TryHackMe: Lian_Yu Walkthrough

Introduction

Hello everyone. I'm back with another writeup, this time for the machine named Lian_Yu on TryHackMe. The machine covers three kinds of challenge: steganography, reading page source for clues, and privilege escalation. I liked it and had a lot of fun rooting it. You can access the room directly at this URL: https://tryhackme.com/room/lianyu. One more thing you should know: the machine is themed around the TV series Arrow, which explains the hints and usernames you will meet along the way.

What are we waiting for?

Let’s get started folks……

First and foremost, deploy the machine and connect your attacking machine to the TryHackMe network over the VPN. Once the machine is deployed you will receive an IP address; ping it to make sure the remote host is up before you start scanning.

Recon

The next step is to gather information about the remote machine, such as the services it runs and their versions. To do that, I used the following command:

nmap <IP>

The scan shows four open ports: 21 (FTP), 22 (SSH), 80 (HTTP) and 111 (rpcbind). Keep in mind that a plain nmap scan only probes the 1,000 most common TCP ports and does not fingerprint versions; add -sV -sC (and -p- for all ports) if you want service banners and default-script output. Now that we know the target runs a web server, the next step is a directory brute-force scan to see what is hosted on it.

You can use DirBuster or dirb, but I prefer gobuster. I used the following command:

gobuster dir --url http://<machine IP>/ --wordlist /usr/share/wordlists/dirb/big.txt

Similar in concept to password brute forcing, we take a list of words from a file and request each one as a path on the web server. A 2xx or 3xx status code means something exists there (a 301 in particular usually means a directory, redirected to its trailing-slash form). The scan found the /island directory with status 301.

Now, let’s check the /island directory.

If you don't see a clue on the page itself, dig deeper and view the source of the webpage.


Now, wait a minute! I expected code or a direct pointer to the next step, but instead I found a hint (vigilante) that might help in a later stage. So I ran the directory brute force again, this time under /island and with a wordlist of four-digit numbers. I used the following command:

gobuster dir --url http://<machine IP>/island --wordlist /usr/share/wordlists/dirb/seclists/Fuzzing/4-digits-0000-9999.txt

(The SecLists path varies between installs; on Kali the package puts this file under /usr/share/seclists/Fuzzing/.)

The scan found the /2100 directory with status 301.

Well, that's strange and enigmatic: just an embedded video and nothing else as a clue. Let's try harder and view the source of this page too.

The source suggests there is a file with a .ticket extension, so this time I ran ffuf to find the hidden file name. ffuf is a fast web fuzzer written in Go; it can fuzz HTTP header values, POST data and any part of the URL, including GET parameter names and values, by substituting each wordlist entry for the FUZZ keyword. The command I used was:

ffuf -u http://<machine IP>/island/2100/FUZZ.ticket -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

This time the scan found green_arrow.ticket with status 200, which is a good sign: we are right back on track.

The ticket file contains a Base58-encoded string. Decode it, either with an online decoder found via Google or locally, and you get a password. Be aware that it is Base58, not Base64: the Base58 alphabet omits the easily confused characters 0, O, I and l and uses no = padding, which is how you can tell the two apart at a glance. Recall from the nmap scan that port 21 (FTP) was open, so let's try logging in to FTP with this password.
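As an added example (not part of the original writeup), here is a minimal Base58 decoder and encoder in Python, so you can decode the ticket string locally instead of pasting a credential into a website. It uses the Bitcoin alphabet, which is what most online decoders assume. The sample string inside it is constructed for illustration and is not the string from the room.

```python
# Added example: Base58 encode/decode using the Bitcoin alphabet.
# Base58 has no padding and omits 0, O, I and l to avoid visual confusion,
# which is also what distinguishes it from Base64 when triaging a blob.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BASE = len(ALPHABET)  # 58


def b58decode(text: str) -> bytes:
    """Decode a Base58 string to bytes, preserving leading zero bytes."""
    text = text.strip()
    num = 0
    for ch in text:
        try:
            num = num * BASE + ALPHABET.index(ch)
        except ValueError:
            raise ValueError(f"not a Base58 character: {ch!r}") from None
    # Each leading '1' encodes one 0x00 byte that the big-integer step loses.
    leading = len(text) - len(text.lstrip("1"))
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    return b"\x00" * leading + body


def b58encode(data: bytes) -> str:
    """Encode bytes to Base58 (inverse of b58decode)."""
    num = int.from_bytes(data, "big")
    digits = []
    while num:
        num, rem = divmod(num, BASE)
        digits.append(ALPHABET[rem])
    leading = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading + "".join(reversed(digits))


def looks_like_base58(text: str) -> bool:
    """Quick triage: True only if every character is in the Base58 alphabet."""
    text = text.strip()
    return bool(text) and all(ch in ALPHABET for ch in text)


if __name__ == "__main__":
    # Constructed sample, not the string from the room.
    sample = b58encode(b"example-password")
    print(sample, "->", b58decode(sample))
    # Base64 input is rejected by the triage check: '=' (and 0, O, I, l) are not in the alphabet.
    print(looks_like_base58("cGFzc3dvcmQ="))
```

Run it as a script, or import it and call b58decode() on the string you pulled from the ticket file; a ValueError tells you the blob is not Base58 at all and you should try another encoding.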

Connect to the FTP server with the following command:

ftp <machine IP>

Log in with the username (the hint you found earlier in the /island page source) and the decoded password.

Type ls -la to list the files on the FTP server, including hidden dot-files. Download them to your machine with:

get <file name>

This fetches one file at a time; mget * fetches them all. Switch to binary mode first so that image files are not corrupted in transfer.

Steganography

Before continuing, I should say that steganography is a broad topic with a lot of tools, each with its own specific use, so finding hidden content is largely a matter of trial and error. The steganography rooms on TryHackMe are a good place to learn more.

I used steghide to extract data from the image file, but the embedded data is passphrase protected:

steghide extract -sf <image file>

To crack the passphrase I used stegcracker, which simply runs steghide against every word in a list:

stegcracker <image file> /usr/share/wordlists/rockyou.txt

Note that stegcracker has since been deprecated by its author in favour of stegseek, which does the same job far faster and takes the same two arguments.

Once the passphrase is cracked, the extracted data is a .zip file. Unzip it and you get two files, passwd.txt and shado.

Read the two files with cat <file>, one at a time.


This machine really tests your patience. passwd.txt gives no clue, so let's check the other file, shado.

Finally, the shado file contains a password. We can now try to SSH in with this password:

ssh <username>@machine IP

If you don't know the username, remember that we downloaded a few files from the FTP server and the username is in one of them. By trial and error I found that the username was slade, stored in the hidden .other_user file (which is why listing with ls -la rather than plain ls mattered).

After logging in, the user.txt flag is easy to find.

To get the root.txt flag, however, we need to become root.

Privilege Escalation

Now it's time for privilege escalation. Run sudo -l to see which commands we are allowed to run as root.

It turns out we can run pkexec as root. pkexec is polkit's equivalent of sudo: it executes a program as another user, root by default, so running it through sudo gives us a root shell by asking it to launch /bin/sh. Enter the following command:

sudo pkexec /bin/sh

This is a well-known misconfiguration; GTFOBins lists the same one-liner under the sudo entry for pkexec.

We have successfully completed the room! This was a fun machine to root and a good one for beginners. Thank you for reading, and if anything needs to be added or you have suggestions, please don't hesitate to comment or reach out.


Happy hacking!!!

Published by MANJUNATH NAYAKA

A cyber security enthusiast who is passionate about and fond of learning new things in the cyber security world. I was working as a Network and Security Operations Engineer, but then I found my passion for cyber security. I'm a newbie at blogging as well ;)
