[Write-up]: Lian_Yu Machine On TryHackMe

Hi there,
I'm here with a walk-through of the Lian_Yu machine on TryHackMe. The aim of this room is to teach you how to use gobuster, steganography and privilege escalation. The room seems easy, but some steps take a little time to solve.

Let's start with an nmap scan to establish the open ports.

Nmap Scanning

    nmap -sV -sC -T4 <your-machine-ip>

From the nmap result, there are 4 open ports: 21, 22, 80 and 111.

[Screenshot: Nmap result]

When we go to the web site, the following page welcomes us. I checked the source code and didn't find any valuable information (we can just learn that the site owner likes the Arrow series :)), then enumerated the directories of the host with gobuster.

[Screenshot: welcome page]

Gobuster Directory Scanning

    gobuster dir -u <url> -w <word_list>

[Screenshot: gobuster result]

From the gobuster result, we can see the hidden directory name (lian_yu is the tip!!!). When we go to the hidden directory and examine the source code of the page, we find a word; note it down, as it will be used in a later step.

[Screenshot: first hidden directory]

After visiting the hidden page, I tried a second directory search under the first hidden directory with gobuster.

[Screenshot: second gobuster result]

From the second gobuster result, we find the second hidden directory. When we visit the page, this YouTube video welcomes us. As usual, I checked the source code of the page. There is a comment as a tip in the source code.

[Screenshot: comment in the page source]

It gives us a file extension. Under this directory, I tried the last :) directory search with gobuster, but this time I added the extension option.

    gobuster dir -u <url> -w <word_list> -x <extension>

[Screenshot: last hidden directory]

When we visit the last hidden page, we are welcomed with a token.

[Screenshot: token]

FTP Login

I assumed the token was a password and tried it for FTP and SSH login. Unfortunately, it was not successful. I got help at this step: the token is encoded with Base58. After decoding the token, I got the password. This time I used it for FTP and SSH login with the following usernames.

  • lianyu
  • arrow
  • oliver
  • ollie
  • the word which was found in the first gobuster result. [REDACTED] - It is the correct username for FTP.
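To see what the Base58 step actually does, here is a small decoder/encoder for the common Bitcoin-style Base58 alphabet. This is an added example, not code from the room or the post; the "token" it decodes is constructed in-line and is not the room's token. The decoder rejects characters outside the alphabet (0, O, I and l are deliberately excluded from Base58), which is a quick way to tell Base58 apart from Base64 when you are guessing an encoding.

```python
# Base58 decoder/encoder (Bitcoin alphabet). Added example; the sample token
# below is constructed for this demonstration, not the room's token.
from typing import Optional

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
INDEX = {c: i for i, c in enumerate(ALPHABET)}


def b58decode(text: str) -> bytes:
    """Decode a Base58 string. Leading '1' characters map to leading zero bytes."""
    num = 0
    for ch in text:
        if ch not in INDEX:
            # 0, O, I, l (and any symbol) are not Base58: wrong encoding or alphabet.
            raise ValueError(f"invalid Base58 character: {ch!r}")
        num = num * 58 + INDEX[ch]
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def b58encode(data: bytes) -> str:
    """Encode bytes as Base58; leading zero bytes become leading '1' characters."""
    pad = len(data) - len(data.lstrip(b"\x00"))
    num = int.from_bytes(data, "big")
    out = []
    while num:
        num, rem = divmod(num, 58)
        out.append(ALPHABET[rem])
    return "1" * pad + "".join(reversed(out))


def try_decode_token(token: str) -> Optional[str]:
    """Return the decoded token as printable ASCII text, or None if it is not
    valid Base58 or does not decode to something password-like."""
    try:
        text = b58decode(token).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


if __name__ == "__main__":
    sample = b58encode(b"hello")  # constructed token; encodes to "Cn8eVZg"
    print(sample, "->", try_decode_token(sample))
```

A token that decodes to printable ASCII is worth trying as a credential; one that raises on an invalid character was never Base58 to begin with, which saves a round of guessing.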

When we connect to FTP, we see the following three images in the current directory. In addition, when we go to the parent directory, we can see directories named after usernames. Note those usernames for use in the next steps.

  • aa.jpg
  • Leave_me_alone.png
  • Queen’s_Gambit.png

[Screenshot: FTP directory listing]

Image Examination with ExifTool and Steghide

After the FTP connection, I downloaded the image files to my local machine. First, I examined all images with ExifTool. Leave_me_alone.png has a file format error; it can't be opened with an image viewer.

[Screenshot: ExifTool output for Leave_me_alone.png]

After a bit of searching, I opened Leave_me_alone.png with a hex editor and realized that the file signature (also known as the magic number or magic bytes) was not correct.

[Screenshot: wrong file signature in the hex editor]

The first 16 hex digits (8 bytes) must be 89 50 4E 47 0D 0A 1A 0A. I changed them and saved. When I opened the picture again, there was a password.
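The hex-editor fix above can be scripted, and doing so makes the check ExifTool performs explicit. The example below is added here and is not code from the post; the sample files it works on are built in-line (a minimal PNG header, then the same bytes with the signature zeroed out), not the room's images. It only rewrites the signature when the bytes that follow are laid out like a PNG (a 13-byte IHDR chunk right after the 8-byte signature), so it will not paint a PNG header onto a file that is actually something else.

```python
# PNG signature check and repair. Added example; the files below are
# constructed in-line for the demonstration, not the room's images.
import struct
import zlib

PNG_SIG = bytes.fromhex("89504E470D0A1A0A")  # the 8-byte PNG signature

# A few well-known magic numbers, to answer "what is this file really?".
MAGIC = {
    "png": PNG_SIG,
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "zip": b"PK\x03\x04",
}


def identify(data: bytes):
    """Return the format whose magic bytes start the data, or None."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def looks_like_png_body(data: bytes) -> bool:
    """A real PNG has an IHDR chunk right after the signature: a 4-byte
    big-endian length of 13 at offset 8, then the type 'IHDR' at offset 12."""
    return len(data) >= 16 and data[8:12] == b"\x00\x00\x00\x0d" and data[12:16] == b"IHDR"


def repair_png_signature(data: bytes) -> bytes:
    """Overwrite the first 8 bytes with the PNG signature, but only when the
    rest of the file is structured like a PNG; otherwise raise."""
    if identify(data) == "png":
        return data  # already fine, nothing to do
    if not looks_like_png_body(data):
        raise ValueError("data does not look like a PNG with a damaged signature")
    return PNG_SIG + data[8:]


def make_png_header(width: int, height: int) -> bytes:
    """Build a minimal PNG prefix: signature + IHDR chunk with a correct CRC
    (constructed sample; carries no image data)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    crc = struct.pack(">I", zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF)
    return PNG_SIG + struct.pack(">I", len(ihdr)) + b"IHDR" + ihdr + crc


if __name__ == "__main__":
    good = make_png_header(1, 1)
    damaged = b"\x00" * 8 + good[8:]  # constructed: signature zeroed out
    print(identify(good), identify(damaged))        # png None
    print(repair_png_signature(damaged) == good)    # True
```

On a real file you would read it with `open(path, "rb").read()`, run `identify` first, and write the repaired bytes to a new file rather than over the original so the evidence stays intact.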

[Screenshot: Leave_me_alone.png after the fix]

At this point, I used the Steghide tool on each picture and found ss.zip hidden in aa.jpg, then extracted ss.zip from it using the password found in Leave_me_alone.png. So we have two files: passwd.txt and XXXX [REDACTED]. I couldn't find the necessary information in passwd.txt. However, I tried the username which was found in the FTP connection and used the data in this file as the password for SSH login.

[Screenshot: steghide extraction]

SSH Login - [User FLAG]

When we log in with SSH, we can obtain the user flag in user.txt.

[Screenshot: SSH login and user flag]

Privilege Escalation - [Root FLAG]

First, I checked which commands can be run with sudo using the sudo -l command. (root) PASSWD: /usr/bin/pkexec can be run with root privileges. I searched for pkexec on GTFOBins for privilege escalation and found the pkexec /bin/bash command.

When we run this command, pkexec /bin/bash, we get a root shell.

[Screenshot: root shell]

Thanks for reading. Also, thanks to Daemon for the informative room!

See you in the next blog post!