Lian_Yu TryHackMe Writeup | By Xploit Ayush
A beginner level security challenge.
The challenges you will come across on this machine, named Lian_Yu on TryHackMe, are steganography, source-code inspection and privilege escalation.
Let's start.
Deploy the machine and establish VPN connectivity between your machine and the TryHackMe network; you will be given the target IP.
nmap -sV -sC -A -T4 10.10.182.64
There are four ports open (21, 22, 80 and 111).
We can't get into FTP because it asks for a username and password.
What next? Let's check what is running on the web server.
Since there is nothing interesting here or in the source code, we run gobuster to enumerate directories and pages.
gobuster dir -u http://10.10.182.64 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt
Well, the scan result shows an /island directory with status 301.
Let's check the /island directory.
If you don't get any clue, dig deeper: view the source code of this webpage.
I got a hint (vigilante) which might help me in later stages. Again I performed a directory brute-force scan against /island to see what's available.
gobuster dir -u http://10.10.182.64/island -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt
The scan result shows a /2100 directory with status 301.
Viewing the directory and its source code, I see there is a note:
This suggests to me there is a file with a .ticket extension.
gobuster dir -u http://10.10.182.64/island/2100 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -x ticket
This time the scan result shows /green_arrow.
Well, this is a Base58 encoded string. Decode it (searching Google for an online decoder will do) and you will get the password.
I try to log in to FTP with the username Gambit but I am unsuccessful. I try the code word I found earlier and it now prompts for a password; I try the random string but I am denied. Maybe it's encoded.
Using this password, I can now log in to FTP:
I will grab all these files:
The above command doesn't seem to get hidden files, so I will have to get them manually:
get .bash_history
get .bash_logout
get .bashrc
get .other_user
get .profile
First I check the .other_user file, which leaks a possible username.
I used the steghide tool to extract the data hidden in the image file, but it is password protected.
So to crack the passphrase of the image file, I used the stegcracker tool.
stegcracker aa.jpg /usr/share/wordlists/rockyou.txt
After the passphrase is recovered, I got a .zip file. When you unzip that file, as shown in the snapshot below, you get two files: passwd.txt and shado.
Read those two files with cat <file> one by one.
Finally! The shado file contains a password. I can now try SSH with the two users and this password:
If you don't know the username, remember that we downloaded a few files from the FTP server and the username is in one of those files. By trial and error I found that the username was slade, in the .other_user file.
But to get the root.txt flag we need to be logged in as the root user.
To get the root flag we need to check what permissions or privileges we have.
This one is a little bit trickier. First type in the command.
Looks like we can run "pkexec" with root privileges.
We can check GTFOBins.
GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.
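The fix for this box is on the administrator's side: a sudo rule that lets a user run pkexec (or any binary with a documented shell escape) as root is equivalent to handing out root. The following is an added example, not from the original writeup, of the kind of audit a defender can run over a sudoers file or over `sudo -l` output before such a rule ships. The rule lines and the set of flagged binaries are constructed for illustration; the set is a small subset of what GTFOBins documents, not the full list.

```python
"""Audit sudo rules for entries that grant root through binaries with known
shell escapes. Added example, not from the original writeup; the sample rules
and the RISKY_BINARIES set are constructed for illustration."""

import re
from dataclasses import dataclass, field

# Illustrative subset of binaries GTFOBins documents as able to spawn a shell
# or read/write arbitrary files when run with elevated privileges.
RISKY_BINARIES = {"pkexec", "vim", "find", "python", "python3", "bash", "sh", "less", "awk"}

# Accepts both sudoers-file rules ("user host=(runas) TAGS: cmd, cmd") and
# the per-rule lines printed by `sudo -l` ("(runas) TAGS: cmd, cmd").
RULE_RE = re.compile(
    r"^(?:(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*)?"
    r"\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


@dataclass
class Finding:
    who: str
    command: str
    reasons: list = field(default_factory=list)


def audit_sudoers(text: str) -> list:
    """Return one Finding per command that deserves a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        who = m.group("who") or "current user"        # `sudo -l` omits the user
        if who == "root":
            continue                                  # root's own ALL rule is the default
        tags = m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            reasons = []
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                reasons.append("unrestricted command")
            elif binary in RISKY_BINARIES:
                reasons.append(f"{binary} has documented shell escapes")
            if reasons and "NOPASSWD" in tags:
                reasons.append("no password required")
            if reasons:
                findings.append(Finding(who, cmd, reasons))
    return findings


# Constructed sample; not the room's real configuration.
SAMPLE_SUDOERS = """
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
slade   ALL=(ALL) NOPASSWD: /usr/bin/pkexec
backup  ALL=(root) NOPASSWD: /usr/bin/rsync --server, /usr/bin/systemctl restart backup
"""


def audit_sample() -> list:
    return audit_sudoers(SAMPLE_SUDOERS)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.who}: {f.command}  <- {'; '.join(f.reasons)}")
```

Only the slade and %admin entries are reported: the backup user's rule is narrow (a specific rsync mode and one systemctl unit), which is what a least-privilege sudo rule should look like. Detection-wise, the same logic can run periodically over /etc/sudoers and /etc/sudoers.d/ and alert when a risky binary appears.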
And I have root!!!
Now we have all our answers; let's submit them and we have successfully completed our CTF!!
Keep Trying, Keep Working :)
Thank you for Reading!!
Happy Hacking GUYS
Author: Xploit Ayush