Welcome to Lian_YU, this Arrowverse themed beginner CTF box! Capture the flags and have fun.
Looks like this one is kina a connect the dots room so let's start with an nmap and go from there.
The first question is for a web directory found so this really sounds like a job for gobuster. Gobuster found a folder called island but it's not the answer we're looking for. For our notes though, we'll copy down that there's a code word called vigilante
OK, let's try dirb and see what it shows up - same. So let's see if anonymous FTP works - nope! I totally forgot to dig into the sub folder... so once I DID then I found the folder for the question.
What is the Web Directory you found? 2100
If we look at the source code of this page, we see something about "ticket" and we need a file name so let's gobuster AGAIN but this time filter for file names called "ticket"
What is the file name you found? green_arrow.ticket
The hint for the next question says to use cyberchef and that it's some sort of base. I honestly just went through all the bases until I picked From Base58 and got the answer.
what is the FTP Password? !#th3h00d
Okay so, thank fully we found that "vigilante" hidden text earlier - that's the username for the FTP account we need to get into!
I'm gonna grab some files here. All the images plus there's the hidden .bash_history file that never hurts to dig into. Let's run binwalk on the images to see if there's anything hidden. Leave_me_alone.png is the only weird one that doesn't have a description. I knew this was a steganography thing but I was having a hard time getting started. I won't lie I had to peek at a writeup to remind myself about magic numbers.
Checking out the header of this file, we see it's not setup to be a PNG file at all.
We're going to need to change these to the appropriate "magic numbers" found here: https://en.wikipedia.org/wiki/List_of_file_signatures to do this I used this GeeksForGeeks website: https://www.geeksforgeeks.org/working-with-magic-numbers-in-linux/ which walked me through using hexedit to make the changes. What a great and easy to use app!
We now have the "password"... the very very secure (?) password.
Looking around the ftp site we see another user folder there in the home directory: slade - let's try and login as slade... nope. Neither FTP or SSH works. There has to be more to this 'cause even the current question of what file has the SSH password is a really short name.
Let's go back to our B99 (Brooklyn Nine Nine - THM (aldern00b.com)) work and look at how we uncovered some other steganography. Playing around with some of the files we found a zip file in aa.jpg using steghide
unzipping and reading:
checking out the last file, looks like a password
What is the file name with the SSH password? shado
We made it to Lian_Yu!
The user flag was right there: THM{P30P7E_K33P_53CRET5__C0MPUT3R5_D0N'T}
now we just need to elevate and get root. Looks like slade has sudo access to pkexec
Usinng gtfobins we were able to take advantage of this and get the root flag.
The root flag is THM{MY_W0RD_I5_MY_B0ND_IF_I_ACC3PT_YOUR_CONTRACT_THEN_IT_WILL_BE_COMPL3TED_OR_I'LL_BE_D34D}