deusx:~#

Going Beyond the Firewall.


Tokyo Ghoul

Help kaneki escape jason room

Task 1: About the room


wzebi dyalmn????

This room took a lot of inspiration from psychobreak, and it is based on the Tokyo Ghoul anime.

Alert: This room can contain some spoilers (only s1 and s2), so if you are interested in watching the anime, wait till you finish the anime and come back to do the room.

The machine will take some time, just go grab some water or make a coffee.

This room contains some non-pg13 elements in the form of narrative descriptions. Please proceed only at your own comfort level.

Task 2: Where am I?

Use nmap to scan all ports

Nmap scan:

nmap -sCV -A -p- -T4 --min-rate=1000 IP -oN scan

How many ports are open ?

What is the OS used ?

Task 3: Planning to escape

Try to look around, anything could be useful.

Did you find the note that the other ghouls gave you? Where did you find it?

Navigate to the website running on port 80:

Checking the page source, we have a comment telling us to login as anonymous via ftp.

<!-- look don't tell jason but we will help you escape we will give you the key to open those chains and here is some clothes to look like us and a mask to look anonymous and go to the ftp room right there -->

We can take a look at the link on the website:

It takes us to a webpage jasonroom.html

Checking the source, we find a similar comment like before:

<!-- look don't tell jason but we will help you escape , here is some clothes to look like us and a mask to look anonymous and go to the ftp room right there you will find a freind who will help you -->

Answer: jasonroom.html

Anonymous login is allowed on the FTP server, which means we can log in with the username anonymous and no password.

Login and download all files in all directories:

We have a note, a Linux executable and a JPEG file.

What is the key for Rize executable?

Next up is to give the executable file execute permission so we can run it:

chmod +x file (add execute permission)
./file (run the file)

As we can see it is requesting a passphrase which we don’t know yet. At the end of the message it says to “look inside of me”, so let’s cat the file:

Among the strings we can see the word kamishiro sitting right before “Hey Kaneki”. Since the program’s output starts with “Hey Kaneki” and not “KamishiroHey Kaneki”, that word is stored in the binary but never printed, which makes “kamishiro” a likely passphrase. Let’s try it.

It works and we get the passphrase You_found_1t.

Use a tool to get the other note from Rize.

We also obtained a picture, so we can check it for hidden information using steganography tools like Steghide:

steghide extract -sf file

Enter the passphrase You_found_1t when prompted and we get a note.

Task 4: What is Rize trying to say?

You should help me, I can’t support pain aghhhhhhh

What does the message mean? Did you understand it? What does it say?

Checking the contents of the file, we have what looks like Morse code. We can decode it using dCode, going through three layers:

Morse to Hex:

Hex to Base64:

Base64 to Plaintext:
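The same three-layer decode, as an added example rather than anything from the room or the original post: Morse symbols spell hex digits, the hex bytes spell an ASCII Base64 string, and that Base64 decodes to the note. The sample note is constructed here by re-encoding the directory name the page arrives at; it is not the room's actual file.

```python
import base64

# ITU Morse codes for the sixteen characters a hex string can contain
MORSE_TO_HEX = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}
HEX_TO_MORSE = {h: m for m, h in MORSE_TO_HEX.items()}


def morse_to_hex(morse: str) -> str:
    """Stage 1: Morse symbols are separated by spaces; '/' word gaps are skipped."""
    hexchars = []
    for sym in morse.split():
        if sym == "/":
            continue
        if sym not in MORSE_TO_HEX:
            raise ValueError(f"not a hex digit in Morse: {sym!r}")
        hexchars.append(MORSE_TO_HEX[sym])
    return "".join(hexchars)


def hex_to_base64_text(hexstr: str) -> str:
    """Stage 2: the hex bytes are the ASCII of a Base64 string."""
    return bytes.fromhex(hexstr).decode("ascii")


def decode_chain(morse: str) -> str:
    """Stage 3: Base64-decode to the final note text."""
    b64 = hex_to_base64_text(morse_to_hex(morse))
    return base64.b64decode(b64, validate=True).decode("utf-8")


def encode_chain(plaintext: str) -> str:
    """Reverse direction, used only to build the constructed sample below."""
    b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return " ".join(HEX_TO_MORSE[c] for c in b64.encode("ascii").hex().upper())


# Constructed sample: the directory name from the page, wrapped in the same
# three layers. Not the room's real note.
SAMPLE_NOTE = encode_chain("d1r3c70ry_center")

if __name__ == "__main__":
    print(SAMPLE_NOTE)
    print(decode_chain(SAMPLE_NOTE))  # d1r3c70ry_center
```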

Navigate to the directory d1r3c70ry_center on the website

Performing a directory brute-force scan, we can find a directory /claim.

Selecting YES or NO takes us to a blank page, but looking at the URL we have index.php?view=flower.gif, which seems to be fetching the file flower.gif. We can test for a possible LFI (local file inclusion).

Trying to view the /etc/passwd file as a common test for LFI, we get this message:

It seems there is some sort of filter in place, therefore we can try a PHP LFI filter bypass. I tried some payloads from this site, but none worked until I modified a payload to encode only the dots and slashes, which worked.

We are able to read contents of /etc/passwd.

Did you find something? Crack it.

We are also able to obtain a username kamishiro and a password hash:

We can try to crack the hash. Place the entire hash line in a file (hash.txt).

I will use hashcat to crack it.

Checking this site, we can get the hashcat mode for the hash:

What is Rize’s password?

Now to crack it:

hashcat -m 1800 hash.txt /usr/share/wordlists/rockyou.txt

Task 5: Fight Jason

Finally I got Rize’s kagune, help me fight Jason and get root.

Now with a username and password, we can login as the user kamishiro via ssh

user.txt

root.txt

Checking sudo privileges:

The jail.py script is owned by root and we can run it with sudo. Let’s see the contents of the script.

This script accepts user input and refuses to execute it if the input contains any of the blocklisted keywords.

So we have to find a way to spawn a shell without using any of those keywords.

Searching on Google for “how to escape python jail” took me to this blog post and I was able to read the root.txt file to get the flag.

__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('cat file.txt')

OR

We can spawn a bash shell /bin/bash as root:

__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('/bin/bash') 
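Why the jail fails, as an added example that is not the room's jail.py: a substring blocklist only sees the words that are literally typed, while the payload above assembles them at run time. The blocklist below is an assumption (the page does not reproduce the real keyword list); the hardened check parses the input with ast.literal_eval so that attribute access and calls are rejected outright instead of being pattern-matched.

```python
import ast

# Constructed stand-in for the jail: the page only says the script refuses input
# containing certain keywords, so this list is an assumption, not the real jail.py.
BLOCKLIST = ("import", "os", "system", "subprocess", "eval", "exec")


def blocklist_allows(user_input: str) -> bool:
    """The pattern the page describes: reject input that contains a forbidden word."""
    return not any(word in user_input for word in BLOCKLIST)


def literal_only_allows(user_input: str) -> bool:
    """Hardened alternative: accept only Python literals (numbers, strings, lists,
    dicts...). Attribute access and function calls never parse as literals, so
    there is no string trick left to get around the check."""
    try:
        ast.literal_eval(user_input)
        return True
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return False


# The escape shown on the page. No forbidden word appears literally in it; the
# words are built from upper-case strings at run time, so a substring check passes it.
PAGE_PAYLOAD = (
    "__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower())"
    ".__dict__['SYSTEM'.lower()]('cat file.txt')"
)
HARMLESS = "[1, 2, 3]"

if __name__ == "__main__":
    for label, check in (("blocklist", blocklist_allows), ("literal-only", literal_only_allows)):
        print(f"{label}: payload allowed={check(PAGE_PAYLOAD)}, list allowed={check(HARMLESS)}")
```

The blocklist lets the page's payload through while the literal-only check refuses it and still accepts ordinary data; the sudo rule itself (root running an interpreter over user-controlled text) is the underlying finding to fix.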

The End.