TryHackMe room Lian_Yu is based on the Arrow TV show. This room involves steganography, enumeration, and privilege escalation. You can access this room here.
Scanning the IP address with nmap
nmap -sS -sV -A <THM-IP>
The scan shows four open ports on the target machine (21, 22, 80, 111). Since port 80 is open, let's check out the web page.
Running gobuster against the target to discover web directories
gobuster dir -u <THM-IP> -w /usr/share/wordlists/Seclists/Discovery/DNS/subdomains-top1million-20000.txt
The results showed a web directory /island. The wordlist comes from the SecLists GitHub repository (https://github.com/danielmiessler/SecLists).
Checking /island directory
There isn't much useful information on the page itself, so check the source code.
It contains a hint, vigilante, which might be helpful in later stages.
Run gobuster again, this time against the /island directory.
gobuster dir -u <THM-IP>/island -w /usr/share/wordlists/Seclists/Discovery/DNS/subdomains-top1million-20000.txt
The results showed a directory named /2100. Checking the <THM-IP>/island/2100 directory.
Nothing useful here, so let's look at the source code.
Here is a hint that there might be a hidden file with the .ticket extension.
Run gobuster again, now with the -x parameter to specify the file extension.
gobuster dir -u <THM-IP> -w /usr/share/wordlists/Seclists/Discovery/DNS/subdomains-top1million-20000.txt -x .ticket
This revealed a file named green_arrow.ticket, which contained some random-looking text.
This was a Base58 encoded string. Decoding it gave something that could potentially be used as a password.
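To make the decoding step reproducible, here is an added example (not code from the original writeup) of a minimal Base58 codec plus a quick alphabet check that tells a Base58 candidate apart from Base64 (Base58 drops 0, O, I and l and has no +, / or = characters). The token built in the `__main__` block is constructed for illustration; the room's real ticket string is not reproduced.

```python
# Added example: minimal Base58 codec (Bitcoin alphabet) with a candidate check.
# Not part of the original writeup; the sample token below is constructed.

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
INDEX = {ch: i for i, ch in enumerate(ALPHABET)}


def looks_like_base58(s: str) -> bool:
    """True if every character is in the Base58 alphabet.

    A string containing 0, O, I, l, '+', '/' or '=' cannot be Base58;
    those are the characters that distinguish it from Base64 at a glance.
    """
    return bool(s) and all(ch in INDEX for ch in s)


def b58decode(s: str) -> bytes:
    """Decode a Base58 string to bytes (raises ValueError on bad input)."""
    if not looks_like_base58(s):
        raise ValueError("not a Base58 string")
    num = 0
    for ch in s:
        num = num * 58 + INDEX[ch]
    # Each leading '1' encodes one leading zero byte.
    pad = len(s) - len(s.lstrip("1"))
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    return b"\x00" * pad + body


def b58encode(data: bytes) -> str:
    """Encode bytes as Base58; the inverse of b58decode."""
    num = int.from_bytes(data, "big")
    digits = []
    while num:
        num, rem = divmod(num, 58)
        digits.append(ALPHABET[rem])
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + "".join(reversed(digits))


def decode_to_text(s: str) -> str:
    """Decode and return the result as UTF-8 text (raises if not valid UTF-8)."""
    return b58decode(s).decode("utf-8")


if __name__ == "__main__":
    # Constructed sample, not the room's actual ticket contents.
    sample = b58encode(b"constructed-sample-secret")
    print(sample, "->", decode_to_text(sample))
```

Run `looks_like_base58()` first on any odd string found during enumeration; if it passes but `decode_to_text()` raises, the payload is binary rather than a password-like string and needs a different look.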
We saw an FTP service on port 21, so let's try to log in using the credentials we found.
ftp <THM-IP> 21
Looking around, we found some images that could have data hidden within them.
Download the images to the host computer.
Looking around further, we see that there is another user, Slade.
Use steghide to extract the hidden data within the image.
steghide extract -sf aa.jpg
It needs a passphrase, so use the stegcracker tool to brute-force it.
stegcracker aa.jpg /usr/share/wordlists/rockyou.txt
The password was cracked successfully.
Using the password, extract the hidden data and check the files.
The contents of the shado file look like a password.
As there is also an SSH service, let's try to log in with username slade and password M3tahuman.
And voila! We logged in successfully.
Now we need to escalate our privileges to the root user to get the final flag.
Checking what commands we can run with root privileges.
Here we see that we can run the pkexec command with root privileges. Checking GTFOBins for the privilege-escalation command:
sudo pkexec /bin/sh
And finally, we have the flag.
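From the defender's side, the root cause here is a sudo grant for a shell-capable binary. The following added example (not from the original writeup) parses `sudo -l` output and flags the grants a hardening review should catch: an unrestricted `ALL`, a binary known to hand back a shell (pkexec, as on this box), and `NOPASSWD` rules. `SAMPLE` is constructed output modelled on the `sudo -l` format, not a capture from the room's machine, and the hostname `host` is a placeholder.

```python
# Added example: flag risky sudo grants from `sudo -l` output.
# Not part of the original writeup; SAMPLE is constructed, not a real capture.
import re

SAMPLE = """Matching Defaults entries for slade on host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User slade may run the following commands on host:
    (ALL : ALL) /usr/bin/pkexec
    (root) NOPASSWD: /usr/bin/systemctl status nginx
"""

# One rule line looks like: "(runas) [TAG: ...] command[, command]"
RULE_RE = re.compile(r"^\s+\(([^)]+)\)\s*((?:[A-Z]+:\s*)*)(.+)$")

# Binaries that give the caller a root shell when allowed via sudo.
# pkexec is the one this room hits; extend the set from your own policy.
SHELL_CAPABLE = frozenset({"pkexec"})


def parse_sudo_l(text: str) -> list:
    """Return the command rules from `sudo -l` output as dicts."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas, tags, cmds = m.groups()
        rules.append({
            "runas": runas.strip(),
            "tags": [t.rstrip(":") for t in tags.split()],
            "commands": [c.strip() for c in cmds.split(",")],
        })
    return rules


def review(rules, shell_capable=SHELL_CAPABLE) -> list:
    """Return one finding string per grant that needs attention."""
    findings = []
    for r in rules:
        for cmd in r["commands"]:
            base = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append(f"unrestricted: ({r['runas']}) ALL")
            elif base in shell_capable:
                findings.append(f"shell-capable binary: {cmd} as ({r['runas']})")
            if "NOPASSWD" in r["tags"]:
                findings.append(f"passwordless: {cmd} as ({r['runas']})")
    return findings


if __name__ == "__main__":
    for finding in review(parse_sudo_l(SAMPLE)):
        print(finding)
```

The fix on a real host is to remove the pkexec grant from sudoers (or restrict it to the exact arguments needed) and re-run the review until it returns no findings.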
If you found this helpful, consider leaving some claps :)