narancs's blog

TryHackMe – Break Out The Cage walkthrough


Introduction

This post is about the Break Out The Cage room on TryHackMe. It involves web enumeration, steganography, cryptography and Linux privilege escalation.

Enumeration

I started with an nmap scan to check open ports on the target.

FTP, SSH and HTTP services are running on their default ports. We can also see that Anonymous login is allowed on the FTP server.

FTP

On the FTP server we can find a file named dad_tasks with the following content:

				
					UWFwdyBFZWtjbCAtIFB2***skipped***aXp3bGtic2lkaXVzY3ds
				
			

If we put this into CyberChef, it can automatically detect that it is base64 encoded data.

The decoded text:

				
					Qapw Eekcl - Pvr RMKP...XZW VWUR... TTI XEF... LAA ZRGQRO!!!!
Sfw. Kajnmb xsi owuowge
Faz. Tml fkfr qgseik ag oqeibx
Eljwx. Xil bqi aiklbywqe
Rsfv. Zwel vvm imel sumebt lqwdsfk
Yejr. Tqenl Vsw svnt "urqsjetpwbn einyjamu" wf.
Iz glww A ykftef.... Qj**********************************************wl
				
			

This looks like a ciphertext. I used online cipher identifier tools to find out which algorithm was used, e.g.:

All 3 of the listed tools identify this text as a Vigenère cipher. However, for a Vigenère cipher we also need to find the key before we can decipher the text.

Gobuster

While checking the file on the FTP server I was running a directory enumeration on the web server.

The result of gobuster:

Several directories were discovered. In the /auditions directory we can find an audio file. If we open it in Audacity and switch to spectrogram view, we can see that the word “na********wo” was hidden in the file.

This is the key for the Vigenère cipher that we found earlier. I used CyberChef with the Vigenère Decode recipe to decipher the text.

Initial access

The first question of the room is ‘What is Weston’s password?’. The answer is in the last line of the deciphered text.

Now we know the username and the password, so we can SSH to the host.

The user is a member of the cage group, so I checked whether any interesting files belong to this group. Meanwhile I also noticed that random broadcast messages are being sent by the user cage.

The content of /opt/.dads_scripts/spread_the_quotes.py file:

				
					#!/usr/bin/env python
#Copyright Weston 2k20 (Dad couldnt write this with all the time in the world!)
import os
import random
lines = open("/opt/.dads_scripts/.files/.quotes").read().splitlines()
quote = random.choice(lines)
os.system("wall " + quote)
				
			

What this script does:

  1. Reads the /opt/.dads_scripts/.files/.quotes file and stores the lines in a list
  2. Chooses a random quote from the list and assigns it to the “quote” variable
  3. Runs the wall command with the quote variable concatenated to it

So we can assume that this script is the one sending those broadcast messages with the wall command. It is executed every few minutes, probably by a cron job. We do not have write access to the script itself, but we do have write access to the file that contains the quotes. This means that by editing the quotes file we can influence the following line of the script:

				
					os.system("wall " + quote)
				
			

For example, if the quotes file contained only a single line:

; touch /tmp/test

Then the command that would be executed:

wall ; touch /tmp/test

The wall command would be executed without arguments, and then touch would be executed as a separate command, because os.system() passes the whole string to /bin/sh, which treats the semicolon as a command separator. This way we can essentially run arbitrary commands as the user cage.
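As an added example (not the room's script), the vulnerable concatenation pattern next to a hardened rewrite and a permission check for the quotes file. The `program` parameter is a hypothetical addition so the broadcast function can be exercised with echo instead of wall, and the injected quote line is a constructed sample.

```python
import os
import stat
import subprocess
import tempfile

QUOTES_FILE = "/opt/.dads_scripts/.files/.quotes"  # path from the room

# Constructed sample: a quote line carrying a shell metacharacter.
INJECTED_QUOTE = "; touch /tmp/test"


def vulnerable_command(quote):
    """The original pattern: os.system('wall ' + quote). os.system() hands the
    whole string to /bin/sh, which treats ';', '&&', '|' and backticks inside
    the quote as shell syntax rather than as message text."""
    return "wall " + quote


def hardened_broadcast(quote, program="wall"):
    """Hardened form: an argv list and no shell, so the entire quote is a single
    argument to the program and metacharacters remain literal text.
    `program` is a hypothetical parameter so the demo can run with echo."""
    proc = subprocess.run([program, quote], capture_output=True, text=True, check=True)
    return proc.stdout


def writable_by_group_or_other(path):
    """The second weakness in the room: the cron job runs as cage but reads a
    file that a lower-privileged user can write. Flag group/other write bits."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def check_mode(mode):
    """Create a scratch file with the given mode and run the permission check."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        return writable_by_group_or_other(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("shell sees:", vulnerable_command(INJECTED_QUOTE))
    print("argv sees :", hardened_broadcast(INJECTED_QUOTE, program="echo").rstrip())
    print("0o666 writable by others:", check_mode(0o666))
    print("0o644 writable by others:", check_mode(0o644))
```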

User flag

I used this method to run a reverse shell as cage on the target machine.

  1. Create a script file containing a bash reverse shell in /tmp
  2. Add executable permission to the file
  3. Modify the .quotes file, so it only contains 1 line that will start the reverse shell
  4. Start a netcat listener and wait for the connection

Now we have a shell as the cage user. Checking the home directory we can find a file named Super_Duper_Checklist and a directory named email_backup. The Super_Duper_Checklist file contains the user flag.

Root flag

In the email_backup directory we can find 3 emails. The third email contains a strange string that looks like a ciphertext. It is also interesting that the word “face” is repeated many times.

				
					From - Cage@nationaltreasure.com
To - Weston@nationaltreasure.com
Hey Son
Buddy, Sean left a note on his desk with some really strange writing on it. I quickly wrote
down what it said. Could you look into it please? I think it could be something to do with his
account on here. I want to know what he's hiding from me... I might need a new agent. Pretty
sure he's out to get me. The note said:
ha************ph
The guy also seems obsessed with my face lately. He came him wearing a mask of my face...
was rather odd. Imagine wearing his ugly face.... I wouldnt be able to FACE that!! 
hahahahahahahahahahahahahahahaahah get it Weston! FACE THAT!!!! hahahahahahahhaha
ahahahhahaha. Ahhh Face it... he's just odd. 
Regards
The Legend - Cage
				
			

The online cipher identifier tools mentioned earlier were not able to identify the correct cipher, most likely because the text is too short.

I tried to decipher it as a Vigenère cipher, using “face” as the keyword. It worked, and I got the root password as the output.
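As an added example (not the author's CyberChef recipe), a Vigenère routine that behaves like the Vigenère Decode recipe used for both dad_tasks and Sean's note: only letters are shifted, the key advances only on letters, and case and punctuation are preserved. The ciphertexts on this page are redacted, so the inputs below are constructed.

```python
import string

ALPHABET = string.ascii_uppercase


def vigenere(text, key, decrypt=False):
    """Shift each letter of `text` by the corresponding key letter.
    Non-letters pass through unchanged and do not consume a key position,
    which is how CyberChef treats spaces and punctuation."""
    shifts = [ALPHABET.index(k) for k in key.upper() if k in ALPHABET]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out = []
    pos = 0  # index into the key; only advances on letters
    for ch in text:
        if ch.upper() in ALPHABET:
            shift = shifts[pos % len(shifts)]
            if decrypt:
                shift = -shift
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            pos += 1
        else:
            out.append(ch)
    return "".join(out)


def vigenere_encrypt(text, key):
    return vigenere(text, key)


def vigenere_decrypt(text, key):
    return vigenere(text, key, decrypt=True)


if __name__ == "__main__":
    # Constructed sample note; "face" is the key observed in Cage's email.
    note = "Weston, check Sean's note!"
    ct = vigenere_encrypt(note, "face")
    print(ct)
    print(vigenere_decrypt(ct, "face"))
```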

After switching to root I checked the files in the home directory. The root user has an email_backup directory as well, containing 2 files. The root flag can be found in the second email.

				
					From - master@ActorsGuild.com
To - SeanArcher@BigManAgents.com
Dear Sean
I'm very pleased to here that Sean, you are a good disciple. Your power over him has become
strong... so strong that I feel the power to promote you from disciple to crony. I hope you
don't abuse your new found strength. To ascend yourself to this level please use this code:
THM{********************************}
Thank you
Sean Archer
				
			

Summary

In the Break Out The Cage CTF room I started by enumerating the target with nmap and gobuster. I found an encoded text file on the FTP server and a strange audio file on the web server in the /auditions directory. Using cryptography and steganography on these files, I recovered the password of the weston user.

After gaining initial access to the system, I found an insecure Python script that was being executed by a cron job. I exploited this script and escalated my privileges to the cage user.

In the home directory of the cage user, I found 3 emails. The third email contained the root password encrypted with a Vigenère cipher. I deciphered the root password and gained root access to the target.
