Welcome to Neehack Blogs

Lian Yu TryHackMe walkthrough


Nmap results:

# Nmap 7.92 scan initiated Tue Oct 25 20:12:56 2022 as: nmap -p 1-1024 -oA nmap_basic 10.10.38.140
Nmap scan report for 10.10.38.140
Host is up (0.12s latency).
Not shown: 1020 closed tcp ports (reset)
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind

# Nmap done at Tue Oct 25 20:12:59 2022 -- 1 IP address (1 host up) scanned in 2.40 seconds

As you can see, HTTP is listening on port 80, so let's perform a directory scan using dirbuster:

http://10.10.38.140/
http://10.10.38.140/server-status

http://10.10.38.140/island => http://10.10.38.140/island/
http://10.10.38.140/island => http://10.10.38.140/island/2100/

Looking at http://10.10.38.140/island/, we can see there is an HTML “h2” tag with white color.

[Image: Lian Yu FTP username]

Hmm, /island/2100/ seems interesting as well. Viewing the page source, we see a comment recommending “.ticket”.

[Image: Lian Yu TryHackMe .ticket extension]

So let's use gobuster's -x option to scan for files with the .ticket extension.

bash$ gobuster dir -u http://thm.ip/island/2100/ -x .ticket -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

/green_arrow.ticket

Would you look at that, the “/green_arrow.ticket” file was found. Let's see what it contains.

This is just a token to get into Queen's Gambit(Ship)

RTy8yhBQdscX

Looks like an encoded value. We can decode it as Base58 using CyberChef.

Using the username we found above in the HTML “h2” tag and the Base58-decoded value above, we can authenticate to the FTP server.

[Image: Lian Yu FTP Files]

The FTP server contains the image files listed above, and since .jpg is a file type stegcracker supports, we check whether anything is hidden in the image.

bash$ stegcracker aa.jpg

The output is written to aa.jpg.out, and running file against it says it is a zip file. We can extract it with the unzip tool as below:

bash$ unzip aaa.jpg.out
Archive: aaa.jpg.out
    inflating: passwd.txt
    inflating: shado

Note: The Leave_me_alone.png file is missing its magic bytes. You can fix that too if you want, but it is not needed for this box.
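How the magic-byte identification and the header fix mentioned in the note above work, as an added example that is not part of the original walkthrough: it recognises PNG, JPEG and ZIP data by their leading signature (the kind of check file relies on) and restores a PNG signature only when a valid IHDR chunk follows it. The sample image is constructed in the code, and the function names are this example's own.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Leading signatures for the file types met in this walkthrough.
SIGNATURES = {"png": PNG_SIG, "jpeg": b"\xff\xd8\xff", "zip": b"PK\x03\x04"}


def identify(data: bytes) -> str:
    """Return the type whose magic bytes start the data, else 'unknown'."""
    for name, sig in SIGNATURES.items():
        if data.startswith(sig):
            return name
    return "unknown"


def has_valid_ihdr(data: bytes) -> bool:
    """True if a well-formed IHDR chunk sits right after the 8 signature bytes."""
    if len(data) < 33:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    (crc,) = struct.unpack(">I", data[29:33])
    # The chunk CRC covers the 4-byte type plus the 13-byte IHDR body.
    return length == 13 and ctype == b"IHDR" and zlib.crc32(data[12:29]) == crc


def repair_png(data: bytes) -> bytes:
    """Restore the PNG signature only when the IHDR chunk proves it is a PNG."""
    if identify(data) == "png":
        return data
    if not has_valid_ihdr(data):
        raise ValueError("no valid IHDR chunk at offset 8; not a damaged PNG")
    return PNG_SIG + data[8:]


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_sample_png() -> bytes:
    """Constructed 1x1 grayscale PNG used as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


if __name__ == "__main__":
    damaged = b"\x00" * 8 + make_sample_png()[8:]  # constructed: signature wiped
    print(identify(damaged), "->", identify(repair_png(damaged)))
```

To use it on a real file, read the bytes in binary mode, pass them to repair_png and write the result to a new file so the original stays untouched.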

Other than that, there are hidden files on the FTP server that are not listed above. One is .other_user, which contains:

Slade Wilson was 16 years old when he enlisted in the United States Army, having lied about his age. After serving a stint in Korea, he was later assigned to Camp Washington where he had been promoted to the rank of major. In the early 1960s, he met Captain Adeline Kane, who was tasked with training

The first thing we see is a person by the name of Slade Wilson, so we try to authenticate to SSH using it as the username, with the password we found in the shado file.

[Image: Lian Yu SSH]

Aha, would you look at that, we got user.

Running “sudo -l” tells us that we can run pkexec via sudo. With pkexec we can run /bin/sh as root.

[Image: Lian Yu TryHackMe Root]

GG.

