Chocolate Factory is a relatively new capture-the-flag room. Let’s deploy!
Once it was deployed, I again set an environment variable TARGET for the target box, so I don't have to keep the IP in my head.
$ export TARGET=10.10.172.75
Introduction
#Deploy the machine!
answer: No answer needed
Challenges
#Enter the key you found!
answer: [NO SPOILER]
Kicking off nmap!
$ nmap -sV -sC $TARGET
Among the open ports, one stood out (113)! Its banner said:
|_ http://localhost/key_rev_key <- You will find the key here!!!
So I hit the URL http://10.10.172.75/key_rev_key, and it downloaded a file.
When I ran cat on the file, it showed binary garbage, so I ran strings on it to pull out the printable characters.
$ strings key_rev_key
#What is Charlie’s password?
answer: [NO SPOILER]
I saw that port 80 was open, so I ran ffuf against it.
$ ffuf -v -c -recursion -t 64 -e $EXTS -w $W_COMMON -u http://$TARGET/FUZZ
It found home.php and index.html.
home.php looks more interesting, since I can run commands through it!
I tried a few commands and found that listing the home directory was very fruitful!
teleport and teleport.pub (an SSH key pair) are readable by everyone?! So I cat them out:
Then I saved the private key into an id_rsa file, chmod it to 600 and logged in.
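A small helper for the "save it as id_rsa and chmod 600" step. This is an added example, not code from the original writeup. It assumes the private key was copied out of a web page that flattened it onto one whitespace-separated line (the writeup does not say whether that happened here); it rebuilds the PEM with 64-character body lines and writes it with mode 600 so ssh will accept it. The sample key body in the usage is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# rebuild_key IN OUT
# Reads a PEM private key that may have been flattened onto one line
# (e.g. pasted out of a web page), rewrites it as a proper multi-line
# key and sets mode 600. Returns 1 if no PEM markers are present.
rebuild_key() {
    in="$1"; out="$2"
    umask 077   # file is created unreadable to group/other from the start
    header=$(grep -o -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$in" | head -n 1)
    footer=$(grep -o -e '-----END [A-Z ]*PRIVATE KEY-----' "$in" | head -n 1)
    if [ -z "$header" ] || [ -z "$footer" ]; then
        echo "rebuild_key: no PEM private key markers in $in" >&2
        return 1
    fi
    # Flatten everything to one line, cut away text before the header and
    # after the footer, then strip all remaining whitespace from the body.
    body=$(tr -d '\n\r' < "$in" \
        | sed -e "s/.*$header//" -e "s/$footer.*//" \
        | tr -d ' \t')
    {
        printf '%s\n' "$header"
        printf '%s\n' "$body" | fold -w 64   # PEM body lines are 64 chars
        printf '%s\n' "$footer"
    } > "$out"
    chmod 600 "$out"
}

# key_mode FILE: print the octal permission bits (GNU stat, BSD fallback)
key_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Usage (constructed placeholder key body, not a real key):
#   printf '%s\n' 'junk -----BEGIN RSA PRIVATE KEY----- AAAAB3Nza C1yc2EAAAAD -----END RSA PRIVATE KEY----- more junk' > raw.txt
#   rebuild_key raw.txt ~/.ssh/id_rsa_charlie
#   ssh -i ~/.ssh/id_rsa_charlie charlie@$TARGET
```

If ssh still rejects the key after this, check that nothing else in the pasted text was swallowed into the body (the function keeps only characters between the two markers) and that the header/footer pair match the key type that was actually on the box.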
#Enter the user flag
answer: [NO SPOILER]
Since we already know user.txt is in /home/charlie, it's just a cat away.
#Enter the root flag
answer: [NO SPOILER]
I checked my sudo permissions:
$ sudo -l
and found that I am allowed to run vi.
After going into vi, I ran :sh to get a shell.
I checked the /root folder and found a Python file, root.py. I ran it, entered the key found above, and Bingo!
Up to this point we still don't know Charlie's password!
Since I am root, I took the hash from /etc/shadow and saved it to a local file, shadow.
And ran it through john:
$ john shadow
Looking at the password input: the format is XXXXXX (the input text box), so it has 6 characters! But john found 2232, which has only 4?!
I spent some time looking around and ended up peeking at the provided writeup. It was the web login password the question was asking for!
So I ran cat on validate.php and got the answer~