Break Out The Cage
Reconnaissance
Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn).
Detailed Nmap scan:
Command Breakdown:
(-sV): Service version detection
(-sC): Default Nmap scripts
(-p): Specify ports 21, 22 and 80
(-oN nmap): Save the output to a file called nmap
Enumeration
Port 21: FTP
Anonymous login is allowed, so let's check it out and download the files on the server.
Let's read the file.
Looks like it's encrypted; let's crack it using CyberChef.
It looks like it has been encrypted twice; let's find out what this says too.
This looks like a password. We could try logging into SSH, but let's first check port 80: HTTP.
Port 80: HTTP
Looking at the page, we have a username: Weston. None of the links on the page work, so let's run gobuster to find hidden directories.
There is nothing of interest in the /scripts file, and the /contracts directory has an empty file. The auditions directory has an interesting file.
Let's download this to our machine.
We can look at this file with a tool called Sonic Visualiser; let's open the file in the app.
Now go to Pane, then Add Spectrogram, and click the first option. We are doing this to add a spectrogram so that we can look for hidden data.
We can see a box; let's see what it says.
After changing the colour to get a better visual, we can see that it says namelesstwo. Checking around, I found out that this is the key for the Vigenère cipher, which we can use to crack the text we found before.
We have the same text we found before, so let's log in through SSH now with the username we found at the start, Weston.
As the password worked, we can answer the first question.
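The Vigenère step above was done in CyberChef. As an added example (my code, not part of the original writeup), here is the same cipher in plain Python, so the decode can be reproduced without a browser tool. The ciphertext in the block is constructed from a made-up plaintext; the room's own ciphertext is not on this page. The key only advances on letters and punctuation passes through unchanged, which is the usual convention for this cipher.

```python
# Repeating-key Vigenère cipher: encrypt and decrypt.
# Added example; the sample text below is constructed, not the room's data.

import string

ALPHABET = string.ascii_lowercase


def _shift(ch, key_letter, direction):
    """Shift one letter by the offset of key_letter (a=0 ... z=25), keeping case.
    direction is +1 to encrypt and -1 to decrypt. Non-letters are returned untouched."""
    if not ch.isalpha():
        return ch
    base = ALPHABET if ch.islower() else ALPHABET.upper()
    offset = ALPHABET.index(key_letter.lower())
    return base[(base.index(ch) + direction * offset) % 26]


def vigenere(text, key, decrypt=False):
    """Apply the Vigenère cipher with the given key.
    The key index advances only when a letter is processed, so spaces and
    punctuation do not consume key characters."""
    key_letters = [k for k in key if k.isalpha()]
    if not key_letters:
        raise ValueError("key must contain at least one letter")
    direction = -1 if decrypt else 1
    out = []
    i = 0
    for ch in text:
        if ch.isalpha():
            out.append(_shift(ch, key_letters[i % len(key_letters)], direction))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def vigenere_encrypt(text, key):
    return vigenere(text, key)


def vigenere_decrypt(text, key):
    return vigenere(text, key, decrypt=True)


if __name__ == "__main__":
    # Key recovered from the spectrogram in the writeup; plaintext is made up here.
    KEY = "namelesstwo"
    sample_plain = "this is not the real password"      # constructed
    sample_cipher = vigenere_encrypt(sample_plain, KEY)  # stands in for the FTP text
    print("ciphertext:", sample_cipher)
    print("decrypted :", vigenere_decrypt(sample_cipher, KEY))
```

Run it directly to see a round trip; to decode the real text from the FTP server, pass that string to `vigenere_decrypt` with the key namelesstwo.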
Privilege Escalation
I was looking around when a message popped up.
It looks like there is a cron job running that executes this script every few minutes; let's go find it. I was searching for a while and could not find it, so let's transfer a tool called pspy onto this machine and have it find the cron job.
To transfer this file, let's start an HTTP server on our machine and download the file on the victim machine with wget. If you have just downloaded pspy, make sure to make it executable.
Now let's start an HTTP server.
Now let's download the file on the victim's machine.
Let's make the file executable.
Now run the file.
Looking through the output, we find an interesting file which may be the one we are looking for.
Let's check this file.
Let's add a reverse shell to the file .quotes (as the .quotes file is being printed every few minutes) so that we can get access as a higher-privileged user, the owner of the file ./opt/.dads_scripts/.files/.quotes, cage. We can see this when we look at the permissions of the file.
The reverse shell we will be using is this:
Let's echo the reverse shell into the file and start a netcat listener.
After a while, you should get a reverse shell.
Let's stabilise the shell.
Let's read the file in this directory.
We have the user flag.
Next, let's cd into the email backup folder and read all the files.
Looking through the files, the only interesting things I found are the string in the third email and the number of times the word FACE has been used. This might be something that will help us, so let's copy it and try to crack it using CyberChef.
So FACE was actually the key to crack this password. This is the password for the root account, so let's switch users and read the root flag.