![Lian_Yu: TryHackme Walkthrough 1 tryhackme](https://www.meusec.com/wp-content/uploads/2021/05/lian-1024x332.png)
This post is a walkthrough of an Arrowverse-themed beginner CTF box on TryHackMe.
Let’s get started by deploying the machine. Now, after deploying the machine, start with a basic Nmap scan and see which ports and services are open and running on the particular IP address.
Nmap Scan
![Lian_Yu: TryHackme Walkthrough 2 Nmap Scan](https://www.meusec.com/wp-content/uploads/2021/05/nmap.png)
Port 80 is open and running so let’s look at the webpage first. Looks like the creator of this CTF challenge is a huge Arrow fan!
![Lian_Yu: TryHackme Walkthrough 3 arrow](https://www.meusec.com/wp-content/uploads/2021/05/arrow.png)
The first step is to check the page source and robots.txt, but there was no interesting information there, so let’s move on to enumeration.
gobuster dir -u http://10.10.112.241/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
![Lian_Yu: TryHackme Walkthrough 4 gobuster scan](https://www.meusec.com/wp-content/uploads/2021/05/Untitled-3.png)
Looks like we have found a directory, /island. Let’s look at it.
![Lian_Yu: TryHackme Walkthrough 5 /island directory](https://www.meusec.com/wp-content/uploads/2021/05/Untitled-4.png)
The webpage looks like this at first glance, but when I viewed the source code I realized that the code word is also given on the page, just in white text.
![Lian_Yu: TryHackme Walkthrough 6 the code word reveal](https://www.meusec.com/wp-content/uploads/2021/05/Untitled-5.png)
So here we got our code word vigilante which just appeared by highlighting the page.
I then ran gobuster again with the addition of the new directory I had found:
gobuster dir -u http://10.10.112.241/island/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
![Lian_Yu: TryHackme Walkthrough 7 gobuster scan](https://www.meusec.com/wp-content/uploads/2021/05/Untitled-6.png)
Now let’s check /island/2100
![Lian_Yu: TryHackme Walkthrough 8 /island directory](https://www.meusec.com/wp-content/uploads/2021/05/Untitled-7.png)
There is nothing relevant on the page here, so let’s check the source code. Maybe we will find something interesting there.
![Lian_Yu: TryHackme Walkthrough 9 source code](https://www.meusec.com/wp-content/uploads/2021/05/Untitled-8.png)
It mentions something about .ticket, which might be a hidden directory or a .ticket file extension. I then ran gobuster once more, but this time with an extension:
gobuster dir -u http://10.10.112.241/island/2100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .ticket
![Lian_Yu: TryHackme Walkthrough 10 gobuster scan](https://www.meusec.com/wp-content/uploads/2021/05/Untitled-9.png)
Going to http://10.10.112.241/island/2100/green_arrow.ticket, we’ll see this:
![Lian_Yu: TryHackme Walkthrough 11 /green_arrow.ticket](https://www.meusec.com/wp-content/uploads/2021/05/Untitled-10.png)
The text in the picture is a password of some sort, so let’s use CyberChef to decode it.
After a bit of analysis, I worked out that it was Base58-encoded.
![Lian_Yu: TryHackme Walkthrough 12 cyberchef](https://www.meusec.com/wp-content/uploads/2021/05/Untitled-11.png)
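The same identification and decoding step can be done offline. The following is an added example, not part of the original walkthrough: it narrows down which encodings a string could be by alphabet and length, then decodes Base58. It assumes the Bitcoin Base58 alphabet, and the sample string is constructed (it is a public test vector, not the value from the room).

```python
import string

# Assumption: Bitcoin Base58 alphabet (no 0, O, I or l, and no + / = symbols).
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ALPHABETS = {
    "hex": set(string.hexdigits),
    "base32": set(string.ascii_uppercase + "234567="),
    "base58": set(B58),
    "base64": set(string.ascii_letters + string.digits + "+/="),
}
BLOCK = {"hex": 2, "base32": 8, "base64": 4}  # required length multiples

def candidate_encodings(text: str) -> list:
    """Return the encodings whose alphabet and length rules the text satisfies."""
    chars = set(text)
    names = []
    for name, alphabet in ALPHABETS.items():
        if chars <= alphabet and len(text) % BLOCK.get(name, 1) == 0:
            names.append(name)
    return names

def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    pad = len(data) - len(data.lstrip(b"\0"))  # each leading zero byte -> "1"
    return "1" * pad + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError if ch is outside the alphabet
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))  # each leading "1" -> zero byte
    return b"\0" * pad + body

if __name__ == "__main__":
    sample = "2NEpo7TZRRrLZSi2U"  # constructed sample, not the room's string
    print(candidate_encodings(sample), b58decode(sample))
```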
So now we have another interesting string !#th3h00d.
Remember that ports 21 and 22 are open? Maybe vigilante and !#th3h00d are the credentials!
It doesn’t work on SSH but it worked on FTP.
![Lian_Yu: TryHackme Walkthrough 13 FTP loggin](https://www.meusec.com/wp-content/uploads/2021/05/Untitled-12.png)
Here I can see 4 files I need to get: The 2 PNGs, the one JPG, and the last file was the “.other user” file. I downloaded all of them using “mget *”. This should download all the files to your local directory.
![Lian_Yu: TryHackme Walkthrough 14 FTP logged in](https://www.meusec.com/wp-content/uploads/2021/05/Untitled-13.png)
Reading the “.other user”, I came across this:
![Lian_Yu: TryHackme Walkthrough 15 other user command](https://www.meusec.com/wp-content/uploads/2021/05/Untitled-14-1024x676.png)
Here I can see various names, which could be potential usernames and/or passwords. One name, “Slade”, stuck out to me.
But then I moved on to analyze the images that I downloaded on my local machine. The first image, Leave_me_alone.png looks corrupted.
![Lian_Yu: TryHackme Walkthrough 16 the jpeg found in ftp](https://www.meusec.com/wp-content/uploads/2021/05/Untitled-15.png)
Examining the hex values of the image, we’ll see that it doesn’t follow the typical starting bytes of a png image.
![Lian_Yu: TryHackme Walkthrough 17 magic bytes](https://www.meusec.com/wp-content/uploads/2021/05/Untitled-16-1024x256.png)
Now we could easily repair this by adding the png magic bytes at the beginning. If you have no idea about what magic bytes are you can check this.
Going over to Wikipedia, we can see a list of file signatures for each file type.
Fire up your preferred hex editor and let’s fix this image.
![Lian_Yu: TryHackme Walkthrough 18 changed magic bytes](https://www.meusec.com/wp-content/uploads/2021/05/Untitled-17.png)
Now after saving this image we will open the image.
![Lian_Yu: TryHackme Walkthrough 19 corrected image](https://www.meusec.com/wp-content/uploads/2021/05/Untitled-18.png)
Now we have a password, but it is not the SSH one, as I tried using it there. We have another image named aa.jpg, so we will try to extract information from it with Steghide, using the password mentioned.
steghide --extract -sf aa.jpg -p password
![Lian_Yu: TryHackme Walkthrough 20 steghide command](https://www.meusec.com/wp-content/uploads/2021/05/Untitled-19-1024x118.png)
Steghide revealed two files, passwd.txt and shado. Viewing both files:
![Lian_Yu: TryHackme Walkthrough 21 small note](https://www.meusec.com/wp-content/uploads/2021/05/Untitled-20.png)
passwd.txt
And shadow.txt contained the word M3tahuman.
I then entered the username, Slade, with the password M3tahuman over SSH and got into the box.
![Lian_Yu: TryHackme Walkthrough 22 got into the box](https://www.meusec.com/wp-content/uploads/2021/05/Untitled-21.png)
Once I got into the box, I simply used the find command to locate the user.txt flag and submitted it on TryHackMe.
![Lian_Yu: TryHackme Walkthrough 23 searching for flags](https://www.meusec.com/wp-content/uploads/2021/05/Untitled-22.png)
I then had to upgrade my privileges to root. To do this I ran “sudo -l”. This command lists the commands our user is allowed to run as the root user.
![Lian_Yu: TryHackme Walkthrough 24 escalating priveleges](https://www.meusec.com/wp-content/uploads/2021/05/Untitled-23.png)
Here it can be seen that the command I can run as root is “pkexec”. I then went to https://gtfobins.github.io/ to find out how I could use this command to get root.
I found a command on GTFOBins that gets me root.
sudo pkexec /bin/bash
![Lian_Yu: TryHackme Walkthrough 25 GTFO bins](https://www.meusec.com/wp-content/uploads/2021/05/Untitled-24.png)
Reading the root.txt file, I saw the last flag and was able to complete the box!