Lian_Yu

Welcome to Lian_YU, this Arrowverse themed beginner CTF box! Capture the flags and have fun.


First thing we are going to do here is launch our VM and attackbox to get this lab rolling

It would like us to locate a web directory. So going to run gobuster against the IP and see what we can find

We locate a directory called /island.

It states there is a codeword but its not showing. Highlighting over, it appears to just be in white font

Codeword: Vigilante

Running gobuster again against /island we find a directory called /2100

From here we get a youtube video that no longer appears to be valid. Crap

Checking into the source, we see this comment. SO I believe we are looking for a .ticket

From here I ran gobuster again and added -x .ticket to the end of it and boom! /green_arrow.ticket

RTy8yhBQdscX

Checking into some walk throughs, It appears this is base58 encoded

Using Cyberchef it comes out to

!#th3h00d

I got so excited about running gobuster that I forgot to enumerate with Nmap. So lets go!

We have alot of fun stuff here.

going to attempt to access ftp first anonymously

Did not work.

Using username Vigilante and password !#th3h00d we were able to access!

with LS we get 3 files

File itself appears corrupted. Using tool hexedit (Sudo apt install hexedit) and the info below, I was able to correct the header and fix the image

Byte 1 should be [0x89]: 89
Byte 2,3 and 4 should be [0x50 0x4E 0x47]: 504E47
Byte 5 and 6 should be [0x0D 0x0A]: 0D0A
Byte 7 should be [0x1A]: 1A
Byte 8 Should be [0x0A]: 0A

Opening the file gives us the password password

Using Steghide we are able to extract an ss.zip file out of the aa.jpg image

the ss.zip file gives us the following information

Using this to SSH into Slade’s account

Next step is to get root access for the flag

From here it looks like /usr/bin/pkexec is open

heading over to GTFO bins we locate this comand