THM Writeup: Lian Yu CTF

THM Writeup: Lian Yu CTF

Setup your VPN to tryhackme VPN and startup the target machine and let’s get started.
Scanned the target IP with Nmap and found 4 open ports.

Now that we have found port 80 open we know that there is a web server running.

Now to scan for any directories on the webserver. I used gobuster with the wordlist of common.txt (Dirb default wordlist).

I couldn’t find much useful info. So I used another wordlist (dirbuster directory-list-2.3-medium.txt).

So I opened the directory found this.

I viewed the source code and found that something is hidden in white text. Looks like some sought of username.

Meanwhile, I continued the gobuster scan against the /island directory.

and found another directory of a 4 digit number. Here’s how it looked.

Don’t forget to view the source code

If we take a look at the hints of flag 3 you’ll need a 6 digit extension.

Now to brute force with gobuster by specifying the extension type in our case the extension called .ticket

Found it !!!

If you take a look at the hints for challenge #4 then you’ll find this.

CyberChef is a web app for encryption, encoding, compression, and used to do data analysis.

The piece of text we found earlier “RTy8yhBQdscX” was a base58 encoded string. So I decoded it and found the solution for challenge #4.

I successfully logged in to the target server with the credentials I found.

Found 3 image files and some other interesting files as well. So let’s download them to our local machine to do further analysis.

I went through each file one after another to find any interesting things. I tried to go through .other_user with the intention of finding another user in addition to the FTP username I found earlier. So I cat out of the .other_user file and I found the story of Slade Wilson it might be a username so I ignored it for the time being.

Then I found that there was an error when trying to open the Leave_me_alone.png image file.

So I tried to search for the file type of Leave_me_alone.png. I can easily use the “file” command for this purpose.

Looks like the png image file is a data file, Which means that this file contains encoded/unprintable characters. I also tried to get what is the file signature of this file aka the file magic number. To find the magic number of a file I simply used “xxd” command to get the hex dump of the file and piped it to the “head” command to view only the top portion of the output.

I found out that the magic number of the current file is not matching to the magic number of a normal png file which looks like this.

(Got from https://en.wikipedia.org/wiki/List_of_file_signatures)

I use the default kali hex-editor CLI tool to edit the hex values of the corrupted png file
hex-editor Leave_me_alone.png .

when I looked at the file type and now it shows the correct file type.

Perfect… Now l to view the png file and I got this

Steghide is a tool used to embed or extract hidden data to/from an image. When I tried to extract data from aa.jpg it prompted for a password entry so I ignore it for the moment. But now hopefully I found the password from the Leave_me_alone.png image I can extract the data from the aa.jpg image and I Manged to extract a zip file there were 2 files.

I found the ssh password

Now that I was having 2 usernames and 1 password it’s time to test them out by logging into the system with ssh. Hopefully, one username worked.

Now to find the user flag

Awesome user flag Found !!!
I also found a file called. Important and I read it.

It says something about a file called Secret_Mission. So let’s find it. I navigated to the root directory and used the “locate” command to search for any file named Secret_Mission.

“superpowers do you need just go find it” Surprisingly reminded me of “sudo” command.

This says that user slade can execute /usr/bin/pkexec program with root privileges without entering the root password. I read the man page of pkexec program (man /usr/bin/pkexec).

This program helps to execute commands as another user in our case root user. So let’s do it. I executed the program as the root user and then entered the command for the pkexec program to execute in my case I wanted to run /bin/bash as root which gives me a shell with root privileges.

Got the root flag finally …

If you like this post please share it with your fellow hackermates and if you have any questions & suggestions please feel free to post them down in the comments. I’d love to hear and learn from you.

Notify of
Inline Feedbacks
View all comments