Machine Info
Difficulty: Easy🟩
Link: HERE
Avg time: 45 Minutes
OS: Linux
Description: Help Cage bring back his acting career and investigate the nefarious goings on of his agent!
Recon
Casually nmap scan.
sudo nmap 10.114.188.39 -Pn -p- -sV -sC -T4 -n -oN scan.txt
Scan reveals:
- 21/tcp - FTP
- 22/tcp - SSH
- 80/tcp - HTTP
Shell as Weston
Logging in to FTP as anonymous works. The scan had already revealed a file named dad_tasks; using get in the FTP client downloads it. Reading the file shows text encoded in base64.
Running this command decodes the string:
echo "STRING-HERE" | base64 -d
After decoding, the text still looked strange and unreadable, like the output of a Caesar or Vigenère cipher.
A good tool for this is Cipher Identifier: it reports the most probable cipher and even suggests decoding tools. Running the text through it identifies Vigenère. Its decode tool gives something almost readable, but the words run together because the ciphertext has no spaces. In CyberChef, select Vigenère Decode, provide the identified key and paste the ciphered text.
Decoded text looks like:
There is a weird string. Maybe it's a password, but for who?
Going to the website hosted on port 80 reveals a pseudo diary. Reading it reveals a son named Weston. The note on FTP was written by Weston for his dad with an "In case I forget" message, so the weird string may be Weston's own password.
Trying to log in as Weston via SSH using this string as a password works.
Shell as Cage
Before anything else, pspy64 was transferred onto the machine and started in a second SSH session on the same box. Then:
sudo -l
It shows that weston can run /usr/bin/bees as root.
After checking the file, it turned out it couldn't be edited and the script didn't ask for any input. It simply called wall with some hardcoded text. This script was a rabbit hole.
INFO:
wall stands for "write all"; it prints a message to every logged-in user with an open terminal.
While checking pspy64 output, a cronjob running as UID=1000 (Cage) was spotted, executing every 3 minutes.
After investigating /opt/.dads_scripts/spread_the_quotes.py, it turned out the script was concatenating a random quote with wall. It looked like this:
#!/usr/bin/env python
#Copyright Weston 2k20 (Dad couldnt write this with all the time in the world!)
import os
import random
lines = open("/opt/.dads_scripts/.files/.quotes").read().splitlines()
quote = random.choice(lines)
os.system("wall " + quote)
The script was picking a random quote from /opt/.dads_scripts/.files/.quotes and concatenating it directly with the wall command. That file with quotes was writable. Since os.system("wall " + quote) passes the string straight to the shell, the file was overwritten with a payload that copies /bin/bash to /tmp/bash and sets the SUID bit on it:
echo "&& cp /bin/bash /tmp/bash && chmod +s /tmp/bash" > .quotes
After the cronjob fired again, a Cage-privileged shell was obtained by running:
/tmp/bash -p
However, this gives a process running with Cage's privileges via SUID, not a full interactive shell. To get a proper shell, instead of generating a new SSH key, an existing private key was found at /home/cage/.ssh/id_rsa. Copying it and using it to connect over SSH gave a full, stable shell as Cage.
Flag located at: /home/cage/Super_Duper_Checklist
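The root cause above is a writable quotes file fed unquoted into os.system(). The following is an added example, not the box's own script, showing a hardened rewrite of spread_the_quotes.py: the quote becomes a single argv element so it never reaches a shell, and the script refuses a quotes file that group or others can modify. The helper names and the trusted_with_mode() self-check are my own additions.

```python
#!/usr/bin/env python3
# Added example, not the box's own script: a hardened rewrite of the cron job
# /opt/.dads_scripts/spread_the_quotes.py. The original runs os.system("wall " + quote),
# so shell metacharacters in the quotes file execute as the cron user. This version
# never hands the quote to a shell and refuses a quotes file that others can modify.
import os
import random
import stat
import subprocess
import tempfile

QUOTES_PATH = "/opt/.dads_scripts/.files/.quotes"  # path from the writeup

def vulnerable_command(quote):
    """What the original hands to /bin/sh: the quote is concatenated unquoted."""
    return "wall " + quote

def safe_argv(quote):
    """argv for subprocess.run(): the quote is one argument, so '&&', ';' or
    '$(...)' inside it are plain characters, never shell syntax."""
    return ["wall", quote]

def quotes_file_is_trusted(path):
    """Reject symlinks and files writable by group or others (the flaw abused above)."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def spread_the_quote(path=QUOTES_PATH, run=subprocess.run):
    """Hardened main routine; 'run' is injectable so it can be exercised offline."""
    if not quotes_file_is_trusted(path):
        raise PermissionError(path + " is writable by others; refusing to broadcast")
    with open(path) as f:
        lines = [line.rstrip("\n") for line in f if line.strip()]
    quote = random.choice(lines)
    run(safe_argv(quote), check=False)  # no shell=True: nothing to inject into
    return quote

def trusted_with_mode(mode):
    """Self-check: create a scratch quotes file with the given mode and report
    whether quotes_file_is_trusted() accepts it."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"Not the bees!\n")  # constructed sample quote
        os.close(fd)
        os.chmod(path, mode)
        return quotes_file_is_trusted(path)
    finally:
        os.unlink(path)
```

Feeding the writeup's payload line to safe_argv() yields a two-element list, so wall simply prints the "&& cp ..." text instead of the shell executing it; the permission check would also have refused the original world-writable .quotes file outright.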
Shell as root, Vigenère in email (intended path)
Inside /home/cage/email_backup/email_3 there was a suspicious encoded string.
First tried Caesar. No shift made sense. Tried Vigenère and it cracked with key FACE. The decoded string turned out to be the root password. Logged in with:
su root
Flag located at: /root/email_backup/email_2
Shell as root, LXD (alternative path)
Running id after logging in as Cage shows that user cage is a member of the lxd group, which gives full control over the lxd tool. This allows creating a container in which you are root and mounting the host filesystem inside it (the same concept as docker group abuse).
Transfer an Alpine Linux image to the machine (Alpine builder), then run:
lxc image import alpine-v3.13-x86_64-20210218_0139.tar.gz --alias alpine
lxd init
lxc init alpine [NAME-HERE]
The lxc exploit is a bit tedious to do manually. Use this script, transfer it to the machine and run:
./lxd_rootv1.sh [NAME-HERE]
If everything worked, running:
sudo su
should drop into a root shell without asking for a password.