TryHackMe — Tokyo Ghoul

4 min readJun 28, 2021

https://tryhackme.com/room/tokyoghoul666

Summary

This machine has a bit of everything! Its time consuming but fun! Start with nmap scan on all ports which leads to defaults on 80, 21 and 22. Navigating to landing page on 80 view note in source and gain access to FTP server with Anonymous credentials. Reversing the exfiltrated executable from FTP we are given a password. Using this password “stenographically” extract yougotme.txt from FTP exfiltrated image. Reading this file gives us a code when decrypted gives access to secret directory. Webpage has two options both point to same file. Catching this request with burp use path traversal to exploit LFI and obtain user hash. Using the credentials cracked with hashcat SSH to machine and gain foothold and user flag. Using sudo permissions jail break a python script to drop root shell and obtain root flag.

Action

Nmap Scan Results:

Landing page on 80:

Viewing source gives a clue:

Reverse ELF downloaded via FTP and see the following messages as comments:

Set a breakpoint before jump at variable compare and pull with loaded password:

Note: this could have been done faster using ltrace v/s radare2.. but doesn’t look as cool! ;)

Use exfiltrated password & run the binary:

Use password from ELF to extract data from image:

View the file. Looks like Morse code:

Decode
From Morse, From hex From base64:

Adding “secret directory” to known domain receive the following:

Think we should listen and run a gobuster scan..

Loading the page:

Options at the top, yes and no, both go to the same page. Seeing the path in the browser search window leads me to believe this webpage might be vulnerable to path traversal and consequentially LFI bypass.

Catch request in burp and verify path traversal