[Chocolate Factory] – TryHackMe
Starting off this challenge. We can see from the tags on TryHackMe that it involved steganography and privilege escalation (that second one being a give-in). As well, the questions tell us one of the username’s is ‘charlie’. Really no surprise there. Lets enumerate the box and start poking at some images.
While that scan ran (and it returned a lot of interesting information), I browsed to the website and grabbed the image.png from the CSS background. As well, I connected to the ftp, which allowed anonymous access and there was another image there named ‘gum_room.jpg’.
Inside ‘gum_room.jpg’ was a base64 encoded file which decoded and ended up being their entire /etc/passwd (presumably).
Above is the ‘b64.txt’ file embedded within ‘gum_room.jpg’ and below is the base64 decoded content, which is already being attacked by john the ripper.
The username charlie cracked with a password value of cn7824. These credentials worked to log into the squirrel room, which allows us to execute commands on the server, seemingly (we’ll continue to grab any images we find and poke around). These credentials did not work for SSH.
We use the command injection script to poke around, we grab the ‘key_rev_key’ file. The strings command reveals the answer to the first question the “key” is b’-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY=’
We stabilize the shell, so we can attempt to sudo or su into the user charlie (since the password cracked didn’t work for SSH). But, neither of those work either. So, we simply jump into his user directory and we can see the files teleport and teleport.pub are SSH keys. Sure enough, we copy teleport down to our machine, chmod the permissions to 600 and ssh in as user charlie.
Next we check
sudo -l to see what commands we might be able to run through sudo and we see gold, it allows
/usr/bin/vi. So, a quick
sudo /usr/bin/vi and then breakout with
:!/bin/sh and we’re root.
Finally, we’re not quite done yet, there’s no root flag sitting in the folder, it’s a python script. We notice it asks for the key. So, we provide the key found in the ELF binary earlier and it gives us our final flag.
Pretty quick and easy. Once again, took a lot longer to write up than to actually do. Wasted some time playing with steganography when there was really only one tiny portion it was used for.