[Write-up]: Lian_Yu Machine On TryHackMe

Hi there,
I’m here with a walk-through of the Lian_Yu machine on TryHackMe. The aim of this room is to teach you how to use gobuster, steganography and privilege escalation. This room seems easy, but some steps take a little time to solve.

Let’s start with nmap scanning to establish the open ports.

Nmap Scanning

nmap -sV -sC -T4 <your-machine-ip>

From the nmap result, there are 4 open ports: 21, 22, 80 and 111.

Nmap Result

When we go to the web site, the following page welcomes us. I checked the source code and didn’t find any valuable information (we can just learn that the site owner likes the Arrow series :) ), then enumerated the directories of the host with gobuster.


Gobuster Directory Scanning

gobuster dir -u <url> -w <word_list>


From the gobuster result, we can see the hidden directory name (lian_yu is the tip!!!). When we go to the hidden directory and examine the source code of the page, we find a word; note it, since it will be used in a later step.


After visiting the hidden page, I tried a second dir search under the first hidden directory with gobuster.


From the second gobuster result, we find the second hidden directory. When we visit the page, this YouTube video welcomes us. As usual, I checked the source code of the page. There is a comment in the source code that serves as a tip.


It gives us a file extension. Under this directory, I tried the last :) dir search with gobuster, but this time I added the extension flag.

gobuster dir -u <url> -w <word_list> -x <extension>


When we visit the last hidden page, we are welcomed with a token.


FTP Login

I assumed the token was a password and tried it for FTP and SSH login. Unfortunately, it was not successful. I needed help in this step: the token is encoded with Base58. After decoding the token, I got the password. This time I used it for FTP and SSH login with the following usernames.

  • lianyu
  • arrow
  • oliver
  • ollie
  • the word which was found in the first gobuster result: [REDACTED] - it is the correct username for FTP.

When we connect to FTP, we see the following three images in the current directory. In addition, when we go to the parent directory, we can see directories named after usernames. Note those usernames for use in the next steps.

  • aa.jpg
  • Leave_me_alone.png
  • Queen’s_Gambit.png


Image examination with ExifTool and Steghide

After the FTP connection, I downloaded the image files to my local machine. First, I examined all images with ExifTool. Leave_me_alone.png has a file format error; it can’t be opened with an image viewer.


After a bit of searching, I opened Leave_me_alone.png with a hex editor and realized that the file signature (also known as the magic number or magic bytes) was not correct.


The first 16 hex digits (the PNG signature) must be [89 50 4E 47 0D 0A 1A 0A]. I changed them and saved. When I opened the picture again, there was a password.
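As an added example (not from the original post), here is a small Python script that does the hex editor step programmatically: before writing the 8-byte PNG signature back, it confirms that the bytes after the damaged header still form a valid IHDR chunk (length, type and CRC-32), so a file that is not actually a PNG is never silently rewritten. The sample input is constructed inline; the function names are my own.

```python
import struct
import zlib

# The PNG signature is 8 bytes: 89 50 4E 47 0D 0A 1A 0A.
PNG_SIGNATURE = bytes.fromhex("89504E470D0A1A0A")


def ihdr_chunk_is_intact(data: bytes) -> bool:
    """True if a well-formed IHDR chunk sits right after the 8-byte header.

    A PNG's first chunk is always IHDR: big-endian length (13), the type
    "IHDR", 13 data bytes and a CRC-32 over type + data. If that checks out,
    the file is a PNG whose only damage is its signature.
    """
    if len(data) < 33:  # 8 + 4 + 4 + 13 + 4
        return False
    (length,) = struct.unpack(">I", data[8:12])
    chunk_type = data[12:16]
    if length != 13 or chunk_type != b"IHDR":
        return False
    (stored_crc,) = struct.unpack(">I", data[29:33])
    return zlib.crc32(chunk_type + data[16:29]) == stored_crc


def diagnose(data: bytes) -> str:
    """Classify a file as 'ok', 'bad-signature' (repairable) or 'not-png'."""
    if data[:8] == PNG_SIGNATURE:
        return "ok"
    if ihdr_chunk_is_intact(data):
        return "bad-signature"
    return "not-png"


def repair_png_signature(data: bytes) -> bytes:
    """Overwrite the first 8 bytes with the PNG signature, but only when the
    rest of the file is recognisably PNG, so other formats are never rewritten."""
    if diagnose(data) != "bad-signature":
        raise ValueError("not a PNG with a damaged signature")
    return PNG_SIGNATURE + data[8:]


def _build_sample() -> bytes:
    """Constructed sample: a minimal PNG start whose signature was zeroed out."""
    ihdr_data = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1 px, 8-bit RGB
    crc = struct.pack(">I", zlib.crc32(b"IHDR" + ihdr_data))
    return bytes(8) + struct.pack(">I", 13) + b"IHDR" + ihdr_data + crc


CORRUPTED_SAMPLE = _build_sample()
```

To use it on a real file, read it with `open(path, "rb").read()`, pass the bytes to `repair_png_signature`, and write the result to a new file rather than over the original.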


At this point, I used the Steghide tool on each picture and found an ss.zip file hidden in aa.jpg, then extracted ss.zip from it using the password found in Leave_me_alone.png. So we have two files: passwd.txt and XXXX [REDACTED]. I couldn’t find the necessary information in passwd.txt. However, I tried the username which was found in the FTP connection and used the data in the [REDACTED] file as the password for SSH login.


SSH Login - [User FLAG]

When we log in with SSH, we can obtain the user flag from user.txt.


Privilege Escalation - [Root FLAG]

First, I checked which files have sudo rights with the sudo -l command. (root) PASSWD: /usr/bin/pkexec can be run with root privileges. I went straight to GTFOBins, searched for pkexec under privilege escalation and found the command pkexec /bin/bash.

When we run this command, pkexec /bin/bash, we get a root shell.


Thanks for reading. Also, thanks to Daemon for the informative room!

See you in the next blog post!