Chocolate Factory
Last updated
Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn).
Detailed Nmap scan:
Command breakdown:
(-sV): Service version detection
(-sC): Default nmap scripts
(-p): Specifying ports 21,22,80
(-oN nmap): Saving the output to a file called nmap
Anonymous FTP login is allowed, so let's check it out.
Let's list the files.
Looks like there is one file and it is an image, so let's transfer it to our machine.
Let's look at the image.
Let's see if there is information hidden in the file, so let's use steghide.
I hit enter for an empty passphrase and it worked. There is one embedded file called b64.txt, let's extract it.
Let's read the file.
Let's decode it. After decoding, this is the output.
We have the password hash for the user Charlie. Let's use hashcat to crack this hash and get Charlie's password.
Copy the hash into a file called hash.txt.
And now let's use hashcat to crack it.
We found the password: cn7824, so let's try to log in through SSH.
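The two steps above (base64 decode, then identify and crack the hash) are worth seeing in code, because they show why a base64-wrapped, unsalted digest is no protection at all. The block below is an added example, not part of the original writeup: the user:hash line, the password and the SHA-256 choice are all constructed here (the writeup does not say which hash type the room uses, and hashcat did the cracking there).

```python
import base64
import binascii
import hashlib
import re
from typing import List, Optional, Tuple

# Constructed sample standing in for the room's b64.txt: a "user:hash" line,
# base64-encoded. The password and hash here are made up for this example.
SAMPLE_PASSWORD = "constructed-example-password"
SAMPLE_LINE = "charlie:" + hashlib.sha256(SAMPLE_PASSWORD.encode()).hexdigest()
SAMPLE_B64 = base64.b64encode(SAMPLE_LINE.encode()).decode()

# Hex digest length -> common unsalted algorithm of that size.
HEX_DIGEST_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}
DIGEST_FUNCS = {"MD5": hashlib.md5, "SHA-1": hashlib.sha1,
                "SHA-256": hashlib.sha256, "SHA-512": hashlib.sha512}


def decode_b64_text(blob: str) -> str:
    """Base64 is an encoding, not encryption: anyone holding the file can
    reverse it. Whitespace is stripped and missing '=' padding restored."""
    compact = re.sub(r"\s+", "", blob)
    padded = compact + "=" * (-len(compact) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not valid base64 text: {exc}") from exc


def classify_hash(token: str) -> Optional[str]:
    """Guess the algorithm of an unsalted hex digest from its length."""
    if re.fullmatch(r"[0-9a-fA-F]+", token):
        return HEX_DIGEST_LENGTHS.get(len(token))
    return None


def extract_credentials(decoded: str) -> List[Tuple[str, str, Optional[str]]]:
    """Pull (user, hash, likely algorithm) out of 'user:hash' lines."""
    found = []
    for line in decoded.splitlines():
        if ":" not in line:
            continue
        user, _, token = line.partition(":")
        token = token.strip()
        found.append((user.strip(), token, classify_hash(token)))
    return found


def verify_guess(token: str, algo: str, guess: str) -> bool:
    """One candidate check. For an unsalted, fast digest this is a single
    hashlib call, which is why a wordlist gets through it so quickly."""
    digest = DIGEST_FUNCS[algo](guess.encode()).hexdigest()
    return digest.lower() == token.lower()
```

Run `extract_credentials(decode_b64_text(open("b64.txt").read()))` on a real file and the third tuple field tells you what mode to try first; `verify_guess` is the whole per-candidate cost, which is the point: a salted, slow KDF would turn that one call into a deliberately expensive one.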
Looks like this is not the password for SSH, so let's go explore port 80.
Let's visit the website.
It's a login page. Remember the credentials we found; let's use them to log in.
We logged in, and it looks like we can run commands. Normal commands work, so let's get a reverse shell. First start a netcat listener.
Let's get a reverse shell from here.
Let's execute this command, and we get a reverse shell on the machine.
Let's stabilize this shell using these commands.
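From the defender's side, the command-execution page and the reverse shell above leave a very recognisable trail in the web server's access log. The block below is an added example, not part of the original writeup: it parses constructed Common Log Format lines and flags request parameters carrying shell metacharacters or typical reverse-shell tokens. The endpoint (/app/run) and parameter name (cmd) are assumptions; the writeup does not name them.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Common Log Format. The endpoint (/app/run)
# and parameter name (cmd) are assumptions; the walkthrough does not name them.
SAMPLE_LOG = """\
10.10.14.2 - - [01/Jan/2024:10:00:01 +0000] "GET /app/run HTTP/1.1" 200 512
10.10.14.2 - - [01/Jan/2024:10:00:09 +0000] "GET /app/run?cmd=ls HTTP/1.1" 200 731
10.10.14.2 - - [01/Jan/2024:10:00:15 +0000] "GET /app/run?cmd=id%3Bcat+%2Fetc%2Fpasswd HTTP/1.1" 200 2048
10.10.14.2 - - [01/Jan/2024:10:00:22 +0000] "GET /app/run?cmd=nc+10.10.14.2+4444 HTTP/1.1" 200 12
10.10.14.9 - - [01/Jan/2024:10:01:03 +0000] "GET /index.php?page=home HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Characters that let one parameter value become several shell commands.
SHELL_META = re.compile(r"[;&|`$()]")
# Substrings typical of spawning a network-connected shell. Non-exhaustive.
REVERSE_SHELL_TOKENS = ("nc ", "ncat ", "bash -i", "sh -i", "/dev/tcp/",
                        "python -c", "perl -e")


def parse_line(line: str) -> Dict[str, str]:
    """Split one CLF line into its fields; raise on anything unexpected."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return m.groupdict()


def score_target(target: str) -> List[str]:
    """Return the reasons a request target looks like command injection."""
    reasons = []
    # parse_qs URL-decodes the values, so %3B and + are already ';' and ' '.
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            if SHELL_META.search(value):
                reasons.append(f"{name}: shell metacharacter in value {value!r}")
            for token in REVERSE_SHELL_TOKENS:
                if token in value:
                    reasons.append(f"{name}: reverse-shell token {token!r}")
    return reasons


def find_suspicious(log_text: str) -> List[Dict[str, object]]:
    """Run the scoring over every line and keep the hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        reasons = score_target(entry["target"])
        if reasons:
            hits.append({"ip": entry["ip"], "ts": entry["ts"],
                         "target": entry["target"], "reasons": reasons})
    return hits
```

The two flagged lines are the injection (`id;cat /etc/passwd`) and the outbound connection (`nc 10.10.14.2 4444`); the plain `ls` is not flagged, which is deliberate, since a page that runs commands by design produces benign-looking requests too and the metacharacter or token is what separates use from abuse. POST bodies are not in the access log, so the same check would need the application's own request logging to cover them.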
Let's list the files in the current directory.
We have a validate.php file, let's read it.
We see the credentials we just used to log in on the web page. I tried to run the key file but it said permission denied,
so I used the strings command, which prints the printable character sequences in a file,
and it gave me important information.
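The credentials sitting in validate.php are the root cause of the whole web-side foothold: a plaintext secret in source is readable by anyone who gets file access. The block below is an added example, not the room's code: a small audit check that flags such literals in a constructed PHP snippet, a Python mirror of the insecure comparison, and the hardened shape (salted scrypt hash kept outside the code, constant-time compare, same cost for unknown users). The PHP text, variable names and passwords are all constructed.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List

# --- The vulnerable shape: the secret lives in the source file. Whoever can
# read validate.php (a shell on the box, a stray backup, a webroot listing)
# has the password itself. Constructed PHP standing in for the real file.
SAMPLE_VALIDATE_PHP = """\
<?php
$username = "charlie";
$password = "constructed-plaintext-password";
if ($_POST["uname"] == $username && $_POST["pass"] == $password) {
    header("Location: home.php");
}
?>
"""

# String literals assigned to secret-looking PHP variables.
HARDCODED_SECRET_RE = re.compile(
    r"""^\s*\$(?P<name>\w*(?:pass|pwd|secret|token|key)\w*)\s*=\s*["'](?P<value>[^"']+)["']""",
    re.IGNORECASE | re.MULTILINE,
)


def find_hardcoded_secrets(source: str) -> List[Dict[str, str]]:
    """Audit check: report hard-coded secret literals in PHP source."""
    return [{"name": m["name"], "value": m["value"]}
            for m in HARDCODED_SECRET_RE.finditer(source)]


def validate_insecure(username: str, password: str,
                      stored_user: str, stored_pass: str) -> bool:
    """Mirrors the PHP: plaintext compare against constants in the code."""
    return username == stored_user and password == stored_pass


# --- The hardened shape: keep only a salted, memory-hard hash, store it
# outside the code (a dict stands in for a database row here), and compare
# in constant time.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)
DUMMY_SALT = b"\x00" * 16


def make_record(password: str) -> Dict[str, bytes]:
    """Create the stored form of a password: random salt plus scrypt digest."""
    salt = os.urandom(16)
    return {"salt": salt,
            "digest": hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)}


def validate_secure(username: str, password: str,
                    user_db: Dict[str, Dict[str, bytes]]) -> bool:
    """Check a login against stored records without leaking timing or secrets."""
    record = user_db.get(username)
    if record is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        hashlib.scrypt(password.encode(), salt=DUMMY_SALT, **SCRYPT_PARAMS)
        return False
    candidate = hashlib.scrypt(password.encode(), salt=record["salt"], **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, record["digest"])
```

With the hardened version, reading the application source or even the user table yields only a salt and a digest that cost real CPU and memory per guess, instead of a password that also happens to open the web login.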
We have a key. With this information we can answer two questions in the room.
I was enumerating when I realized that we can change directory into Charlie's home, so I listed the files and found user.txt
and some other files.
Let's read the teleport file.
It's an RSA private key; we can use this to log in as charlie
through SSH, so let's do that. First copy the contents of the file into a file on your machine called id_rsa.
Now we should change the permissions of the file, since SSH refuses to use a private key that other users can read.
Now let's log in.
We are logged in.
Let's run sudo -l
to see what we can run as root.
Looks like we can run /usr/bin/vi
as root, so let's go to GTFOBins to find the commands to escalate our privileges to root.
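The sudo rule for vi is the last link in the chain, and it is the kind of entry a routine sudoers review should catch before anyone runs sudo -l on the box. The block below is an added example, not from the writeup or GTFOBins: it parses constructed `sudo -l` output shaped like the one the walkthrough describes and flags rules whose target binary is an editor, pager or interpreter known to offer a shell escape. The hostname, the second rule and the binary list are all constructed and non-exhaustive.

```python
import re
from typing import Dict, List

# Binaries that commonly offer a shell escape when run as root (editors,
# pagers, interpreters, a few utilities with exec options). Non-exhaustive.
SHELL_ESCAPE_BINARIES = {
    "vi", "vim", "nano", "less", "more", "man", "awk", "find",
    "python", "python3", "perl", "bash", "sh", "env",
}

# Constructed `sudo -l` output shaped like what the walkthrough describes.
SAMPLE_SUDO_L = """\
Matching Defaults entries for charlie on chocolate-factory:
    env_reset, mail_badpass

User charlie may run the following commands on chocolate-factory:
    (ALL : ALL) NOPASSWD: /usr/bin/vi
    (root) /usr/bin/systemctl restart nginx
"""

# "(runas) TAG: TAG: /path/to/command args"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<command>.+?)\s*$"
)


def parse_sudo_l(output: str) -> List[Dict[str, str]]:
    """Return the rule lines that follow 'User X may run ...'."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({"runas": m["runas"].strip(),
                          "tags": m["tags"].strip(),
                          "command": m["command"]})
    return rules


def audit_rules(rules: List[Dict[str, str]]) -> List[str]:
    """Flag rules granting ALL or a known shell-escape binary."""
    findings = []
    for rule in rules:
        command = rule["command"]
        binary = command.split()[0].rsplit("/", 1)[-1]
        if command == "ALL":
            findings.append(f"({rule['runas']}) {rule['tags']} ALL: unrestricted root")
        elif binary in SHELL_ESCAPE_BINARIES:
            findings.append(
                f"({rule['runas']}) {rule['tags']} {command}: {binary} can spawn a shell"
            )
    return findings
```

The systemctl rule passes because it is pinned to one sub-command; the vi rule is flagged because an editor running as root is a root shell in practice, NOPASSWD or not. The usual fix is to remove the entry and, if a user genuinely needs to edit one privileged file, grant `sudoedit` on that file instead.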
Let's run this command.
We are now root. Let's cd into the root folder to find the root flag. It looks like we need to run a Python script to get the flag, so let's run it. It asks for a key; remember the key we found during enumeration, type that in and you should get the flag.