CyberTutorials.org - TryHackMe- Lian_Yu

Target the server with an nmap scan to reveal running services. Notice that ftp, ssh, and httpd are all running on standard ports. Start by viewing the web server with a browser.


Ohhh Noo, Don’t Talk……………

I wasn’t Expecting You at this Moment. I will meet you there

You should find a way to Lian_Yu as we are planed. The Code Word is:

Start by running gobuster, or an equivalent tool or script, with the “directory-list-2.3-medium.txt” word list or an equivalent list. Notice that this discovers a sub-directory called “island”.


If we run another gobuster scan from the /island/ path, we will reveal another sub-directory, “2100”.

Viewing the page source for this file reveals an HTML comment referencing a file extension named “.ticket”.

Next, running gobuster from the /island/2100/ path reveals the ticket file we have been looking for (“xxx.ticket”).


Download the “xxx.ticket” file and view its contents.


Take the token found in xxx.ticket and decode it with base58.
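Base58 is just a positional encoding, so the decode step is easy to do without an online tool. The following Python is an added example, not code from the walkthrough, that implements base58 decoding (and encoding, so the result can be checked by round-tripping). It assumes the Bitcoin base58 alphabet, which is the one most base58 tools default to and which omits the look-alike characters 0, O, I and l; the sample token is constructed by the script itself, not the room's real ticket value.

```python
"""Base58 encode/decode from scratch (added example, not from the walkthrough)."""

# Assumption: the Bitcoin base58 alphabet, which omits 0, O, I and l.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
INDEX = {ch: i for i, ch in enumerate(ALPHABET)}


def b58decode(token: str) -> bytes:
    """Decode a base58 string to bytes. Leading '1's become leading zero bytes."""
    n = 0
    for ch in token:
        if ch not in INDEX:
            raise ValueError(f"not a base58 character: {ch!r}")
        n = n * 58 + INDEX[ch]
    # Each leading '1' (digit value 0) stands for one 0x00 byte that the big
    # integer above cannot carry, so count and restore them separately.
    pad = len(token) - len(token.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body


def b58encode(data: bytes) -> str:
    """Encode bytes as base58 (inverse of b58decode)."""
    n = int.from_bytes(data, "big")
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = ALPHABET[r] + digits
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + digits


def decode_token_text(token: str) -> str:
    """Decode a base58 token and return it as UTF-8 text (the ticket case)."""
    return b58decode(token.strip()).decode("utf-8")


if __name__ == "__main__":
    # Constructed sample token: NOT the room's real ticket value.
    sample = b58encode(b"constructed-code-word")
    print("token:  ", sample)
    print("decoded:", decode_token_text(sample))
```

A quick sanity check when a token refuses to decode: base58 never contains 0, O, I or l, so a string with any of those is either a different encoding (base64 and hex both use 0) or has been copied badly.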


Once you have the decoded result from the xxx.ticket, use its contents to log onto the ftp server using the username collected earlier, “vigilante”.


After reviewing the file list and hidden directories, we see that there is an “aa.jpg” file. Knowing that steghide can be used to embed data inside a jpg file (steganography), we will GET that file.


Let's use “stegseek”, which claims to be the fastest steghide password cracker (rockyou.txt in 2 seconds).

wget https://github.com/RickdeJager/stegseek/releases/download/v0.6/stegseek_0.6-1.deb
sudo apt install ./stegseek_0.6-1.deb

Notice that the extraction has finished and that stegseek reports the embedded file as ss.zip, written to an .out output file. Unzip that .out file and review the contents.


Check the FTP server again for another username.


Using the password discovered in the file “shado”, which was extracted with stegseek, you will log in to ssh as the user “slade”.

You will find the user.txt FLAG after login.


A review of slade’s sudo permissions (sudo -l) reveals that this user can execute pkexec as the root user.

pkexec allows an authorized user to execute PROGRAM as another user. If PROGRAM is not specified, the default shell will be run. If username is not specified, then the program will be executed as the administrative super user, root.

ArchLinux.com
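The sudo -l finding above is exactly the kind of rule a defender wants to catch in configuration review before it is found on a box. The Python below is an added example, not part of this walkthrough, that audits a sudoers-style configuration and flags rules letting a user run pkexec (the program this room shows handing out a root shell) or ALL commands as root. It assumes a simplified sudoers grammar (one user specification per line, no User_Alias/Cmnd_Alias, no #include directives) and runs over a constructed sample configuration, not the room's real /etc/sudoers.

```python
"""Audit sudoers user specifications for root-level rules that hand out a
shell (added example; simplified sudoers grammar, constructed sample data)."""
import os
import re

# Assumption: one user specification per line, no User_Alias/Cmnd_Alias,
# no #include directives. Real sudoers files may need the full grammar.
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:(?:NO)?PASSWD:\s*|(?:NO)?EXEC:\s*)*)"
    r"(?P<cmds>.+)$"
)

# pkexec is the program this walkthrough shows yielding a root shell under sudo.
SHELL_GRANTING = {"pkexec"}


def parse_spec(line: str):
    """Parse 'user host=(runas) [TAG:] cmd, cmd' into a dict, or None."""
    m = SPEC_RE.match(line)
    if not m:
        return None
    # sudo semantics: an omitted (runas) list means the runas_default, root.
    runas = m.group("runas") or "root"
    # Only the user part before ':' matters here; "(:group)" alone means the
    # command runs as the invoking user, so it yields an empty runas list.
    runas_users = [u.strip() for u in runas.split(":")[0].split(",") if u.strip()]
    return {
        "user": m.group("user"),
        "host": m.group("host"),
        "runas": runas_users,
        "nopasswd": "NOPASSWD:" in m.group("tags"),
        "cmds": [c.strip() for c in m.group("cmds").split(",")],
    }


def is_risky(spec) -> bool:
    """True if the rule lets the user run ALL commands, or a shell-granting
    program, as root (or as any user via ALL)."""
    if not any(u in ("root", "ALL") for u in spec["runas"]):
        return False
    for cmd in spec["cmds"]:
        if not cmd:
            continue
        prog = cmd.split()[0]
        if prog.startswith("!"):        # negated command: a denial, not a grant
            continue
        if prog == "ALL" or os.path.basename(prog) in SHELL_GRANTING:
            return True
    return False


def audit_sudoers(text: str) -> list:
    """Return one finding per risky specification in a sudoers-style text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # drop comments
        if not line or line.startswith("Defaults"):
            continue
        spec = parse_spec(line)
        if spec and is_risky(spec):
            findings.append({"line": lineno, "user": spec["user"],
                             "cmds": spec["cmds"], "nopasswd": spec["nopasswd"]})
    return findings


# Constructed sample configuration; not the machine's real /etc/sudoers.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(root) NOPASSWD: /usr/bin/pkexec
backup  ALL=(root) /usr/bin/rsync
www     ALL=(www-data) /usr/bin/pkexec
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        pw = " without a password" if f["nopasswd"] else ""
        print(f"line {f['line']}: {f['user']} may run {f['cmds']} as root{pw}")
```

The backup and www rules are deliberately left unflagged: rsync is not in the shell-granting set, and pkexec run as www-data rather than root is a different risk class. The fix for a flagged rule is the usual one: remove the grant or restrict the user to the specific, argument-locked command they actually need.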

Get a root shell.


Once you have a root shell, find the FLAG under the root user directory.

Jesse Shelley