Chocolate Factory writeup(tryhackme)

3 min readJan 19, 2021

The link for this machine is:

So, as usual i started with nmap scan , but it was taking too long so I started enumeration before nmap results. I went to the machine’s IP and found a web page with a login form and then I started enumerating directories using Gobuster .

command= gobuster dir -u HTTP://IP/ -w (wordlist with full path) -x PHP,txt

and I found a home.php

As you can see i have shown the gobuster and IP/home.php results.

We see a command option there and it looks like we can execute commands and i did .

command = ls

After this command , we found a key_rev_key and we cat (command for printing the contents of a file) out the file

Now, we have found the key and we know there is a command execution vulnerability so let’s get a reverse shell now.

I prefer pentestmonkey as it has a lot of reverse shells and i used a PHP one.

Remember to change the IP for reverse shell

and start a netcat listener on your machine.

Now , we are www-data and i cd(change directory) to /home/charlie

and i found a file called “teleport” and it is a private ssh key.

Now, we will use this ssh key to login to the target machine as charlie.

command= ssh -i id_rsa(ssh key) charlie@IP

Now we can cat out the user.txt flag

Now all we have to do now is to find the charlie’s password and the root flag.

As usual, i checked the sudo permissions .

command= sudo -l

We can see that charlie can run vi (it’s vim) as sudo.

But we have to find the charlie’s password first . For that i went back to the /var/www/html directory and started seeing the contents of all files and i found

Now , we know the charlie’s password and for privilege escalation i went to GTFObins and found a sudo command for vim (just type vi instead of vim ).

Now , we see a

Let’s run this file : command=python and it was asking for a key and we found a key in the beginning ( when we found command execution on the web page (key_rev_key)).

Now, we have answered all the questions and found all the flags for this machine .

Thankyou for reading my writeup and have a nice day.