This room was designed so that hackers can revisit the Willy Wonka’s Chocolate Factory and meet Oompa Loompa
This is a beginner friendly room!
This is Chocolate Factory from THM. It’s easy rated, although it’s not the noobiest one I’ve ever seen.
Ports
Wew, lots - there are 21 (FTP), 22 (SSH) and 80 (HTTP), plus every port from 100 to 125 inclusive.
I don’t bother with a detailed scan. Firefox doesn’t like ports in the 100-ish range, saying This address is restricted. We can remove that by going to about:config and editing the network.security.ports.banned.override key. I set it to String with the value 1-60000 so hopefully I never see this warning again.
FTP
We’ve got anonymous access and there is one file: gum_room.jpg. Exiftool doesn’t give us anything useful so let’s try steghide:
This gets us a file that looks like a shadow file. It only contains one hash, for a user called charlie:
I try to SSH in with this password, but it doesn’t work, hmmmm.
HTTP
At one of the ‘random’ ports in the >100 range we get this:
“Welcome to chocolate room!!
ASCII ART REMOVED
A small hint from Mr.Wonka : Look somewhere else, its not here! ;)
I hope you wont drown Augustus”
Okey dokey.
At the front page we get a login. Dirsearch gives me something more:
What is at home.php? Home.php has a box which lets us send commands to the server, like reverse shells for example:
Alright then. By the way, the password we cracked for charlie works in the login page, and directs us to home.php. So yeah whatever really.
www-data
As www-data we can go to /home/charlie and read a file called teleport, which is an SSH private key. It’s not password protected, so we just need to chmod 600 on it and we can login as charlie:
Charlie
Charlie is in the admin, sudo and lxd groups, but we don’t know his password unfortunately. Linpeas gives us a few things, including:
It also draws our attention to two files in /etc/init.d that we have ownership of:
ports.sh, and
chocolate.txt
Under some circumstances these files might be a privesc in themselves, if we had the ability to reboot the box. But we don’t, since that’s not how THM rooms work. But we can read them, and in particular one line stands out:
echo "http://localhost/key_rev_key <- You will find the key here!!!"
nc -lkp 113 > /dev/null &
What’s this? We can retrieve the file, and it’s a binary. We don’t need to run it; strings will be sufficient:
We’ll need this shortly.
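The /etc/init.d finding above is the kind of thing a defender can check for routinely. This is an added example, not code from the room or the original post: it flags init scripts that are not owned by root or are group/world-writable, and runs against a constructed sample that mirrors the two charlie-owned files (charlie’s uid of 1000 and the mode bits are assumed values).

```python
"""Audit init scripts for ownership/permission bits that would let a
non-root user alter what runs as root at boot."""
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class ScriptRecord:
    path: str
    uid: int   # owning user id
    mode: int  # permission bits (st_mode & 0o7777)


def classify(rec: ScriptRecord) -> list[str]:
    """Return the reasons a record is risky; an empty list means clean."""
    reasons = []
    if rec.uid != 0:
        reasons.append(f"owned by uid {rec.uid}, not root")
    if rec.mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if rec.mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit(records) -> dict[str, list[str]]:
    """Map each risky script path to its list of reasons."""
    return {r.path: classify(r) for r in records if classify(r)}


def scan_directory(path: str = "/etc/init.d") -> list[ScriptRecord]:
    """Build records from a live directory (regular files only)."""
    recs = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.lstat(full)
        if stat.S_ISREG(st.st_mode):
            recs.append(ScriptRecord(full, st.st_uid, stat.S_IMODE(st.st_mode)))
    return recs


# Constructed sample: two scripts owned by charlie (uid 1000 is assumed),
# one clean root-owned script, and one root-owned but group-writable script.
SAMPLE = [
    ScriptRecord("/etc/init.d/ports.sh", 1000, 0o755),
    ScriptRecord("/etc/init.d/chocolate.txt", 1000, 0o644),
    ScriptRecord("/etc/init.d/ssh", 0, 0o755),
    ScriptRecord("/etc/init.d/cron", 0, 0o775),
]

if __name__ == "__main__":
    for p, why in audit(SAMPLE).items():
        print(f"{p}: {', '.join(why)}")
```

Run scan_directory() instead of SAMPLE to audit a real box; anything it reports is a file root will execute at boot that someone other than root can edit.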
Back to the vi thing. We can use this to do some things that we otherwise wouldn’t be able to, e.g. get directory listings and read files, although it doesn’t seem to want to give me a shell. Anyway:
charlie@chocolate-factory:/$ sudo -u root /usr/bin/vi -c ls /root
While I was on the box I used the vi technique to read the shadow file and threw the hashes for root and charlie at john:
Note this says three password hashes because I used the same file that had Charlie’s other hash in it. Interestingly not only did these break fairly quickly, they were THE SAME PASSWORD. Of course, I tried to SSH in as root but that didn’t work, presumably SSH login as root with a password was disabled. Similarly, sudo su was disabled for charlie, so being in the sudoer group didn’t help. But since we knew the root password, we could just do su root instead. Win.
Next, I wanted to see just how easy it would be to bruteforce SSH for this box. The password was about 400000 entries into rockyou, so not that practical. I checked the other entries in /usr/share/seclists/Passwords and the closest I found was the Leaked-Databases/Ashley-Madison.txt file; the password we needed was about 1500 lines in. Let’s try that with Hydra:
So, with the right wordlist we can bruteforce SSH on this box in a little under 10 minutes. While this was not the point of the exercise, I tend to think the passwords should probably be stronger than this.