
Laach_


Break Out The Cage - THM

Machine Info

Difficulty: Easy🟩
Link: HERE
Avg time: 45 Minutes
OS: Linux

Description: Help Cage bring back his acting career and investigate the nefarious goings on of his agent!

Recon

A routine nmap scan:

sudo nmap 10.114.188.39 -Pn -p- -sV -sC -T4 -n -oN scan.txt

Nmap scan

Scan reveals:

  • 21/tcp - FTP
  • 22/tcp - SSH
  • 80/tcp - HTTP

Shell as Weston

Logging in to FTP as anonymous works. The scan revealed a file named dad_tasks, which can be downloaded with get in FTP. Reading the file shows text encoded in base64.

Base64 string

Running this command decodes the string:

echo "STRING-HERE" | base64 -d

After decoding, the result still looked unreadable. It resembled a Caesar or Vigenère cipher.

Vigenère cipher

The best tool for cipher identification is Cipher Identifier. It identifies the most probable cipher and even suggests decoding tools. After running it, the text is identified as Vigenère. Running it through the decode tool gives something almost readable, but the words are stuck together because the ciphertext has no spaces. Go to CyberChef, select Vigenère Decode, provide the identified key and paste the ciphered text.

Decoded text looks like:

Decoded string

There is a weird string. Maybe it's a password, but for who?

Going to the website hosted on port 80 reveals a pseudo diary. Reading it reveals a son named Weston. The note on FTP was written by Weston for his dad with an "In case I forget" message, so the weird string may be Weston's own password.

Trying to log in as Weston via SSH using this string as a password works.

Shell as Cage

At the beginning, pspy64 was transferred onto the machine and run in a second terminal logged on to the same machine. Then:

sudo -l

It shows that weston can run /usr/bin/bees as root.

Bees file

After checking the file, it turned out it couldn't be edited and the script didn't ask for any input. It simply called wall with some hardcoded text. This script was a rabbit hole.

INFO: wall stands for "write all"; it prints a message to every logged-in user with an open terminal.

While checking pspy64 output, a cronjob running as UID=1000 (Cage) was spotted, executing every 3 minutes.

cron command in pspy64

After investigating /opt/.dads_scripts/spread_the_quotes.py, it turned out the script was concatenating a random quote with wall. It looked like this:

#!/usr/bin/env python

#Copyright Weston 2k20 (Dad couldnt write this with all the time in the world!)
import os
import random

lines = open("/opt/.dads_scripts/.files/.quotes").read().splitlines()
quote = random.choice(lines)
os.system("wall " + quote)

The script was picking a random quote from /opt/.dads_scripts/.files/.quotes and concatenating it directly with the wall command. That quotes file was writable by weston. Since os.system("wall " + quote) hands the concatenated string to /bin/sh, any shell metacharacters in a quote are interpreted as commands, so the file was overwritten with a payload that copies /bin/bash to /tmp/bash and sets the SUID bit on it:

echo "&& cp /bin/bash /tmp/bash && chmod +s /tmp/bash" > .quotes
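The root cause above is string concatenation into a shell command plus an input file that a lower-privileged user can write. As an added example (not the machine's script, and not part of the original writeup), the following shows the vulnerable command construction next to a hardened version that passes the quote as a single argv element and refuses to read a quotes file that is owned by someone else or writable by group/others. The file paths and sample strings are taken from the writeup or constructed for the demonstration; the function names are my own.

```python
# Added example, not the script from the machine: the writeup's
# os.system("wall " + quote) pattern beside a hardened replacement.
import os
import random
import stat
import subprocess

QUOTES_FILE = "/opt/.dads_scripts/.files/.quotes"  # path named in the writeup


def vulnerable_wall_command(quote: str) -> str:
    """What os.system("wall " + quote) hands to /bin/sh.

    The quote becomes part of the command line, so shell metacharacters
    in it (&&, ;, |, $( ), backticks) are interpreted as commands.
    """
    return "wall " + quote


def hardened_wall_argv(quote: str) -> list:
    """argv list for subprocess.run without a shell.

    The whole quote is one argument to wall, so it can only ever be
    printed, never executed, whatever characters it contains.
    """
    return ["wall", quote]


def quotes_file_is_trustworthy(path: str, expected_uid: int) -> bool:
    """Refuse input another user could have modified.

    The file must be a regular file, owned by the user running the job,
    and not writable by group or others. A .quotes file writable by
    weston, as in the writeup, fails this check.
    """
    st = os.lstat(path)  # lstat: do not follow a planted symlink
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != expected_uid:
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def spread_quote(path: str = QUOTES_FILE) -> list:
    """Hardened cron job body. Returns the argv it ran for inspection."""
    if not quotes_file_is_trustworthy(path, os.getuid()):
        raise PermissionError(
            f"refusing to read {path}: wrong owner or writable by others")
    with open(path) as fh:
        lines = [ln for ln in fh.read().splitlines() if ln.strip()]
    argv = hardened_wall_argv(random.choice(lines))
    subprocess.run(argv, check=False)  # no shell=True, no string concatenation
    return argv


if __name__ == "__main__":
    # Constructed sample: the payload string from the writeup.
    payload = "&& cp /bin/bash /tmp/bash && chmod +s /tmp/bash"
    print("shell sees :", vulnerable_wall_command(payload))
    print("argv sees  :", hardened_wall_argv(payload))
```

With the hardened form, the same payload line is simply broadcast as a message; the remaining mitigation is the ownership check, which stops the job from consuming a file that a different account controls.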

After the cronjob fired again:

cron exploit command in pspy64

A Cage-privileged shell was obtained by running:

/tmp/bash -p

However, this gives a process running with Cage's effective privileges via the SUID bit, not a full interactive login shell. To get a proper shell, instead of generating a new SSH key, an existing private key was found at /home/cage/.ssh/id_rsa. Copying it and using it to connect over SSH gave a full, stable shell as Cage.

Flag located at: /home/cage/Super_Duper_Checklist

Shell as root, Vigenère in email (intended path)

Inside /home/cage/email_backup/email_3 there was a suspicious encoded string.

email string

First tried Caesar. No shift made sense. Tried Vigenère and it cracked with key FACE. The decoded string turned out to be the root password. Logged in with:
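Both the FTP note and email_3 come down to the same two steps described above: scan the Caesar shifts, and when none reads as text, decrypt as Vigenère with a recovered key. The block below is an added example, not from the original writeup, implementing both so the result can be checked without CyberChef. The sample strings inside it are constructed here; the key FACE is the one the writeup reports for email_3, and the ATTACK AT DAWN / LEMON pair is the textbook test vector.

```python
# Added example: Caesar shift scan and Vigenère encrypt/decrypt.
# Sample texts are constructed for the demo, not taken from the machine.
import string

ALPHABET = string.ascii_uppercase


def caesar_shift(text: str, shift: int) -> str:
    """Shift every letter by `shift` places; non-letters pass through."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_scan(ciphertext: str) -> list:
    """All 26 candidate plaintexts, so a human can spot a readable one."""
    return [(s, caesar_shift(ciphertext, s)) for s in range(26)]


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Vigenère with a repeating key.

    Only letters consume key characters, so spaces and punctuation in the
    input are preserved and do not disturb the key alignment.
    """
    shifts = [ord(k) - ord("A") for k in key.upper() if k.isalpha()]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out, i = [], 0
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            s = shifts[i % len(shifts)]
            if decrypt:
                s = -s
            out.append(chr((ord(ch) - base + s) % 26 + base))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def vigenere_encrypt(plaintext: str, key: str) -> str:
    return vigenere(plaintext, key, decrypt=False)


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    return vigenere(ciphertext, key, decrypt=True)


if __name__ == "__main__":
    # Constructed sample ciphertext under the key FACE.
    sample = vigenere_encrypt("hello world", "FACE")
    for shift, candidate in caesar_scan(sample):
        print(f"caesar {shift:2d}: {candidate}")   # none reads as English
    print("vigenere FACE:", vigenere_decrypt(sample, "FACE"))
```

Because the decoder leaves non-letters alone, a ciphertext with spaces stripped comes back as one run of letters, which is exactly the "words stuck together" effect noted earlier; inserting the spaces is a separate, manual step.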

su root

Flag located at: /root/email_backup/email_2

Shell as root, LXD (alternative path)

Running id after logging in as Cage:

id command

User cage is part of the lxd group, which gives full control over the lxd tool. This allows creating a container where you are root and mounting the host filesystem inside it (same concept as docker group abuse).

Transfer an Alpine Linux image to the machine (Alpine builder), then run:

lxc image import alpine-v3.13-x86_64-20210218_0139.tar.gz --alias alpine
lxd init
lxc init alpine [NAME-HERE]

The lxc exploit is a bit tedious to do manually. Use this script, transfer it to the machine and run:

./lxd_rootv1.sh [NAME-HERE]

If everything worked, running:

sudo su

should drop into a root shell without asking for a password.
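The lxd path works only because cage sits in a group that is effectively root-equivalent, the same situation as docker group membership. The check a defender wants is a quick audit of /etc/group for members of such groups. The block below is an added example, not part of the original writeup; the group file it parses is a constructed sample mirroring the machine (cage in lxd), the list of watched groups is my own choice, and audit_live_system() reads the real /etc/group of whatever host it runs on.

```python
# Added example: audit /etc/group for membership in root-equivalent groups.
# The sample file is constructed to mirror the writeup; names are mine.

# Groups whose members can usually become root without a password prompt
# (container mounts of the host filesystem, raw disk access, sudo).
ROOT_EQUIVALENT_GROUPS = {"lxd", "docker", "sudo", "wheel", "disk"}

SAMPLE_GROUP_FILE = """\
root:x:0:
sudo:x:27:
disk:x:6:
cage:x:1000:
lxd:x:120:cage
weston:x:1001:
"""


def parse_group_file(text: str) -> dict:
    """Return {group_name: set(members)} from /etc/group formatted text.

    Format per line: name:password:gid:member1,member2,...
    Lines that are blank, comments, or malformed are skipped.
    """
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        name, members = parts[0], parts[3]
        groups[name] = {m.strip() for m in members.split(",") if m.strip()}
    return groups


def find_root_equivalent_members(text: str, watch=ROOT_EQUIVALENT_GROUPS) -> list:
    """Sorted (user, group) pairs that deserve review."""
    findings = []
    for group, members in parse_group_file(text).items():
        if group in watch:
            findings.extend((user, group) for user in members)
    return sorted(findings)


def audit_live_system(path: str = "/etc/group") -> list:
    """Run the same check against the host this script runs on."""
    with open(path) as fh:
        return find_root_equivalent_members(fh.read())


if __name__ == "__main__":
    for user, group in find_root_equivalent_members(SAMPLE_GROUP_FILE):
        print(f"REVIEW: {user} is a member of {group} (root-equivalent)")
```

On the sample file this reports cage in lxd, which is precisely the condition the alternative root path relies on; on a real host the fix is to remove accounts that do not need container management from the group rather than to harden lxd itself.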
