TryHackMe : Lian_yu walkthrough

A write up covering steps taken to solve a beginner level security challenge : lianyu room in TryHackMe platform.

This blog is written as part of task of Masters Certification in Red Team Program from HackerU.

Step 1 : Connect to TryHackMe and start target machine

  1. Connect to TryHackMe by entering command :

sudo openvpn /pathtoOVPNfile.ovpn

2. Start machine in ‘lianyu’ room — target ip address will be displayed in a minute.

Step 2 : Information gathering using Nmap and gobuster

  1. Start nmap scan of the target ip:

nmap -A -O <target ip>

nmap result

Open ports:

21 — ftp vsftpd 3.0.2

22 — ssh

80 — http apache

111 — rpcbind 2–4

2. Accessing open ports:

port 80

3. Using gobuster for directory traversal:

gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

4. Navigating to found directory /island and viewing the source code:

5. Navigating further through gobuster :

gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

6. Navigating to new folder found: Found information on .<foldername> hidden folder

7. Using gobuster with -x flag to find the hidden folder:

gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .<dirnameFromabove>

8. Navigating to the above hidden folder and hint is found: which upon searching on google needs to be decoded with base 58

9. Now logging in with initial username found to ftp service:

Try to login with ftp with vigilante username and base 58 decoded password:

ftp <targetip>

ftp login successful

10. Transferring files found from ftp to local:

Also navigating to different folder found other user’s name: It will be useful while logging in through ssh service

11. Using Stegcrack on all transfered files to bruteforce and find password for steghide:

stegcracker <filename>.jpg /usr/share/wordlists/rockyou.txt

12. Using steghide to find the hidden files:

steghide — extract -sf <filename>.jpg

13. Unzip the files to find the password in shado file for ssh login:

14. Login with other user found through ftp login:

ssh <username>@<target ip>

ssh login successful

15. After looking around, found ‘user.txt’ file:


16. Checking for privilege escalation:

sudo -l

17. Searching through gtfobins and found below command:

sudo pkexec /bin/sh

18. Found root.txt


With these steps, I was able to answer all the questions posted in lainyu room on TryHackMe.




Software Tester

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

My Reading List for Developers and Startuppers

Q1 2020: Success During Hard Times

Chiptuning | Tuning Files

Flutter and Audio-QR implementation

Rebuilding the BBC moderation platform

Class and Objects in Java with Real-time examples

NumFOCUS Earns Gold Recognition from GuideStar

Kids coding languages

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Software Tester

More from Medium

Execution Engine in JVM

String MatchingUsing KMP Algorithm

Chilli Pickle

TryToHackMe — Simple CTF