This post is a walkthrough of an Arrowverse themed beginner CTF box on Tryhackme.
Let’s get started by deploying the machine. Now, after deploying the machine, start with a basic Nmap scan and see which ports and services are open and running on the particular IP address.
Port 80 is open and running so let’s look at the webpage first. Looks like the creator of this CTF challenge is a huge Arrow fan!
The First step is to check the page source and robots.txt but no interesting information found there, so let’s move to enumeration.
gobuster dir -u http://10.10.112.241/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Looks like we have found a directory /island let’s look at it.
The webpage looks like this at first instance but when I saw the source code I realized the the code word is also given in the but is in the white text.
So here we got our code word vigilante which just appeared by highlighting the page.
I then ran gobuster again with the addition of the new directory I had found:
gobuster dir -u http://10.10.112.241/island/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Now let’s check /island/2100
There is nothing relevant on the page here so let’s check the source code maybe we will find something interesting there.
It is telling something about .ticket it might be a hidden directory or a .ticket extension, I then ran gobuster once more, but this time, I ran with an extension:
gobuster dir -u <http://10.10.112.241/island/2100> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .ticket
Going to http://10.10.112.241/island/2100/green_arrow.ticket we’ll see this
The text in the picture is a password of some sort, lets use CyberChef to decode it.
After analyzing a bit I got to know it was a base58 cipher.
So now we have another interesting string !#th3h00d.
Remember that ports 21 and 22 are open? Maybe
!#th3h00d are the credentials!
It doesn’t work on SSH but it worked on FTP.
Here I can see 4 files I need to get: The 2 PNGs, the one JPG, and the last file was the “.other user” file. I downloaded all of them using “mget *”. This should download all the files to your local directory.
Reading the “.other user”, I came across this:
Here I can see various names, which could be potential usernames and/or passwords. One main name was “Slade” was what stuck out to me.
But then I moved on to analyze the images that I downloaded on my local machine. The first image, Leave_me_alone.png looks corrupted.
Examining the hex values of the image, we’ll see that it doesn’t follow the typical starting bytes of a png image.
Now we could easily repair this by adding the png magic bytes at the beginning. If you have no idea about what magic bytes are you can check this.
Going over to Wikipedia, we can see a list of file signature for each file type.
Fire up your preferred hex editor and let’s fix this image.
Now after saving this image we will open the image.
Now we have a password but it does not look like the ssh one as I tried using it there. We have another image named aa.jpg. So we will try to extract information with Steghide with the password mentioned.
steghide --extract -sf a.jpg -p password
Steghide revealed two files passwd.txt and shado, viewing both the files.
And shadow.txt contained the word M3tahuman.
I then entered the username, Slade, with password M3tahuman on the ssh and got into the box.
Once I got into the box I simply did find command to find the user.txt flag and submitted it on Tryhackme.
I then had to upgrade my privileges to root. To do this I ran “sudo -l”. This command lets you know what commands our user can do as the root user.
Here it can be seen that the command I can run as root is “pkexec”. I then went to https://gtfobins.github.io/ in order to find out how I can use this command to get to root.
I found a command on GTFO bins to get me the root.
Reading the root.txt file, I saw the last flag and was able to complete the box!. For more writeups like this you can click here.