Lian Yu
This is a room on the TryHackMe website at: https://tryhackme.com/room/lianyu
I started off by doing an nmap scan:
I then got the following output:
I see 4 ports open. My first idea is to open the main page.
Here, the word "arrow" was bolded, so I saved it, just in case it could mean something later on. I then ran a gobuster command, in order to enumerate the directories on the server. I ran the following command:
In the previous command, the wordlist I am using comes from this GitHub page. I then found a directory called: "is----".
I then ran gobuster again with the addition of the new directory I had found:
I then found another directory called "2---". Looking at the source of this website, I found this:
This shows that we need to find a file with a ".ticket" extension. I then ran gobuster once more, but this time, I ran it with an extension:
I then found a file with a .ticket extension.
What I had crossed out in red was a password of some sort. I then had to look at the clue on the TryHackMe Lian_Yu room. This led me to realize that the part crossed out in red was actually the ftp password in a base encoding.
I then went to CyberChef, and was able to crack the password:
This gave me the ftp password. I then had to find the username. At this point, I did get stuck, and consulted this write-up to find out what I missed. I realized that I had overlooked a word on a website. On the IP/is----/ website, I overlooked a word:
This word was in white, and I was unable to see it initially since it matched the background. I then used "vigilante" as the username, and then used the password for the ftp I got earlier. I then got into ftp:
Here I can see 4 files I need to get: The 2 PNGs, the one JPG, and the last file was the ".other user" file. I downloaded all of them using "mget *". This should download all the files to your local directory. Reading the ".other user", I came across this:
Here I can see various names, which could be potential usernames and/or passwords. One main name, "Slade", was what stuck out to me. I got stuck here once again. I then looked at the previous write-up and realized that I had to run "steghide" on the aa.jpg file. When you run steghide, you need a password to extract the data from the aa.jpg file. This is where the Leave-me-alone.png file comes into play. The header for this file is messed up, so we have to edit the header. I found the header online on Wikipedia:
I then edited the header of the file using the "hexeditor":
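The same header repair can be scripted instead of done by hand in a hex editor. This is an added example, not part of the original write-up: it assumes only the 8-byte PNG signature is damaged, confirms that by checking the IHDR chunk and its CRC, and the function names and the sample image are constructed for illustration.

```python
import struct
import sys
import zlib

PNG_SIGNATURE = bytes.fromhex("89504e470d0a1a0a")  # fixed 8-byte PNG magic number


def first_chunk_is_valid_ihdr(data):
    """True if a well-formed IHDR chunk (length 13, matching CRC) follows byte 8."""
    if len(data) < 33:  # 8 signature + 4 length + 4 type + 13 body + 4 CRC
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return False
    (stored_crc,) = struct.unpack(">I", data[29:33])
    return zlib.crc32(ctype + data[16:29]) & 0xFFFFFFFF == stored_crc


def repair_png_signature(data):
    """Return (bytes, status); only rewrite the signature when IHDR proves it is a PNG."""
    if data[:8] == PNG_SIGNATURE:
        return data, "ok"
    if first_chunk_is_valid_ihdr(data):
        return PNG_SIGNATURE + data[8:], "repaired"
    return data, "not-a-png"


def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_sample_png():
    """Constructed 1x1 greyscale PNG used as offline sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


if __name__ == "__main__":
    if len(sys.argv) > 1:  # repair a real file, writing a copy so the original is kept
        with open(sys.argv[1], "rb") as fh:
            fixed, status = repair_png_signature(fh.read())
        if status == "repaired":
            with open(sys.argv[1] + ".fixed.png", "wb") as out:
                out.write(fixed)
    else:  # demo: overwrite the signature of the constructed sample, then repair it
        fixed, status = repair_png_signature(b"\x00" * 8 + make_sample_png()[8:])
    print(status, fixed[:8].hex())
```

Writing the repaired bytes to a separate `.fixed.png` file keeps the original download intact in case the damage turns out to extend beyond the signature.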
I was then able to view the file:
This turned out to be the password for the "steghide" command. Running the following command:
Entering the password from the "Leave-me-alone.png", I then got the output file:
I then found the password for the ssh server for the user "slade". I then entered those credentials and then I got into the server:
Here my first idea was to run "ls" to list the files in my current directory. I then saw the flag in a "user.txt" file. I then had to upgrade my privileges to root. To do this I ran "sudo -l". This command lets you know what commands our user can run as the root user.
Here it can be seen that the command I can run as root is "pkexec". I then went to https://gtfobins.github.io/ in order to find out how I can use this command to get to root. I then found this webpage:
Running this command, I got to root.
Reading the root.txt file, I saw the last flag and was able to complete the box!