Tokyo Ghoul — TryHackMe

6 min readMar 17, 2021

This is a write-up for TryHackme’s room named “Tokyo Ghoul”. Please find this room here:

https://tryhackme.com/room/tokyoghoul666

Task is to find the user and root’s flag and along the way answer the questions asked. So let’s Help kaneki escape jason room and start enumeration process using NMAP.

Enumeration

NMAP

# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p- 10.10.0.178

$ sudo nmap -sS -Pn -T4 -p- 10.10.0.178
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p21,22,80 10.10.0.178

$ sudo nmap -O -A -Pn -T4 -p21,22,80 10.10.0.178

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    3 ftp      ftp          4096 Jan 23 22:26 need_Help?
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.8.98.192
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 fa:9e:38:d3:95:df:55:ea:14:c9:49:d8:0a:61:db:5e (RSA)
|   256 ad:b7:a7:5e:36:cb:32:a0:90:90:8e:0b:98:30:8a:97 (ECDSA)
|_  256 a2:a2:c8:14:96:c5:20:68:85:e5:41:d0:aa:53:8b:bd (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome To Tokyo goul

From the scan results we can answer the question asked in first section.

HTTP Port 80

Checking Web Port 80 using a browser, found the following text in the Web Page’s source of the link on the main page(Can you help him escape?)

<!-- look don't tell jason but we will help you escape , here is some clothes to look like us and a mask to look anonymous and go to the ftp room…

Tokyo Ghoul — TryHackMe

Enumeration

Written by 0xsanz

More from 0xsanz

Web Enumeration Methodology

Beginner’s friendly approach for OSCP ,CTFs and Web App Pen-testing

Archangel — TryHackMe

This is write-up for TryHackMe’s room names Archangel which is a Boot2root room involving Web exploitation, Privilege escalation and LFI…

Lunizz CTF -TryHackMe

This is a write-up for another TryHackMe’s rooms named “Lunizz CTF”. This room is available here:

NTP on Oracle Linux 8

How to build and run NTP and not chronyd on Oracle Linux 8

Recommended from Medium

TryHackMe | Valley

https://tryhackme.com/room/valleype

Tryhackme Carnage Walkthrough

Eric Fischer from the Purchasing Department at Bartell Ltd has received an email from a known contact with a Word document attachment. Upon…

Lists

Staff Picks

Stories to Help You Level-Up at Work

Self-Improvement 101

Productivity 101

TryHackMe : Dreaming [Pluck CmS]

Intro : Hello all Hackers! Welcome to my new CTF Writeup on TryHackMe Platform name : Dreaming. Here you will find Vulnerable Version of…

TryHackMe: Anonymous

Room: https://tryhackme.com/room/anonymous THM Rating: Medium Actual Rating: Medium

Blog — TryHackMe: Walkthrough 🏴

Billy Joel made a Wordpress blog!

TryHackMe “tomghost” Writeup

Link to THM Room: https://tryhackme.com/room/tomghost