Lian_Yu (Tryhackme) Room Writeup By Jonty Bhardwaj

Hello Reader, I am Jonty Bhardwaj currently enrolled in Master Certificate in Cyber Security HackerU program. Today I am here to share a writeup on a Tryhackme machine called Lian_Yu.

Now first of all we will navigate to the Room URL and join it.

https://tryhackme.com/room/lianyu

After starting the Machine we will first connect through Open VPN and ping the machine through the IP we are given to see if the connection is established. After we are successful in pinging the machine, we will start the fun part which is Pentesting and getting root privilege.

Now first we will start a Nmap scan to see what are the ports and services open on the machine.

nmap -sV -sT -t4 10.10.83.248

Now we can see that 4 ports are open and the most promising port we can gather info looks to be port 80.

We go to the main website and found no info of use . So we have to use dirbuster to see additional hidden directories and see if we can gather some info from.

From above dirbuster search we found 2 interesting folders

/island

/island/2100/

Lets navigate to both and see what information we can gather . First we will go to /island

From the island webpage we found a Code Word : vigilante and we don't know what this is for.

Now we will see what is in /island/2100/ webpage .

Here we just have a cryptic message saying we can avail “.ticket” here. And here ticket looks like some sort of extension .

So what we can do is run a dirbuster scan on this particular URL and search for a particular extension .ticket .

As we can see form above we have found our webpage which is at location /island/2100/green_arrow.ticket .

Now we will got to this webpage see what info is there

We found some sort of Encrypted Token . Lets use google to find what the encryption is on the Code. After searching we found it to be Base58. Now lets decode it found out the information.

Here we have found our first flag which we will paste in the first question of Tryhackme box.

Now we have both Username and Password for ftp login.

Username : vigilante

Password : !#th3h00d

With these credentials we will login into FTP and find some interesting information about users and some files which we can download .

As we can see found 2 users vigilante and slade and 3 image files . We downloaded the files into our machine and searched them for info. We didn’t gather any info from these images which led us to believe that some of these images might have files hidden in them.

Due to this we use Steghide to try and extract any information we can get.

steghide extract -sf aa.jpg

We left the password field empty when extracting the info and we got a zip file. We the extracted this zip file which gave us 2 more files.

unzip ss.zip

Lets see what information is inside the files.

As we see here in the first file we didn’t find much but in second file we found a text which appear to be some sort of password , most probably of user slade.

Lets try this password with user slade in ssh and find out if it works.

ssh slade@10.10.83.248

Voila we have successfully logged into user slade. Now in the home directory itself of user slade we found our second flag named user.txt.

Noe lets find more info to escalate our privilege to user root and get our final objective. After searching around we found some hidden files in home directory.

ls -la

It says to find something named Secret_Mission.

locate Secret_Mission

We found the secret mission file but it was nothing of much importance.

Lets see what sudo permission the user got which we can utilize.

sudo -l

Here we found what we were searching for , a program named pkexec with sudo privilege through which we can escalate our privilege to root.

Lets search GTFO bins to find info on how to exploit it.

We found the command to escalate our privilege to sudo . Lets find the root flag and accomplish our goal.

As we can see here we got the third and final flag too named root.txt.

Proof of Completion

Congratulations on completing the room and reading the blog . Hope my blog helped you in your journey and made you learn something new .

Happy Hacking !!

--

--

--

Avid learner and writer trying to gain as much knowledge as possible in the domain of cyber security while sharing my learning to help other people like myself.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Explanations regarding TGE

Coronavirus phishing attacks plague the US

What you can do after you hacked a computer? (post-exploitation techniques part-1)

Piillz.com

Password Used Wrongly

WPA/WPA2 Wi-Fi Cracking

USDN pool lottery on curve.fi: Vote and Win! $600k Prize fund!

Higher Security Through Passwordless Authentication

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Jonty Bhardwaj

Jonty Bhardwaj

Avid learner and writer trying to gain as much knowledge as possible in the domain of cyber security while sharing my learning to help other people like myself.

More from Medium

TryHackMe CVE-2021–41773/42013 Write-up SMN666

TryHackMe-Mobile Malware Analysis | By Subhadip Nag(Mrl0s3r)

VTF - CTF Write-up

Writeup on TryHackMe (THM) Linux Privilege Escalation Capstone Challenge