TryHackMe — Lian_Yu Write-Up

Anıl Çelik
6 min read · May 24, 2020


Hey guys, it’s Anil Celik, a.k.a. your friendly pwner 0xpr0N3rd from TryHackMe. In this walkthrough, I will explain the solution of the room named Lian_Yu, which was released a few days ago.

As the title of this room says, this is an easy challenge, but some parts of it can turn into a bit of a rabbit hole, so it’s worth being careful while you work through it.

First things first, let’s start with nmap:

From our nmap result, we can see that five ports are open: 21 (FTP), 22 (SSH), 80 (HTTP), 111 (rpcbind) and 55650. Without waiting, let’s start by enumerating port 80:

When we go to the web service, we are welcomed by this page. I checked its source code, but there was nothing valuable in there. So, as the next step, gobuster!

When we run gobuster, we see that there is a hidden directory named “island”. This looks interesting, so let’s navigate to it:

When we visit the hidden directory, we see a code word: “vi*****te”. At this point I tried navigating to this code word as a hidden directory, but it didn’t work, which suggests the information will be useful later. From here, let’s continue with gobuster, starting from the directory we just found:

Ah, jackpot! We have found the real hidden directory that one of the room’s tasks asks us to find. When we go there, we see something interesting:

You could say there’s not much here. But wait, have you checked the source code?

This is interesting. It tells us that we can avail our “.ticket” from here, but not how. “.ticket” looks like a file extension, so we should search for it with gobuster one last time. If you don’t know it yet, gobuster has the “-x” parameter, which makes it request every wordlist entry with the given extension appended as well (here, “-x ticket”).

When we searched for files with the “.ticket” extension, we found one. Let’s see what it actually contains:

Finally, something really interesting, but it is encoded rather than plain text. We can decode the string with CyberChef:

The string is Base58 encoded. You can confirm this with CyberChef’s Magic operation after pasting the string into the Input box. Note that Base58 is an encoding, not encryption: there is no key, so anyone who can read the ticket file can recover the original text. Since connecting to the SSH service comes later in this room, we can try the decoded password on the FTP service first. But wait, what is the username? Right, we found “vi*****te” earlier; that might be the username.
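If you would rather not paste credentials into a browser tool, the decoding is short enough to do locally. The block below is an added example, not code from the write-up: a Base58 decoder and encoder using the Bitcoin alphabet (the one CyberChef’s “From Base58” defaults to), plus a cheap alphabet check you can run before trying to decode. The ticket string from the room is not reproduced here; a constructed sample is round-tripped instead.

```python
# Added example (not from the write-up): minimal Base58 decode/encode with the
# Bitcoin alphabet. No '0', 'O', 'I' or 'l' occur in it, which is a quick tell
# when guessing whether a blob is Base58 rather than Base64.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def looks_like_base58(text: str) -> bool:
    """Cheap pre-check: every character must be in the Base58 alphabet."""
    return bool(text) and all(ch in ALPHABET for ch in text)


def b58decode(text: str) -> bytes:
    """Decode a Base58 string into raw bytes (big-endian base conversion)."""
    n = 0
    for ch in text:
        try:
            n = n * 58 + ALPHABET.index(ch)
        except ValueError:
            raise ValueError(f"not a Base58 character: {ch!r}") from None
    # Each leading '1' stands for one leading zero byte, which the integer
    # conversion above would otherwise lose.
    leading_zeros = len(text) - len(text.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * leading_zeros + body


def b58encode(data: bytes) -> str:
    """Encode raw bytes as Base58 (inverse of b58decode)."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out


if __name__ == "__main__":
    # Constructed sample, not the value from the room's .ticket file.
    sample = b"sample-ftp-pass"
    encoded = b58encode(sample)
    print(encoded, looks_like_base58(encoded), b58decode(encoded))
```

To decode a real ticket, pass its contents (stripped of the trailing newline) to `b58decode`; a `ValueError` means the string is not Base58 at all, which is a better signal than CyberChef silently producing garbage.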

OK, so we are in. We see that there are three files in the FTP share. To continue, we can download them with the “get” command:

After downloading them, the file named “Leave_me_alone.png” caught my attention, so I will inspect it first:

Hmm, the file extension is “.png”, but exiftool reports a “File format error”. This means the file’s header (the PNG signature in the first eight bytes) is probably corrupted, so we need to fix it before any viewer will open the image. Let’s use hexeditor:

Yeah, as we can see in the first line, the file does not start with a valid PNG signature. A quick Google search for “PNG hex header” gives us the bytes we need: 89 50 4E 47 0D 0A 1A 0A (0x89, the ASCII letters “PNG”, CR, LF, Ctrl-Z, LF):

Yup, let’s edit our file accordingly:

Now we are on the right track. The signature is fixed, so the file should open properly from now on. We can verify this by running exiftool again:
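Patching the first eight bytes by hand in a hex editor works, but it is easy to overwrite the signature on a file that was never a PNG in the first place. The block below is an added example, not code from the write-up: it checks the signature, validates the IHDR chunk that must immediately follow it (including its CRC), and only then rewrites the signature. The sample image it builds is constructed inline so the code runs offline; apply `repair_png_signature` to the bytes of the real file to get the same result the hex edit produced.

```python
# Added example (not from the write-up): check and repair a stomped PNG
# signature, confirming via the IHDR chunk that the body really is a PNG.
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"  # 89 50 4E 47 0D 0A 1A 0A


def has_png_signature(data: bytes) -> bool:
    """True if the first eight bytes are the PNG signature exiftool expects."""
    return data[:8] == PNG_SIGNATURE


def ihdr_is_valid(data: bytes) -> bool:
    """The first chunk must be IHDR: 4-byte length (13), 4-byte type,
    13 bytes of data, then a CRC32 over type + data."""
    if len(data) < 8 + 4 + 4 + 13 + 4:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if length != 13 or ctype != b"IHDR":
        return False
    crc = struct.unpack(">I", data[29:33])[0]
    return (zlib.crc32(data[12:29]) & 0xFFFFFFFF) == crc


def repair_png_signature(data: bytes) -> bytes:
    """Overwrite the first 8 bytes with the PNG signature, but only when the
    IHDR chunk checks out; otherwise we would just mislabel another format."""
    if not ihdr_is_valid(data):
        raise ValueError("IHDR chunk missing or corrupt: not a PNG body")
    return PNG_SIGNATURE + data[8:]


def build_sample_png(width: int, height: int) -> bytes:
    """Constructed minimal PNG (signature + IHDR + IEND) used only as sample data."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    # IHDR: width, height, bit depth 8, colour type 2 (RGB), compression,
    # filter and interlace all 0.
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IEND", b"")


if __name__ == "__main__":
    good = build_sample_png(1, 1)
    broken = b"\x00" * 8 + good[8:]  # simulate a stomped signature
    print(has_png_signature(broken))  # False
    fixed = repair_png_signature(broken)
    print(has_png_signature(fixed), fixed == good)  # True True
```

For the real file: `data = open("Leave_me_alone.png", "rb").read()`, then write `repair_png_signature(data)` back out and re-run exiftool or `file` on the result. If the function raises, the corruption goes beyond the first eight bytes and a signature patch alone will not help.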

Now, let’s try to open the image:

Hmm, it says the thing we want is “pa*****d”. This suggests that this image, or one of the other two files we pulled from FTP, has hidden data inside it. I first thought the thing I was looking for was in “Leave_me_alone.png” itself, but it wasn’t. So I inspected “aa.jpg” next:

Bingo! Using the password found in “Leave_me_alone.png”, I could extract the hidden data from “aa.jpg”. Let’s unzip the extracted file:

We see that there were two files in this zip archive. Let’s see what they are:

The file named “shado” contains the SSH password. So we have the password, but we don’t know the username. At this point I tried a bunch of things but couldn’t find it. Later I realized that I hadn’t checked the FTP directories carefully enough (thanks to Still ❤):

See, there’s another user named “s**de”. Now we can SSH into the system:

Let’s find user flag:

We got the user flag. For privilege escalation, before running any enumeration scripts, let’s see what we can execute with sudo rights:

It seems we can run “/usr/bin/pkexec” through sudo, but the entry says “PASSWD” rather than “NOPASSWD”. This only means sudo will prompt for our own (slade’s) password before running the command, which we already have; the command still has to be prefixed with “sudo” either way. Note that because sudo already executes pkexec as root here, a plain “sudo pkexec /bin/sh” drops us into a root shell without any exploit. Still, let’s see whether there is a local privilege escalation exploit for this sudo right:

It seems there is one exploit that will do the job for us, and it is related to a race condition. For those who don’t know, a race condition occurs when the outcome of an operation depends on the timing of two or more concurrent threads or processes accessing a shared resource; an attacker who wins the race can slip in between a check and the action that relies on it. Our exploit is written in C, so we need to fetch the code on our local system and compile it as follows:

After compiling the exploit, we can transfer it to the machine and execute it:

Yes, easily rooted. Thanks to Deamon for creating this box, I enjoyed it!

Thank you for reading my write-up, see you on the next one!
