Kaushal Patel

TryHackMe: Lian_Yu Walkthrough


Introduction

Hello Readers. Today I am going to crack another machine, Lian_Yu on TryHackMe. This machine presents three challenges you will come across: steganography, source-code inspection and privilege escalation.


You can access this machine directly from this url: https://tryhackme.com/room/lianyu.



Deploy

Let’s get started!

First, deploy the machine and connect to the VPN to access the TryHackMe network.


Reconnaissance and findings

The next step is to gather information about the remote machine, such as its services and their versions. To do that, I used the following command:

nmap <IP>


From the above screenshot, there are four open ports (21, 22, 80 and 111).


As port 80 is open, we should check it in a web browser.



Now that we know the target is running a web server, we should brute-force its directories using the ffuf tool.


You can use dirbuster, dirb or gobuster too, but I like to use ffuf. Check the snapshot for the command.

If a found directory returns a 20x or 30x status code, then we know something is there. As per the scan result, we found the /island directory with status 301.

Now, let’s check the /island directory.

If you don’t get any clue, dig deeper: view the source code of this web page.

I thought we would get some code or a clue for the next step, but instead I got a hint (vigilante) which could help me later. Again, I performed a directory brute-force attack against /island to see what’s available. I used the following command:


As per the scan result, we found the /2100 directory with status code 301.

Well, that is strange! Just a video and nothing else as a clue. Let's view the source code of the above web page.


This suggests to me there is a file with a .ticket extension, so I ran ffuf this time to identify this hidden file. ffuf is a fast web fuzzer that allows fuzzing of HTTP header values, POST data, and different parts of the URL, including GET parameter names and values. The command I used is:


This time the scan found /green_arrow with status 200, which is a good sign: we are right back on track.

Let's check out this web page.

This is a Base58 encoded string. Decode it with an online decoder (search Google for one) and you will get the password.

Link: https://www.browserling.com/tools/base58-decode


The decoded value is shown in the snapshot below.



As we saw earlier in our nmap scan, port 21 is open, so let’s try logging in to FTP using this password.

Enter the following command to connect to FTP:

ftp <IP>

Enter the username (the secret code you found earlier) and the password to log in.


By typing ls -al you can list the files on the FTP server. We can download those files to our machine with this command:

get <file name> (download all the files to your local machine).


Steganography

Steganography is a very complex topic with a lot of tools, and every tool has its own specific use. We need to use trial and error to find hidden content.

Here, I used the steghide tool to extract the details from the image file, but it is password protected.

steghide extract -sf <image file>


To crack the password of the image file, I used the stegcracker tool.

stegcracker <image file> /usr/share/wordlists/rockyou.txt

After cracking the password successfully, I found a .zip file. When you unzip that file as shown in the snapshot below, you will get two files: passwd.txt and shado.

Read those two files one by one with cat <file>.

This machine will literally test your patience. Again, no clue, but let’s check the other file, shado.


I just found out that the username was slade, in the other_user file.

Finally! The shado file contains a password. I can now try to SSH with the two users and this password:

ssh <username>@<machine IP>

After logging in successfully, we can easily get the user.txt flag.

But to get the root.txt flag we need to be logged in as the root user.

Privilege Escalation

Now it’s time for privilege escalation. Type sudo -l to see if we can run any command with root privileges.


Looks like we can run pkexec with root privileges. Therefore, we are going to run the /bin/sh program as root and get root access. Enter the following command:

sudo pkexec /bin/sh

We have successfully completed the room!!

This was a fun machine to root and good for beginners. Thank you for reading...


Happy Learning !!


© 2021 by CyberMetrix