Lian_Yu (Tryhackme) Room Writeup By Jonty Bhardwaj
Hello Reader, I am Jonty Bhardwaj currently enrolled in Master Certificate in Cyber Security HackerU program. Today I am here to share a writeup on a Tryhackme machine called Lian_Yu.
Now first of all we will navigate to the Room URL and join it.
After starting the Machine we will first connect through Open VPN and ping the machine through the IP we are given to see if the connection is established. After we are successful in pinging the machine, we will start the fun part which is Pentesting and getting root privilege.
Now first we will start a Nmap scan to see what are the ports and services open on the machine.
nmap -sV -sT -t4 10.10.83.248
Now we can see that 4 ports are open and the most promising port we can gather info looks to be port 80.
We go to the main website and found no info of use . So we have to use dirbuster to see additional hidden directories and see if we can gather some info from.
From above dirbuster search we found 2 interesting folders
Lets navigate to both and see what information we can gather . First we will go to /island
From the island webpage we found a Code Word : vigilante and we don't know what this is for.
Now we will see what is in /island/2100/ webpage .
Here we just have a cryptic message saying we can avail “.ticket” here. And here ticket looks like some sort of extension .
So what we can do is run a dirbuster scan on this particular URL and search for a particular extension .ticket .
As we can see form above we have found our webpage which is at location /island/2100/green_arrow.ticket .
Now we will got to this webpage see what info is there
We found some sort of Encrypted Token . Lets use google to find what the encryption is on the Code. After searching we found it to be Base58. Now lets decode it found out the information.
Here we have found our first flag which we will paste in the first question of Tryhackme box.
Now we have both Username and Password for ftp login.
Username : vigilante
Password : !#th3h00d
With these credentials we will login into FTP and find some interesting information about users and some files which we can download .
As we can see found 2 users vigilante and slade and 3 image files . We downloaded the files into our machine and searched them for info. We didn’t gather any info from these images which led us to believe that some of these images might have files hidden in them.
Due to this we use Steghide to try and extract any information we can get.
steghide extract -sf aa.jpg
We left the password field empty when extracting the info and we got a zip file. We the extracted this zip file which gave us 2 more files.
Lets see what information is inside the files.
As we see here in the first file we didn’t find much but in second file we found a text which appear to be some sort of password , most probably of user slade.
Lets try this password with user slade in ssh and find out if it works.
Voila we have successfully logged into user slade. Now in the home directory itself of user slade we found our second flag named user.txt.
Noe lets find more info to escalate our privilege to user root and get our final objective. After searching around we found some hidden files in home directory.
It says to find something named Secret_Mission.
We found the secret mission file but it was nothing of much importance.
Lets see what sudo permission the user got which we can utilize.
Here we found what we were searching for , a program named pkexec with sudo privilege through which we can escalate our privilege to root.
Lets search GTFO bins to find info on how to exploit it.
We found the command to escalate our privilege to sudo . Lets find the root flag and accomplish our goal.
As we can see here we got the third and final flag too named root.txt.
Proof of Completion
Congratulations on completing the room and reading the blog . Hope my blog helped you in your journey and made you learn something new .
Happy Hacking !!