# Disboard #

ADVENTURE TIME

### TODO ### https://tryhackme.com/room/adventuretime


Last updated 2 months ago

Walkthrough for "Adventure Time"

Operating System: Linux

Recon

nmap-auto $TARGET all

PORT    STATE SERVICE  VERSION
21/tcp  open  ftp      vsftpd 3.0.3
|  Logged in as ftp
|      TYPE: ASCII
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.29
443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: You found Finn
| ssl-cert: Subject: commonName=adventure-time.com/organizationName=Candy Corporate Inc./stateOrProvinceName=Candy Kingdom/countryName=CK
31337/tcp open  Elite ***
Service Info: Host: 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

FTP allows anonymous login, which could provide some material, and there are two web services as well as a common name (adventure-time.com) in the SSL certificate. Add that common name to the /etc/hosts file and it's off to enumeration.

Enumeration

[FTP]

There were 6 images on the FTP server when logged in as "anonymous" or "ftp".

exiftool *.jpg | grep "XP Comment" | cut -d: -f2

 01111001 01101111 01110101 00100000
 01110010 01100101 01100001 01101100 01101100 01111001 00100000
 01101100 01101001 01101011 01100101 00100000
 01110100 01101111 00100000
 01110000 01110101 01111010 01111010 01101100 01100101 00100000
 01100100 01101111 01101110 00100111 01110100 00100000 01111001 01100001

This translated to "you really like to puzzle don't ya" when using a binary-to-ASCII converter. Probably just a troll message, still fun to do!
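The same decoding can be done locally instead of through an online converter. The script below is an added example, not part of the original walkthrough; the function names and the sample list are assumptions built from the six values shown above.

```python
import re
import sys

# Constructed sample input: the six "XP Comment" values as shown in the
# exiftool output on this page, one line per image.
SAMPLE_COMMENTS = [
    " 01111001 01101111 01110101 00100000",
    " 01110010 01100101 01100001 01101100 01101100 01111001 00100000",
    " 01101100 01101001 01101011 01100101 00100000",
    " 01110100 01101111 00100000",
    " 01110000 01110101 01111010 01111010 01101100 01100101 00100000",
    " 01100100 01101111 01101110 00100111 01110100 00100000 01111001 01100001",
]

OCTET = re.compile(r"[01]{8}")


def decode_binary_comment(line):
    """Decode one line of space-separated 8-bit binary groups to text.

    Returns None when the line is not made up purely of binary octets, so
    ordinary comments (captions, camera notes) are skipped, not mis-decoded.
    """
    tokens = line.split()
    if not tokens or not all(OCTET.fullmatch(t) for t in tokens):
        return None
    raw = bytes(int(t, 2) for t in tokens)
    # errors="replace" keeps decoding going if a byte is not valid UTF-8.
    return raw.decode("utf-8", errors="replace")


def decode_comments(lines):
    """Decode every binary-looking line and join the pieces in input order."""
    parts = (decode_binary_comment(line) for line in lines)
    return "".join(p for p in parts if p is not None)


if __name__ == "__main__":
    # Read from a pipe when one is attached, otherwise use the sample above.
    piped = not sys.stdin.isatty()
    lines = sys.stdin.read().splitlines() if piped else SAMPLE_COMMENTS
    print(decode_comments(lines))
```

Saved under a hypothetical name such as decode_xp.py, it can take the output of the exiftool pipeline above on stdin.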

[Web]

Exploitation

Navigating to https://adventure-time.com/ shows a picture of Finn saying "I've lost Jake, can you help me find him." The interesting part is that the alt text for the image says "the magic word". Maybe there's a password embedded in the image or somewhere else on the site?