This post is a walkthrough of the Lian_Yu machine on TryHackMe. The room teaches directory enumeration with gobuster, basic steganography and privilege escalation. It is rated easy, but a few of the steps take some time to work out.
Let's start with an nmap scan to find the open ports (-sV for service/version detection, -sC for the default script set, -T4 for faster timing).
nmap -sV -sC -T4 <your-machine-ip>
The nmap result shows four open ports: 21 (FTP), 22 (SSH), 80 (HTTP) and 111 (rpcbind).
Visiting the web site on port 80, the following page welcomes us. I checked the source code and found nothing useful, apart from learning that the site owner likes the Arrow series. :) I then enumerated the directories of the host with gobuster.
gobuster dir -u <url> -w <word_list>
The gobuster result reveals a hidden directory (the room name, lian_yu, is the hint!!!). Opening the hidden directory and examining the page source, we find a word; note it down, as it is used in a later step.
After visiting the hidden page, I ran a second directory search with gobuster, this time under the first hidden directory.
The second gobuster result gives a second hidden directory. Visiting it, we are welcomed by this YouTube video. As usual, I checked the page source, and there is a comment that serves as a hint.
The comment gives us a file extension. Under this directory I ran the last :) gobuster search, this time adding that extension with -x, so that gobuster also requests each wordlist entry with the extension appended.
gobuster dir -u <url> -w <word_list> -x <extension>
The last hidden page welcomes us with a token.
I assumed the token was a password and tried it for FTP and SSH login, without success. I needed help at this step: the token is Base58 encoded. Decoding it gave the password, which I then tried for FTP and SSH with the following usernames.
- the word found in the first gobuster result ([REDACTED]), which turns out to be the FTP username.
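As an added example (not code from the original post): a small Base58 decoder in Python, with a constructed sample token standing in for the redacted one. It also includes the quick check that tells Base58 apart from Base64, which would have saved the blind FTP/SSH guessing above: Base58's alphabet has no 0, O, I, l, +, / or =.

```python
# Added example, not part of the original walkthrough: decode a Base58 token
# of the kind found on the last hidden page. The real token is redacted on the
# page, so SAMPLE_TOKEN below is a constructed value (Base58 of b"hello").

# Bitcoin-style Base58 alphabet: digits and letters minus the look-alikes 0, O, I, l.
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_INDEX = {c: i for i, c in enumerate(BASE58_ALPHABET)}


def looks_like_base58(token: str) -> bool:
    """True if every character is in the Base58 alphabet.

    A '0', 'O', 'I', 'l', '+', '/' or '=' anywhere rules Base58 out (and the
    last three point at Base64 instead), which is worth checking before
    spending time on password guessing.
    """
    return bool(token) and all(c in _INDEX for c in token)


def base58_decode(token: str) -> bytes:
    """Decode a Base58 string into raw bytes, big-endian, leading '1's as zero bytes."""
    value = 0
    for ch in token:
        if ch not in _INDEX:
            raise ValueError(f"not a Base58 character: {ch!r}")
        value = value * 58 + _INDEX[ch]
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    # Each leading '1' encodes one leading zero byte that the integer conversion drops.
    leading_zeros = len(token) - len(token.lstrip("1"))
    return b"\x00" * leading_zeros + body


def base58_encode(data: bytes) -> str:
    """Inverse of base58_decode, used here to round-trip test the decoder."""
    value = int.from_bytes(data, "big")
    out = []
    while value:
        value, rem = divmod(value, 58)
        out.append(BASE58_ALPHABET[rem])
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + "".join(reversed(out))


SAMPLE_TOKEN = "Cn8eVZg"  # constructed stand-in for the redacted token


if __name__ == "__main__":
    import sys

    token = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_TOKEN
    if not looks_like_base58(token):
        sys.exit("token contains characters outside the Base58 alphabet")
    decoded = base58_decode(token)
    # A password decodes to text; anything else is a hint that the guess of Base58 is wrong.
    print(decoded.decode("utf-8", errors="replace"))
```

Run it as `python3 b58.py '<token>'`; if the output is not printable text, the token is probably not Base58 after all, and the alphabet check is the first thing to revisit.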
Once connected over FTP, we see the following three images in the current directory. Moving one directory up, we also see directories named after users; note these usernames for the next steps.
After connecting over FTP, I downloaded the image files to my machine. First I examined all of them with ExifTool: Leave_me_alone.png reports a file format error and cannot be opened with an image viewer.
After some searching, I opened Leave_me_alone.png in a hex editor and saw that the file signature (also known as the magic number or magic bytes) was wrong.
The first 8 bytes of a PNG must be 89 50 4E 47 0D 0A 1A 0A. I changed them and saved the file; opening the picture again, it showed a password.
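As an added example (not code from the original post): a Python script that does the hex-editor step above programmatically. It checks the 8-byte PNG signature, only overwrites it when the rest of the header still looks like a PNG (the IHDR chunk name at offset 12), and reads the width and height from IHDR afterwards as a sanity check. The damaged file is not on the page, so the script builds its own minimal 1x1 PNG as constructed test data.

```python
# Added example, not part of the original walkthrough: detect and repair a
# corrupted PNG file signature. The sample PNG below is constructed test data.
import struct
import sys
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"  # 89 50 4E 47 0D 0A 1A 0A


def png_signature_status(data: bytes) -> str:
    """Return 'ok', 'bad-signature' or 'not-png'.

    'bad-signature': the first 8 bytes are wrong but the IHDR chunk name sits
    at offset 12 where a PNG puts it, so overwriting the signature is a sane
    repair. 'not-png': the structure does not look like a PNG at all, and
    patching the magic bytes would only hide the real problem.
    """
    if data[:8] == PNG_SIGNATURE:
        return "ok"
    if len(data) >= 16 and data[12:16] == b"IHDR":
        return "bad-signature"
    return "not-png"


def repair_png_signature(data: bytes) -> bytes:
    """Replace the first 8 bytes with the PNG signature, leaving the rest untouched."""
    if png_signature_status(data) != "bad-signature":
        raise ValueError("refusing to patch: signature already fine or file is not a PNG")
    return PNG_SIGNATURE + data[8:]


def png_dimensions(data: bytes) -> tuple:
    """Width and height from IHDR (offsets 16..24): a quick check the repair made sense."""
    return struct.unpack(">II", data[16:24])


def _chunk(kind: bytes, body: bytes) -> bytes:
    # PNG chunk layout: 4-byte big-endian length, 4-byte type, data, CRC32 over type+data.
    crc = zlib.crc32(kind + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", crc)


def make_sample_png(width: int = 1, height: int = 1) -> bytes:
    """Build a minimal valid 8-bit grayscale PNG (constructed, for testing)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00" * width for _ in range(height))  # filter byte + pixels
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        path = sys.argv[1]
        with open(path, "rb") as fh:
            data = fh.read()
    else:
        # No file given: demonstrate on a constructed PNG whose signature we clobber.
        path = "sample.png"
        data = b"\x00" * 8 + make_sample_png()[8:]
    status = png_signature_status(data)
    print(f"{path}: {status}")
    if status == "bad-signature":
        fixed = repair_png_signature(data)
        print("IHDR says", "x".join(map(str, png_dimensions(fixed))))
        with open(path + ".fixed", "wb") as fh:
            fh.write(fixed)
        print("wrote", path + ".fixed")
```

Usage: `python3 fix_png.py Leave_me_alone.png` writes Leave_me_alone.png.fixed next to the original; `file Leave_me_alone.png.fixed` should then report a PNG with the same dimensions the script printed. The script refuses to touch a file whose IHDR is not where it should be, because in that case something other than the signature is broken.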
At this point I ran Steghide against each picture and found ss.zip hidden inside aa.jpg. I extracted it with Steghide's extract subcommand, using the password recovered from Leave_me_alone.png as the passphrase. The archive contains two files, passwd.txt and XXXX [REDACTED]. passwd.txt held nothing I needed, but the content of the second file worked as the SSH password for the username found in the FTP directory listing.
After logging in over SSH, the user flag is in user.txt.
First I checked which commands the user may run with sudo:
sudo -l
The output lists (root) PASSWD: /usr/bin/pkexec, meaning pkexec can be run as root after entering our own password. I looked up pkexec on GTFOBins for the privilege escalation one-liner. Since the binary is granted through sudo, it is run through sudo:
sudo pkexec /bin/bash
Running this command gives us a root shell.
Thanks for reading, and thanks to Daemon for the informative room!
See you in the next blog post!