BOOK THIS SPACE FOR AD
ARTICLE ADToday we’re going to solve another boot2root challenge called “Tokyo Ghoul “. It’s available at TryHackMe for penetration testing practice. This lab is of medium difficultly if we have the right basic knowledge to break the labs and are attentive to all the details we find during the reconnaissance. The credit for making this lab goes to devalfo and rockyou.txt. Let’s get started and learn how to break it down successfully.
Disclaimer: This Machine contains spoilers for the Tokyo Ghoul Anime and Manga.
Level: Medium
Penetration Testing Methodology
Network Scanning Nmap Enumeration Browsing HTTP Service Enumerating Source Code Enumerating FTP Service Enumerating Executable using Strings Enumerating Image File using Steghide Decoding Morse Code Decoding Hexadecimal Decoding Base64 Directory Bruteforce using Dirb Exploitation Exploiting Local File Inclusion Extracting User Hash Cracking User Hash using John the Ripper Logging in via SSH Reading User Flag Privilege Escalation Enumerating Sudo Permissions Escaping Python Jail using built-in modules Exploiting Sudo Permissions on Python Script Getting Root Shell Reading Root FlagWalkthrough
To read and understand what the machine is, we will be starting with reading the Lab Description:
“Help kaneki escape jason room”
“This room took a lot of inspiration from psychobreak , and it is based on Tokyo Ghoul anime.”
After Booting up the machine from the TryHackMe: Tokyo Ghoul Page, we will be provided with a Target IP Address.
IP Address: 10.10.43.18
This room has 2 flags that we need to find to complete the Machine. Although there are multiple questions or tasks that we need to perform. We will answer those tasks as we go through them.
Task 1: About the room
1. Read the aboveNo answer needed
2. Deploy the machineNo answer needed
Network Scanning
We will start with a nmap scan with -sC for Default Scripts and -sV for Scanning Versions.
Nmap was able to identify 3 services running on the target machine. It included FTP (21), SSH (22) and HTTP (80). Nmap was kind enough to check the FTP service for Anonymous Login and it told us that there is a directory by the name of need_Help? Hosted on FTP server which is accessible through Anonymous Login. We will get back to that. The SSH Service is not accessible due to a lack of credentials. At last, we have the HTTP Service hosting some webpage.
Enumeration
The webpage describes the story of Ken Kaneki a High School Teenager who went on a date with a girl Rize Kamishiro. She turned out to be a ghoul and started consuming Kaneki. But something falls on her and she is knocked out. Kaneki escapes to the hospital where he is captured by Jason. Jason used Kaneki for harvesting his organs. This is pretty dark if you ask me. Anyhow reading this possibly gave us some words that can either be directories or users on the machine. We have the Ken, Kaneki, Rize, Kamishiro and Jason. The webpage has a link that is to be used to save Kaneki from Jason. Clicking on it leads to another page.
Task 2: Where am i?
1. Use nmap to scan all portsNo answer needed
2. How many ports are open?3
3. What is the OS used?Ubuntu
This page is called jasonroom.html. It contained a gif of Jason injecting Kaneki of some fluid. Tried to find some link or anything other than the gif on the page but we were unsuccessful. Inspecting the gif also resulted into a dead end. This is where it hit me to check the source code of the webpage.
Task 3: Planning to escape
1. Did you find the note that the others ghouls gave you? where did you find it?jasonroom.html
http://10.10.43.18/jasonroom.html |
There is a comment on the webpage. It tells us that there is a way to escape Jason. Notes further tell us that there is a mask that makes us look Anonymous and it tells us to go to the FTP room. That is a lame hint. We already know that anonymous login is enabled on the FTP. Time to enumerate the FTP.
view-source:http://10.10.43.18/jasonroom.html |
Logging in on the FTP service we have the need_Help? Directory. It contained a text file (Aogiri_tree.txt) and another directory (Talk_with_me). We download the text file to our local system for a closer look and then we traversed into the Talk_with_me directory. It contained an executable binary need_to_talk and an image rize_and_kaneki.jpg. We download both of them to our local machine for further inspection.
ftp 10.10.43.18 anonymous ls cd need_Help? ls get Aogiri_tree.txt cd Talk_with_me ls get need_to_talk get rize_and_kaneki.jpg |
We read the Aogiri_tree.txt file. This seemed a message to Kaneki describing that Rize is now a part of Kaneki and Kaneki has her Kagune. It asks Kaneki to get control of his body and it also tells Kaneki that he is a part of Aogiri tree. Now we add two other words to our original notes. Kagune and Aogiri.
Another file that we downloaded from the FTP server is an image of Rize and Kaneki. We looked it in the Image Viewer and checked its details using the Exif tool. No important information recovered. This made us realize that it is possible that is a compressed file. That means we need to use steghide to extract it. We tried and told us that there is a password that needs to be entered in order to extract files inside the rize_and_kaneki.jpg.
Now we need to enumerate the password. We upgraded the permissions of the need_to_talk executable to run it on our local machine. It tells us that it will give us the kagune which we can only assume is the password for extracting files from the image. But in order to cough up the password, it requires us to enter a keyword. The puzzle inside a puzzle. Nice! We entered a password. Of course, it is not the correct keyword but it gave us a hint. It asks us to take a look inside the executable. There are a bunch of tools to take a look inside the executable such as rabin2 which it hints us to use, or we can use ltrace to, but the simplest of all is the strings. Let’s test strings first.
chmod 777 need_to_talk ./need_to_talk |
Strings command extracts the human-readable words from the machine code. Now, as the executable asks for a particular keyword. It is possible that it might be running a string compare to the word and the word might exist inside the binary code. We see that Kamishiro exists inside the code. It was one of the words of interest that we are extracting from the beginning of the walkthrough too.
2. What is the key for Rize executable?
kamishiro
3. Use a tool to get the other note from Rize.No answer needed
We run the executable again. This time when asked for a keyword, we typed in Kamishiro. It tells us that we came for “You_found_1t”. Really! It seems like the author is not even trying to name files properly. Still, this seems like a troll and also a password that might extract data from the image.
As we entered the You_found_1t while extracting the contents from the rize_and_kankeki.jpg. It extracts a text file “yougotme.txt”. Wow! such a talent naming files. Time to read the yougotme.txt. It mocks us for our smartness but then proceeds to give the most easily recognizable encoding language in the world. Morse Code. It hints that if we decode the Morse, we can get a directory.
steghide extract -sf rize_and_kaneki.jpg cat yougotme.txt |
We searched for a Morse Code decoder online. Because we are not dense enough to resort to converting each dot and dashes. Any how it gets converted into a weird string. This string however looks too familiar.
We went on the asciitohex website and entered the string in the Hexadecimal section. It gets converted into another string. The == tells us this is Base64.
Copying the sting and pasting inside the Base64 section we get ourselves the secret directory convincedly named d1r3c70ry_center.
Task 4: What Rize is trying to say?
1. What the message mean did you understand it? what it says?d1r3c70ry_center
2. Can you see the weakness in the dark? no? just searchNo answer needed
3. What did you find something? crack itNo answer needed
We tried to browse the d1r3c70ry_center by carefully placing it next to the IP address of the target machine. It gave us this image of a character who is asking that we scan him. We will not disappoint him. There are a bunch of scans that we can do here.
http://10.10.43.18/d1r3c70ry_center/ |
We decided to start with a dirb scan or a Directory Bruteforce. We used the common.txt as a wordlist for our scan. This gave us a directory by the name of the claim.
dirb http://10.10.43.18/d1r3c70ry_center/ |
Browsing the claim directory, we are greeted Welcome Kaneki Ken. It asks us a question if we really want the power? Are we going to accept this ghoul power? A simple yes and no question with yes and no buttons. We click on both sequentially to see what happens.
http://10.10.43.18/d1r3c70ry_center/claim/ |
We are directed to viewing a gif. However, the gif was browsed using the view parameter. This makes us so eager to try Local File Inclusion.
http://10.10.43.18/d1r3c70ry_center/claim/index.php?view=flower.gif |
Exploitation
We think the author of the machine has anticipated that as well. It politely asks us not to do it.
http://10.10.43.18/d1r3c70ry_center/claim/index.php?view=../../../../etc/passwd |
But we are not going to back down so easily. We tried entering just dots and then with backslashes. This is where we see that it is restricting the backslashes. So, we encoded them and tried to browse the etc/passwd file again and this time we got success. We got the username and password hash. The user we will be using would be Kamishiro.
4. what is Rize username?kamishiro
http://10.10.43.18/d1r3c70ry_center/claim/index.php?view=%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd |
We copied the hash and pasted it into a file name hash. I think the author has rubbed us off that lazy file naming characteristic. Anyways, we tried to crack the hash using John the Ripper. The wordlist we decided to use was rockyou.txt. The password cracked in mere seconds and came out to be password123. This is where I felt the most trolled by the author of the machine.
5. what is Rize password?password123
nano hash john --wordlist=/usr/share/wordlists/rockyou.txt hash |
Time to connect to the target machine as Kamishiro user. Lucky for us there were not any new rabbit holes and we got the first flag on the machine i.e., User Flag.
Task 5: Fight Jason
1. user.txt###############################
ssh kamishiro@10.10.43.18 ls cat user.txt |
Privilege Escalation
We need to enumerate the machine to find a way to elevate this shell to a root shell. We started by checking the sudo permissions for Kamishiro user. We see that we have a python script by the name of jail.py that we can run as root.
During our hunt for user flag, we saw that jail.py exists in the current directory. Let’s take a look under the hood of this script to see its working. The script starts with a bunch of strings. Then it asks the user for input. But this input is then checked for keywords like ‘eval’, ‘exec’, ‘import’, ‘open’, ‘os’, ‘read’, ‘system’ and ‘write’. This means that we are restricted to execute any reverse shell script or bash script to get root. We need to get a bit creative here.
We needed a way to execute a command while evading the checks. Python allows us to define built-in objects as __builtins__modules. So instead of using import or os we will use __IMPORT__ and OS. We could have been at it to create a proper script and try it again and again on the script. But instead of reinventing the wheel, we decided to search for Python Jails and we got this article which has created the command that works to read a file. We modified it to invoke a shell. Since it is possible to run this script as root using sudo the shell that it will generate will be of root as well. After executing the script and providing the builtins command we got the root shell. Traversing inside the root directory we found the final flag i.e., Root Flag.
2. root.txt###############################
Task 6: Special thanks
1. Congratulations you’ve complete Tokyo ghoul room 1No answer needed
sudo /usr/bin/python3 /home/kamishiro/jail.py __builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('/bin/bash') id cd /root ls cat root.txt |
Author: Pavandeep Singh is a Technical Writer, Researcher, and Penetration Tester. Can be Contacted on Twitter and LinkedIn