Lian_Yu

sumesh kumar sudarshan kumar
Jun 10, 2021

A beginner-level security challenge

This is the write-up for the room Lian_Yu on TryHackMe, and it is part of our cybersecurity training from HackerU.

First we have to connect to the VPN, or use the AttackBox on the TryHackMe site, to reach the TryHackMe lab environment.

VPN connection with THM

Task 1:

First deploy the machine; after that we will get the target system IP.

Once the machine has booted up, we move on to the other tasks.

To check how many services are running, we have to run an Nmap scan.

Nmap scan

nmap -sS -sV -A 10.10.175.187

-sS (TCP SYN scan)

-sV (Version detection)

-A (Aggressive scan options)

From the scan we can see that 3 ports are open: port 22, port 80 and port 111.

Task 2:

We have to do a little enumeration, such as looking for information on the website, since port 80 is open.

We visited the site directly but did not find any information, so we ran gobuster to check whether there is any hidden directory where we can find some information or a clue.

gobuster dir -u <URL> -w <wordlist path> -t <number of threads (max 64)>

island directory

From the above scan we found that there is an island directory, so we went to that directory.

*Note :- The target IP changed because the THM machine was closed due to its time limit. We have to check the time and add extra time if required.

Here we found a clue that might be a user name, so we took note of it. As the page read "the code word is" and we have to complete it, we searched again for any directory and found the 2100 directory using a gobuster scan.

2100 directory

Here we got the answer for our task.

Task 2

Task 3:

Having completed task 2, we move to our next task, which is to find the file name.

From gobuster, and from the source code of the page, we found that we can avail “.ticket” from here, but how? So we ran gobuster again and found green_arrow.ticket, which contained some encoded text.

base 58

Thus we got our answer for task 3.

Task 3

Task 4:

Having completed task 3, we move to our next task, which is to find the password for ftp.

As we had found a clue, we decoded its text using CyberChef (https://gchq.github.io/CyberChef/#). After converting it, we found the password for ftp.

ftp password
Task 4

Task 5:

Now that we have the ftp password, we move to our next task, which is to find the name of the file with the ssh password. For this we have to log in using ftp, search for files and do some enumeration.

Ftp login

As seen above, we were able to log in using the ftp credentials.

username :- vigilante

password :- !#th3h00d

We got 3 image files that hold some information, so we have to decode the message from the images. For this we have to use tools like stegcracker and steghide.

stegcracker

From stegcracker we got the password for the aa.jpg image file, which we will use while extracting with steghide.

steghide

We got a zip file after extracting the aa.jpg image, and after unzipping the file we got two files, passwd.txt and shado.

On opening both files we got a password for ssh, which might be for the other user we found during ftp enumeration.

ssh password

From this we got the password for ssh in the shado file, which is the answer for our task.

Task 5

Task 6:

Having completed that task, we move to the next task, which is to find the user flag. For this we log in over ssh using the credentials we got.

user :- slade

password:- M3tahuman

ssh login

We successfully logged in using the credentials and were able to find the user flag, which is the answer for our task.

Task 6

user flag :- THM{P30P7E_K33P_53CRET5__C0MPUT3R5_D0N’T}

Task 7:

Having completed that task, we move to our last task, which is to get the root flag. For this we have to get privileged user (root) access.

We checked whether this user has any sudo privilege for any application and found that pkexec has root privilege, so we searched for it in GTFOBins and found a command to get a root shell.

pkexec
gtfobins
command
Root flag

As seen above, we were able to get privileged user access and the root flag, which is the answer for our last task.

Task 7

root flag :- THM{MY_W0RD_I5_MY_B0ND_IF_I_ACC3PT_YOUR_CONTRACT_THEN_IT_WILL_BE_COMPL3TED_OR_I’LL_BE_D34D}

Thus we were able to crack the box, escalate privileges, get root access and capture both flags.
