TryHackMe | Tokyo Ghoul
Warning: This room contains some non-pg13 elements in the form of narrative descriptions. Please proceed only at your own comfort level.
Q1: Use nmap to scan all ports
nmap -T5 -vvv -p- $ip
Q2: How many ports are open ?
The nmap scan will reveal all the open ports; with -p- it takes a little while to finish.
Q3: What is the OS used ?
Q4: Did you find the note that the others ghouls gave you? where did you find it ?
First take a look at the web page, then its source.
Let's log in to the FTP server as anonymous.
Looking through all the directories, we find the following files; download them to the attack machine.
FILE: Aogiri_tree.txt
Why are you so late?? i've been waiting for too long .
So i heard you need help to defeat Jason , so i'll help you to do it and i know you are wondering how i will.
I knew Rize San more than anyone and she is a part of you, right?
That mean you got her kagune , so you should activate her Kagune and to do that you should get all control to your body , i'll help you to know Rise san more and get her kagune , and don't forget you are now a part of the Aogiri tree .
Running strings need_to_talk will give us a little insight into what the program is doing.
Let's run the program and see what we can come up with now that we have the needed information.
We seem to have received a password or passphrase after providing the correct passphrase in the binary. I figured that there might be something hidden in the image we pulled down.
Ok, it looks like some Morse encoding, and it doesn't look like plain English; time to go to CyberChef.
Now we can navigate to the "directory", but it looks like we still have some work to do.
Scanning the directory with gobuster reveals another directory.
Now that we have the directory we can go to another page which, after some poking around, shows a possible LFI or command injection.
I was either getting an error message or a troll of some sort. Let's hope it's an error and I'm looking in the correct spot.
… I spent over a day stuck here!
After a few rabbit holes and a lot of for loops, I finally figured it out.
Let's see if john can crack the password.
SSH to the host with the username and cracked password and grab user.txt.
Now to try and escalate to root.
We are allowed sudo access to run the following script:
#-*- coding:utf-8 -*-

def main():
    print("Hi! Welcome to my world kaneki")
    print("What ? You gonna stand like a chicken ? fight me Kaneki")
    text = input('>>> ')
    # Substring blacklist: any input containing one of these words is refused.
    for keyword in ['eval', 'exec', 'import', 'open', 'os', 'read', 'system', 'write']:
        if keyword in text:
            print("Do you think i will let you do this ??????")
            print('No Kaneki you are so dead')
    # The page's copy of the script ends here; what it does with input that
    # passes the filter is not shown (indentation and the main() call restored).

if __name__ == "__main__":
    main()
I wasn't even close to smart enough to figure this one out. But a little bit of searching for Python jail escaping and I was in luck.
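To make the weakness of that control concrete, here is an added example (not the room's script) that puts the page's substring blacklist beside a structural allow-list built on Python's ast module; the ALLOWED_NODES list and the safe_eval helper are my own construction. It shows the blacklist rejecting harmless input such as cost * 2 (because "os" appears inside "cost") while letting through any call that avoids the listed words, whereas the allow-list decides on the parsed structure rather than on spelling.

```python
import ast

# Substring blacklist copied from the room's jail script.
BLOCKED = ['eval', 'exec', 'import', 'open', 'os', 'read', 'system', 'write']

def blacklist_allows(text: str) -> bool:
    """The room's check: refuse input if any blocked word appears as a substring."""
    return not any(word in text for word in BLOCKED)

# Hypothetical hardened alternative: only arithmetic/comparison expressions
# built from literals and operators are accepted. Names, attribute access,
# calls and subscripts are not in the allow-list, so they are rejected
# no matter how they are spelled.
ALLOWED_NODES = (
    ast.Expression, ast.Constant, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.FloorDiv, ast.Mod, ast.Pow,
    ast.UAdd, ast.USub, ast.Not, ast.And, ast.Or,
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
)

def parse_allowed(text: str):
    """Return the parsed expression if every AST node is allow-listed, else None."""
    try:
        tree = ast.parse(text, mode="eval")
    except SyntaxError:
        return None
    if all(isinstance(node, ALLOWED_NODES) for node in ast.walk(tree)):
        return tree
    return None

def allowlist_allows(text: str) -> bool:
    return parse_allowed(text) is not None

def safe_eval(text: str):
    """Evaluate an allow-listed expression with no builtins available."""
    tree = parse_allowed(text)
    if tree is None:
        raise ValueError("input rejected by allow-list")
    return eval(compile(tree, "<input>", "eval"), {"__builtins__": {}}, {})

if __name__ == "__main__":
    # Constructed sample inputs: a harmless expression, a false positive for the
    # blacklist, a call the blacklist misses, and an expression safe_eval accepts.
    for sample in ["2 + 2", "cost * 2", "len('abc')", "2 ** 10"]:
        print(f"{sample!r}: blacklist={blacklist_allows(sample)} "
              f"allowlist={allowlist_allows(sample)}")
```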