Question #2 What is the Web Directory you found?
I started off with an nmap scan:
First I’ll head over to the webpage to check it out:
I do find it suspicious that “arrow” is in bold text.
I don’t really know anything about Arrowverse, but apparently it’s a whole thing based on DC Comics. I recognize the Flash and Supergirl here, but that’s about it.
I guess that’s Arrow in the mask looking kinda like Robin Hood.
Alright, I’m going to get gobuster started:
A lot of times I’ll do a couple different wordlists to compare them.
That “island” directory looks interesting. Shall we?
Hmm. So just select all and the code word pops up. It was in white text. Classic.
This could possibly be a username or maybe a password.
So /island isn’t the directory we are looking for since the hint says we need numbers.
I used a 4 digit number wordlist on the main web address and pulled up nothing. Then I used it on the /island directory and found this:
Question #3 What is the file name you found?
If you inspect the source, you see this:
Interesting how it says .ticket, like a file extension. Back to gobuster:
If you search by extension you will find the answer to Question #3.
Question #4 What is the FTP Password?
I’m assuming this is it.
The hint does mention something about “Base”, so it probably needs to be decoded.
Base58 seems to bring up a good candidate:
Question #5 What is the file name with SSH password?
We have an FTP password, so “vigilante” must be the username. Let’s head over:
From here we can explore around to find that file we need.
There are some hidden files here, so I am just going to grab them all:
There is a way to grab all the files at once, but that doesn’t seem to work on the hidden files, which is why I did them one by one.
Before we grab the .png files, I did learn something new today while researching FTP servers.
In some cases, if you just grab image files normally they will be transferred in ASCII mode, which rewrites line-ending bytes and corrupts binary data, meaning that you won’t be able to view them. However, if you switch the FTP mode to binary you will be able to see them.
Apparently, most FTP clients support auto detection and do that automatically (including this one), but in the case that you run into one that doesn’t, now you will know what the problem is.
Check on your machine to make sure they were transferred over:
Here is “Queen’s_Gambit”.
And “aa.jpg” (it’s a huge picture).
You’ll notice that you can’t display “Leave_me_alone.png” because it has an improper image header:
If you check out what type of file it is, it is being identified as “data”. So from here we can check out the hexdump to get the “magic bytes”. These are hex numbers that will appear at the start of a file that you can use to see what type of file it is. HERE is a list you can use to identify them.
xxd Leave_me_alone.png | head
If you look at the hexdump and compare it to that resource I linked, you can see that it definitely does not match a .png file:
HERE is a good article I found which explains the whole process, but basically what has happened is that the file was corrupted on purpose so we could not read it. We just need to change it back.
hexeditor Leave_me_alone.png
Just put your cursor over the characters you want to change and type to change them. After you do that, you will see that it now says “.PNG” over in the ASCII area to the right. Before, it just said some random letters, “XEo”.
Press CTRL+X to save. It will now be a proper .png file that you can open:
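As an added example (not code from the original write-up), the same magic-byte check and header repair done in Python: it identifies a file from a small signature table, confirms that a valid IHDR chunk follows before touching anything, and restores the 8-byte PNG signature. The signature table, the helper names and the sample file are all constructed here.

```python
# Added example, not from the original write-up: check a file's magic bytes
# against a small signature table and repair a PNG whose 8-byte signature was
# overwritten, the way the hexeditor step above does by hand.
# The sample file below is constructed inline; no file from the room is used.
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Small magic-byte table (all at offset 0). Real lists are much longer.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"PK\x03\x04": "zip",
}

def identify(data: bytes) -> str:
    """Return a type name from the leading bytes, or 'data' when nothing matches."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "data"

def looks_like_png_body(data: bytes) -> bool:
    """True if bytes 8.. hold a valid IHDR chunk: length 13, type IHDR, good CRC."""
    if len(data) < 33:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    crc = struct.unpack(">I", data[29:33])[0]
    # The CRC covers the chunk type and chunk data, not the length field.
    return length == 13 and ctype == b"IHDR" and (zlib.crc32(data[12:29]) & 0xFFFFFFFF) == crc

def repair_png_header(data: bytes) -> bytes:
    """Restore the PNG signature when only the first 8 bytes were damaged."""
    if identify(data) == "png":
        return data
    if not looks_like_png_body(data):
        raise ValueError("no valid IHDR chunk at offset 8; not a PNG with a damaged header")
    return PNG_SIGNATURE + data[8:]

def make_sample_png() -> bytes:
    """Constructed minimal PNG prefix: signature plus a 1x1 8-bit greyscale IHDR chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    chunk = struct.pack(">I", 13) + b"IHDR" + ihdr
    chunk += struct.pack(">I", zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF)
    return PNG_SIGNATURE + chunk

# Constructed sample: the signature clobbered with junk, as in the hexdump above.
CORRUPTED = b"XEo\x00\x00\x00\x00\x00" + make_sample_png()[8:]
```

Running `identify(CORRUPTED)` gives "data" (what `file` reported), and `repair_png_header(CORRUPTED)` returns bytes that identify as "png" again.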
It seems like we now have a password of “password”. Very creative.
Also, sorry that all my images have a purple tint to them, ImageMagick is bringing them all up semi-transparent, and that’s the purple Ubuntu background from the THM Attack Box showing through.
The question says the SSH password is in a file, and the name of this .png file is way too long to fit. So, what do I do with this password?
Eventually I figured out that it was actually a password to use with steghide. Steghide does not work on .png files, but it did work on “aa.jpg”.
Unzip it:
Question #6 user.txt
I tried the new password with a couple usernames like “Arrow” and “Vigilante”, to see if I could get into the SSH server, but hit a dead end.
At this point I remembered the other files I got off the FTP server. The only one that had anything of interest was the .other_user one:
This is giving us a lot of potential usernames to go along with the password.
I tried Slade first, and it worked:
The user.txt file was easy to find from here:
Question #7 root.txt
I noticed the .Important file earlier. Let’s see what it says:
You can use the find command to see where that file is:
“Super powers do you need, just go find it.”
Let’s see exactly what powers Slade has here:
pkexec basically lets a user execute commands as another user. In order to use this to our advantage and spawn a root shell, type the following:
sudo -u root /usr/bin/pkexec /bin/bash
This box was really fun! I love the ones that have a story/theme that goes along with them.
Happy Hacking! ❤