (ftp)
22 (ssh)
80 (http)
111 (rpc)

I browse the given IP address.

But, there is nothing interesting. So, I decide to enumerate the directory. By using dirbuster. (Dirbuster: http://10.10.24.60/)

I get new directory. (http://10.10.24.60/island/)

There is code word: vigilante (not sure for what. So I gonna save it for now.)

I run dirbuster again. (Dirbuster: http://10.10.24.60/island/) because I still dont have any other clue.

New directory was found. (http://10.10.24.60/island/2100/). There is hint (.ticket). This hint for us to do another dir enumeration for extension .ticket. This time i gonna use gobuster. Gobuster make it easy for me to specify the extension that i need.

gobuster dir -u 10.10.24.60/island/2100 -w /root/List/directory-list-2.3-medium.txt -x .ticket

Okay, we got successfully got another one. (http://10.10.24.60/island/2100/green_arrow.ticket)

We are given a token RTy8yhBQdscX. Seems like this token was encrypt by something. Fire up CyberChef to decrypt our token. After trying, I found that, it was encrypt by Base58.

Output: !#th3h00d

So, I think we have got username and password. Maybe for ftp?

ftp 10.10.24.60

Username: vigilante Password: !#th3h00d

Ok, we are in. So, lets dive in. What can we get in here?..

ls -al

list all directory or file

get file

download file into our system

So, after ls -al. we can see that, there is 3 image. (Leave_me_alone.png, Queen's Gambit.png and aa.jpg). After download all the file, I try to check each one of it. I have a problem to open Leave_me_alone.png. So, I decide to check the hex using HxD

I search the header for PNG. To compare with our picture.

Seems like we have a wrong header. Repair and save. TA_DAA!!

He, gave us "password". Is it a password for something? Like ssh.... or.. need to be used for other image? Like steghide??? So, I try steghide for both Queen's Gambit.png and aa.jpg. Success for aa.jpg.

steghide extract -sf aa.jpg

unzip ss.zip

Unzip the file, give us passwd and shado file.

cat file

We get like a password for shado. And "message" from passwd.txt. I felt im on the dead route. If M3tahuman is really a password. But, where can we get the username??

So, I decide to open ftp again using gftp. I get that there is another user other than vigilante. (/home/vigilante to /home discovered that there is 2 user). Which is slade and vigilante.