tryhackme: agent sudo [writeup]

Hey! 👋

Here’s my writeup for Agent Sudo, an easy room on TryHackMe.

Enjoy!

Enumeration

Enumerate the machine and get all the important information.

Let’s start off by running a simple nmap scan:

nmap -p- -A -T4 10.10.1.238

  • -p- | Port scan all ports
  • -A | enable OS and version detection, script scanning, and traceroute
  • -T4 | faster execution

We can see 3 open Ports:

21 FTP | 22 SSH | 80 HTTP

Let’s take a look at the website first:

Not much to see here, but there’s a very important detail. Every agent should use their own codename as user-agent when visiting the site. We also see that the agents use a single letter as their codename.

Open Burp Suite and start intercepting:

Now, change the User-Agent to R, so we can visit the website as Agent R.

Forward the Request and let’s see what we got:

Dammit! No access to anything here — but now we know that there are 25 agents. Since we assume they all got a single char for their codenames, we can try some out. Send the Request to the Repeater and start.

I began with the letter A and went up the alphabet until the letter C:

We can see that the Location has changed. Let’s inspect the website again using C as the User-Agent:

Finally! Looks like we got some juicy details that an attacker shouldn’t have. We can see that chris is using a weak password and we get the information that an Agent J exists.

I also tried to visit the site as Agent J, but nothing to see there.
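The User-Agent header is chosen by the client, so it cannot serve as an access control, and the alphabet walk above leaves a clear trace in the web server log. The following is an added example, not part of the original writeup: it flags clients that cycle through single-letter User-Agents. The log lines are constructed (combined log format), and the function name and threshold are assumptions.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - - [ts] "request" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not taken from the room).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 218 "-" "A"
192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 218 "-" "B"
192.0.2.10 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 302 0 "-" "C"
192.0.2.10 - - [01/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 310 "-" "R"
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 218 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET / HTTP/1.1" 302 0 "-" "C"
"""


def find_ua_enumeration(log_text, min_distinct=3):
    """Return {ip: sorted codenames} for clients cycling through codenames."""
    short_uas = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ua = m.group("ua")
        # Mainstream browsers do not send a one-letter User-Agent.
        if len(ua) == 1 and ua.isalpha():
            short_uas[m.group("ip")].add(ua.upper())
    # Only report clients that tried several different codenames.
    return {ip: sorted(uas) for ip, uas in short_uas.items()
            if len(uas) >= min_distinct}


if __name__ == "__main__":
    for ip, uas in find_ua_enumeration(SAMPLE_LOG).items():
        print(f"{ip} tried {len(uas)} codenames: {', '.join(uas)}")
```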

Running gobuster with every Agent doesn’t provide any results.

Don’t forget to answer your questions on TryHackMe:

Hash cracking and brute-force

Done enumerating the machine? Time to brute your way out.

Remember that chris is using a weak password?

Let’s try to crack it using hydra. We’re attacking FTP on Port 21 with the rockyou.txt wordlist.

hydra -l chris -P /usr/share/wordlists/rockyou.txt ftp://10.10.1.238 -I

Hit! Hydra found a valid password for chris.

Now, log into FTP:

Great. Take a look at the files on the system:

We can see 3 files, download them for further inspection. Let’s open the txt file first:

We can see that Agent J’s login password is somehow stored in the pictures. That means we have to do some steganography.

Looking at the pictures doesn’t reveal anything, but maybe they contain some useful metadata? Let’s inspect them using ExifTool:

Nope, nothing to get here.

Since it’s probably a file hidden in the picture, we can try to use Binwalk:

Binwalk reveals that cutie.png indeed contains a zip archive. The cool thing is that Binwalk also extracts it. You should see a “_cutie.png.extracted” folder in your directory.
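A PNG ends at its IEND chunk, so anything after it is not image data, which is why an archive hidden this way is easy to find. The following is an added example, not part of the original writeup: it walks the PNG chunks and reports trailing bytes, assuming the archive is appended after IEND (Binwalk itself scans the whole file for signatures). The sample image is constructed in the code and the function names are assumptions.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL = b"PK\x03\x04"  # ZIP local file header signature


def chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample():
    """Constructed 1x1 grayscale PNG, plus a copy with fake ZIP bytes appended."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    png = (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat)
           + chunk(b"IEND", b""))
    return png, png + ZIP_LOCAL + b"constructed-payload"


def trailing_data(blob):
    """Walk the chunks; return (offset, bytes) found after IEND, or None."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(blob):
            raise ValueError("truncated chunk")
        if ctype == b"IEND":
            return (end, blob[end:]) if end < len(blob) else None
        pos = end
    raise ValueError("no IEND chunk")


def looks_like_zip(data):
    return data.startswith(ZIP_LOCAL)


if __name__ == "__main__":
    clean, stego = build_sample()
    print(trailing_data(clean), trailing_data(stego))
```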

Navigate into it and look at the files that were extracted:

To extract the new zip archive, we need a password. We will use John the Ripper to crack it.

First of all, we need to generate a hash to crack with zip2john:

sudo zip2john 8702.zip > zip.hash

The hash got saved to zip.hash.

Now we can start to bruteforce for it. We will use rockyou.txt again for our wordlist.

john --format=zip --wordlist=/usr/share/wordlists/rockyou.txt zip.hash

Password found! Extract the password protected zip archive with our newly found password.

Looking at its contents, we see a txt file. Let’s read it:

We get some encoded name as recipient. Let’s decode it using Base64:

Now it looks more like an actual recipient. Nice.

There are also some “real” alien pictures included in the archive. Knowing a potential new password, we can use Steghide to extract more information from them:

steghide extract -sf cute-alien.jpg

And there was another message hidden in the image. Let’s read it:

Nice! We got Agent J’s name & password.

Let’s use these credentials to log into SSH on Port 22:

We’re in!

Now we got everything to answer the questions for this section:

Capture the user flag

You know the drill.

Running ls will give us the user flag & another image.

cat user_flag.txt

Let’s download the image:

scp james@10.10.1.238:Alien_autospy.jpg ~/Desktop

And open it:

Alien_autospy.jpg

We’re asked to name the incident of this photo.

The easiest way to do this is to run it through Google reverse image search.

Doing this gives us multiple articles about this photo.

Privilege escalation

Enough with the extraordinary stuff? Time to get real.

The last goal is to get root.

I start off by checking which commands I can run as root while being a normal user.

sudo -l

We can see that we can run /bin/bash as root. From experience we can say that this is bad. Let’s try to find out how we can abuse this misconfiguration. A quick Google search brought up CVE-2019-14287.

According to the description, we can get root by running the following command:

sudo -u#-1 /bin/bash

Let’s try it:

It worked! We’re now root and we can grab the root flag.
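CVE-2019-14287 was fixed in sudo 1.8.28 and only affects rules whose Runas list contains ALL together with a root exclusion. The following is an added example, not part of the original writeup: an audit that flags such rules when the installed sudo predates the fix. The sudoers text and version banner are constructed, the function names are assumptions, and the parser handles only simple one-line user rules (no aliases or line continuations).

```python
import re

FIXED_IN = (1, 8, 28)  # CVE-2019-14287 was fixed in sudo 1.8.28

# Constructed sudoers content and version banner (not taken from the room).
SAMPLE_SUDOERS = """\
# comment line
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL, !root) /bin/bash
backup  ALL=(backup) /usr/bin/rsync
"""
SAMPLE_VERSION = "Sudo version 1.8.21p2"

# user  host = (runas) command
RULE_RE = re.compile(
    r'^(?P<who>\S+)\s+\S+\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmd>.+)$'
)


def parse_version(banner):
    """Extract (major, minor, patch) from the first line of `sudo -V`."""
    m = re.search(r'(\d+)\.(\d+)\.(\d+)', banner)
    if not m:
        raise ValueError("no version found")
    return tuple(int(x) for x in m.groups())


def risky_rules(sudoers_text):
    """Rules whose Runas user list has ALL plus an exclusion of root."""
    hits = []
    for line in sudoers_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # comments, Defaults, anything without a Runas spec
        users = m.group("runas").split(":")[0]  # drop the group part
        names = [u.strip() for u in users.split(",")]
        if "ALL" in names and any(n in ("!root", "!#0") for n in names):
            hits.append((m.group("who"), m.group("cmd").strip()))
    return hits


def audit(sudoers_text, banner):
    """Risky rules matter only while sudo is older than the fixed release."""
    return risky_rules(sudoers_text) if parse_version(banner) < FIXED_IN else []


if __name__ == "__main__":
    print(audit(SAMPLE_SUDOERS, SAMPLE_VERSION))
```

Upgrading sudo removes the bypass; rewriting the rule to name the permitted target users explicitly, instead of ALL with an exclusion, removes the dependency on the exclusion working.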

Conclusion

We completed the room :)

This was a nice & easy room that combined the basics of Enumeration, Cracking & Steganography.

Feel free to leave feedback & to check out my other writeups. You can find them here.

Cheers!