ADVENTURE TIME
### TODO ### https://tryhackme.com/room/adventuretime

Walkthrough for "Adventure Time"
Operating System: Linux
Recon
nmap-auto $TARGET all
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| Logged in as ftp
| TYPE: ASCII
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29
443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: You found Finn
| ssl-cert: Subject: commonName=adventure-time.com/organizationName=Candy Corporate Inc./stateOrProvinceName=Candy Kingdom/countryName=CK
31337/tcp open Elite ***
Service Info: Host: 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
FTP allows anonymous login, which could provide some material, and there are two web services as well as a common name in the TLS certificate. Add that common name to the /etc/hosts file and it's off to enumeration.
Enumeration
[FTP]
There were 6 images on the FTP server when logged in as "anonymous" or "ftp".
exiftool *.jpg | grep "XP Comment" | cut -d: -f2
01111001 01101111 01110101 00100000
01110010 01100101 01100001 01101100 01101100 01111001 00100000
01101100 01101001 01101011 01100101 00100000
01110100 01101111 00100000
01110000 01110101 01111010 01111010 01101100 01100101 00100000
01100100 01101111 01101110 00100111 01110100 00100000 01111001 01100001
This translated to "you really like to puzzle don't ya" when run through a binary-to-ASCII converter. Probably just a troll message, still fun to do!
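The same decoding can be done offline instead of with a web converter. The following is an added example, not part of the original walkthrough; the function name decode_binary_comment is hypothetical and the input is the exiftool output shown above.

```python
import re

# The "XP Comment" values printed by the exiftool pipeline above,
# copied from the walkthrough (one line per image).
XP_COMMENTS = """\
01111001 01101111 01110101 00100000
01110010 01100101 01100001 01101100 01101100 01111001 00100000
01101100 01101001 01101011 01100101 00100000
01110100 01101111 00100000
01110000 01110101 01111010 01111010 01101100 01100101 00100000
01100100 01101111 01101110 00100111 01110100 00100000 01111001 01100001
"""

# A valid token is exactly eight binary digits (one byte).
OCTET = re.compile(r"[01]{8}")


def decode_binary_comment(text):
    """Decode whitespace-separated 8-bit binary groups into text.

    Lines are decoded in order and concatenated, because each image
    carries one fragment of the message. A token that is not exactly
    eight binary digits raises ValueError, so a truncated copy/paste
    is noticed instead of silently producing a wrong message.
    """
    out = bytearray()
    for lineno, line in enumerate(text.splitlines(), 1):
        for token in line.split():
            if not OCTET.fullmatch(token):
                raise ValueError(
                    f"line {lineno}: not an 8-bit group: {token!r}")
            out.append(int(token, 2))
    # Bytes outside ASCII are shown as U+FFFD rather than raising.
    return out.decode("ascii", errors="replace")


if __name__ == "__main__":
    print(decode_binary_comment(XP_COMMENTS))
```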
[Web]
Navigating to https://adventure-time.com/ shows a picture of Finn saying "I've lost Jake, can you help me find him." The interesting part about this is that the alt text for the image says "the magic word". Maybe there's a password embedded in the image or somewhere else on the site?

Exploitation