Lian_Yu- THM {CTF}

Neelesh Patel
3 min readAug 16, 2021

A beginner level security challenge

///confidentials are masked so you also feel the joy of getting the flags ;-)///

Alright, so the reconnaissance gave us the following:-

HTTP is open, redirecting to this, displays the page in a nice manner, side by side with nmap, enumerate the directories as well…

seems like the page says something, now hop to the source code, their’s some code in white, if you’re unable to see then goback to the page you found by gobuster or any another and hit ctrl+a, the code will be highlighted ;-)

Again enumerate the directory, and view the source code, you’ll see like this

Furthur enumeration leads to the another page, which shows some wierd text, which was shockingly encoded in base58.We saw in nmap results about ftp, ssh etc.

After login to ftp session(creds for ftp are base58 and white-coded text), you should see the like this:-

These are images of who????, Let’s practice the Steganography. Fire up your steghide and see whats inside these images.

Looks like Leave_me_alone.png is corrupted, Yes!!!!! you guessed it right maybe magic numbers are messed up, so lets correct it with hexeditor with the codes 89 50 4E 47 0D 0A, and with that you should be able to regenerate the image.Now try this pswd on aa.jpg with steghide, YES!! its a zip file and cat out all the required files. With now both username and password, without wasting time shoot up these creds to ssh!!

look around the file system and you should be able to get the user flag!!!Now hunting for the root flag!!, check the sudo permission and you’ll notice the pkexec can be executed at root.

execute the sudo pkexec /bin/bash and the output should be as below:-

cat out the root flag, and you are now good to go!!!

Thanks for reaching till end, hope you find something useful,

Until Next Time,

Stay Epic!!!!

— — — — — — -



Neelesh Patel

All I need is just my ten fingers and sometimes {coffee}, to talk to computers.