[{"data":1,"prerenderedAt":446},["ShallowReactive",2],{"\u002F2025\u002Ftryhackme-lianyu-writeup":3,"surround-\u002F2025\u002Ftryhackme-lianyu-writeup":437},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"date":10,"updated":10,"image":11,"categories":12,"recommend":14,"draft":6,"readingTime":15,"body":20,"_type":430,"_id":431,"_source":432,"_file":433,"_stem":434,"_extension":435,"_original_dir":436},"\u002F2025\u002Ftryhackme-lianyu-writeup","2025",false,"","TryHackMe - Lian Yu","A step-by-step walkthrough for the TryHackMe 'Lian Yu' room. This guide covers initial access by discovering hidden directories, decoding a Base58 password for FTP access, and using steganography to find SSH credentials. Privilege escalation is achieved by exploiting sudo rights on pkexec.","2025-09-01T14:54:37.000Z","https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-lianyu-writeup\u002Fthumbnail.jpg",[13],"CTF",true,{"text":16,"minutes":17,"time":18,"words":19},"2 min read",1.77,106200,354,{"type":21,"children":22,"toc":423},"root",[23,29,45,52,56,73,77,82,87,91,113,117,121,149,153,157,185,189,193,206,210,216,245,249,262,266,271,275,288,292,329,333,361,365,371,376,380,410,414,418],{"type":24,"tag":25,"props":26,"children":28},"element","pic",{"src":27},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-lianyu-writeup\u002F1.jpg",[],{"type":24,"tag":30,"props":31,"children":32},"p",{},[33,36],{"type":34,"value":35},"text","Target IP: 
",{"type":24,"tag":37,"props":38,"children":42},"a",{"href":39,"rel":40},"https:\u002F\u002Ftryhackme.com\u002Froom\u002Flianyu",[41],"nofollow",[43],{"type":34,"value":44},"10.10.73.244",{"type":24,"tag":46,"props":47,"children":49},"h2",{"id":48},"reconnaissance",[50],{"type":34,"value":51},"Reconnaissance",{"type":24,"tag":25,"props":53,"children":55},{"src":54},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-lianyu-writeup\u002F2.jpg",[],{"type":24,"tag":30,"props":57,"children":58},{},[59,61,71],{"type":34,"value":60},"We have a web service on port ",{"type":24,"tag":62,"props":63,"children":68},"code",{"className":64,"id":66,"style":67},[65],"example-info","just-like-this","color: #77BEF0",[69],{"type":34,"value":70},"80",{"type":34,"value":72},", let's examine it.",{"type":24,"tag":25,"props":74,"children":76},{"src":75},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-lianyu-writeup\u002F3.jpg",[],{"type":24,"tag":30,"props":78,"children":79},{},[80],{"type":34,"value":81},"We performed our manual checks but couldn't find anything. 
Now let's do a directory scan on the site to find something.",{"type":24,"tag":83,"props":84,"children":86},"copy",{"code":85},"feroxbuster -u http:\u002F\u002F10.10.73.244\u002F -w \u002Fusr\u002Fshare\u002Fwordlists\u002Fdirbuster\u002Fdirectory-list-2.3-medium.txt",[],{"type":24,"tag":25,"props":88,"children":90},{"src":89},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-lianyu-writeup\u002F4.jpg",[],{"type":24,"tag":30,"props":92,"children":93},{},[94,96,102,104,111],{"type":34,"value":95},"As a result of our scans, we find the ",{"type":24,"tag":62,"props":97,"children":99},{"className":98},[],[100],{"type":34,"value":101},"\u002Fisland",{"type":34,"value":103}," and ",{"type":24,"tag":62,"props":105,"children":108},{"className":106,"id":66,"style":107},[65],"color: #efb11d",[109],{"type":34,"value":110},"\u002Fisland\u002F2100",{"type":34,"value":112}," directories.",{"type":24,"tag":25,"props":114,"children":116},{"src":115},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-lianyu-writeup\u002F5.jpg",[],{"type":24,"tag":25,"props":118,"children":120},{"src":119},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-lianyu-writeup\u002F6.jpg",[],{"type":24,"tag":30,"props":122,"children":123},{},[124,126,131,133,140,142,147],{"type":34,"value":125},"When we examine the source code of the ",{"type":24,"tag":62,"props":127,"children":129},{"className":128},[],[130],{"type":34,"value":101},{"type":34,"value":132}," page, we get the hidden word ",{"type":24,"tag":62,"props":134,"children":137},{"className":135,"id":66,"style":136},[65],"color: #4DFFBE",[138],{"type":34,"value":139},"vigilante",{"type":34,"value":141},". 
Now let's check the ",{"type":24,"tag":62,"props":143,"children":145},{"className":144},[],[146],{"type":34,"value":110},{"type":34,"value":148}," directory.",{"type":24,"tag":25,"props":150,"children":152},{"src":151},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-lianyu-writeup\u002F7.jpg",[],{"type":24,"tag":25,"props":154,"children":156},{"src":155},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-lianyu-writeup\u002F8.jpg",[],{"type":24,"tag":30,"props":158,"children":159},{},[160,162,168,170,176,178,183],{"type":34,"value":161},"The source code of this page also says that we can get our ",{"type":24,"tag":62,"props":163,"children":165},{"className":164},[],[166],{"type":34,"value":167},".ticket",{"type":34,"value":169}," from here. As you can understand from the ",{"type":24,"tag":62,"props":171,"children":173},{"className":172},[],[174],{"type":34,"value":175},".",{"type":34,"value":177},", it wants us to find the file with the ",{"type":24,"tag":62,"props":179,"children":181},{"className":180,"id":66,"style":107},[65],[182],{"type":34,"value":167},{"type":34,"value":184}," extension. So let's do a directory scan here and find it.",{"type":24,"tag":83,"props":186,"children":188},{"code":187},"feroxbuster -u http:\u002F\u002F10.10.73.244\u002Fisland\u002F2100 -w \u002Fusr\u002Fshare\u002Fwordlists\u002Fdirbuster\u002Fdirectory-list-2.3-medium.txt -x ticket",[],{"type":24,"tag":25,"props":190,"children":192},{"src":191},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-lianyu-writeup\u002F9.jpg",[],{"type":24,"tag":30,"props":194,"children":195},{},[196,198,204],{"type":34,"value":197},"And we find a file named ",{"type":24,"tag":62,"props":199,"children":201},{"className":200},[],[202],{"type":34,"value":203},".\u002Fgreen_arrow.ticket",{"type":34,"value":205},". 
We get a password from this file.",{"type":24,"tag":25,"props":207,"children":209},{"src":208},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-lianyu-writeup\u002F10.jpg",[],{"type":24,"tag":46,"props":211,"children":213},{"id":212},"initial-access",[214],{"type":34,"value":215},"Initial Access",{"type":24,"tag":30,"props":217,"children":218},{},[219,221,227,229,235,237,243],{"type":34,"value":220},"Now let's try to log in via ssh and ftp with this secret information we found: ",{"type":24,"tag":62,"props":222,"children":224},{"className":223,"id":66,"style":107},[65],[225],{"type":34,"value":226},"vigilante:RTy8yhBQdscX",{"type":34,"value":228},". As a result of our attempts, we could not get a session with this information. Here it occurs to us that the ",{"type":24,"tag":62,"props":230,"children":232},{"className":231,"id":66,"style":67},[65],[233],{"type":34,"value":234},"RTy8yhBQdscX",{"type":34,"value":236}," password we found may be encoded (an encoding is reversible, unlike a hash). When we search online, we see that it is encoded with ",{"type":24,"tag":62,"props":238,"children":240},{"className":239,"id":66,"style":136},[65],[241],{"type":34,"value":242},"BASE-58",{"type":34,"value":244}," and we decode it.",{"type":24,"tag":25,"props":246,"children":248},{"src":247},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-lianyu-writeup\u002F11.jpg",[],{"type":24,"tag":30,"props":250,"children":251},{},[252,254,260],{"type":34,"value":253},"From here we get the pair ",{"type":24,"tag":62,"props":255,"children":257},{"className":256,"id":66,"style":136},[65],[258],{"type":34,"value":259},"vigilante:!#th3h00d",{"type":34,"value":261},". 
Now let's try to log in with these.",{"type":24,"tag":25,"props":263,"children":265},{"src":264},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-lianyu-writeup\u002F12.jpg",[],{"type":24,"tag":30,"props":267,"children":268},{},[269],{"type":34,"value":270},"And yes, we were able to log in to ftp, now let's examine the shared files.",{"type":24,"tag":25,"props":272,"children":274},{"src":273},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-lianyu-writeup\u002F13.jpg",[],{"type":24,"tag":30,"props":276,"children":277},{},[278,280,286],{"type":34,"value":279},"When we see the images here, it immediately comes to mind that there might be something inside them. Now let's download and examine the files here. (",{"type":24,"tag":62,"props":281,"children":283},{"className":282},[],[284],{"type":34,"value":285},"get \u003Cfile_name>",{"type":34,"value":287},")",{"type":24,"tag":25,"props":289,"children":291},{"src":290},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-lianyu-writeup\u002F14.jpg",[],{"type":24,"tag":30,"props":293,"children":294},{},[295,297,303,305,311,313,319,321,327],{"type":34,"value":296},"We found a possible username from the ",{"type":24,"tag":62,"props":298,"children":300},{"className":299},[],[301],{"type":34,"value":302},".other_user",{"type":34,"value":304}," file: ",{"type":24,"tag":62,"props":306,"children":308},{"className":307,"id":66,"style":136},[65],[309],{"type":34,"value":310},"slade",{"type":34,"value":312},". When we examine the images, we see that there is hidden data in ",{"type":24,"tag":62,"props":314,"children":316},{"className":315},[],[317],{"type":34,"value":318},"aa.jpg",{"type":34,"value":320},", but it is encrypted. 
Now let's brute force it with ",{"type":24,"tag":62,"props":322,"children":324},{"className":323,"id":66,"style":67},[65],[325],{"type":34,"value":326},"stegseek -sf aa.jpg",{"type":34,"value":328}," and crack the password.",{"type":24,"tag":25,"props":330,"children":332},{"src":331},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-lianyu-writeup\u002F15.jpg",[],{"type":24,"tag":30,"props":334,"children":335},{},[336,338,344,345,351,353,359],{"type":34,"value":337},"From here we got the ",{"type":24,"tag":62,"props":339,"children":341},{"className":340},[],[342],{"type":34,"value":343},"shado",{"type":34,"value":103},{"type":24,"tag":62,"props":346,"children":348},{"className":347},[],[349],{"type":34,"value":350},"passwd.txt",{"type":34,"value":352}," files and when we examined them we found the word ",{"type":24,"tag":62,"props":354,"children":356},{"className":355,"id":66,"style":136},[65],[357],{"type":34,"value":358},"M3tahuman",{"type":34,"value":360},". Now let's log in via ssh with the username and this word we obtained.",{"type":24,"tag":83,"props":362,"children":364},{"code":363},"ssh slade@10.10.73.244",[],{"type":24,"tag":46,"props":366,"children":368},{"id":367},"privilege-escalation",[369],{"type":34,"value":370},"Privilege Escalation",{"type":24,"tag":30,"props":372,"children":373},{},[374],{"type":34,"value":375},"And we're in. 
Now let's check which commands we are allowed to run with sudo with a simple command.",{"type":24,"tag":25,"props":377,"children":379},{"src":378},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-lianyu-writeup\u002F16.jpg",[],{"type":24,"tag":30,"props":381,"children":382},{},[383,385,390,392,399,401,408],{"type":34,"value":384},"From here we saw that the ",{"type":24,"tag":62,"props":386,"children":388},{"className":387},[],[389],{"type":34,"value":310},{"type":34,"value":391}," user can run the ",{"type":24,"tag":62,"props":393,"children":396},{"className":394,"id":66,"style":395},[65],"color: #EA5B6F",[397],{"type":34,"value":398},"\u002Fusr\u002Fbin\u002Fpkexec",{"type":34,"value":400}," binary with root privileges. Now when we research this binary on ",{"type":24,"tag":37,"props":402,"children":405},{"href":403,"rel":404},"https:\u002F\u002Fgtfobins.github.io\u002Fgtfobins\u002Fpkexec\u002F",[41],[406],{"type":34,"value":407},"GTFOBins",{"type":34,"value":409},", we see that we can become root with the following command, because pkexec run as root will execute any program it is given.",{"type":24,"tag":83,"props":411,"children":413},{"code":412},"sudo pkexec \u002Fbin\u002Fsh",[],{"type":24,"tag":25,"props":415,"children":417},{"src":416},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-lianyu-writeup\u002F17.jpg",[],{"type":24,"tag":30,"props":419,"children":420},{},[421],{"type":34,"value":422},"And we are root...",{"title":7,"searchDepth":424,"depth":424,"links":425},4,[426,428,429],{"id":48,"depth":427,"text":51},2,{"id":212,"depth":427,"text":215},{"id":367,"depth":427,"text":370},"markdown","content:posts:2025:tryhackme-lianyu-writeup.md","content","posts\u002F2025\u002Ftryhackme-lianyu-writeup.md","posts\u002F2025\u002Ftryhackme-lianyu-writeup","md","\u002Fposts",[438,442],{"_path":439,"title":440,"date":441},"\u002F2025\u002Ftryhackme-mustacchio-writeup","TryHackMe - 
Mustacchio","2025-08-29T13:33:15.000Z",{"_path":443,"title":444,"date":445},"\u002F2025\u002Ftryhackme-anthem-writeup","TryHackMe - Anthem","2025-09-01T17:37:04.000Z",1776934250704]