Break Out the Cage

Date Released: 6/14/2020

Table of Contents
- Initial Foothold
- Privilege Escalation
- Audio Steganography
- Linux Privilege Escalation
This was an Easy box developed by Magna on TryHackMe. I really enjoyed this box. There are quite a lot of little things to take note of, and it is a genuinely pleasant CTF experience. I got in my head a little bit and got lost on the user privesc, but with a little hint from the community, I got it -- easy.
With that out of the way, let's go.
Quick Note: You may notice that I use different IPs as the target IP. That's because the OVPN file I was using was borked and I had to change regions to make it work the best.
We start out with our basic enumeration with nmap. For these boxes, I also like to create their own directory in my home to keep things nice and organized. This creates some files in an `nmap` directory if we need them later (which I most definitely will because I forget literally everything). Looking at the results, we see the following:
So, FTP, SSH and HTTP are open. This is pretty standard CTF fare. Let's start at the top and work our way down.
We can log in to FTP with `ftp -p 10.10.205.225`. We can use `anonymous` as the username since anonymous login is enabled (from the nmap results) and no password is required.
Once we log in and do an `ls`, we can see that there's a file called `dad_tasks`, which we can download with `get`. We download it to our directory and `cat` it out.
Not sure what the `%` is doing in there, but it's probably some newline or end-of-line character, so we can ignore it. After some digging (and some help...) we figure out that this is Base64 encoded. So let's throw this into CyberChef. It spits out some garbage that is still encoded, so we can't fully decipher it yet:

Qapw Eekcl - Pvr RMKP...XZW VWUR... TTI XEF... LAA ZRGQRO!!!! Sfw. Kajnmb xsi owuowge Faz. Tml fkfr qgseik ag oqeibx Eljwx. Xil bqi aiklbywqe Rsfv. Zwel vvm imel sumebt lqwdsfk Yejr. Tqenl Vsw svnt "urqsjetpwbn einyjamu" wf. Iz glww A ykftef.... Qjhsvbouuoexcmvwkwwatfllxughhbbcmydizwlkbsidiuscwl

Let's keep going. Let's skip SSH and start enumerating HTTP.
So we can check out the website by going into our browser and typing in the room's IP address. Once we do we're greeted with this lovely webpage from the 90's.
Clicking each of the links does nothing, so that's not it. We check `/robots.txt`...nothing. We check the source code...nothing. We use Dev Tools (I've actually had Page Source show different info than Dev Tools, so this is useful to do)...nothing. Nikto! Nothing. Okay, fine! Let's run `ffuf` and fuzz the webpage. The results were mostly just directory listings to download things from. After checking all of them, we come to `/auditions`, which contains a single .mp3 file. Let's run `curl -k http://10.10.205.225/auditions/must_practice_corrupt_file.mp3 -o corrupt.mp3`. This will download the mp3 to our folder. Let's take a listen.
It clearly has something wrong with it. You can tell from the audio clip itself with the distortion, and the filename itself literally has the word "corrupt" in it. We think this may contain some hidden information (it wouldn't be a CTF if it didn't), so let's download Sonic Visualiser, load up the file and play around with the settings a bit.
Using the following settings, we can see clearly that there's some text hidden in this mp3 file: "namelesstwo". Hilarious, Magna.
Given this information and the ciphertext we found before, I think we have what we need to fully decode it.
Throwing the ciphertext from before into CyberChef, still with the Base64 decode but this time with a Vigenère Decode added after it, we enter the "namelesstwo" key and...BAM!!
One. Revamp the website Two. Put more quotes in script Three. Buy bee pesticide Four. Help him with acting lessons Five. Teach Dad what "information security" is. In case I forget.... Mydadisghostrideraintthatcoolnocausehesonfirejokes
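The same decryption done by hand, as an added example (not from the writeup or CyberChef): a Vigenère routine that follows CyberChef's conventions (non-letters pass through, the key only advances on letters), run over the ciphertext quoted above with the spectrogram key, plus a crude English-scoring helper that ranks guessed keys the way the "several attempts at a key" step does later. The candidate key list and word list are constructed for this example.

```python
# Added example, not from the writeup or CyberChef. Ciphertext copied from the
# writeup's Base64-decoded dad_tasks; key recovered from the mp3 spectrogram.
CIPHERTEXT = (
    'Qapw Eekcl - Pvr RMKP...XZW VWUR... TTI XEF... LAA ZRGQRO!!!! Sfw. Kajnmb xsi '
    'owuowge Faz. Tml fkfr qgseik ag oqeibx Eljwx. Xil bqi aiklbywqe Rsfv. Zwel vvm '
    'imel sumebt lqwdsfk Yejr. Tqenl Vsw svnt "urqsjetpwbn einyjamu" wf. Iz glww A '
    'ykftef.... Qjhsvbouuoexcmvwkwwatfllxughhbbcmydizwlkbsidiuscwl'
)
KEY = "namelesstwo"

# Small word list used only to rank candidate keys; constructed for this example.
COMMON_WORDS = {"the", "in", "is", "with", "more", "what", "help", "case", "him"}

def vigenere(text: str, key: str, decrypt: bool = True) -> str:
    """Vigenere with CyberChef's conventions: only ASCII letters are shifted,
    case is preserved, punctuation passes through and the key only advances
    on letters (so spaces and dots do not desynchronise the key)."""
    key = key.lower()
    out, ki = [], 0
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = ord(key[ki % len(key)]) - ord("a")
            if decrypt:
                shift = -shift
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            ki += 1
        else:
            out.append(ch)
    return "".join(out)

def english_score(text: str) -> int:
    """Crude fitness: how many tokens are common English words."""
    return sum(tok.strip('."').lower() in COMMON_WORDS for tok in text.split())

def best_key(ciphertext: str, candidates: list) -> str:
    """Rank guessed keys by how English the decryption looks; this is the
    'several attempts at a key' step done mechanically."""
    return max(candidates, key=lambda k: english_score(vigenere(ciphertext, k)))

def decode_dad_tasks() -> str:
    """Decrypt the writeup's ciphertext with the spectrogram key."""
    return vigenere(CIPHERTEXT, KEY)

if __name__ == "__main__":
    print(best_key(CIPHERTEXT, ["cage", "nameless", "namelessone", "namelesstwo"]))
    print(decode_dad_tasks())
```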
Looks like we just got an SSH password. Judging from the tasks in the room, we can probably guess this is weston's. So we have weston's SSH password. Let's log in with SSH now (this is where the target IP changed).
From the first initial commands we can see that there are no files or directories (that we can see) in the home directory.
We can run `sudo -l` to see what we're able to run with sudo. Looks like we can run something in `/usr/bin`. Now that's funny. While we're doing this, different Nicolas Cage quotes are showing up on screen.
They seem to show up every 1-3 minutes or so, so we definitely know a cron job is running. Reading through Payloads All The Things, we come to the "Scheduled tasks" section. We see that the program pspy can be used to see running cron jobs. Let's download that and HTTP it over to the box. We can serve up the file from our current directory with `python -m SimpleHTTPServer 80`.
The file downloads successfully and we `chmod +x` it so we can run it. We run `./pspy64` and we're off to the races!
When I ran `pspy`, the cronjob had just run, so I had to wait a bit for it to fire again, but after what felt like fivever, we see the `spread_the_quotes.py` script running using Python and seemingly Bash as well (not sure why the redundancy). If we navigate over to that directory and read out the script file, this is what it's doing.
It's reading a `.quotes` file, picking one quote from it and then calling `os.system()`. That `os.system()` call is actually vulnerable code: the quote is concatenated straight into a shell command string. Since this is running as a cronjob as the user `cage`, we can insert our own malicious code to do what we want. In this case, we'll get a shell. I picked the Python one from Pentest Monkey.
Notice that I added a semicolon before the actual script. This is because, if you remember from the `spread_the_quotes.py` script, it's calling `os.system("wall " + quote)`. This means that we need to terminate the first part and call our script from `.quotes` (which is the only thing in the file).
Be sure to catch your shell!
And just like that, we're `cage`.
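To show exactly why the semicolon works and what the fix looks like, here is an added example (not the box's script): the `os.system("wall " + quote)` pattern next to a hardened version that passes argv as a list with no shell, plus a pre-broadcast check for shell metacharacters. `echo` stands in for `wall` so it runs without root, and the quote line is constructed.

```python
import subprocess

# Constructed sample of what a .quotes line might hold; the real file on the
# box is not reproduced here. "echo" stands in for "wall" so this runs
# without root or a terminal to broadcast to.
QUOTE = 'Put the bunny back in the box; echo INJECTED'

def run_like_cron(quote: str) -> str:
    """Mirrors spread_the_quotes.py: string concatenation handed to a shell.
    os.system("wall " + quote) parses the whole string as a shell command
    line, so a ';' in the quote starts a second command."""
    proc = subprocess.run("echo " + quote, shell=True, capture_output=True, text=True)
    return proc.stdout

def run_hardened(quote: str) -> str:
    """Fix: pass argv as a list and no shell. The quote becomes a single
    argument to the program regardless of what characters it contains."""
    proc = subprocess.run(["echo", quote], capture_output=True, text=True)
    return proc.stdout

def quote_is_suspicious(quote: str) -> bool:
    """Defensive check a cron script could apply before broadcasting:
    refuse lines that contain shell metacharacters."""
    return any(c in quote for c in ';|&$`\n<>()')

if __name__ == "__main__":
    print("shell:   ", repr(run_like_cron(QUOTE)))
    print("hardened:", repr(run_hardened(QUOTE)))
    print("flagged: ", quote_is_suspicious(QUOTE))
```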
This is going to be super simple. If we look around, we see that there's a directory that seems to hold email backups. If we `cat` out each one, we eventually make it to the 3rd one, which gives us a huge clue. That text again looks like ciphertext. Throw it into CyberChef again with a Vigenère Decode. Reading the rest of the email, we see the word "face" used a lot. After several attempts at a key, we finally get "FACE" as the key. And just like that...
Again, I really enjoyed this room. I think Magna did a great job with the clues and on how to get privesc. There were actually a lot of things during the initial foothold while I was looking for the privesc that I just didn't show because it was a lot. It would've made this a lot longer than it already is. But really, just try harder and you'll get there eventually.
As always...cya Cyber Cowboy.