TryHackMe Walkthrough : Lian_Yu

Introduction

Let’s Get Started!

The first thing to do is deploy the machine and connect your own machine to the TryHackMe network over the VPN. After deploying the machine you will receive an IP address; ping it to make sure the remote host is up and working.

Recon

nmap -sS -sV -sC -p- -Pn --min-rate=10000 -oN nmap <IP>

As you can see from the above screenshot, there are four ports open (21, 22, 80 and 111). Now that we know the target is running a web server we should do a directory brute force scan to see what’s available.

You can use dirbuster or dirb, but I like to use gobuster. I used the following command:

gobuster dir -u http://<machine IP>/ -w /usr/share/wordlists/dirb/big.txt

The scan result shows an /island directory with status: 301.

Now, let’s check the /island directory.

If you don’t get any clue, view the source code of this webpage.

I found a hint (vigilante) which might help in later stages. I then ran another directory brute force scan against the /island directory to see what’s available. I used the following command:

gobuster dir -u http://<machine IP>/island -w /usr/share/wordlists/dirb/seclists/Fuzzing/4-digits-000-9999.txt

The scan result shows a /2100 directory with status: 301.

Let’s try to view the source code of the above webpage.

This suggests to me there is a file with a .ticket extension, so I ran FFUF to identify this hidden file. FFUF is a fast web fuzzer written in Go. It allows fuzzing of HTTP header values, POST data, and different parts of the URL, including GET parameter names and values. The command I used is:

ffuf -u http://<machine IP>/island/2100/FUZZ.ticket -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

This time the scan found /green_arrow with status: 200. We will request it with the extension, /green_arrow.ticket, and see if we get something.

We got a Base58 encoded string. Decode it by searching for an online decoder on Google and you will get the password.

Our nmap scan showed that port 21 is open, so let’s try logging in to FTP using this password.
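The decoding step can also be done offline, which keeps the recovered string off third-party sites. The Python decoder below is an added example, not part of the original walkthrough; it assumes the common Bitcoin Base58 alphabet, and the sample string is constructed rather than taken from the room.

```python
"""Offline Base58 decoder (Bitcoin alphabet), standard library only."""

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
INDEX = {ch: i for i, ch in enumerate(ALPHABET)}


def b58decode(text: str) -> bytes:
    """Decode a Base58 string to raw bytes.

    Raises ValueError naming the first character outside the alphabet,
    which is also a quick way to tell the input is not Base58 at all
    (Base58 never contains 0, O, I, l, + or /).
    """
    text = text.strip()
    number = 0
    for pos, ch in enumerate(text):
        if ch not in INDEX:
            raise ValueError(f"{ch!r} at offset {pos} is not a Base58 character")
        number = number * 58 + INDEX[ch]
    # Each leading '1' stands for one leading zero byte, which the
    # integer conversion above cannot represent.
    zeros = len(text) - len(text.lstrip("1"))
    body = number.to_bytes((number.bit_length() + 7) // 8, "big")
    return b"\x00" * zeros + body


def decode_for_display(text: str) -> str:
    """Return the decoded value as text if printable, otherwise as hex."""
    raw = b58decode(text)
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.hex()
    return decoded if decoded.isprintable() else raw.hex()


if __name__ == "__main__":
    # Constructed sample: the Base58 form of "Hello World!", not the
    # string served by the room.
    print(decode_for_display("2NEpo7TZRRrLZSi2U"))
```
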

Enter the following command to connect to FTP:
ftp <machine IP>
Enter the username (the “vigilante” we found in the source code) and the password (which we decoded from Base58) to log in.

By typing ls -la you can see the list of files on the FTP server. We can download those files to our machine by typing this command:

get <file name>

Steganography

I used the steghide tool to extract the hidden data from the image.

steghide extract -sf <image file>

It is password protected, so to crack the password of the image file I used the stegcracker tool.

stegcracker <image file> /usr/share/wordlists/rockyou.txt

Now we will use this password with the steghide command to extract the data.

After logging in successfully, I got a .zip file. When you unzip that file, as shown in the above snapshot, you will get two files: passwd.txt and shado.

Read those two files with the following command.

cat <file name>

The shado file contains a password. I can now try to SSH with the two users and this password:

If you don’t know the username, just remember that we downloaded .other_users from the FTP server, and the username is located there.

Username : Slade

I can now try to SSH in as the user Slade with this password from the shado file.

After successfully logging in, we can easily get the user.txt flag.

But to get the root.txt flag we need to be logged in as the root user.

Privilege Escalation

It looks like we can run pkexec with root privileges. Therefore, we are going to run the /bin/sh program as root and get root access. I got this working command from GTFOBins:

sudo pkexec /bin/sh

We have successfully completed the room. This was a fun machine for beginners. Thank you for reading, and if there is anything that needs to be added or suggested, please reach out or comment.