TryHackMe : Lian_yu walkthrough

A write-up covering the steps taken to solve a beginner-level security challenge: the lianyu room on the TryHackMe platform.

This blog is written as part of a task for the Masters Certification in Red Team Program from HackerU.

Step 1 : Connect to TryHackMe and start target machine

  1. Connect to TryHackMe by entering the command:

sudo openvpn /pathtoOVPNfile.ovpn

2. Start the machine in the ‘lianyu’ room; the target IP address will be displayed in a minute.

Step 2 : Information gathering using Nmap and gobuster

  1. Start an nmap scan of the target IP:

nmap -A -O <target ip>

nmap result

Open ports:

21 — ftp vsftpd 3.0.2

22 — ssh

80 — http apache

111 — rpcbind 2-4

2. Accessing open ports:

port 80

3. Using gobuster for directory enumeration:

gobuster dir -u http://10.10.97.179/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

4. Navigating to the found directory /island and viewing the source code:

5. Enumerating further with gobuster:

gobuster dir -u http://10.10.97.179/island/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

6. Navigating to the newly found folder: found information on the .<foldername> hidden folder

7. Using gobuster with the -x flag (which appends the given extension to each wordlist entry) to find the hidden folder:

gobuster dir -u http://10.10.97.179/island/2100/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .<dirnameFromabove>

8. Navigating to the above hidden folder, a hint is found which, upon searching on Google, needs to be decoded with Base58.

9. Now logging in to the FTP service with the initial username found:

Try to log in over FTP with the vigilante username and the Base58-decoded password:

ftp <targetip>

ftp login successful

10. Transferring the files found over FTP to the local machine:

Also, navigating to a different folder revealed another user’s name. It will be useful when logging in through the SSH service.

11. Using stegcracker on all transferred files to brute-force the steghide password:

stegcracker <filename>.jpg /usr/share/wordlists/rockyou.txt

12. Using steghide to find the hidden files:

steghide --extract -sf <filename>.jpg

13. Unzip the files to find the password for SSH login in the shado file:

14. Log in as the other user found through the FTP login:

ssh <username>@<target ip>

ssh login successful

15. After looking around, found the ‘user.txt’ file:

user.txt

16. Checking for privilege escalation:

sudo -l

17. Searching through GTFOBins, found the command below:

sudo pkexec /bin/sh

18. Found root.txt

root.txt

With these steps, I was able to answer all the questions posted in the lianyu room on TryHackMe.

HinaK

Software Tester
