Lian_Yu
November 29, 2022
Last updated: November 29, 2022
For enumeration, I found these open ports of interest:
Next, I used gobuster to look for directories.
gobuster dir -u http://<ip>/ -w /usr/share/dirb/wordlists/big.txt
This gives us the directory /island.
The webpage hides the codeword by rendering it in the same colour as the background, so it is invisible in the browser but still present in the HTML: select all the text on the page or view the page source to read it.
We now have a codeword, but we should keep enumerating directories before trying it anywhere.
Running gobuster against /island gives us another directory, though I had to switch to a larger wordlist to find it.
gobuster dir -u http://<ip>/island -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
This gives us the directory /2100. The page embeds a broken YouTube link, but it also carries an important note (check the page source as well as the rendered page).
The note on /2100 mentions a .ticket extension. This led me to believe there was another file with that extension that could be enumerated, so I reran gobuster with -x to append .ticket to every wordlist entry.
gobuster dir -u http://<ip>/island/2100 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .ticket
The gobuster command found this page: http://<ip>/island/2100/green_arrow.ticket
Its contents look like an encoded string. I tried it as a password and it was rejected; after using the THM hint I put it into CyberChef to unmask it. It needed a Base58 decoder, which was certainly new for me, and decoded to the password "!#th3h00d".
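Base58 is easy to mistake for Base64 at a glance. As an added example (not part of the original writeup, and not a reproduction of the ticket's real contents), here is a minimal Base58 decoder plus a triage check that tells the two apart before you reach for CyberChef: Base58 omits 0, O, I and l and never contains +, / or =. The SAMPLE string is constructed by encoding the password the writeup recovered, so it is an assumption about input shape, not the actual ticket.

```python
# Added example (not from the original writeup): a minimal Base58 decoder, plus
# a check that tells Base58 text apart from Base64 before you reach for CyberChef.
# The ticket's real contents are not reproduced here; SAMPLE is constructed from
# the decoded password the writeup reports.

# Bitcoin-style Base58 alphabet: no 0, O, I or l, and no '+', '/' or '='.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_INDEX = {c: i for i, c in enumerate(B58_ALPHABET)}


def looks_like_base58(text: str) -> bool:
    """True if every character is in the Base58 alphabet.

    Base64 output almost always contains one of '+', '/', '=', '0', 'O', 'I' or
    'l', none of which are valid Base58, so this is a cheap first triage step.
    """
    text = text.strip()
    return bool(text) and all(c in B58_INDEX for c in text)


def b58decode(text: str) -> bytes:
    """Decode Base58 text to bytes (leading '1's map to leading zero bytes)."""
    text = text.strip()
    n = 0
    for c in text:
        if c not in B58_INDEX:
            raise ValueError(f"invalid Base58 character {c!r}")
        n = n * 58 + B58_INDEX[c]
    # Number of leading '1' characters == number of leading 0x00 bytes.
    pad = len(text) - len(text.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body


def b58encode(data: bytes) -> str:
    """Inverse of b58decode; used here only to build the constructed sample."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


# Constructed sample: the Base58 encoding of the password the writeup recovered.
SAMPLE = b58encode(b"!#th3h00d")


def decode_ticket(text: str) -> str:
    """Triage and decode a blob like the one found in a .ticket file."""
    if not looks_like_base58(text):
        raise ValueError("not Base58 (contains characters outside the alphabet)")
    return b58decode(text).decode("utf-8", errors="replace")


if __name__ == "__main__":
    print(SAMPLE, "->", decode_ticket(SAMPLE))
```

Run it on the string from the ticket: if looks_like_base58 returns False, the blob is some other encoding and Base58 is not the answer.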
Now that we have a password, we can try it together with the codeword as the username against SSH or FTP.
The codeword and this first password get us into FTP.
While looking through FTP we find some images and other files. You can also list the parent directory with
ls ..
to see the name of our other user, "slade". Next, use
get
to transfer the files and pictures from FTP to the attacking machine.
I ran
steghide --info aa.jpg
and it prompted for a passphrase.
I got stuck here for a bit and had to research how to beat this steg challenge. I found something about magic numbers (the fixed byte sequence at the start of a file that identifies its format; a PNG always begins with 89 50 4E 47 0D 0A 1A 0A), and this was a great deal of help.
It explained how to tell whether an image had been altered and how to repair it. First I ran
xxd Leave_me_alone.png
since it was the only image that would not open. This showed that its magic numbers did not match those of a standard .png file.
With that information, I used
hexeditor Leave_me_alone.png
to correct the first line of bytes. Once repaired, the image opened and displayed a password.
Finally, I used this password with
steghide extract -sf aa.jpg
(steghide prompts for the passphrase; -p <passphrase> supplies it non-interactively) and unzipped the extracted file to find a file name and a password for slade.
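The xxd and hexeditor steps above can be scripted. As an added example (not part of the original writeup), the code below checks a file's leading bytes against the signature its extension promises, reports exactly which offsets differ, and rewrites a damaged PNG signature. It generalises slightly beyond the writeup by also knowing the JPEG and GIF signatures. The TAMPERED bytes are constructed for illustration and are not the real contents of Leave_me_alone.png; fix_file and its path argument are hypothetical helpers for use on disk.

```python
# Added example (not from the original writeup): check a file's magic bytes
# against what its extension promises, report the differing offsets, and
# patch a damaged PNG signature the way the hexeditor step did by hand.
# The bytes in the sample below are constructed; they are not the real
# Leave_me_alone.png contents.

PNG_SIG = b"\x89PNG\r\n\x1a\n"          # 89 50 4E 47 0D 0A 1A 0A
MAGICS = {
    "png": PNG_SIG,
    "jpg": b"\xff\xd8\xff",              # JPEG start-of-image marker
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",                      # GIF87a / GIF89a
}


def check_magic(data: bytes, ext: str) -> list:
    """Return [(offset, found, expected)] for every signature byte that is wrong.

    An empty list means the header matches the format implied by `ext`.
    `found` is None when the file is too short to hold that byte.
    """
    expected = MAGICS[ext.lower().lstrip(".")]
    head = data[: len(expected)]
    return [
        (i, head[i] if i < len(head) else None, expected[i])
        for i in range(len(expected))
        if i >= len(head) or head[i] != expected[i]
    ]


def repair_magic(data: bytes, ext: str) -> bytes:
    """Overwrite the leading signature bytes with the correct ones."""
    expected = MAGICS[ext.lower().lstrip(".")]
    if len(data) < len(expected):
        raise ValueError("file too short to hold a signature")
    return expected + data[len(expected):]


def hexdump_head(data: bytes, n: int = 16) -> str:
    """First n bytes as space-separated hex, for comparing with xxd output."""
    return " ".join(f"{b:02x}" for b in data[:n])


# Constructed sample: a PNG whose first 8 bytes were tampered with (here the
# 0x89 byte and the 'G' of 'PNG' are wrong), followed by the start of an IHDR chunk.
TAMPERED = b"\x00PNH\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17


def fix_file(path: str) -> list:
    """Hypothetical on-disk helper: patch a PNG in place, return what was wrong."""
    with open(path, "rb") as f:
        data = f.read()
    bad = check_magic(data, "png")
    if bad:
        with open(path, "wb") as f:
            f.write(repair_magic(data, "png"))
    return bad


if __name__ == "__main__":
    print("before:", hexdump_head(TAMPERED, 8))
    for off, got, want in check_magic(TAMPERED, "png"):
        print(f"offset {off}: found {got:#04x}, expected {want:#04x}")
    fixed = repair_magic(TAMPERED, "png")
    print("after: ", hexdump_head(fixed, 8))
```

Only the signature is rewritten; if the file still fails to open afterwards, the damage extends past the first 8 bytes (for a PNG, check the IHDR chunk that immediately follows) and a signature fix alone will not be enough.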
Use slade's credentials with SSH and read user.txt.
This was a simple privilege escalation. I ran
sudo -l
to see what the user may run as root, looked up the entry on GTFOBins, and used
sudo pkexec /bin/sh
to get a root shell.
Important note: use
ls -a
to see the hidden file .other_user.