Nmap results:
# Nmap 7.92 scan initiated Tue Oct 25 20:12:56 2022 as: nmap -p 1-1024 -oA nmap_basic 10.10.38.140
Nmap scan report for 10.10.38.140
Host is up (0.12s latency).
Not shown: 1020 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
# Nmap done at Tue Oct 25 20:12:59 2022 -- 1 IP address (1 host up) scanned in 2.40 seconds
As you can see http is listening on port 80. So lets try to perform a directory scan using dirbuster:
http://10.10.38.140/
http://10.10.38.140/server-status
http://10.10.38.140/island => http://10.10.38.140/island/
http://10.10.38.140/island => http://10.10.38.140/island/2100/
Looking at http://10.10.38.140/island/, we can there is an html “h2” tag with white color.
Hmm, /island/2100/ seems interesting as well. Visiting the page source we see a comment recommending “.ticket”
So lets try to use gobuster -x option to scan for files using .ticket extension.
bash$ gobuster dir -u http://thm.ip/island/2100/ -x .ticket -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
/green_arrow.ticket
Would you look at that, “/green_arrow.ticket” file were found. Lets see what it contains.
This is just a token to get into Queen's Gambit(Ship)
RTy8yhBQdscX
Looks like an encoded value. We can decode it using base58 using cyberchef.
Using the username we found above on the html “h2” tag and above base58 decoded value, we can authenticate to FTP Server.
FTP Server contains the above listed image files and since .jpg is a supported stegcracker file type, we see if there is anything hidden on the image.
bash$ stegcracker aa.jpg
The output is written to aa.jpg.out, and running file against the file, says it is a zip file. We can unzip using the unzip tool as below:
bash$ unzip aaa.jpg.out
Archive: aaa.jpg.out
inflating: passwd.txt
inflating: shado
Note: Leave_me_alone.png file is missing the magic bytes, if you want you can fix that too. But it is not needed for this box.
Other than, there are other hidden files in the FTP server not listed above, one is .other_user which contains:
Slade Wilson was 16 years old when he enlisted in the United States Army, having lied about his age. After serving a stint in Korea, he was later assigned to Camp Washington where he had been promoted to the rank of major. In the early 1960s, he met Captain Adeline Kane, who was tasked with training
First thing we see, is a person by the name of Slade Wilson, so we try to authenticate to SSH using it as the username and the password we found in shado file.
Aha, would you look at that, we got user.
Running “sudo -l” tell us that we can run pkexec as sudo. With pkexec we can run /bin/sh as root.
GG.