TryHackMe | Lian_YU Walkthrough

Prateek Parashar
4 min readMay 19, 2021

--

Introduction

TryHackMe room Lian_Yu is based on the Arrow TV show. This room involves steganography, enumeration, and Privilege escalation. You can access this room here.

Reconnaissance

Scanning the IP address with nmap

nmap -sS -sV -A <THM-ip>

As we see there are 4 ports open on the target machine (21,22,80,111) as there is port 80 open so checked out the webpage.

Scanning

Running gobuster against the target to discover web directories

gobuster dir -u <THM-IP> -w /usr/share/wordlists/Seclists/Discovery/DNS/subdomains-top1million-20000.txt

The results showed a web directory /island. Seclists GitHub linked below.

Checking /island directory

There is much useful information here so checking the source code.

Found a hint vigilante which might be helpful in later stages.

Again ran gobuster brute forcing on /island directory

gobuster dir -u <THM-IP/island> -w /usr/share/wordlists/Seclists/Discovery/DNS/subdomains-top1million-20000.txt

The results showed a directory by the name /2100. Checking the IP/island/2100 directory.

Nothing useful here so let's look at the source code.

Here is a hint that there might be a hidden directory .ticket

Running gobuster again but now with specific parameters i.e. -x to specify the file extension.

gobuster dir -u <THM-IP> -w /usr/share/wordlists/Seclists/Discovery/DNS/subdomains-top1million-20000.txt -x .ticket

this showed that there is a directory by the name of /green_arrow.ticket. This showed some random text.

This was a BASE58 encoded string. On decoding it resulted in something can potentially be used a password.

!#th3h00d

We saw that there was a FTP service on port 21. So let,s try to login using the credentials we have found.

ftp <IP> 21

username -vigilante

password- !#th3hood

looking around found some images that could have some data hidden within them.

Downloading the images to the host computer.

looking around we see that there is another user Slade

Steganography

using steghide to extract the hidden data within the image.

steghide extract -sf aa.jpg

It needs a passphrase so used the stegcracker tool Bruteforce the password

stegcracker aa.jpg /usr/share/wordlists/rockyou.txt

Successfully cracked the password

Using the password extract the hidden data and checking the files.

Looks like shado file data is a password.

As we have an ssh service also, let's try to login into that with username — slade and password — M3tahuman

And Voila!!!! we logged in successfully

Privilege Escalation

Now we need to escalate our privileges to the root user to get the final flag.

Checking what commands we can run with root privileges

sudo -l

Here we see we can run the pkexec command with root privileges . checking GTFObins for priv-esc command.

sudo psexec /bin/sh

AND finally, we have the flag.

If you found this helpful consider leaving some claps :)

--

--

Prateek Parashar

Computer Science graduate who is passionate about CyberSecurity. An IoT and Crypto enthusiast.