Chocolate Factory TryHackMe Writeup | By Xploit Ayush
A Charlie And The Chocolate Factory themed room, revisit Willy Wonka’s chocolate factory!
Welcome to Willy Wonka’s Chocolate Factory!
This room was designed so that hackers can revisit Willy Wonka’s Chocolate Factory and meet the Oompa Loompas.
This is a beginner friendly room!
Chocolate Factory is one of the more challenging rooms in TryHackMe’s beginner path.
STEP 1 > Let’s start with Nmap
nmap -sV -sC -p- -T4 <IP>
Several services are exposed, including FTP, SSH and HTTP. Other services are hosted on ports 100, 106, 109, 110, … but we won’t need them.
We can log in to FTP anonymously.
Wait! Also, on one of the random ports (113), I found a URL.
http://<ip>/key_rev_key (download that file to our local system)
key_rev_key is a binary file, so let’s use the strings tool to pull out the human-readable data:
strings key_rev_key
Looking at the output: the file itself is a binary rather than a plain key, but strings reveals one:
By the way, the username was laksdhfas.
STEP 2 > Log in to FTP anonymously
There is a gum_room.jpg file; let’s download it using ‘get’.
Check the image for any hidden data, since this room involves steganography.
steghide extract -sf gum_room.jpg
The extracted file looks like base64-encoded data.
cat b64.txt | base64 -d > hash && cat hash
Now it’s time to crack that hash with john and a dictionary attack.
PART 2 >
Another approach is to use Gobuster to brute-force hidden pages.
The web server has a page at /home.php.
We have command injection on this page! So what can we do here?
We can try to get a reverse shell from this PHP page by injecting a payload; a payload can be taken from here.
What does reverse shell do?
A reverse shell is a technique attackers use to gain access to remote systems by exploiting remote code execution (RCE) vulnerabilities present in those systems.
Start a listener on any port.
Put our system’s IP (from the ifconfig command) into the payload and try to execute it.
Boom! We got a reverse shell on the victim machine.
cat validate.php
We got the PASSWORD! It is charlie’s password.
Awesome! We got the key. Submit it and head straight to the home directories.
cat user.txt
But... WAIT! We can’t read it.
Ok, so we’re not able to read the user flag, but we have a private and public SSH key. By copying the output of cat teleport, we save it on our attacker machine and reconnect directly with ssh.
chmod 600 id_rsa
We can now use these keys to SSH as charlie. Copy the key, change the key file’s permissions to 700 or 600, and ssh using key-based authentication.
BOOM!
Now we have permission to cat user.txt, and we get the user flag.
To get the root flag we need to check what permissions or privileges we have.
This one is a little bit trickier. First, type in the command:
sudo -l
Then I tried checking that in GTFOBins and found the exploit for it.
In the /root dir we found a Python script that does the following:
Takes a key from us.
Uses the given key to try to decrypt an encrypted_mess; if the key is correct it decrypts, otherwise the key is wrong (a symmetric key, since Fernet is a symmetric-key library).
If the key is correct, it displays the decrypted message and some text.
We had to use the key we found during the URL investigation to successfully decrypt the encrypted message.
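Why a wrong key is rejected cleanly rather than producing garbage: every Fernet token carries an HMAC-SHA256 tag that is checked before any decryption. The following is an added example, not the room’s script, that rebuilds just that authentication step from the Fernet spec using only the standard library (the real AES-CBC decryption is left to the cryptography package); the key, IV, timestamp and ciphertext bytes are constructed placeholders.

```python
import base64
import hashlib
import hmac
import struct


def split_key(key_b64: bytes):
    """A Fernet key is 32 bytes, urlsafe-base64 encoded: the first 16 bytes
    are the HMAC signing key, the last 16 the AES-128-CBC encryption key."""
    raw = base64.urlsafe_b64decode(key_b64)
    if len(raw) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    return raw[:16], raw[16:]


def build_token(key_b64: bytes, ciphertext: bytes, iv: bytes, timestamp: int) -> bytes:
    """Assemble a spec-shaped token: 0x80 | timestamp | IV | ciphertext | HMAC-SHA256.
    The ciphertext here is constructed filler; real Fernet produces it with AES-CBC."""
    signing_key, _ = split_key(key_b64)
    body = b"\x80" + struct.pack(">Q", timestamp) + iv + ciphertext
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)


def verify_token(key_b64: bytes, token: bytes) -> bool:
    """True only if the token's HMAC matches under this key. This check runs
    before any decryption, which is why a wrong key fails with InvalidToken
    rather than yielding garbage plaintext."""
    signing_key, _ = split_key(key_b64)
    try:
        data = base64.urlsafe_b64decode(token)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(data) < 1 + 8 + 16 + 32 or data[0] != 0x80:
        return False
    body, tag = data[:-32], data[-32:]
    expected = hmac.new(signing_key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


# Constructed demo values, not the room's key or message.
RIGHT_KEY = base64.urlsafe_b64encode(bytes(range(32)))
WRONG_KEY = base64.urlsafe_b64encode(bytes(range(1, 33)))
DEMO_TOKEN = build_token(RIGHT_KEY, ciphertext=b"\x00" * 32, iv=b"\x11" * 16, timestamp=1_600_000_000)

if __name__ == "__main__":
    print("right key accepted:", verify_token(RIGHT_KEY, DEMO_TOKEN))  # True
    print("wrong key accepted:", verify_token(WRONG_KEY, DEMO_TOKEN))  # False
```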
Finally we got our ROOT flag !!!
Now we have all our answers; let’s submit them, and we have successfully completed our CTF!!
Keep Trying, Keep Working :)
Thank you for Reading!!
Happy Hacking
Follow me more to get more tips and tricks! 🙏