Chocolate Factory writeup(tryhackme)

Thatquietkid
3 min read · Jan 19, 2021


The link for this machine is: https://tryhackme.com/room/chocolatefactory

So, as usual, I started with an nmap scan, but it was taking too long, so I started enumeration before the nmap results came back. I went to the machine's IP and found a web page with a login form, and then I started enumerating directories using Gobuster.

command= gobuster dir -u http://IP/ -w (wordlist with full path) -x php,txt

and I found home.php.

As you can see, I have shown the gobuster and IP/home.php results.
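As an added example (not part of the original writeup), here is the defender's view of this step: a small Python script that parses Apache combined-format access log lines and flags any client that produces a burst of 404 responses, which is what a wordlist-driven directory scan looks like from the server side. The log lines, IP addresses, User-Agent strings and the 30-second window / 10-miss threshold are constructed values for the example; the result also lists the paths the scanning client actually found (here home.php), which is what you would review first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample traffic (not from the room): one ordinary visitor and one
# client that requests eleven guessed paths within three seconds.
_scan_paths = ["/admin", "/admin.php", "/backup", "/config.php", "/test.php",
               "/login.php", "/old", "/dev", "/api", "/uploads", "/secret.txt"]
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jan/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
] + [
    f'10.0.0.9 - - [19/Jan/2021:10:00:{2 + i // 4:02d} +0000] "GET {p} HTTP/1.1" 404 196 "-" "gobuster/3.1.0"'
    for i, p in enumerate(_scan_paths)
] + [
    '10.0.0.9 - - [19/Jan/2021:10:00:05 +0000] "GET /home.php HTTP/1.1" 200 512 "-" "gobuster/3.1.0"',
    '10.0.0.5 - - [19/Jan/2021:10:00:40 +0000] "GET /missing HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_dir_bruteforce(lines, window=timedelta(seconds=30), threshold=10):
    """Flag every client IP with at least `threshold` 404s inside any span of
    length `window`. For each flagged IP also report the paths that DID exist
    (2xx/3xx), i.e. what the scan discovered, plus the User-Agents seen.
    Scanners that keep their default User-Agent identify themselves, but the
    404 burst is the signal to rely on, since the UA is trivially changed."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        misses = sorted(r["ts"] for r in recs if r["status"] == 404)
        start, flagged = 0, False
        for end in range(len(misses)):          # sliding window over 404 times
            while misses[end] - misses[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged = True
                break
        if flagged:
            findings[ip] = {
                "not_found": len(misses),
                "discovered": sorted({r["path"] for r in recs if 200 <= r["status"] < 400}),
                "user_agents": sorted({r["ua"] for r in recs}),
            }
    return findings


if __name__ == "__main__":
    for ip, f in detect_dir_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {f['not_found']} misses, discovered {f['discovered']}, UAs {f['user_agents']}")
```

Feed it real lines with `detect_dir_bruteforce(open("/var/log/apache2/access.log"))`; the single stray 404 from the normal visitor stays below the threshold, so only the scanning client is reported.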

We see a command option there, and it looks like we can execute commands, so I did.

command = ls

After this command, we found a file called key_rev_key, and we cat it out (cat prints the contents of a file).

Now we have found the key, and we know there is a command execution vulnerability, so let's get a reverse shell.
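The command execution found above is the classic command-injection pattern: request text concatenated into a shell command. The following Python is an added example, not the room's code or anything from the original post, showing the unsafe pattern next to a hardened handler that only lets the client pick a named action, validates the one argument it accepts against a strict pattern, and runs the result as an argv list with no shell. The action table, the host pattern and the `looks_like_injection` helper are my own assumptions for the example.

```python
import re
import subprocess

# UNSAFE: the request parameter is handed to /bin/sh unchanged, so anything
# after ";", "|", "&&" or inside "$( )" runs as the web server user.
def run_unsafe(user_input):
    return subprocess.run(user_input, shell=True, capture_output=True,
                          text=True).stdout

# Hardened version. The client never supplies a command string; it picks an
# action name from this (assumed, constructed) table. Each entry is an argv
# list, so the OS receives exactly these tokens and no shell parses them.
ALLOWED_ACTIONS = {
    "disk": ["df", "-h"],
    "uptime": ["uptime"],
    "ping": ["ping", "-c", "1"],   # the only action that takes an argument
}
# A hostname or IP: letters, digits, dots and hyphens only, bounded length.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")
# Shell metacharacters worth alerting on when they appear in a request parameter.
INJECTION_RE = re.compile(r"[;&|`\n\r]|\$\(|<\(|>\(")


class CommandRejected(ValueError):
    """Raised for anything outside the allow list; log it, never echo it back."""


def looks_like_injection(value):
    """Detection aid: True when the raw parameter contains shell metacharacters."""
    return bool(INJECTION_RE.search(value))


def build_argv(action, arg=None):
    """Map (action, arg) to a fixed argv list, or raise CommandRejected."""
    if action not in ALLOWED_ACTIONS:
        raise CommandRejected(f"unknown action {action!r}")
    argv = list(ALLOWED_ACTIONS[action])
    if action == "ping":
        if arg is None or not HOST_RE.match(arg):
            raise CommandRejected("ping needs a well-formed host")
        argv.append(arg)
    elif arg is not None:
        raise CommandRejected(f"{action} takes no argument")
    return argv


def is_accepted(action, arg=None):
    """True if the allow list would run this request."""
    try:
        build_argv(action, arg)
        return True
    except CommandRejected:
        return False


def run_safe(action, arg=None):
    """Execute an allow-listed action with no shell and a hard timeout."""
    argv = build_argv(action, arg)
    done = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=10)
    return done.stdout


if __name__ == "__main__":
    for raw in ["disk", "ls; id", "$(id)"]:
        print(f"{raw!r}: injection-like={looks_like_injection(raw)} "
              f"accepted={is_accepted(raw)}")
```

The design point is that validation alone is not the fix: the allow list removes the shell from the path entirely, so even an argument that slips past `HOST_RE` reaches `ping` as a single argv token rather than as shell syntax, while `looks_like_injection` gives the application log a signal worth alerting on.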

I prefer pentestmonkey as it has a lot of reverse shells, and I used a PHP one.

Remember to change the IP in the reverse shell to your own and start a netcat listener on your machine.

Now we are www-data, and I cd (change directory) to /home/charlie, where I found a file called "teleport": it is a private SSH key.

Now, we will use this SSH key to log in to the target machine as charlie.

command= ssh -i id_rsa (the ssh key) charlie@IP

Now we can cat out the user.txt flag.

Now all we have to do is find charlie's password and the root flag.

As usual, I checked the sudo permissions.

command= sudo -l

We can see that charlie can run vi (it's vim) as root with sudo.

But we have to find charlie's password first. For that I went back to the /var/www/html directory and started looking through the contents of all the files, and I found
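Both the private key readable in /home/charlie and the password sitting in a file under /var/www/html are the kind of exposure a periodic check on the server should catch first. The following Python is an added example (not from the room or the original post): it builds a throwaway directory tree with constructed contents that imitate that layout, then walks it looking for PEM private-key headers and password-style assignments, recording whether each file's mode lets group or other users read it. The file names other than teleport, the regexes and the sample contents are my assumptions.

```python
import os
import re
import stat
import tempfile

# PEM header used by OpenSSH, RSA, EC and DSA private keys.
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----")
# "password = 'x'", "passwd: x", "$secret = \"x\"" and similar assignments.
CREDENTIAL_RE = re.compile(r"""(?i)\b(?:password|passwd|pwd|secret)\s*[=:]\s*['"]?([^'"\s]{4,})""")


def build_sample_tree():
    """Create a temporary tree imitating the writeup's layout. Every value is
    constructed for the example; the key is not a real key."""
    root = tempfile.mkdtemp(prefix="exposure-scan-")
    home = os.path.join(root, "home", "charlie")
    web = os.path.join(root, "var", "www", "html")
    os.makedirs(home)
    os.makedirs(web)

    key = os.path.join(home, "teleport")
    with open(key, "w") as f:
        f.write("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                "AAAA-constructed-placeholder-not-a-real-key\n"
                "-----END OPENSSH PRIVATE KEY-----\n")
    os.chmod(key, 0o644)                      # world-readable: the problem

    cfg = os.path.join(web, "config.php")     # assumed file name
    with open(cfg, "w") as f:
        f.write("<?php\n$password = 'constructed-example-password';\n")
    os.chmod(cfg, 0o644)

    with open(os.path.join(web, "index.php"), "w") as f:
        f.write("<?php echo 'hello';\n")      # benign control file
    return root


def scan_tree(root, max_bytes=65536):
    """Walk `root` and return a finding per file that holds a private key or a
    hard-coded credential, noting whether group/other can read it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as f:
                    text = f.read(max_bytes)
                mode = os.stat(path).st_mode
            except OSError:
                continue                      # unreadable or vanished: skip
            exposed = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
            rel = os.path.relpath(path, root)
            if PRIVATE_KEY_RE.search(text):
                findings.append({"relpath": rel, "kind": "private_key",
                                 "readable_by_others": exposed})
            if CREDENTIAL_RE.search(text):
                findings.append({"relpath": rel, "kind": "hardcoded_credential",
                                 "readable_by_others": exposed})
    return findings


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(finding)
```

Run against a real host with `scan_tree("/home")` and `scan_tree("/var/www")`; a private key that is readable by others should be rotated, not just chmod-ed, because any process that could read it may already have copied it.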

Now we know charlie's password, and for privilege escalation I went to GTFOBins and found a sudo command for vim (just type vi instead of vim).
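The sudo rule behind this escalation, and the question of how to find such rules before someone else does, is something a defender can check mechanically. The following Python is an added example, not from the room or the post: it parses sudoers-style rules from a constructed sample file, flags non-root users allowed to run a binary whose GTFOBins sudo entry documents a way to reach a shell (vi and vim among them), treats the NOEXEC tag as a mitigating factor, and suggests sudoedit for editors. The sample file, the user names and the subset of binaries in the list are my assumptions.

```python
import re
from dataclasses import dataclass

# Constructed subset of binaries whose GTFOBins "sudo" entries document a way
# to spawn a subprocess and therefore a root shell.
SHELL_ESCAPE_BINS = {
    "vi", "vim", "view", "vimdiff", "nano", "less", "more", "man",
    "find", "awk", "gawk", "python", "python2", "python3", "perl", "ruby",
    "env", "bash", "sh", "zsh", "ftp", "tar", "zip", "git",
}
EDITORS = {"vi", "vim", "view", "vimdiff", "nano"}

# Constructed sample sudoers; not the room's real /etc/sudoers.
SAMPLE_SUDOERS = """\
# constructed sample, not the room's real file
Defaults        env_reset
User_Alias      WEBADMINS = alice
root    ALL=(ALL:ALL) ALL
charlie ALL=(ALL) NOPASSWD: /usr/bin/vi
alice   ALL=(root) /usr/sbin/service apache2 restart
bob     ALL=(ALL) NOEXEC: /usr/bin/less /var/log/syslog
"""


@dataclass
class Rule:
    user: str
    host: str
    runas: str
    tags: frozenset
    command: str


@dataclass
class Finding:
    user: str
    command: str
    severity: str
    reason: str
    fix: str


# user host=(runas) [TAG: ...] command, command...
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
TAG_RE = re.compile(r"^([A-Z_]+):\s*")


def parse_sudoers(text):
    """Parse plain user specifications. Aliases, Defaults and #include lines
    are skipped for brevity; a full parser would expand aliases first."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "=" not in line:
            continue
        if line.split()[0].endswith("_Alias"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = set()
        for spec in m["rest"].split(","):
            spec = spec.strip()
            while (t := TAG_RE.match(spec)):      # tags carry over to later commands
                tags.add(t[1])
                spec = spec[t.end():]
            rules.append(Rule(m["user"], m["host"], m["runas"] or "root", frozenset(tags), spec))
    return rules


def audit(rules):
    """Report rules that give a non-root user a path to a root shell."""
    findings = []
    for r in rules:
        if r.user == "root" or not r.command:
            continue
        binary = r.command.split()[0].rsplit("/", 1)[-1]
        nopass = " without a password" if "NOPASSWD" in r.tags else ""
        if r.command == "ALL":
            findings.append(Finding(r.user, r.command, "high", f"unrestricted root{nopass}",
                                    "restrict the rule to the specific commands the role needs"))
        elif binary in SHELL_ESCAPE_BINS:
            if "NOEXEC" in r.tags:
                findings.append(Finding(r.user, r.command, "low",
                                        f"{binary} has a shell escape but NOEXEC blocks child processes",
                                        "keep NOEXEC; prefer sudoedit for editors"))
            else:
                fix = ("let the user run sudoedit (sudo -e) on the named file instead of a root editor"
                       if binary in EDITORS else "add the NOEXEC: tag or replace with a purpose-built script")
                findings.append(Finding(r.user, r.command, "high",
                                        f"{binary} has a documented shell escape, so this is a root shell{nopass}", fix))
    return findings


def audit_sudoers(text):
    return audit(parse_sudoers(text))


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f.severity}] {f.user}: {f.command} -> {f.reason}; fix: {f.fix}")
```

On a live system run it over `sudo cat /etc/sudoers /etc/sudoers.d/*`; the charlie rule above comes out as high because vi is in the escape list and the rule carries no NOEXEC, while bob's less rule is downgraded by NOEXEC, which only helps for dynamically linked binaries and still lets less read any file as root.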

Now we see a root.py.

Let's run this file: command= python root.py. It asks for a key, and we found a key at the beginning (when we found command execution on the web page: key_rev_key).

Now we have answered all the questions and found all the flags for this machine.

Thank you for reading my writeup, and have a nice day.
