Break Out the Cage
Introduction
Author: Magna
Difficulty: Easy
Date Released: 6/14/2020
Topics Covered
- Enumeration
- Audio Steganography
- Python
- Linux Privilege Escalation
This was an Easy box developed by Magna on TryHackMe. I really enjoyed this box. There are quite a lot of little things to take note of and it's a genuinely pleasant CTF experience. I got in my head a little bit and got lost on the user privesc but with a little hint from the community, I got it -- easy.
With that out of the way, let's go.
Quick Note: You may notice that I use different IPs as the target IP. That's because the OVPN file I was using was borked and I had to change regions to make it work properly.
Enumeration
We start out with our basic enumeration with nmap. For these boxes, I also like to create their own directory in my home to keep things nice and organized.
This creates some files in an nmap directory if we need them later (which I most definitely will because I forget literally everything). Looking at the results, we see the following:
So, FTP, SSH and HTTP are open. This is pretty standard CTF fare. Let's start at the top and work our way down.
FTP Enumeration
We can log in to FTP with ftp -p 10.10.205.225. We can use anonymous as the username since Anonymous login is enabled (from the nmap results) and no password is required.
Once we log in and do an ls, we can see
So there's a file called dad_tasks that we can download with get. We download it to our directory and cat it out.
UWFwdyBFZWtjbCAtIFB2ciBSTUtQLi4uWFpXIFZXVVIuLi4gVFRJIFhFRi4uLiBMQUEgWlJHUVJPISEhIQpTZncuIEtham5tYiB4c2kgb3d1b3dnZQpGYXouIFRtbCBma2ZyIHFnc2VpayBhZyBvcWVpYngKRWxqd3guIFhpbCBicWkgYWlrbGJ5d3FlClJzZnYuIFp3ZWwgdnZtIGltZWwgc3VtZWJ0IGxxd2RzZmsKWWVqci4gVHFlbmwgVnN3IHN2bnQgInVycXNqZXRwd2JuIGVpbnlqYW11IiB3Zi4KCkl6IGdsd3cgQSB5a2Z0ZWYuLi4uIFFqaHN2Ym91dW9leGNtdndrd3dhdGZsbHh1Z2hoYmJjbXlkaXp3bGtic2lkaXVzY3ds
Not sure what the % is doing in there but maybe some newline or end of line character, so we can probably ignore that. After some digging (and some help...) we figure out that this is Base64 encoded. So let's throw this into CyberChef.
It spits out some garbage that is still encoded so we can't fully decipher it yet. Let's keep going. Let's skip SSH and start enumerating HTTP.
Qapw Eekcl - Pvr RMKP...XZW VWUR... TTI XEF... LAA ZRGQRO!!!!
Sfw. Kajnmb xsi owuowge
Faz. Tml fkfr qgseik ag oqeibx
Eljwx. Xil bqi aiklbywqe
Rsfv. Zwel vvm imel sumebt lqwdsfk
Yejr. Tqenl Vsw svnt "urqsjetpwbn einyjamu" wf.
Iz glww A ykftef.... Qjhsvbouuoexcmvwkwwatfllxughhbbcmydizwlkbsidiuscwl
HTTP Enumeration
So we can check out the website by going into our browser and typing in the room's IP address. Once we do we're greeted with this lovely webpage from the 90's.
Clicking each of the links does nothing so that's not it. So we check /robots.txt...nothing. We check the source code...nothing. We use Dev Tools (I've actually had Page Source show different info than Dev Tools, so this is useful to do)...nothing. Nikto! Nothing. Okay, fine! Let's run ffuf and fuzz the webpage.
/scripts, /contracts, /images and /auditions were all just directory listings to download things from. After checking all of them, we come to /auditions which contains a single .mp3 file. Let's curl -k http://10.10.205.225/auditions/must_practice_corrupt_file.mp3 -o corrupt.mp3. This will download the mp3 to our folder. Let's take a listen.
It clearly has something wrong with it. You can tell from the audio clip itself with the distortion, and the filename literally has the word "corrupt" in it. We think this may contain some hidden information (it wouldn't be a CTF if it didn't) so let's download Sonic Visualiser, load up the file and play around with the settings a bit.
Using the following settings, we can see clearly that there's some text hidden in this mp3 file.
"namelesstwo". Hilarious, Magna.
Given this information and the ciphertext we found before, I think we have what we need to fully decode it.
Throwing the ciphertext from before into CyberChef, still with the Base64 decode but this time with a Vigenère Decode added after it, we enter the "namelesstwo" key and...BAM!!
One. Revamp the website
Two. Put more quotes in script
Three. Buy bee pesticide
Four. Help him with acting lessons
Five. Teach Dad what "information security" is.
In case I forget.... Mydadisghostrideraintthatcoolnocausehesonfirejokes
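The same two-step decode done in Python rather than CyberChef, as an added example that is not part of the original writeup: Base64 first, then Vigenère with the "namelesstwo" key recovered from the spectrogram. The blob is the dad_tasks contents from above; the Vigenère routine shifts letters only and advances the key only on letters, which is what CyberChef does.

```python
import base64
from string import ascii_lowercase, ascii_uppercase

# dad_tasks exactly as cat'd out from the FTP share on the page
DAD_TASKS_B64 = (
    "UWFwdyBFZWtjbCAtIFB2ciBSTUtQLi4uWFpXIFZXVVIuLi4gVFRJIFhFRi4uLiBMQUEgWlJHUVJPISEhIQpTZncuIEtham5tYiB4c2kg"
    "b3d1b3dnZQpGYXouIFRtbCBma2ZyIHFnc2VpayBhZyBvcWVpYngKRWxqd3guIFhpbCBicWkgYWlrbGJ5d3FlClJzZnYuIFp3ZWwgdnZt"
    "IGltZWwgc3VtZWJ0IGxxd2RzZmsKWWVqci4gVHFlbmwgVnN3IHN2bnQgInVycXNqZXRwd2JuIGVpbnlqYW11IiB3Zi4KCkl6IGdsd3cg"
    "QSB5a2Z0ZWYuLi4uIFFqaHN2Ym91dW9leGNtdndrd3dhdGZsbHh1Z2hoYmJjbXlkaXp3bGtic2lkaXVzY3ds"
)

# key read off the spectrogram of must_practice_corrupt_file.mp3
KEY = "namelesstwo"


def vigenere_decrypt(text, key):
    """Classic Vigenère decryption: plaintext = (cipher - key) mod 26 per letter.
    Case is preserved, non-letters pass through untouched and do not consume key."""
    key = key.lower()
    out, k = [], 0
    for ch in text:
        if "a" <= ch.lower() <= "z":
            alphabet = ascii_uppercase if ch.isupper() else ascii_lowercase
            shift = ord(key[k % len(key)]) - ord("a")
            out.append(alphabet[(alphabet.index(ch) - shift) % 26])
            k += 1
        else:
            out.append(ch)
    return "".join(out)


def decode_dad_tasks(blob=DAD_TASKS_B64, key=KEY):
    """Base64 layer first (re-pad in case a copy lost trailing '='), then Vigenère.
    Returns the decoded task list as a list of lines."""
    padded = blob + "=" * (-len(blob) % 4)
    layer1 = base64.b64decode(padded).decode("ascii")
    return vigenere_decrypt(layer1, key).splitlines()


if __name__ == "__main__":
    for line in decode_dad_tasks():
        print(line)
```

The first decoded line is the "Dads Tasks" header that the CyberChef screenshot cuts off; the numbered tasks and the password line follow it.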
Looks like we just got an SSH password. Judging from the Tasks in the room, we can probably guess this is weston's.
Initial Foothold
So we have weston's SSH password. Let's log in with SSH now (this is where the target IP changed).
From the first initial commands we can see that there are no files or directories (that we can see) in /home/weston.
We can run sudo -l to see what we're able to run with sudo. Looks like we can run something in /usr/bin called bees.
Now that's funny. While we're doing this, different Nicolas Cage quotes are showing up on screen.
They seem to show up every 1-3 minutes or so, so we definitely know a cron job is running. Reading through Payloads All The Things, we come to the "Scheduled tasks" section. We see that the program pspy can be used to see running cron jobs. Let's download that and HTTP it over to the box. We can serve up the file from our current directory with
python -m SimpleHTTPServer 80
The file downloads successfully and we chmod +x the file so we can run it. We run ./pspy64 and we're off to the races!
When I ran pspy, the cronjob had just run so I had to wait a bit for it to fire again but after what felt like fivever, we see this
There's a .py script running using Python and seemingly Bash as well (not sure why the redundancy). If we navigate on over to that directory and read out the script file, this is what it's doing.
It's reading a .quotes file, picking one from it and then calling os.system(). Passing the quote straight into os.system() is vulnerable code: the string is handed to a shell, so anything in the quote that the shell understands gets executed as a command. Since this is running as a cronjob as the user cage, we can insert our own malicious code to do what we want. In this case, we'll get a shell. I picked the Python one from Pentest Monkey.
Notice that I added a semicolon before the actual script. This is because, if you remember from the spread_the_quotes.py script, it's calling os.system("wall " + quote). This means that we need to terminate the first part and call our script from .quotes (which is the only thing in the file).
Be sure to catch your shell!
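The os.system("wall " + quote) pattern beside its hardened form, as an added example that is not the box's own spread_the_quotes.py. echo stands in for wall (which needs a tty and root) so it runs anywhere, and the quote line is constructed; the last function is the kind of check a defender could run over a .quotes file before a cron job ever reads it.

```python
import subprocess


def run_vulnerable(quote):
    """Same shape as the cron script: one string built by concatenation and handed
    to /bin/sh (shell=True reproduces what os.system() does). A ';' in the quote
    ends the first command and starts a second one. 'echo' stands in for 'wall'."""
    proc = subprocess.run("echo " + quote, shell=True, capture_output=True, text=True)
    return proc.stdout


def run_hardened(quote):
    """Hardened form: an argv list and no shell. The whole quote arrives as a
    single argument, so ';', '|', '$(...)' and friends are just characters in the
    message and never reach a command parser."""
    proc = subprocess.run(["echo", quote], capture_output=True, text=True)
    return proc.stdout


def suspicious_quote(quote):
    """Cheap integrity check for a quotes file consumed by a privileged job:
    flag any line carrying shell metacharacters so it can be reviewed, not run."""
    return any(c in quote for c in ";|&`$(){}<>\n")


# constructed quote line: a harmless second command appended after ';'
INJECTED_QUOTE = "Not the bees!; echo INJECTED"

if __name__ == "__main__":
    print("vulnerable :", repr(run_vulnerable(INJECTED_QUOTE)))
    print("hardened   :", repr(run_hardened(INJECTED_QUOTE)))
    print("suspicious :", suspicious_quote(INJECTED_QUOTE))
```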
And just like that, we're cage.
Privilege Escalation
This is going to be super simple. If we look around, we see that there's a directory that seems to hold email backups. If we cat out each one, we eventually make it to the 3rd one which gives us a huge clue.
That text again looks like ciphertext. Throw it into CyberChef again with a Vigenère Decode.
Reading the rest of the email, we see the word "face" used a lot. After several attempts at a key, we finally land on "FACE" as the key.
And just like that...
Boom.
Summary
Again, I really enjoyed this room. I think Magna did a great job with the clues and on how to get privesc. There were actually a lot of things during the initial foothold while I was looking for the privesc that I just didn't show because it was a lot. It would've made this a lot longer than it already is. But really, just try harder and you'll get there eventually.
Rating 10/10
As always...cya Cyber Cowboy.