Lian_Yu (Tryhackme) Room Writeup By Jonty Bhardwaj

5 min readJun 9, 2021

Hello Reader, I am Jonty Bhardwaj currently enrolled in Master Certificate in Cyber Security HackerU program. Today I am here to share a writeup on a Tryhackme machine called Lian_Yu.

Now first of all we will navigate to the Room URL and join it.

https://tryhackme.com/room/lianyu

After starting the Machine we will first connect through Open VPN and ping the machine through the IP we are given to see if the connection is established. After we are successful in pinging the machine, we will start the fun part which is Pentesting and getting root privilege.

Now first we will start a Nmap scan to see what are the ports and services open on the machine.

nmap -sV -sT -t4 10.10.83.248

Now we can see that 4 ports are open and the most promising port we can gather info looks to be port 80.

We go to the main website and found no info of use . So we have to use dirbuster to see additional hidden directories and see if we can gather some info from.

From above dirbuster search we found 2 interesting folders

/island

/island/2100/

Lets navigate to both and see what information we can gather . First we will go to /island

From the island webpage we found a Code Word : vigilante and we don't know what this is for.

Now we will see what is in /island/2100/ webpage .

Here we just have a cryptic message saying we can avail “.ticket” here. And here ticket looks like some sort of extension .

So what we can do is run a dirbuster scan on this particular URL and search for a particular extension .ticket .

As we can see form above we have found our webpage which is at location /island/2100/green_arrow.ticket .

Now we will got to this webpage see what info is there

We found some sort of Encrypted Token . Lets use google to find what the encryption is on the Code. After searching we found it to be Base58. Now lets decode it found out the information.

Here we have found our first flag which we will paste in the first question of Tryhackme box.

Now we have both Username and Password for ftp login.

Username : vigilante

Password : !#th3h00d

With these credentials we will login into FTP and find some interesting information about users and some files which we can download .

As we can see found 2 users vigilante and slade and 3 image files . We downloaded the files into our machine and searched them for info. We didn’t gather any info from these images which led us to believe that some of these images might have files hidden in them.

Due to this we use Steghide to try and extract any information we can get.

steghide extract -sf aa.jpg

We left the password field empty when extracting the info and we got a zip file. We the extracted this zip file which gave us 2 more files.

unzip ss.zip

Lets see what information is inside the files.

As we see here in the first file we didn’t find much but in second file we found a text which appear to be some sort of password , most probably of user slade.

Lets try this password with user slade in ssh and find out if it works.

ssh slade@10.10.83.248

Voila we have successfully logged into user slade. Now in the home directory itself of user slade we found our second flag named user.txt.

Noe lets find more info to escalate our privilege to user root and get our final objective. After searching around we found some hidden files in home directory.

ls -la