Tokyo Ghoul

Tokyo Ghoul - THM


As always, start by scanning and looking at what you're up against. A careful nmap scan should tell you that FTP allows anonymous login (if you like to run different scans, remember to always check for this manually; you never know). Inside the directories there is a whole bunch of files to grab, so be sure to catch them all (wink).

The binary can be analyzed with radare2. Look at the function that checks the password: before calling strcmp it loads the two arguments into rdi and rsi (the first and second argument registers of the x86-64 calling convention). RDI holds what you typed as the password, RSI holds the correct one. That password is the passphrase for extracting the message hidden in the picture you found on FTP; it's steganography, and steghide is a good option.

The extracted message is Morse code. Decoding it gives a hexadecimal string; decoding the hex gives a base64 string; and decoding that base64 FINALLY gives you the directory you are looking for.
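The whole decoding chain in one place, as an added Python example that is not part of the original post. The Morse sample below is constructed here so that it round-trips to a made-up directory name; the room's real message is not reproduced.

```python
import base64
import binascii

# International Morse code table (letters and digits only; assumption: the
# hidden message uses no punctuation, which holds for a hex string).
MORSE = {
    '.-': 'A', '-...': 'B', '-.-.': 'C', '-..': 'D', '.': 'E', '..-.': 'F',
    '--.': 'G', '....': 'H', '..': 'I', '.---': 'J', '-.-': 'K', '.-..': 'L',
    '--': 'M', '-.': 'N', '---': 'O', '.--.': 'P', '--.-': 'Q', '.-.': 'R',
    '...': 'S', '-': 'T', '..-': 'U', '...-': 'V', '.--': 'W', '-..-': 'X',
    '-.--': 'Y', '--..': 'Z',
    '-----': '0', '.----': '1', '..---': '2', '...--': '3', '....-': '4',
    '.....': '5', '-....': '6', '--...': '7', '---..': '8', '----.': '9',
}

# Constructed sample: Morse for the hex "5A4446794D324E304D484A35", which is
# the base64 string "ZDFyM2N0MHJ5", which decodes to the made-up "d1r3ct0ry".
SAMPLE_MORSE = (
    "..... .- ....- ....- ....- -.... --... ----. ....- -.. ...-- ..--- "
    "....- . ...-- ----- ....- -.. ....- ---.. ....- .- ...-- ....."
)

def morse_to_text(morse: str) -> str:
    """Decode space-separated Morse symbols; '/' separates words."""
    words = []
    for word in morse.strip().split('/'):
        words.append(''.join(MORSE[sym] for sym in word.split()))
    return ' '.join(words)

def decode_chain(morse: str) -> str:
    """Morse -> hex string -> base64 text -> final plaintext (the directory)."""
    hex_text = morse_to_text(morse).replace(' ', '')
    # unhexlify accepts upper- or lowercase hex; the result must be ASCII base64
    b64_text = binascii.unhexlify(hex_text).decode('ascii')
    # validate=True rejects stray characters instead of silently skipping them
    return base64.b64decode(b64_text, validate=True).decode('utf-8')

if __name__ == '__main__':
    print(decode_chain(SAMPLE_MORSE))
```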

There the hint is basically telling you to run a directory buster, which leads you to the page where you can make a decision. Take a good look at the URL: it looks like LFI. You try the usual trick and it doesn't work, but don't stop there. URL-encode the whole thing and go check the usual file. With that (and some cracking) you have enough to get yourself a comfy shell over SSH.

Once you're in, grab your flag (rewards are an important part of the whole learning experience) and start to look around. You SHOULDN'T have to look too hard; it's right there. You can execute it with sudo, and it asks for some user input. Google is your friend when it comes to PYTHON JAILS and how to escape them. You should be able to run your usual command to get a shell, just slightly revisited with underscores and some string manipulation, turning letters from upper- to lowercase to avoid detection.



More from emacab98