Tryhackme | Tokyo Ghoul write-up

FarisArch
4 min read, Apr 9, 2021

This is a free, medium-difficulty room on tryhackme.com.

Task 1:

Deploy the machine and proceed!

Task 2: Some Nmap Scans!

  1. Use Nmap to Scan all the ports
A quick and fast nmap scan! (You can use Rustscan too!)

Looks like port 21 is open and Anonymous login is allowed. Keep that in mind.

Let's check out the webpage first.

Task 3: Planning an escape!

A normal webpage to the eyes. It seems there's a link.

Clicking the link brings us to another normal looking webpage, but after viewing the source we found some interesting comments.

Hm something about FTP.

We could run Gobuster, but since it's telling us to go check out the FTP, let's do it! Note that you can use the Anonymous login on FTP.

Some interesting files, I'd say.

Let’s get all the files by using the get command and exit out of FTP.

Opening up the text file, looks like it’s just some normal conversation. Let’s run the executable file.

A passphrase?

Since we're given a compiled binary, perhaps we can reverse engineer it into something useful! This is where my good friend Ghidra comes into play. It's a tool for reverse engineering compiled code, or, put simply, for turning a compiled binary back into readable code.

Hm those 2 words look odd!

After inspecting the code with Ghidra, I found the function it uses to check whether the input is the passphrase the program wants. Upon further inspection, I found two words that seem odd. So I tried both of those words, and one is actually the passphrase!

It gave us another passphrase or word?

Another passphrase or word? Hm, perhaps it has something to do with the jpg file! For this, I'll use steghide to extract hidden files from the picture.

oOo a text file!

Task 4: What is rize trying to say?

Opening it up reveals some weird language.

Wait a minute, I’ve seen this weird language somewhere!

Apparently it's Morse code and I need to decode it. This is where my good friend CyberChef comes into play! The decoded message also states that there is a secret directory!

Perhaps this is the secret directory?

Inserting the name into the URL brings me to a secret directory!

Scan me?

Hm, it’s telling us to scan it. Perhaps there’s more to this. Let’s run Gobuster on it.

Another sub-directory?

The sub-directory brings us to this page.

What is this?

Clicking NO and YES brings us to the same result, but, but, but. If you look closely at the URL, it seems to be fetching a file from a server. Perhaps a local one.

Maybe we can exploit this.

Let's change flower.gif to ../etc/passwd

Ah shoot. Perhaps another way?

After staring at the URL for an hour, I remembered: URL encoding. I changed it to this.

%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd

Sometimes my genius, it’s frightening.
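The bypass above works because the application only looks for the literal characters of the traversal sequence in the raw parameter and never decodes it first. The following is an added defender's example, not code from the write-up or the room: a naive literal filter beside a check that decodes and canonicalizes before deciding, using a document root path that is assumed and the page's own parameter values as constructed samples.

```python
"""Path-traversal check: a naive literal filter beside a decode-then-canonicalize one."""
import os
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed document root; not taken from the room

# Constructed samples: the benign default and the two values tried in the write-up.
SAMPLES = {
    "flower.gif": False,
    "../etc/passwd": True,
    "%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd": True,
}


def naive_filter_blocks(raw: str) -> bool:
    """The kind of check the write-up defeats: look for a literal '../' in the raw
    parameter. Percent-encoded input never contains that substring, so it passes."""
    return "../" in raw


def fully_decode(raw: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so nested encoding
    cannot hide a separator from the check below."""
    for _ in range(rounds):
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw


def is_traversal(raw: str) -> bool:
    """Detection view: decode, then look for a '..' path segment (or a NUL byte)
    rather than a literal substring. Suitable for scanning request logs too."""
    decoded = fully_decode(raw).replace("\\", "/")
    return "\x00" in decoded or any(seg == ".." for seg in decoded.split("/"))


def safe_resolve(raw: str, root: str = WEB_ROOT):
    """Server-side fix: decode, anchor under root, canonicalize, and require the
    result to stay inside root. Returns the path to serve, or None to refuse.
    On a live server also apply os.path.realpath so symlinks cannot escape root."""
    decoded = fully_decode(raw)
    if "\x00" in decoded:
        return None
    candidate = os.path.normpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value!r:46} naive_blocks={naive_filter_blocks(value)!s:5} "
              f"traversal={is_traversal(value)!s:5} serve={safe_resolve(value)}")
```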

Looks like we found the username and the password hash for the user. Let's crack it using John. Turns out the password was really weak.

Task 5: Fight Jason!

Let's SSH into the server with the credentials we have. From there we can find our user.txt.

Too easy.

Let’s check out if we have sudo permission.

Very limited.

It looks like we can run sudo, but only on jail.py.

Let's view what's inside jail.py.

Some keywords are blocked

Shoot, looks like some keywords are blocked. After this I got stuck and went looking for an answer online; search for "Escaping Python Jails". It shows a way to use Python's built-in functions to break out of it. The trick works because the jail only matches the literal blocked words, so spelling them in uppercase and calling .lower() at runtime slips past the filter.

__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('cat /root/root.txt')

Next, run the Python file with sudo and enter that very command, and...

WE GOT IT!

Submit those two flags and we are donezo.

Thank you for reading my writeup!
