TryHackMe is an online platform that teaches Cybersecurity through hands-on virtual labs. Whether you are an expert or beginner, learn through a virtual room structure to understand theoretical and practical security elements.
Lian_Yu is an easy CTF on TryHackMe for beginners to explore.
You first have to sign up to join the room. There are a few simple steps to follow on the Signup page. Next, follow the steps in the Welcome room to configure VPN connectivity.
I have connected to the TryHackMe network using OpenVPN on Kali Linux. Once you connect, the access page confirms the connection status and shows your IP address.
Once you have deployed the machine, you will get its IP address.
The machine's IP address is displayed along with the time remaining. If you are unable to capture the flags within 1 hour, you may add 1 more hour.
We shall start enumeration using nmap. The -sV option reports the open ports along with the services running on them and their versions.
The nmap scan revealed that port 80 is open and that Apache is running on it. We can explore it by browsing to the machine's IP address.
We could see the web page has some details based on the famous series Arrow. Let us further enumerate using gobuster and try to find directories under the server.
gobuster revealed the /island page. Let us check what's there in it.
I could see that the page says 'The code word is:' and there is nothing after that. So it is a good idea to check the source code of the page.
In the source I found the word vigilante, styled to be white. The background is also white, so the code word wasn't visible on the page.
For the next question, I could see a hint in the TryHackMe room. There might be more hidden pages. Let us use another wordlist this time, containing only 4-digit numbers.
So there is a page /2100. Let me explore it in the browser. I can now answer a couple of questions on TryHackMe.
I could see a video embedded on this page. It is a good idea to check the source of this page too.
This time the clue is .ticket.
There is also another hint for us on TryHackMe, so we now know that .ticket is a file extension.
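Both clues so far were sitting in the page source, one as white text on a white background and one as a leftover note. The same check can be run from the defender's side before publishing a page. This is an added example, not part of the original write-up; the sample HTML, the comment text and the white page background are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Inline styles that hide text on a white page (the white background is an assumption).
HIDDEN_STYLE = re.compile(
    r"(?<![-\w])color\s*:\s*(?:white|#fff(?:fff)?)\b"
    r"|display\s*:\s*none|visibility\s*:\s*hidden",
    re.IGNORECASE,
)
VOID_TAGS = {"br", "hr", "img", "input", "link", "meta", "source"}

class HiddenContentAudit(HTMLParser):
    """Collect HTML comments and text inside invisibly styled elements."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, text) tuples in document order
        self._hidden = []   # one flag per open element, inherited from parents

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return  # void elements never get an end tag, so do not track them
        style = dict(attrs).get("style") or ""
        inherited = bool(self._hidden and self._hidden[-1])
        self._hidden.append(inherited or bool(HIDDEN_STYLE.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._hidden:
            self._hidden.pop()

    def handle_data(self, data):
        if self._hidden and self._hidden[-1] and data.strip():
            self.findings.append(("hidden-text", data.strip()))

    def handle_comment(self, data):
        if data.strip():
            self.findings.append(("comment", data.strip()))

def audit(html):
    parser = HiddenContentAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample modelled on the /island and /2100 pages described above.
SAMPLE = """<html><body style="background-color:white">
<p>The Code Word is: <b style="color:white">vigilante</b></p>
<!-- constructed comment: tickets use the .ticket extension -->
<video controls><source src="clip.mp4"></video>
</body></html>"""
```

Calling `audit(SAMPLE)` returns the hidden word and the comment; anything it reports on a production page should be reviewed before the page ships.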
We can use the tool ffuf to enumerate this time. I will use FUZZ.ticket as a placeholder.
The ffuf tool revealed the word green_arrow. We can open green_arrow.ticket in the browser. We can also answer a question on TryHackMe.
So this might be a password but looks like it is encoded.
Let me go to the github link https://gchq.github.io/CyberChef given in the hint and try decoding it.
It was Base58 encoded. The decoded word !#th3h00d looks like a password.
Looks like I have found another answer.
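What the Base58 decode step does, as an added example that is not part of the original write-up. It assumes the Bitcoin alphabet; the encoded string from the room is only in the screenshot, so the sample is constructed by encoding the decoded word quoted above.

```python
# Bitcoin Base58 alphabet (assumed): no 0, O, I or l, so strings survive retyping.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
INDEX = {ch: i for i, ch in enumerate(ALPHABET)}


def b58decode(text):
    """Decode a Base58 string to bytes; raise ValueError on foreign characters."""
    text = text.strip()
    num = 0
    for ch in text:
        if ch not in INDEX:
            raise ValueError(f"not a Base58 character: {ch!r}")
        num = num * 58 + INDEX[ch]          # treat the string as a base-58 number
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))  # each leading '1' is one zero byte
    return b"\x00" * pad + body


def b58encode(data):
    """Encode bytes as Base58 (used here only to build the constructed sample)."""
    num = int.from_bytes(data, "big")
    out = ""
    while num:
        num, rem = divmod(num, 58)
        out = ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def looks_like_base58(text):
    """Cheap triage: true if every character is in the Base58 alphabet."""
    text = text.strip()
    return bool(text) and all(ch in INDEX for ch in text)


# Constructed sample: the decoded word from this write-up, re-encoded.
SAMPLE = b58encode(b"!#th3h00d")

if __name__ == "__main__":
    print(SAMPLE, "->", b58decode(SAMPLE).decode())
```

Base58 is an encoding, not encryption: there is no key, so anyone who recognises the alphabet can reverse it.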
Let me connect to the machine using ftp. The username is vigilante and the password is the one we just found.
Remember to log in using passive mode.
I could see a lot of images are stored on the machine. Let me download them to check if there are any clues in it.
The steghide tool can be used to extract information from the images.
It is asking for a passphrase, so first we have to find it. For that I will use another tool, stegcracker.
The tool found the passphrase, and it is 'password'.
Run steghide again to extract the data from the image. The extracted data is saved with a .zip file extension. Use unzip to extract the files from it.
I could see two files, passwd.txt and shado.
The shado file revealed the password. It is M3tahuman, but passwd.txt is a booby trap. We had downloaded a few other files from ftp, namely .profile and .other_user. We can look into those files as well to see if we can find a username or any other clue. We now have the answer to one more question.
The .other_user file has a lot of names. I may have to try each of them, starting with slade.
So the username is slade and the password is M3tahuman
Listing the directory contents, we have found the user.txt and a flag in it. Copy the flag and paste it on TryHackMe to verify.
To be able to see root.txt we should have root access. Let me check if slade user has sudo access.
The command sudo -l revealed that slade can run pkexec with root privilege. I can use the same to get the root prompt.
I was able to escalate the privileges of user slade and get root access. I can now see root.txt and the flag in it, and I can paste the flag on TryHackMe.
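The root cause here is a sudo rule that lets an ordinary user run pkexec as root, which amounts to full root access. The check below is an added example, not part of the original write-up: it parses `sudo -l` output and flags rules of that kind. The sample listing, its host name and binary paths, and the short list of command-running binaries are constructed assumptions.

```python
import os
import re

# Binaries that run an arbitrary command as the target user, so allowing one
# under sudo is equivalent to allowing ALL. Short illustrative list (assumed).
COMMAND_RUNNERS = {"pkexec", "su", "env", "sh", "bash", "dash", "zsh"}

RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")  # "(root) ..."
TAG = re.compile(r"^(?:[A-Z_]+:\s*)+")                          # "PASSWD: " etc.


def audit_sudo_listing(listing):
    """Return the rules in `sudo -l` output that amount to unrestricted root."""
    findings = []
    for line in listing.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header, Defaults line or blank
        runas = m.group("runas").split(":")[0].strip()
        if runas not in ("root", "ALL"):
            continue
        nopasswd = "NOPASSWD:" in m.group("rest")
        for raw in m.group("rest").split(","):
            cmd = TAG.sub("", raw.strip())
            binary = cmd.split()[0] if cmd else ""
            if binary == "ALL" or os.path.basename(binary) in COMMAND_RUNNERS:
                findings.append(
                    {"command": cmd, "runas": runas, "nopasswd": nopasswd}
                )
    return findings


# Constructed sample of `sudo -l` output for the user in this write-up.
SAMPLE = """Matching Defaults entries for slade on host:
    env_reset, mail_badpass

User slade may run the following commands on host:
    (root) PASSWD: /usr/bin/pkexec
    (root) NOPASSWD: /usr/bin/systemctl status nginx
"""

if __name__ == "__main__":
    for f in audit_sudo_listing(SAMPLE):
        print("risky sudo rule:", f)
```

The fix is to remove the flagged rule or replace it with the one specific command, with fixed arguments, that the user actually needs.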
I hope this write-up was informative for you. Please leave feedback. Thank you.
-Srivathsa Dhanvantri