# Lian-Yu

![](/files/-MbNTLCaeo_g3J3Pg3kb)

## Reconnaissance

Initial nmap scan to find open ports, using the flag "treat all hosts as alive" (**-Pn**):

```
nmap -Pn 10.10.26.138
```

![](/files/-MbNUl5bGwLAI5Cu6GGh)

Detailed Nmap scan:

Command breakdown:

* (**-sV**): Service version
* (**-sC**): Default nmap scripts
* (**-p**): Specifying ports 21,22,80,111
* (**-oN nmap**): Saving the output into a file called nmap

```
nmap -sV -sC -p 21,22,80,111 -oN nmap 10.10.26.138
```

![](/files/-MbNV0cEi2J7jWg32rOu)

## Enumeration

### Port 80: HTTP

Let's visit the website.

![](/files/-MbNVVRYhxEctjYr6qC4)

It's an introduction to the series `The Arrow` (I personally recommend you watch it, it's really good). Nothing of interest, but we do have possible usernames, so let's add them to our notes.

![](/files/-MbNWCczRWmrI7jYnjZP)

Now let's run gobuster to find hidden directories or files on the web server. I tried a few wordlists, but nothing showed up except with this one (`directory-list-2.3-small.txt`).

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://10.10.26.138/
```

![](/files/-MbNYHfx0xgM5-Y9ei2I)

Let's visit this page.

![](/files/-MbNYNZGGQvD-eIBIVL8)

We don't see the code word they talk about, so let's go to the page source and see if it is there.

![](/files/-MbNY_iKPlg0GV8VR06V)

We found something interesting. It looks like a username, so let's add it to our possible usernames list.

![](/files/-MbNeOOnIQSVD8mK8KIv)

Let's now run gobuster on the directory we found.

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.26.138/island
```

![](/files/-MbNZlycn2Un83UrdO6X)

We found a directory (also the answer to the third question), so let's go explore it.

![](/files/-MbNcfWRyOUTT7dWDKr1)

![](/files/-MbNZtn2m00bgXPhqNHs)

It's a page with a video that does not load, so let's look at the source code.

![](/files/-MbN_-96N2k9ZGGTEBep)

It says you can avail your `.ticket`, which looks like an extension, so why don't we use gobuster to find files with the extension `.ticket`?

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.26.138/island/2100 -x php,html,.ticket
```

![](/files/-MbNdPvZvalzXfeYQCqH)

We found a file called `green_arrow.ticket` which is the answer to the third question.

![](/files/-MbNcj9H72ROenfnfBL2)

Let's go visit this page.

![](/files/-MbNcqViDplRyyVMMU7a)

Looks like some sort of code, so let's crack it using Crackstation.

![](/files/-MbNdgsoomsR3cNTRtV1)

`!#th3h00d`: this might be the password for FTP on this machine, so let's go check it out. This is also the answer to the fourth question.

![](/files/-MbNdzAwlVyrsIreCP-X)

### Port 21: FTP

We found the username `vigilante` a few steps back, so let's try to log in with these credentials.

`Username: vigilante`

`Password: !#th3h00d`

```
ftp 10.10.26.138
```

![](/files/-MbNebQzA__8FTVLlaeT)

Let's list the files on the FTP server.

![](/files/-MbNf06Sobmh-DZaUdeN)

It looks like we have 3 files, so let's transfer them all to our machine using the command `get`:

```
get <file-name>
```

![](/files/-MbNfGwDu0400dOIn1_1)

We can also see another file called `.other_file`

![](/files/-MbNl8hZdBr4D3VpmJmZ)

Let's transfer this file too.

```
get .other_file
```

![](/files/-MbNlI5GdRS0CRM2CjhM)

Let's read the file.

```
cat .other_file
```

![](/files/-MbNm0F9ePdE58URGLSY)

From this file, we can say that `slade` can be another username.

Let's also try to view the image files. For some reason we cannot open the file `Leave_me_alone.png`. It may have some errors, so let's look at the hexdump to check. We can use the command `xxd` for this task.

```
xxd Leave_me_alone.png > hexdump
```

Let's read the file.

![](/files/-MbNgfcZlQ4Jd-AvJzdP)

Looking at the first line, we can see some errors, as the first 16 hex characters (8 bytes) of a PNG file should be: 89 50 4E 47 0D 0A 1A 0A. So let's change that. To change these bytes, we can use the tool `hexeditor`.

```
hexeditor Leave_me_alone.png
```

![](/files/-MbNhgbRwLdnzzWqryCa)

Now let's change it.

![](/files/-MbNiH7k0UGi91x8GoZ-)

Now save it with `(Ctrl + x)`. We can now see the image.

![](/files/-MbNi_u3tsS5_MbujFkf)

It looks like we found a password which is `password`

Let's now explore the other files. We can use steghide to extract data hidden inside files.

```
steghide --extract -sf aa.jpg 
```

![](/files/-MbNjA8Hg3uRVMFQosKS)

It asks for a password, and we found a password which is `password`. We now have a zip file called `ss.zip`. Let's unzip it and check what it contains.

```
unzip ss.zip
```

![](/files/-MbNjkbW69moKJmcGDcY)

Looks like we have two new files called `passwd.txt` and `shado`. Let's read them.

```
cat passwd.txt
```

![](/files/-MbNk-j2QamSUcF_Kz6e)

Nothing of interest. Let's read the other file.

```
cat shado
```

![](/files/-MbNkHWeU-tV27cJcLbM)

This looks like the password for SSH. Let's log in with the username `slade` that we found a while back and the password `M3tahuman` we just found.

```
ssh slade@10.10.26.138
```

![](/files/-MbNmYL0ODzeOZLpEA9I)

And we are logged in! We can go get the user flag.

![](/files/-MbNmedSW4M_in8CCvFt)

Now we can answer questions 5 and 6

![](/files/-MbNmrUpJs2lf1C6RrOZ)

## Privilege Escalation

Let's run `sudo -l` to see what we can run as other users.

```
sudo -l
```

![](/files/-MbNn8k9pDOJoVnw9u3J)

We can run `/usr/bin/pkexec` as root, so let's go to [GTFOBins](https://gtfobins.github.io/gtfobins/pkexec/#sudo) to find the command to escalate privileges to root. The command they use is:

```
sudo pkexec /bin/sh
```

![](/files/-MbNnThiUdc-JTu_fGn8)

We are now root. We can go to the `/root` directory and read the `root.txt` file, which is the answer to the last question of this room.
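
From the defender's side, the finding here is a sudoers rule that grants root through a program launcher. As an added example (not part of the original writeup), this script reviews `sudo -l` output for such rules; the binary list, the sample output and the function name are assumptions made for the example.

```python
import os
import re

# Illustrative subset of binaries that can start an arbitrary program when run
# through sudo. Only pkexec comes from this page; the rest are assumptions
# chosen for the example. Maintain the real list from your own review.
COMMAND_RUNNERS = {"pkexec", "env", "find", "vim", "bash", "sh", "python3"}

RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def audit_sudo_l(output):
    """Return findings for rules in `sudo -l` output that amount to full root."""
    findings = []
    for line in output.splitlines():
        m = RULE.match(line)
        if not m:
            continue                      # header or Defaults line
        runas_user = m["runas"].split(":")[0].strip()
        if runas_user not in ("root", "ALL"):
            continue
        for cmd in (c.strip() for c in m["cmds"].split(",") if c.strip()):
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                reason = "unrestricted rule"
            elif binary in COMMAND_RUNNERS:
                reason = f"{binary} can launch arbitrary programs"
            else:
                continue
            findings.append({
                "command": cmd,
                "runas": runas_user,
                "nopasswd": "NOPASSWD:" in m["tags"],
                "reason": reason,
            })
    return findings

# Constructed sample output; the host name and the second rule are made up.
SAMPLE = """\
User slade may run the following commands on host:
    (root) PASSWD: /usr/bin/pkexec
    (root) NOPASSWD: /sbin/reboot
"""

if __name__ == "__main__":
    for finding in audit_sudo_l(SAMPLE):
        print(finding)
```

Any rule this flags should be replaced with a rule for the specific task the user needs, since a launcher run as root is equivalent to granting `ALL`.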

