TryHackMe - Tokyo Ghoul - Write Up
Hello guys, here I will show you how to help Kaneki escape Jason's room and obtain the flags
#root@kali: Machine Information
Room : Tokyo Ghoul
Info: Security, web, hash, Encoding
Difficulty: MEDIUM
Maker : devalfo and rockyou.txt
#TASK 1: About the room
This room took a lot of inspiration from psychobreak, and it is based on the Tokyo Ghoul anime.
Alert: This room can contain some spoilers ("only s1 and s2"), so if you are interested in watching the anime, wait till you finish the anime and come back to do the room
The machine will take some time, just go grab some water or make a coffee.
This room contains some non-pg13 elements in the form of narrative descriptions. Please proceed only at your own comfort level.
Q1. Read the above -Completed
Q2. Deploy the machine -Completed
#TASK 2: Where am I?
Running an Nmap scan of the machine will allow us to answer the following questions in this task
$ nmap -sC -sV -Pn -vv -oA <output basename> <machine ip>
$ How many ports are open?
From the above scan, we can determine the number of ports open
Answer : [REDACTED]
$ What is the OS used?
From the above scan, we can also determine the OS of the machine
Answer : [REDACTED]
#TASK 3: Planning to escape
$ Did you find the note that the others ghouls gave you? where did you find it?
I opened the IP of the machine in my browser, used inspect element and got the flag
Answer : [REDACTED]
On opening the link it will redirect you to another webpage
I used inspect element to read the code of that webpage
On reading the code it says to log in as FTP using its default credentials; let’s try that out
$ ftp <machine ip>
We successfully logged in with the default credentials!
Now we can transfer all the data from the FTP server to our system using the get command
$ get <filename>
$ What is the key for Rize executable?
There was an executable file that I received from the FTP server
I tried to execute that file, but it asked for a value so I entered any random value
After executing, it gives a hint; so I tried going with that and found the flag for this question
Answer : [REDACTED]
$ Use a tool to get the other note from Rize.
After receiving the key I once again tried to run the file using the key, and bingo, it worked and it gave me a password!
There was a .jpg file I got from the FTP server
The only thing which came to my mind was steghide
$ steghide --extract -sf filename.jpg
BINGO! We got a text file
I opened the file and there was morse code written inside it
I used a Morse code translator and it shot me up with another encoded message which seemed like hexadecimal then base64
So, I opened CyberChef to decode the message
#TASK 4: What Rize is trying to say?
You should help me , i can’t support pain aghhhhhhh
$ What the message mean did you understand it ? what it says?
The flag is the message we decoded above
Answer : [REDACTED]
The flag for the previous question seems like a directory path; let's try that out
On the webpage, it says scan me, so I used gobuster dir and scanned for any other hidden dir
$ gobuster dir -u <url> -w /usr/share/dirb/wordlists/common.txt
Bingo! We found another dir; let's open that
$ Can you see the weakness in the dark? no ? just search
Answer : [Completed]
After opening it, I clicked the yes option, and then by looking at the URL it seemed like we can use LFI here; so I tried to read the /etc/passwd file
?view=../../../../../../../../../../..//etc/passwd
It didn't work; let's try it once again by encoding the URL
?view=%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd
Bingo! It worked and we are able to read the /etc/passwd file
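Why the encoded request got through while the literal one did not, as an added example that is not part of the original write-up or the room's code: it assumes a handler that blocklists `../` on the raw value and percent-decodes afterwards, and shows a check that decodes first, canonicalises, and confines the result to one directory. `BASE_DIR`, `weak_path` and `safe_path` are hypothetical names.

```python
import os
from typing import Optional
from urllib.parse import unquote

BASE_DIR = "/var/www/html/pages"  # hypothetical include directory (assumption)

# The two values tried in the write-up.
PLAIN = "../../../../../../../../../../..//etc/passwd"
ENCODED = "%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd"


def weak_path(raw_value: str) -> Optional[str]:
    """Assumed weak handler: blocklist on the raw value, decode afterwards."""
    if "../" in raw_value:
        return None  # the literal traversal is caught
    return os.path.normpath(os.path.join(BASE_DIR, unquote(raw_value)))


def fully_decode(value: str, max_rounds: int = 3) -> Optional[str]:
    """Percent-decode until stable; give up on suspiciously deep nesting."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return None


def safe_path(raw_value: str) -> Optional[str]:
    """Decode, canonicalise, then require the result to stay inside BASE_DIR."""
    decoded = fully_decode(raw_value)
    if decoded is None or "\x00" in decoded:
        return None
    base = os.path.realpath(BASE_DIR)
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        return None  # resolved outside the allowed directory
    return candidate


if __name__ == "__main__":
    for value in (PLAIN, ENCODED, "about.php"):
        print(f"{value[:30]!r:34} weak={weak_path(value)} safe={safe_path(value)}")
```

In server logs, a `view` parameter carrying `%2E%2E%2F` sequences is a useful detection signal for this kind of request.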
Let's crack the hash using John with the rockyou.txt wordlist (the path will differ for everyone)
$ john hash.txt --wordlist=rockyou.txt
We got the password!
$ Can you see the weakness in the dark ? no ? just search
Answer : [Completed]
$ What is rize username ?
We already found the username above
Answer : [REDACTED]
$ What is rize password ?
We found the password by cracking the hash
Answer : [REDACTED]
#TASK 5: Fight Jason
Finally I got Rize kagune, help me fight Jason and get root.
Let's try to ssh to the IP address of the machine with the credentials we received
$ ssh user@ip
Success! we logged on :)
$ What is user.txt
The flag for the user is in the user directory
Answer : [REDACTED]
$ What is root.txt
let's check what privileges this user has by the following command
$ sudo -l
It has a python jail file that can be executed; possibly could help us read the final flag
I did a quick search on Google to see if there could be any exploit for that program that would allow me to read the root.txt file
And Bingo! I found a blog that had the exploit code
let's try it out
__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('cat /root/root.txt')
Yesssssss!! We got the final root flag!!! Room Completed!
Answer : [REDACTED]
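Why the `.lower()` calls in that input defeat a keyword filter, as an added example that is not the room's jail code or anything from the original write-up: the keyword list and the assumption that the script is only meant to evaluate arithmetic are hypothetical, since the jail's source is not shown here. The weak check is set beside an allowlist over the parsed syntax tree that never calls `eval()`.

```python
import ast
import operator

# Payload quoted from the write-up. It is only parsed below, never evaluated.
PAYLOAD = ("__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower())"
           ".__dict__['SYSTEM'.lower()]('cat /root/root.txt')")

# Assumed keyword list; the real jail's filter is not shown in the write-up.
BLOCKED_WORDS = ("import", "os", "system", "eval", "exec", "open")


def blocklist_allows(text: str) -> bool:
    """Weak check: case-sensitive substring match on the raw input."""
    return not any(word in text for word in BLOCKED_WORDS)


# Hardened form: an allowlist of syntax-tree nodes, evaluated without eval().
OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
       ast.Mult: operator.mul, ast.Div: operator.truediv}


def safe_calc(text: str):
    """Evaluate plain arithmetic; any other construct raises ValueError."""
    def walk(node):
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in OPS:
            return OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        raise ValueError(f"rejected syntax: {type(node).__name__}")
    try:
        return walk(ast.parse(text, mode="eval").body)
    except SyntaxError as exc:
        raise ValueError("not a valid expression") from exc


def allowlist_allows(text: str) -> bool:
    """True only when the whole input is arithmetic that safe_calc accepts."""
    try:
        safe_calc(text)
    except (ValueError, ZeroDivisionError):
        return False
    return True
```

The blocklist passes the payload because the sensitive names only exist after the string methods run; the allowlist rejects it at the first call node.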
#TASK 6: Special thanks
You can contact me on my discord : 0UR4N05#6231
Congratulations, you’ve completed the Tokyo Ghoul room 1. This is the first room I’ve ever created, so if you enjoyed it please give me a follow on Twitter and send me your feedback on Twitter or Discord, and I’ll be so grateful if you like this room and share it with your friends, thank you.
$ Thank you
Answer : [COMPLETED]
#root@kali: Links used to complete this machine
#root@kali: Room Completed
This was a really fun room to solve. Needed different techniques to solve the box and get root. If you have any suggestions to make, feel free to hit me up on Telegram or on Twitter
I will be uploading the write-ups of other rooms very soon
It would be great if you would clap or share this write-up!
#root@kali: My Contacts
THM: https://tryhackme.com/p/biscuit
Twitter: https://twitter.com/bhaskarpal__
Telegram: https://telegram.me/xBiscuit0