Lian_Yu — TryHackMe Walkthrough
Published 2026-04-14 14:46:24 on infosecwriteups.com. Aggregator summary: the article describes a CTF attack chain that uses Nmap scanning, directory brute-forcing, credential extraction, steganography and privilege escalation to obtain user and root access on the target.

Death Esther

Introduction

In this walkthrough, I tackle the Lian_Yu room, moving from initial enumeration to full root access by chaining web discovery, credential extraction, steganography, and privilege escalation.

Task 1. Find the Flags

Welcome to Lian_YU, this Arrowverse themed beginner CTF box! Capture the flags and have fun.

Question 1. Deploy the VM and Start the Enumeration.

No answer needed

Question 2. What is the Web Directory you found?

2100

Question 3. What is the file name you found?

green_arrow.ticket

Question 4. What is the FTP Password?

!#th3h00d

Question 5. what is the file name with SSH password?

shado

Question 6. User.txt

THM{P30P7E_K33P_53CRET5__C0MPUT3R5_D0N'T}

Question 7. Root.txt

THM{MY_W0RD_I5_MY_B0ND_IF_I_ACC3PT_YOUR_CONTRACT_THEN_IT_WILL_BE_COMPL3TED_OR_I'LL_BE_D34D}

Initial Reconnaissance

I started with an Nmap scan using default scripts and version detection to quickly map the exposed attack surface.

nmap -sV -sC 10.49.161.195

The scan quickly revealed a small but interesting set of open services:

  • FTP running on port 21
  • SSH exposed on port 22
  • A web server on port 80
  • RPC service on port 111

The presence of FTP alongside a web service immediately stood out. In many cases, misconfigured FTP services become an easy entry point, so I kept that in mind as I moved forward.

Web Enumeration

With the web server exposed, I shifted focus to port 80 and opened the target in the browser.

At first glance, nothing useful was visible on the surface. No obvious inputs, no leaks, nothing actionable. That usually means one thing. Time to dig deeper.

Directory Bruteforcing

I started enumerating hidden paths using dirsearch with a well-known wordlist.

dirsearch -u http://10.49.161.195 -w SecLists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
Target: http://10.49.161.195/
[20:13:50] Starting:
[20:14:30] 301 - 236B - /island -> http://10.49.161.195/island/
[20:18:22] 403 - 199B - /server-status
Task Completed

The scan returned an interesting directory:

/island

That gave me a new attack vector to explore.

Hidden Clues in Source Code

After navigating to /island, I checked the page source instead of just relying on what was rendered.

Inside the source, I found a hidden keyword:

vigilante

At this stage, it looked like a potential username. It could be tied to FTP or SSH, but without a password, it was not immediately usable. Still, it was a valuable piece of intel, so I noted it down and continued enumerating.

Deeper Enumeration

I pushed further into the /island directory with another round of directory brute forcing.

dirsearch -u http://10.49.161.195/island/ -w SecLists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
Target: http://10.49.161.195/
[20:25:42] Starting: island/
[20:26:01] 301 - 241B - /island/2100 -> http://10.49.161.195/island/2100/
Task Completed

This revealed another hidden path:

/island/2100

Opening it in the browser did not immediately reveal anything useful.

While inspecting the source code, I noticed a reference pointing toward a file with a .ticket extension. That immediately suggested there might be something intentionally hidden. I followed the same enumeration approach and continued digging deeper to locate it.

dirsearch -u http://10.49.161.195/island/2100 -w SecLists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -e .ticket
Target: http://10.49.161.195/
[20:25:42] Starting: island/2100
[20:26:01] 301 - 241B - /green_arrow.ticket -> http://10.49.161.195/island/2100/green_arrow.ticket
Task Completed

This time, I discovered a file:

/island/2100/green_arrow.ticket

Extracting Credentials

Opening the file revealed an encoded string.

RTy8yhBQdscX

The format suggested it was not random: the string was short, unpadded, and used none of the characters 0, O, I or l, which is the tell of the Base58 alphabet rather than Base64. I decoded it as Base58 to retrieve the original value.

The decoded output gave me a potential password:

!#th3h00d

At this point, I had a likely username and password combination gathered through enumeration. The next step was to validate where these credentials could be used.
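
Base58 is a plain base conversion with no checksum, so it is easy to implement without a third-party library. The following is an added example, not code from the original post: it implements Base58 decode/encode and a small `guess_encoding` helper that tries Base64, Base32, hex and Base58 and keeps only the candidates that yield printable ASCII, which is the quick way to confirm which encoding a ticket-style string actually uses. The sample input is the string from green_arrow.ticket; the helper names are my own.

```python
import base64
import binascii

# Bitcoin-style Base58 alphabet: no 0, O, I or l, which is the visual tell
# that separates a Base58 string from Base64/Base62 ones.
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_B58_INDEX = {ch: i for i, ch in enumerate(BASE58_ALPHABET)}


def base58_decode(text: str) -> bytes:
    """Decode a Base58 string (big-endian base conversion, no checksum)."""
    n = 0
    for ch in text:
        if ch not in _B58_INDEX:
            raise ValueError(f"character {ch!r} is not in the Base58 alphabet")
        n = n * 58 + _B58_INDEX[ch]
    # Each leading '1' encodes a leading zero byte that the integer loses.
    leading_zeros = len(text) - len(text.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * leading_zeros + body


def base58_encode(data: bytes) -> str:
    """Inverse of base58_decode; handy to confirm a decode round-trips."""
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(BASE58_ALPHABET[rem])
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + "".join(reversed(digits))


def _printable_ascii(raw: bytes) -> bool:
    return all(32 <= b < 127 for b in raw)


def guess_encoding(text: str) -> dict:
    """Try common text encodings and keep those that yield printable ASCII.

    Returns {encoding_name: decoded_str}; an empty dict means none of them fit.
    Decoders that reject the input (bad alphabet, bad padding) are skipped.
    """
    attempts = {
        "base64": lambda s: base64.b64decode(s, validate=True),
        "base32": lambda s: base64.b32decode(s, casefold=True),
        "hex": bytes.fromhex,
        "base58": base58_decode,
    }
    candidates = {}
    for name, decoder in attempts.items():
        try:
            raw = decoder(text)
        except (ValueError, binascii.Error):
            continue
        if raw and _printable_ascii(raw):
            candidates[name] = raw.decode("ascii")
    return candidates


if __name__ == "__main__":
    ticket = "RTy8yhBQdscX"  # contents of green_arrow.ticket
    print(guess_encoding(ticket))
```

Base64 also accepts this string (12 characters, valid alphabet) but decodes it to bytes outside the printable range, which is why it is dropped and only the Base58 reading survives.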

Gaining Access to FTP

With a potential username and password in hand, I moved to validate them against the FTP service.

ftp 10.49.161.195
Name: vigilante
Password: !#th3h00d

The login was successful, confirming that the credentials were valid for FTP access.

Exploring FTP Storage

Once inside, I listed the available files on the server.

ls

The directory contained three image files:

  • Leave_me_alone.png
  • Queen's_Gambit.png
  • aa.jpg

I downloaded all of them locally for further analysis.

get Leave_me_alone.png
get Queen's_Gambit.png
get aa.jpg

Enumerating User Directories

Before moving ahead, and still inside the FTP session, I changed to /home to see which system users existed. This worked because the FTP login was not chrooted to its own home directory.

cd /home
ls

This revealed two users:

  • slade
  • vigilante

That aligned well with the username I had already discovered earlier.

Analyzing Downloaded Files

I started inspecting the downloaded images. One file immediately stood out.

The file Leave_me_alone.png refused to open, and even metadata analysis showed an issue.

The error suggested that the file format was corrupted or manipulated. To verify this, I opened the file in a hex editor.

At first, nothing obvious stood out. But after comparing the first eight bytes with the valid PNG signature (89 50 4E 47 0D 0A 1A 0A, i.e. \x89PNG\r\n\x1a\n), it became clear that the file header had been altered.

I corrected the header manually.

After fixing it, the image opened successfully.

The image itself displayed a single word, which turned out to be the passphrase for the next step:

password
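
Fixing a PNG signature by hand in a hex editor is fine once, but it is worth knowing what to check so you do not blindly stamp a signature onto a file that is not a PNG at all. The following is an added example, not the author's code: it builds a small valid PNG as constructed sample data, corrupts its signature the way the box does, and then repairs it only if a well-formed IHDR chunk sits right after the signature slot, verifying every chunk CRC afterwards. Function names are my own; the corruption pattern is constructed and not claimed to be the exact bytes used in Leave_me_alone.png.

```python
import struct
import zlib

# The 8-byte signature every PNG must begin with.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, payload, CRC32(type + payload)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_sample_png() -> bytes:
    """Constructed sample: a valid 1x1 8-bit greyscale PNG (not the CTF image)."""
    # width, height, bit depth, colour type, compression, filter, interlace
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    scanline = b"\x00" + b"\x80"  # filter type 0, one grey pixel
    return (PNG_SIGNATURE
            + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(scanline))
            + make_chunk(b"IEND", b""))


def signature_ok(data: bytes) -> bool:
    return data[:8] == PNG_SIGNATURE


def parse_chunks(data: bytes) -> list:
    """Walk the chunk list after the signature, verifying every CRC.

    Returns [(chunk_type, payload_length), ...]; raises ValueError if a chunk
    is truncated or its CRC does not match, which is how you tell a header-only
    tamper from deeper damage.
    """
    chunks = []
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        if pos + 12 + length > len(data):
            raise ValueError("truncated chunk at offset %d" % pos)
        ctype = data[pos + 4:pos + 8]
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in chunk {ctype!r}")
        chunks.append((ctype, length))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks


def repair_signature(data: bytes) -> bytes:
    """Overwrite the first 8 bytes with the real PNG signature.

    Only done when the bytes right after the signature slot are the start of a
    valid IHDR chunk (length 13, type IHDR). If they are not, the file is not a
    PNG with a mangled signature, and stamping one on would only hide that.
    """
    if signature_ok(data):
        return data
    if data[8:16] != b"\x00\x00\x00\x0dIHDR":
        raise ValueError("no IHDR at offset 8: not a PNG with a mangled signature")
    return PNG_SIGNATURE + data[8:]


if __name__ == "__main__":
    good = make_sample_png()
    # Constructed corruption: the same image with its first four bytes zeroed.
    broken = b"\x00" * 4 + good[4:]
    print("signature ok before:", signature_ok(broken))
    fixed = repair_signature(broken)
    print("signature ok after:", signature_ok(fixed), parse_chunks(fixed))
```

On a real file, read it with `open(path, "rb")`, run `repair_signature`, and write the result to a new path rather than over the original so the evidence stays intact; `parse_chunks` on the result confirms that nothing beyond the signature was touched.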

Extracting Hidden Data

Next, I moved to the other image file to check for hidden content. I used steghide to extract any embedded data.

steghide extract -sf aa.jpg

After providing the passphrase (the word password recovered from Leave_me_alone.png), it extracted a zip file:

ss.zip

Unzipping it revealed two files, which I read back one at a time.

unzip ss.zip
cat passwd.txt
cat shado

The contents were:

passwd.txt

This is your visa to Land on Lian_Yu # Just for Fun ***
a small Note about it

Having spent years on the island, Oliver learned how to be resourceful and
set booby traps all over the island in the common event he ran into dangerous
people. The island is also home to many animals, including pheasants,
wild pigs and wolves.

shado

M3tahuman

The second file looked like a password, and given the earlier user enumeration, it was likely tied to one of the system users.

User Access via SSH

Using the discovered credentials, I attempted SSH access.

ssh slade@10.49.161.195
Password: M3tahuman

The login was successful, confirming valid user access on the system.

User Flag

Once inside, I listed the directory contents. The user flag was present in the home directory.

THM{P30P7E_K33P_53CRET5__C0MPUT3R5_D0N'T}

That marked successful user-level access on the machine.

Privilege Escalation

With user access established, I shifted focus toward privilege escalation. The first step was to check which commands I could run with elevated privileges.

sudo -l

The output showed that /usr/bin/pkexec could be executed with root privileges. Whenever I find a binary listed under sudo, my next move is to verify if it can be abused for escalation.

For that, I referred to GTFOBins, a well-known resource that documents how common Linux binaries can be leveraged to bypass restrictions and escalate privileges in misconfigured environments.

I looked up pkexec on GTFOBins and found a working method to spawn a root shell.

The technique was straightforward:

sudo pkexec /bin/sh

This works because sudo runs pkexec as root, and pkexec running as root is authorised by polkit to launch the requested program as root without any authentication prompt, so /bin/sh comes up as a root shell. The technique is documented under pkexec on GTFOBins.

This gave me a root shell.

Root Flag

With root access confirmed, I navigated to retrieve the final flag.

THM{MY_W0RD_I5_MY_B0ND_IF_I_ACC3PT_YOUR_CONTRACT_THEN_IT_WILL_BE_COMPL3TED_OR_I'LL_BE_D34D}

Thanks for reading.

Source: https://infosecwriteups.com/lian-yu-tryhackme-walkthrough-2dc9ad347dee?source=rss----7b722bfd1b8d---4