Break Out the Cage.md

Introduction

Author: Magna
Difficulty: Easy
Date Released: 6/14/2020

Topics Covered

  1. Enumeration
  2. Audio Steganography
  3. Python
  4. Linux Privilege Escalation

This was an Easy box developed by Magna on TryHackMe. I really enjoyed this box. There are quite a lot of little things to take note of, and it is a genuinely pleasant CTF experience. I got in my head a little bit and got lost on the user privesc, but with a little hint from the community, I got it -- easy.

With that out of the way, let's go.

Quick Note: You may notice that I use different IPs as the target IP. That's because the OVPN file I was using was borked and I had to change regions to make it work the best.


Enumeration

We start out with our basic enumeration with nmap. For these boxes, I also like to create their own directory in my home to keep things nice and organized.

[screenshot: initial scan]

This creates some files in an nmap directory if we need them later (which I most definitely will because I forget literally everything). Looking at the results, we see the following:

[screenshot: nmap results]

So, FTP, SSH and HTTP are open. This is pretty standard CTF fare. Let's start at the top and work our way down.

FTP Enumeration

We can log in to FTP with ftp -p 10.10.205.225. We can use anonymous as the username since anonymous login is enabled (per the nmap results) and no password is required.

[screenshot: ftp login]

Once we log in and run ls, we see the following:

[screenshot: ftp files]

So there's a file called dad_tasks that we can download with get. We download it to our directory and cat it out:

[screenshot: dad_tasks]

UWFwdyBFZWtjbCAtIFB2ciBSTUtQLi4uWFpXIFZXVVIuLi4gVFRJIFhFRi4uLiBMQUEgWlJHUVJPISEhIQpTZncuIEtham5tYiB4c2kgb3d1b3dnZQpGYXouIFRtbCBma2ZyIHFnc2VpayBhZyBvcWVpYngKRWxqd3guIFhpbCBicWkgYWlrbGJ5d3FlClJzZnYuIFp3ZWwgdnZtIGltZWwgc3VtZWJ0IGxxd2RzZmsKWWVqci4gVHFlbmwgVnN3IHN2bnQgInVycXNqZXRwd2JuIGVpbnlqYW11IiB3Zi4KCkl6IGdsd3cgQSB5a2Z0ZWYuLi4uIFFqaHN2Ym91dW9leGNtdndrd3dhdGZsbHh1Z2hoYmJjbXlkaXp3bGtic2lkaXVzY3ds

Not sure what the % is doing in there, but it's maybe some newline or end-of-line character, so we can probably ignore it. After some digging (and some help...) we figure out that this is Base64 encoded. So let's throw it into CyberChef:

Qapw Eekcl - Pvr RMKP...XZW VWUR... TTI XEF... LAA ZRGQRO!!!!
Sfw. Kajnmb xsi owuowge
Faz. Tml fkfr qgseik ag oqeibx
Eljwx. Xil bqi aiklbywqe
Rsfv. Zwel vvm imel sumebt lqwdsfk
Yejr. Tqenl Vsw svnt "urqsjetpwbn einyjamu" wf.

Iz glww A ykftef.... Qjhsvbouuoexcmvwkwwatfllxughhbbcmydizwlkbsidiuscwl

It spits out some garbage that is still encoded, so we can't fully decipher it yet. Let's keep going. Let's skip SSH and start enumerating HTTP.

HTTP Enumeration

So we can check out the website by going into our browser and typing in the room's IP address. Once we do we're greeted with this lovely webpage from the 90's.

[screenshot: cage page]

Clicking each of the links does nothing so that's not it. So we check /robots.txt...nothing. We check the source code...nothing. We use Dev Tools (I've actually had Page Source show different info than Dev Tools, so this is useful to do)...nothing. Nikto! Nothing. Okay, fine! Let's run ffuf and fuzz the webpage.

[screenshot: ffuf]

/scripts, /contracts, /images and /auditions were all just directory listings to download things from. After checking all of them, we come to /auditions, which contains a single .mp3 file. Let's run curl -k http://10.10.205.225/auditions/must_practice_corrupt_file.mp3 -o corrupt.mp3. This downloads the mp3 to our folder. Let's take a listen.

[audio: mp3 audio]

It clearly has something wrong with it. You can tell from the distortion in the audio clip itself, and the filename literally has the word "corrupt" in it. We think this may contain some hidden information (it wouldn't be a CTF if it didn't), so let's download Sonic Visualiser, load up the file and play around with the settings a bit.

Using the following settings, we can see clearly that there's some text hidden in this mp3 file.

[screenshot: hidden image in mp3]

"namelesstwo". Hilarious, Magna.

[image: haha]

Given this information and the ciphertext we found before, I think we have what we need to fully decode it.

Throwing the ciphertext from before back into CyberChef, still with the Base64 decode but this time with a Vigenère Decode added after it, we enter "namelesstwo" as the key and...BAM!!

One. Revamp the website
Two. Put more quotes in script
Three. Buy bee pesticide
Four. Help him with acting lessons
Five. Teach Dad what "information security" is.

In case I forget.... Mydadisghostrideraintthatcoolnocausehesonfirejokes

Looks like we just got an SSH password. Judging from the tasks in the room, we can probably guess it is weston's.
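The same Base64-then-Vigenère step, done in Python instead of CyberChef, as an added example that is not part of the original write-up. The ciphertext constant below is a copy of the Base64-decoded dad_tasks text shown above, and the decryption routine follows CyberChef's conventions (only letters are shifted, case is kept, and the key advances only on letters), which is why the line breaks and punctuation survive untouched. The function and constant names are my own.

```python
# Constructed copy of the Base64-decoded dad_tasks text from the write-up.
DAD_TASKS_CIPHERTEXT = """Qapw Eekcl - Pvr RMKP...XZW VWUR... TTI XEF... LAA ZRGQRO!!!!
Sfw. Kajnmb xsi owuowge
Faz. Tml fkfr qgseik ag oqeibx
Eljwx. Xil bqi aiklbywqe
Rsfv. Zwel vvm imel sumebt lqwdsfk
Yejr. Tqenl Vsw svnt "urqsjetpwbn einyjamu" wf.

Iz glww A ykftef.... Qjhsvbouuoexcmvwkwwatfllxughhbbcmydizwlkbsidiuscwl"""


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Classic Vigenère decryption, CyberChef style.

    Only A-Z / a-z are shifted, case is preserved, every other character is
    copied through unchanged, and the key position advances only when a
    letter is consumed.  Each plaintext letter is (c - k) mod 26.
    """
    shifts = [ord(k) - ord("a") for k in key.lower() if k.isalpha()]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out = []
    i = 0  # index into the key, advanced on letters only
    for ch in ciphertext:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base - shifts[i % len(shifts)]) % 26 + base))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def decode_dad_tasks(key: str = "namelesstwo") -> str:
    """Apply the key recovered from the mp3 spectrogram to the dad_tasks text."""
    return vigenere_decrypt(DAD_TASKS_CIPHERTEXT, key)


def extract_password(plaintext: str) -> str:
    """The credential is the last token of the last non-empty line."""
    return plaintext.strip().splitlines()[-1].split()[-1]


if __name__ == "__main__":
    plaintext = decode_dad_tasks()
    print(plaintext)
    print("password:", extract_password(plaintext))
```

A wrong key (say "nameless" or "FACE") still produces output of the same shape, just unreadable, which is why the spectrogram hint matters: with a polyalphabetic cipher there is nothing to brute-force cheaply without a known key length.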

Initial Foothold

So we have weston's SSH password. Let's log in with SSH now (this is where the target IP changed).

[screenshot: weston ssh]

From the first few commands we can see that there are no files or directories (that we can see) in /home/weston.

We can run sudo -l to see what we're able to run with sudo. Looks like we can run something in /usr/bin called bees.

[screenshot: bees!]
[screenshot: bees2]

Now that's funny. While we're doing this, different Nicolas Cage quotes are showing up on screen.

[screenshot: quotes]

They seem to show up every 1-3 minutes or so, so we can be pretty sure a cron job is running. Reading through Payloads All The Things, we come to the "Scheduled tasks" section. We see that the program pspy can be used to watch cron jobs as they run. Let's download that and HTTP it over to the box. We can serve up the file from our current directory with

python -m SimpleHTTPServer 80

The file downloads successfully and we chmod +x the file so we can run it. We run ./pspy64 and we're off to the races!

[screenshot: pspy]

[image: oh ya]

When I ran pspy, the cron job had just run, so I had to wait a bit for it to fire again, but after what felt like fivever, we see this:

[screenshot: pspy results]

There's a .py script running using Python and seemingly Bash as well (not sure why the redundancy). If we navigate on over to that directory and read out the script file, this is what it's doing.

[screenshot: python script file]

It reads a .quotes file, picks one line from it and hands that line to os.system(). Building a shell command by string concatenation and passing it to os.system() is what makes this vulnerable: the quote goes to a shell unescaped, so anything in the .quotes file that the shell treats as a command separator gets executed too. Since this runs as a cron job as the user cage, we can insert our own malicious code to do what we want. In this case, we'll get a shell. I picked the Python one from Pentest Monkey.

[screenshot: py reverse shell]

Notice that I added a semicolon before the actual script. This is because, if you remember from the spread_the_quotes.py script, it's calling os.system("wall " + quote). This means that we need to terminate the first part and call our script from .quotes (which is the only thing in the file).
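To make the os.system("wall " + quote) problem concrete from the defender's side, here is an added example (mine, not code from the room or from spread_the_quotes.py) that runs the vulnerable pattern and a hardened equivalent side by side over a constructed .quotes list, plus a small audit that flags quote lines a shell would interpret. echo stands in for wall so the demo runs without a terminal, and the injected line is a harmless stand-in that only echoes a marker; the function names are my own.

```python
import re
import subprocess

# Constructed stand-in for the box's .quotes file: an ordinary quote, and one
# line carrying a shell command separator (harmless: it only echoes a marker).
SAMPLE_QUOTES = [
    "Put more quotes in script",
    "Not the bees; echo INJECTED",
]

# Characters /bin/sh treats specially; any quote containing one should never
# reach a shell via string concatenation.
SHELL_META = re.compile(r"[;&|`$<>]")


def audit_quotes(lines):
    """Return the indices of quote lines that would be interpreted by a shell."""
    return [i for i, q in enumerate(lines) if SHELL_META.search(q)]


def broadcast_unsafe(quote, program="echo"):
    """The pattern from the cron script: concatenate and hand the string to a
    shell (os.system does exactly this; subprocess with shell=True is the same
    behaviour but lets us capture the output for the demo).  A ';' in the quote
    ends the first command and starts a second one."""
    result = subprocess.run(program + " " + quote, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def broadcast_safe(quote, program="echo"):
    """Hardened form: argv list, no shell.  The whole quote is a single
    argument, so metacharacters are displayed literally, never executed."""
    result = subprocess.run([program, quote], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    print("suspicious lines:", audit_quotes(SAMPLE_QUOTES))
    for q in SAMPLE_QUOTES:
        print("unsafe ->", repr(broadcast_unsafe(q)))
        print("safe   ->", repr(broadcast_safe(q)))
```

Two other things close the hole as used on this box: the .quotes file must not be writable by the lower-privileged account (the cron job reads it as cage, so only cage or root should be able to write it), and if the command really must go through a shell, shlex.quote(quote) turns the line into a single quoted word before concatenation.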

Be sure to catch your shell!

[screenshot: nc catch]

And just like that, we're cage.

Privilege Escalation

This is going to be super simple. If we look around, we see that there's a directory that seems to hold email backups. If we cat out each one, we eventually make it to the third one, which gives us a huge clue.

[screenshot: email_3]

That text again looks like ciphertext. Throw it into CyberChef again with a Vigenère Decode.

Reading the rest of the email, we see the word "face" used a lot. After several attempts at a key, we finally get "FACE" as the key.

[screenshot: FACE]

And just like that...

[screenshot: root]

Boom.

Summary

Again, I really enjoyed this room. I think Magna did a great job with the clues and on how to get privesc. There were actually a lot of things during the initial foothold while I was looking for the privesc that I just didn't show because it was a lot. It would've made this a lot longer than it already is. But really, just try harder and you'll get there eventually.

Rating 10/10

As always...cya Cyber Cowboy.

Spike