Nicholas Cage CTF Writeup
In this writeup, I will be explaining my approach to solving the “Break Out The Cage” Capture The Flag (CTF) room, available for free to members of the TryHackMe platform. I’ve been having a lot of fun on TryHackMe recently; it is an excellent place to learn new skills and have fun playing CTFs. I have provided a link to the TryHackMe platform in the references below.
Disclaimer
I like to add a brief disclaimer before a writeup to encourage people to attempt the room before reading this article. Obviously there will be spoilers in this writeup and I believe you will enjoy the CTF more if you attempt it yourself first and then come back to this writeup if you get stuck or need a hint!
Background
Nicholas Cage is the theme of this CTF room. Unfortunately, Nicholas Cage’s acting career has been struggling lately and it is suspected that his casting agent is the cause of it. It is up to us to find out what nefarious actions his agent has been getting up to and save Nicholas Cage’s acting career!
To complete this CTF, I am required to exploit a server in order to find a password for a user named “Weston” and two flags (user & root). For this writeup, I will be using Kali Linux, some tools that come pre-installed with Kali and a tool called “Audacity”. I will begin this writeup after connecting to the target machine. With the background for the CTF out of the way, it’s time to move on to the writeup.
Enumeration
I started by scanning the target server using NMAP to identify any open ports and the services running on those ports.
The NMAP command can be broken down as follows:
- -Pn: Skips host discovery and treats the target as online, so the port scan runs even if the host does not answer pings.
- -sV: Performs version detection for the services.
- -sC: Performs a script scan using default scripts available in NMAP.
- -v: Provides verbose details about the NMAP scan.
- -oN: Outputs scan results to a file.
The scan discovered three open ports with services running on them, which include port 21 (FTP), port 22 (SSH) and port 80 (HTTP).
Looking at the scan results, I saw that the FTP server had anonymous login enabled and a file called “dad_tasks” stored on it. I logged in as the anonymous user and retrieved this file using the “get” command for further inspection on my host device.
Looking at the contents of the “dad_tasks” file, a string of base64-encoded text is recovered.
Using an online tool called CyberChef, I can decode this text.
Looking at the decoded text, it appears to have been encrypted. I tried decoding the text using ROT13, a substitution cipher solver (quipqiup) and other tools, but I failed to decrypt the text using these methods. I decided to continue my enumeration by looking at the website hosted on port 80.
The web page didn’t appear to have any useful information on it. I decided to enumerate the website using GoBuster, a tool which can be used to find hidden directories. This tool takes a word list of common directory names and requests each one from the web server, reporting those that exist.
GoBuster identified a number of different directories, as seen in the figure below.
Audio Steganography
Looking through the contents of the different directories discovered by GoBuster, I found a file called “must_practice_corrupt_file.mp3” in the “/auditions” directory. After retrieving and playing the audio file, I noticed that the sound quality changed briefly while it was being played. I decided to use a tool called “Audacity” to take a closer look at the MP3 file. Opening the file in Audacity, I am presented with the following view.
I notice a large block (outlined in red above) around the time I hear a change in the sound quality of the MP3 file. After some searching online, I found an article that outlined some techniques on how to analyse audio files for hidden text (see references). From reading this article, I learned that I could analyse the spectrum of frequencies for any hidden text. Using Audacity, I changed my view to Spectrogram, which lets me view the different frequencies over time.
I noticed what appeared to be text in the block mentioned earlier and upon closer inspection I was able to see what the string of text was. After spending some time trying to figure out what this string could be used for, I tried using it as a key for the Vigenere cipher to decrypt the text discovered earlier from the “dad_tasks” file. I had thought of this encryption algorithm earlier but did not have a key at the time. This worked and I was able to successfully decrypt the decoded text.
This gives me the password for the user named “Weston” which is one of the three requirements to complete this CTF 😄!
Privilege Escalation
Using the password found earlier, I can now SSH into the server as the user “Weston”.
While logged in, I noticed that different quotes kept being broadcast on the machine. I decided to see what commands I could run with sudo, but I found that I could only run one command called “bees”, which did not do anything and appeared to be a dead end.
I decided to upload a script called “linpeas.sh” to the “/tmp” directory on the target machine (see references) using the “scp” command to help enumerate possible local privilege escalation paths that I could exploit. Once executed, this script generates output which I redirected to a text file. I then pulled this text file down from the target machine and examined its findings. I noticed an interesting hidden directory located in the “/opt” directory called “.dad_scripts”.
Looking through this hidden directory, I found a python script called “spread_the_quotes.py”.
This script reads a random line from a hidden file called “.quotes” and then broadcasts the quote to logged-in users with the “wall” command. Using the “id” command, I know that the “Weston” user is part of the “cage” group.
Looking at the file permissions of the “spread_the_quotes.py” python script, I can see that the file belongs to the “cage” user and group. Despite the “Weston” user being a part of the “cage” group, we only have read permissions for this file. This means I cannot alter the file in any way.
Looking at the “.quotes” file however, I can see that we have write permissions for this file.
This enables me to overwrite the file with a reverse shell script (see references) that will be executed when the python script attempts to broadcast a message to the logged in users. I used the echo command as seen below to overwrite the “.quotes” file with a message saying “hacked” and a reverse shell.
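The root cause here is a scheduled script owned by one user reading a file that a lower-privileged group can write, and then passing that content to a shell. The following is an added example, not the room’s own “spread_the_quotes.py” (I never reproduce its body): it assumes the original handed the quote to a shell, which the injection above implies, and shows the two checks that would have blocked it: refusing group/world-writable input and calling “wall” with an argument list instead of a command string.

```python
import os
import random
import stat
import subprocess
import tempfile

# Added example, not the CTF room's script. The vulnerable pattern it hardens
# is assumed: a cron job running as "cage" that reads .quotes and shells out.


def is_safely_owned(path: str, expected_uid: int) -> bool:
    """Accept only a regular file owned by the job's own uid that nobody
    else (group or world) can write. A group-writable .quotes fails here."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode) or st.st_uid != expected_uid:
        return False
    return (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)) == 0


def build_wall_command(quote: str) -> list:
    """argv-list form: the quote is one literal argument to wall, so ';',
    '$(...)' or newlines inside it are text, never commands."""
    return ["wall", quote]


def broadcast(quotes_path: str, run=subprocess.run) -> bool:
    """Broadcast a random quote; returns False (and runs nothing) if the
    input file is not safely owned. `run` is injectable for testing."""
    if not is_safely_owned(quotes_path, os.geteuid()):
        return False
    with open(quotes_path) as f:
        lines = [line.rstrip("\n") for line in f if line.strip()]
    if not lines:
        return False
    run(build_wall_command(random.choice(lines)), check=False)  # no shell=True
    return True


def demo() -> dict:
    """Constructed sample: two .quotes files with a shell-looking line, one
    group-writable (0o664) and one owner-only (0o644). wall is never run."""
    captured = []
    fake_run = lambda argv, **kw: captured.append(argv)  # records instead of executing
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("group_writable", 0o664), ("owner_only", 0o644)):
            path = os.path.join(d, name)
            with open(path, "w") as f:
                f.write("hacked; echo would-have-run\n")  # constructed injected line
            os.chmod(path, mode)
            results[name] = broadcast(path, run=fake_run)
    results["argv"] = captured[0] if captured else None
    return results
```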
After waiting for a few minutes, I can see the message “hacked” being broadcast.
This indicates that my shell has been created and by listening on port 4444 on my host machine, I can establish a connection to my reverse shell.
Using the “whoami” command, I can see that I am logged in as the user “cage”. Listing the contents of this user’s directory shows a directory called “email_backup” and a file called “Super_Duper_Checklist”.
Looking at the contents of the “Super_Duper_Checklist” file reveals the user flag 😄!
Root Privilege Escalation
Looking at the “email_backup” directory, three emails were found. Reading through these emails, “email_2” and “email_3” contain important information. I learned from reading “email_2”, that Nicholas Cage’s agent’s name is Sean and that he is the root user.
Reading “email_3”, I find what appears to be a string of ciphertext that needs to be decrypted.
Based on what I had seen previously, and after common encryption methods (e.g. ROT13, etc.) failed to work, I assumed that this text was encrypted with the Vigenere cipher as seen earlier. After spending some time reading the emails looking for a potential key, I noticed that in “email_3” the word “face” was constantly repeated.
Using the word “face” as a key, I was able to retrieve a cleartext string that I can then use to log in as, or switch to, the root user.
Looking through the root directory I find two more emails called “email_1” and “email_2”. Looking through “email_2”, I found the root flag 😃!
With the “Weston” user’s password, the user flag and the root flag recovered, the CTF is now complete. We can also inform Nicholas Cage of his agent’s nefarious actions and save his acting career, job done 😄!
Closing Remarks
This was another fun CTF that is available on the TryHackMe platform. TryHackMe releases new rooms regularly, where you can practice your CTF skills or pick up new skills with rooms designed to teach you different cyber security related topics. Thank you for reading to the end and till next time 🍻!