From d94bc11ed5339eb12480b64c99c66e6243a6ae60 Mon Sep 17 00:00:00 2001
From: AbdullahRizwan101 <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Wed, 3 Feb 2021 22:17:24 +0500
Subject: [PATCH] Add files via upload
---
TryHackMe/Chocolate-Factory.md | 122 +++++++++++++++++++++++++++++++++
1 file changed, 122 insertions(+)
create mode 100644 TryHackMe/Chocolate-Factory.md
diff --git a/TryHackMe/Chocolate-Factory.md b/TryHackMe/Chocolate-Factory.md
new file mode 100644
index 0000000..dd2d915
--- /dev/null
+++ b/TryHackMe/Chocolate-Factory.md
@@ -0,0 +1,122 @@
+# TryHackMe-Chocolate Factory
+
+## NMAP
+
+```
+PORT STATE SERVICE VERSION [337/397]
+21/tcp open ftp vsftpd 3.0.3
+|_auth-owners: ERROR: Script execution failed (use -d to debug)
+| ftp-anon: Anonymous FTP login allowed (FTP code 230)
+|_-rw-rw-r-- 1 1000 1000 208838 Sep 30 14:31 gum_room.jpg
+| ftp-syst:
+| STAT:
+| FTP server status:
+| Connected to ::ffff:10.2.54.209
+| Logged in as ftp
+| TYPE: ASCII
+| No session bandwidth limit
+| Session timeout in seconds is 300
+| Control connection is plain text
+| Data connections will be plain text
+| At session startup, client count was 2
+| vsFTPd 3.0.3 - secure, fast, stable
+|_End of status
+22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
+|_auth-owners: ERROR: Script execution failed (use -d to debug)
+| ssh-hostkey:
+| 2048 16:31:bb:b5:1f:cc:cc:12:14:8f:f0:d8:33:b0:08:9b (RSA)
+| 256 e7:1f:c9:db:3e:aa:44:b6:72:10:3c:ee:db:1d:33:90 (ECDSA)
+|_ 256 b4:45:02:b6:24:8e:a9:06:5f:6c:79:44:8a:06:55:5e (ED25519)
+80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
+|_http-server-header: Apache/2.4.29 (Ubuntu)
+|_http-title: Site doesn't have a title (text/html).
+100/tcp open newacct?
+|_auth-owners: ERROR: Script execution failed (use -d to debug)
+|_ hope you wont drown Augustus"
+106/tcp open pop3pw?
+|_auth-owners: ERROR: Script execution failed (use -d to debug)
+| fingerprint-strings:
+| GenericLines, NULL:
+| "Welcome to chocolate room!!
+| ___.---------------.
+| .'__'__'__'__'__,` . ____ ___ \r
+| _:\x20 |:. \x20 ___ \r
+| \'__'__'__'__'_`.__| `. \x20 ___ \r
+| \'__'__'__\x20__'_;-----------------`
+| \|______________________;________________|
+| small hint from Mr.Wonka : Look somewhere else, its not here! ;)
+|_ hope you wont drown Augustus"
+109/tcp open pop2?
+|_auth-owners: ERROR: Script execution failed (use -d to debug)
+| fingerprint-strings:
+| GetRequest, SMBProgNeg:
+
+```
+
+This machine had 11 ports open out of which three were useful to us http,ftp and ssh rest of them were false positive giving a hint like look somewhere else
+
+
+
+## PORT 21
+
+
+
+Running steghide to extract something from the image gave us a text file
+
+
+
+
+
+So this is like a backup of `/etc/shadow` on the target machine here we need to crack this hash
+
+
+
+
+
+It seems we cannot crack this hash easily so let's just enumerate the next service which is port 80
+
+## PORT 80
+
+
+
+So we cannot login without a valid username and guessing usernames other than admin didn't worked so next options is to start fuzzing for directories or pages
+
+
+
+
+
+We can get a shell as on `/home.php` there is rce so by inserting python payload for reverse shell and setting up a netcat listener we can get a shell
+
+
+
+We see a `key_rev_key` file
+
+
+
+But it is a binary file and we cannot execute it as it does not have permissions and we cannot set for it but there's validate.php that we can read and it gives us the password for the login page
+
+
+
+Also I cat the binary file and got the key
+
+
+
+Still it gives us the same page after logging in to `/home.php` so we have to do something with that binary. In charlie's directory we can see `teleport` file which is a private key for ssh
+
+
+
+By transfering the ssh key to our machine and then logging in with ssh was successful we are now `charlie`
+
+
+
+We can see that `vi` can be run as all users other than the root so there comes a sudo vulnerability but I just used sudo normally and then typed `!/bin/sh` and got root
+
+
+
+
+
+The root flag is encrypted with the key we found in `/var/www/html`
+
+Running the file with python
+
+
\ No newline at end of file