Today we’re going to solve another boot2root challenge called “Tokyo Ghoul”. It’s available at TryHackMe for penetration testing practice. This lab is of medium difficulty if we have the right basic knowledge to break the labs and are attentive to all the details we find during the reconnaissance. The credit for making this lab goes to devalfo and rockyou.txt. Let’s get started and learn how to break it down successfully.
Disclaimer: This machine contains spoilers for the Tokyo Ghoul anime and manga.
Level: Medium
Penetration Testing Methodology
· Network Scanning
o Nmap
· Enumeration
o Browsing HTTP Service
o Enumerating Source Code
o Enumerating FTP Service
o Enumerating Executable using Strings
o Enumerating Image File using Steghide
o Decoding Morse Code
o Decoding Hexadecimal
o Decoding Base64
o Directory Bruteforce using Dirb
· Exploitation
o Exploiting Local File Inclusion
o Extracting User Hash
o Cracking User Hash using John the Ripper
o Logging in via SSH
o Reading User Flag
· Privilege Escalation
o Enumerating Sudo Permissions
o Escaping Python Jail using built-in modules
o Exploiting Sudo Permissions on Python Script
o Getting Root Shell
o Reading Root Flag
Walkthrough
To read and understand what the machine is, we will start by reading the lab description:
“Help kaneki escape jason room”
“This room took a lot of inspiration from psychobreak, and it is based on Tokyo Ghoul anime.”
After booting up the machine from the TryHackMe Tokyo Ghoul page, we will be provided with a target IP address.
IP Address: 10.10.43.18
This room has 2 flags that we need to find to complete the machine, although there are multiple questions or tasks that we need to perform along the way. We will answer those tasks as we go through them.
Task 1: About the room
Q. 1. Read the above
No answer needed
Q. 2. Deploy the machine
No answer needed
Network Scanning
We will start with an nmap scan with -sC for default scripts and -sV for version detection.
nmap -sC -sV 10.10.43.18
Nmap was able to identify 3 services running on the target machine: FTP (21), SSH (22) and HTTP (80). Nmap was kind enough to check the FTP service for anonymous login, and it told us that there is a directory by the name of need_Help? hosted on the FTP server which is accessible through anonymous login. We will get back to that. The SSH service is not accessible due to lack of credentials. Lastly, we have the HTTP service hosting some webpage.
Enumeration
The webpage describes the story of Ken Kaneki, a high school teenager who went on a date with a girl, Rize Kamishiro. She turned out to be a ghoul and started consuming Kaneki. But something falls on her and she is knocked out. Kaneki escapes to hospital, where he is captured by Jason. Jason used Kaneki for harvesting his organs. This is pretty dark if you ask me. Anyhow, reading this possibly gave us some words that can either be directories or users on the machine. We have Ken, Kaneki, Rize, Kamishiro and Jason. The webpage has a link that is to be used to save Kaneki from Jason. Clicking on it leads to another page.
Task 2: Where am I?
Q. 1. Use nmap to scan all ports
No answer needed
Q. 2. How many ports are open?
3
Q. 3. What is the OS used?
Ubuntu
http://10.10.43.18/
This page is called jasonroom.html. It contained a gif of Jason injecting Kaneki with some fluid. We tried to find some link or anything other than the gif on the page, but we were unsuccessful. Inspecting the gif also resulted in a dead end. This is where it hit me to check the source code of the webpage.
Task 3: Planning to escape
Q. 1. Did you find the note that the other ghouls gave you? Where did you find it?
jasonroom.html
http://10.10.43.18/jasonroom.html
There is a comment on the webpage. It tells us that there is a way to escape Jason. The note further tells us that there is a mask which makes us look anonymous, and it tells us to go to the FTP room. That is a lame hint. We already know that anonymous login is enabled on the FTP. Time to enumerate the FTP.
view-source:http://10.10.43.18/jasonroom.html
Logging in on the FTP service, we have the need_Help? directory. It contained a text file (Aogiri_tree.txt) and another directory (Talk_with_me). We downloaded the text file to our local system for a closer look and then traversed into the Talk_with_me directory. It contained an executable binary need_to_talk and an image rize_and_kaneki.jpg. We downloaded both of them to our local machine for further inspection.
ftp 10.10.43.18
anonymous
ls
cd need_Help?
ls
get Aogiri_tree.txt
cd Talk_with_me
ls
get need_to_talk
get rize_and_kaneki.jpg
We read the Aogiri_tree.txt file. This seemed to be a message to Kaneki describing that Rize is now a part of Kaneki and Kaneki has her Kagune. It asks Kaneki to get control of his body, and it also tells Kaneki that he is a part of Aogiri tree. Now we add two other words to our original notes: Kagune and Aogiri.
cat Aogiri_tree.txt
Another file that we downloaded from the FTP server is the image of Rize and Kaneki. We looked at it in the image viewer and checked its details using ExifTool. No important information was recovered. This made us realize that it is possible that a compressed file is hidden inside it. That means we need to use steghide to extract it. We tried, and it told us that there is a password that needs to be entered in order to extract the files inside rize_and_kaneki.jpg.
Now we need to enumerate for the password. We changed the permissions of the need_to_talk executable so we could run it on our local machine. It tells us that it will give us the kagune, which we can only assume is the password for extracting files from the image. But in order to cough up the password, it requires us to enter a keyword. Puzzle inside a puzzle. Nice! We entered password. Of course, it is not the correct keyword, but it gave us a hint. It asks us to take a look inside the executable. There are a bunch of tools to take a look inside an executable, such as rabin2, which it hints us to use, or we can use ltrace too, but the simplest of all is strings. Let’s test strings first.
chmod 777 need_to_talk
./need_to_talk
The strings command extracts the human-readable words from the machine code. Now, as the executable asks for a particular keyword, it is possible that it might be running a string compare against the word, and the word might exist inside the binary. We see that Kamishiro exists inside the code. It was one of the words of interest that we extracted at the beginning of the walkthrough too.
strings need_to_talk
Q. 2. What is the key for Rize executable?
kamishiro
Q. 3. Use a tool to get the other note from Rize.
No answer needed
We run the executable again. This time when asked for the keyword, we typed in Kamishiro. It tells us that we came for “You_found_1t”. Really! It seems like the author is not even trying to name files properly. Still, this seems like a troll and also a password that might extract data from the image.
./need_to_talk
We entered You_found_1t while extracting the contents from rize_and_kaneki.jpg. It extracts a text file "yougotme.txt". Wow! Such a talent for naming files. Time to read yougotme.txt. It mocks us for our smartness but then proceeds to give the most easily recognizable encoding in the world: Morse code. It hints that if we decode the Morse, we can get a directory.
steghide extract -sf rize_and_kaneki.jpg
cat yougotme.txt
We searched for a Morse code decoder online, because we are not dense enough to resort to converting each dot and dash by hand. Anyhow, it gets converted into a weird string. This string, however, looks too familiar.
We went to the asciitohex website and entered the string in the hexadecimal section. It gets converted into another string. The == tells us this is Base64.
Copying the string and pasting it inside the Base64 section, we get ourselves the secret directory, conveniently named d1r3c70ry_center.
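The Morse, hexadecimal and Base64 chain described above, as an added Python example that is not part of the original write-up. The room's note itself is not reproduced here, so MORSE_NOTE is a constructed sample that encodes the same directory name through the same three layers; the decoder is generic and works on any space-separated Morse.

```python
import base64

# Morse table covering letters and digits, so the decoder works on any note,
# not just the hex digits (0-9, a-f) that this particular chain needs.
MORSE = {
    ".-": "a", "-...": "b", "-.-.": "c", "-..": "d", ".": "e", "..-.": "f",
    "--.": "g", "....": "h", "..": "i", ".---": "j", "-.-": "k", ".-..": "l",
    "--": "m", "-.": "n", "---": "o", ".--.": "p", "--.-": "q", ".-.": "r",
    "...": "s", "-": "t", "..-": "u", "...-": "v", ".--": "w", "-..-": "x",
    "-.--": "y", "--..": "z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9",
}

def morse_decode(note: str) -> str:
    """Decode space-separated Morse; '/' separates words. Unknown tokens raise KeyError."""
    words = note.strip().split("/")
    return " ".join("".join(MORSE[tok] for tok in word.split()) for word in words)

def decode_note(note: str) -> str:
    """Run the full chain from the write-up: Morse -> hex text -> Base64 text -> plaintext."""
    hex_text = morse_decode(note)
    b64_text = bytes.fromhex(hex_text).decode("ascii")
    # validate=True makes a mangled transcription fail loudly instead of decoding garbage
    return base64.b64decode(b64_text, validate=True).decode("utf-8")

# Constructed sample (not the room's note): Morse for the hex of the Base64 of the
# directory name, so it exercises every step of the chain.
MORSE_NOTE = (
    "..... .- ....- ....- ....- -.... --... ----. ....- -.. ...-- ..--- "
    "....- -.. ...-- ...-- ....- -.. ....- ---.. ....- .- ...-- ..... "
    "..... ---.. ...-- ..--- ....- . -.... -.-. -.... ..--- -.... . "
    "..... ..--- -.... -.-. -.... ...-- -.... --... ...-- -.. ...-- -.."
)

if __name__ == "__main__":
    print(morse_decode(MORSE_NOTE))   # the "weird string" (hex)
    print(decode_note(MORSE_NOTE))    # the hidden directory name
```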
Task 4: What Rize is trying to say?
Q. 1. What does the message mean? Did you understand it? What does it say?
d1r3c70ry_center
Q. 2. Can you see the weakness in the dark? No? Just search
No answer needed
Q. 3. Did you find something? Crack it
No answer needed
We tried to browse the d1r3c70ry_center by carefully appending it to the IP address of the target machine. It gave us this image of a character who is asking that we scan him. We will not disappoint him. There are a bunch of scans that we can do here.
http://10.10.43.18/d1r3c70ry_center/
We decided to start with a dirb scan, or directory bruteforce. We used common.txt as the wordlist for our scan. This gave us a directory by the name of claim.
dirb http://10.10.43.18/d1r3c70ry_center/
Browsing the claim directory, we are greeted with “Welcome Kaneki Ken”. It asks us a question: do we really want the power? Are we going to accept this ghoul power? A simple yes or no question with yes and no buttons. We click on both sequentially to see what happens.
http://10.10.43.18/d1r3c70ry_center/claim/
We are directed to view a gif. However, the gif was loaded using the view parameter. This makes us eager to try Local File Inclusion.
http://10.10.43.18/d1r3c70ry_center/claim/index.php?view=flower.gif
Exploitation
We think the author of the machine has anticipated that as well. It politely asks us not to do it.
http://10.10.43.18/d1r3c70ry_center/claim/index.php?view=../../../../etc/passwd
But we are not going to back down so easily. We tried entering just dots and then dots with backslashes. This is where we see that it is restricting the backslashes. So, we encoded them and tried to browse the etc/passwd file again, and this time we succeeded. We got the username and password hash. The user we will be using would be Kamishiro.
Q. 4. What is Rize's username?
kamishiro
http://10.10.43.18/d1r3c70ry_center/claim/index.php?view=%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd
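The filter the page describes looks for a literal traversal sequence in the raw parameter and is therefore blind to percent-encoding. As an added Python example (not the room's PHP code), here is that style of denylist check beside a canonicalising check that decodes first and then requires the resolved path to stay under the web root; WEB_ROOT and the file names are assumed values.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Assumed web root for the claim/ page; any directory path works for the checks.
WEB_ROOT = "/var/www/html/d1r3c70ry_center/claim"

def naive_filter_allows(view: str) -> bool:
    """Denylist in the spirit of the page's filter: refuse a literal '../'.
    It inspects the raw parameter, so an encoded traversal is not recognised."""
    return "../" not in view

def safe_resolve(view: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Decode first, join under the web root, canonicalise, then require the
    result to still be inside the root. Returns the path, or None if refused."""
    decoded = unquote(view)                  # validate the decoded form, never the raw one
    relative = decoded.lstrip("/")           # an absolute path would otherwise replace the root
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

if __name__ == "__main__":
    for param in ("flower.gif", "../../../../etc/passwd",
                  "%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd"):
        print(f"{param!r}: naive={naive_filter_allows(param)} safe={safe_resolve(param)}")
```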
We copied the hash and pasted it into a file named hash. I think the author has rubbed his lazy file-naming habit off on us. Anyway, we tried to crack the hash using John the Ripper. The wordlist we decided to use was rockyou.txt. The password cracked in mere seconds and came out to be password123. This is where I felt the most trolled by the author of the machine.
Q. 5. What is Rize's password?
password123
nano hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash
Time to connect to the target machine as the Kamishiro user. Luckily for us there were not any new rabbit holes, and we got the first flag on the machine, i.e., the user flag.
Task 5: Fight Jason
Q. 1. user.txt
###############################
ssh kamishiro@10.10.43.18
ls
cat user.txt
Privilege Escalation
We need to enumerate the machine to find a way to elevate this shell to a root shell. We started by checking the sudo permissions for the Kamishiro user. We see that there is a Python script by the name of jail.py that we can run as root.
sudo -l
During our hunt for the user flag, we saw that jail.py exists in the current directory. Let’s take a look under the hood of this script to see how it works. The script starts with a bunch of strings. Then it asks the user for an input. But this input is then checked for keywords like 'eval', 'exec', 'import', 'open', 'os', 'read', 'system' and 'write'. This means that we are restricted from executing any reverse shell script or bash script to get root. We need to get a bit creative here.
cat jail.py
We needed a way to execute a command while evading the checks. Python exposes its built-in objects through the __builtins__ module. So instead of using import or os literally, we will use __IMPORT__ and OS and lowercase them at runtime. We could have kept at it to create a proper payload and tried it again and again on the script. But instead of reinventing the wheel, we decided to search for Python jails and we found this article, which has created the command that works to read a file. We modified it to invoke a shell. Since it is possible to run this script as root using sudo, the shell that it generates will be root's as well. After executing the script and providing the builtins command, we got the root shell. Traversing into the root directory, we found the final flag, i.e., the root flag.
Q. 2. root.txt
###############################
Task 6: Special thanks
Q. 1. Congratulations, you've completed Tokyo Ghoul room 1
No answer needed
sudo /usr/bin/python3 /home/kamishiro/jail.py
__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('/bin/bash')
id
cd /root
ls
cat root.txt
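Why the substring denylist in jail.py fails and what a safer input check looks like, as an added Python example that is not the room's script: denylist_check reproduces the keyword filter the page describes, and allowlist_check parses the input and accepts only arithmetic expressions, so nothing that reaches into __builtins__ can be expressed at all. The other half of the fix is not granting sudo on a script that evaluates user input in the first place.

```python
import ast

# The keywords the page says jail.py refuses in the user's input.
DENIED = ("eval", "exec", "import", "open", "os", "read", "system", "write")

def denylist_check(src: str) -> bool:
    """Substring denylist over the raw source text, as the page describes it.
    Returns True when the input would be allowed through."""
    return not any(word in src for word in DENIED)

# Allowlist of AST node types for a calculator-style jail: literals and
# arithmetic only. Names, attributes, subscripts and calls are all absent
# from this tuple, so a lookup through __builtins__ cannot be expressed.
ALLOWED_NODES = (
    ast.Expression, ast.Constant, ast.BinOp, ast.UnaryOp,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod, ast.Pow, ast.USub, ast.UAdd,
)

def allowlist_check(src: str) -> bool:
    """Parse the input as an expression and accept it only if every node is on
    the allowlist. Returns True when allowed; unparsable input is refused."""
    try:
        tree = ast.parse(src, mode="eval")
    except SyntaxError:
        return False
    return all(isinstance(node, ALLOWED_NODES) for node in ast.walk(tree))

def evaluate_if_allowed(src: str):
    """Evaluate only allowlisted input, with builtins removed as a second layer."""
    if not allowlist_check(src):
        raise ValueError("input refused by allowlist")
    code = compile(ast.parse(src, mode="eval"), "<jail>", "eval")
    return eval(code, {"__builtins__": {}}, {})

if __name__ == "__main__":
    # The page's own payload: the denylist passes it, the allowlist does not.
    payload = ("__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower())"
               ".__dict__['SYSTEM'.lower()]('/bin/bash')")
    print(denylist_check(payload), allowlist_check(payload))
    print(evaluate_if_allowed("(2 + 3) * 4"))
```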