Post

Lian Yu

Lian Yu

🔍 First, I ran an nmap scan: Pasted image 20260608213723.png 💡 We found a web directory, but the room prompt states it needs to be a number. I let the scan run, and if it didn’t find anything, I planned to use a numeric list: Pasted image 20260608213742.png This is the root page: Pasted image 20260608213808.png

Pasted image 20260608213938.png And you can see there is something: Since the initial scan missed the number, I ran directory discovery again using ffuf: Pasted image 20260608214215.png I found it: Pasted image 20260608214321.png 🕵️ It gave us a comment mentioning the .ticket extension. I searched for it under the discovered URL:

Pasted image 20260608215526.png And if we go to that page: Pasted image 20260608215632.png It returned an encoded token. The hint recommended using CyberChef. It looked like base encoding, so after testing a bit, I decoded it: Pasted image 20260608220116.png Pasted image 20260608220543.png I used the username I found earlier (which was hidden in white text): Then I downloaded the files: Pasted image 20260608220815.png I tried some hidden file paths randomly because the filenames didn’t match. I downloaded all files to see if they would be useful: Pasted image 20260608221103.png Let’s see if this helps: Pasted image 20260608221234.png In the images directory, Leave_me_alone.png is interesting because it cannot be viewed directly: Pasted image 20260608222026.png 💻 I opened it in a hex editor. This is supposed to be a PNG image, which means it should have the standard PNG headers like IHDR and IDAT: For more information, see: info Pasted image 20260608222153.png These are the default headers of a PNG file: Pasted image 20260608223529.png So, I edited the first 6 bytes: Pasted image 20260608223559.png Now we can view the image and find the password: Pasted image 20260608223623.png ⚡ Next, we need to extract files from the JPEG images using steghide: Pasted image 20260608223958.png Extracting the data with the password, we find a zip archive: Pasted image 20260608224308.png I extracted the zip file:

It seems we have more work to do: Pasted image 20260608224752.png 📌 Once we have the password, we can log in via SSH. Initially, I didn’t know the username, but recalling the .otheruser file from the FTP server, I made a simple wordlist and brute-forced the SSH service using those usernames:

1
2
3
4
5
6
7
8
9
10
11
12
13
slade
slade_wilson
adeline
adeline_kane
wintergreen
joseph
joseph_wilson
jackal
deathstroke
major_wilson
lieutenant_colonel
lt_colonel
captain_kane
1
hydra -L user.txt -p "pass you found" 10.49.160.92 ssh -t 4

Pasted image 20260608225704.png And I found it: Pasted image 20260608225747.png user.txt Pasted image 20260608225835.png I checked the sudo privileges of our user: Pasted image 20260608225933.png We can easily escalate to root: Pasted image 20260608230051.png

1
sudo pkexec /bin/sh

Pasted image 20260608230136.png And retrieved the root flag! Pasted image 20260608230206.png

This post is licensed under CC BY 4.0 by the author.