tryhackme: agent sudo [writeup]

Hey! 👋

Here’s my writeup for Agent Sudo, an easy room on TryHackMe.

Enjoy!

Enumeration

Enumerate the machine and get all the important information.

Let’s start off by running a simple nmap scan:

nmap -p- -A -T4 10.10.1.238

  • -p- | Port scan all ports
  • -A | enable OS and version detection, script scanning, and traceroute
  • -T4 | faster execution

We can see 3 open Ports:

21 FTP | 22 SSH | 80 HTTP

Let’s take a look at the website first:

Not much to see here, but there’s a very important detail. Every agent should use their own codename as user-agent when visiting the site. We also see that the agents use a single letter as their codename.

Open Burp Suite and start intercepting:

Now, change the User-Agent to R, so we can visit the website as Agent R.

Forward the Request and let’s see what we got:

Dammit! No access to anything here, but now we know that there are 25 agents. Since we assume they all use a single character as their codename, we can try some out. Send the request to Repeater and start.

I began with the letter A and went up the alphabet until the letter C:

We can see that the Location has changed. Let’s inspect the website again using C as the User-Agent:

Finally! Looks like we got some juicy details that an attacker shouldn’t have. We can see that chris is using a weak password, and we learn that an Agent J exists.

I also tried to visit the site as Agent J, but nothing to see there.

Running gobuster with every Agent doesn’t provide any results.
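The weakness here is that the site grants access based purely on a client-supplied header, and guessing codenames one letter at a time is exactly the kind of activity a defender can spot in the web server's access log. The following is an added example, not part of the original writeup: a small Python parser for Apache/nginx "combined" log lines that flags clients sending many distinct short, codename-like User-Agent strings. The log lines, IP addresses and timestamps below are constructed samples.

```python
"""Spot clients enumerating a site with short, codename-like User-Agent strings.

Added example (not from the original writeup). Parses Apache/nginx "combined"
format access-log lines and reports hosts that cycled through several distinct
one- or two-character User-Agents, the footprint of the probing shown above.
"""
import re
from collections import defaultdict

# Combined format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (hypothetical hosts and times, not from the room).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [01/Jan/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "R"
10.0.0.9 - - [01/Jan/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "A"
10.0.0.9 - - [01/Jan/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "B"
10.0.0.9 - - [01/Jan/2021:12:00:05 +0000] "GET / HTTP/1.1" 302 0 "-" "C"
10.0.0.7 - - [01/Jan/2021:12:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.68.0"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_codename_like(ua, max_len=2):
    """Short, purely alphanumeric User-Agents look nothing like browsers or tools."""
    return 0 < len(ua) <= max_len and ua.isalnum()


def find_ua_probing(log_text, threshold=3):
    """Map host -> sorted distinct codename-like UAs, for hosts at or above threshold."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_codename_like(rec["ua"]):
            seen[rec["host"]].add(rec["ua"])
    return {host: sorted(uas) for host, uas in seen.items() if len(uas) >= threshold}


if __name__ == "__main__":
    for host, uas in find_ua_probing(SAMPLE_LOG).items():
        print(f"{host}: {len(uas)} distinct codename-like User-Agents {uas}")
```

Detection is the fallback; the fix is to never derive authorization from a header the client controls, and to use a real session or authentication mechanism for the agent pages instead.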

Don’t forget to answer your questions on TryHackMe:

Hash cracking and brute-force

Done enumerating the machine? Time to brute your way out.

Remember that chris is using a weak password?

Let’s try to crack it using hydra. We’re attacking FTP on Port 21 with the rockyou.txt wordlist.

hydra -l chris -P /usr/share/wordlists/rockyou.txt ftp://10.10.1.238 -I

Hit! Hydra found a valid password for chris.

Now, log into FTP:

Great. Take a look at the files on the system:

We can see 3 files, download them for further inspection. Let’s open the txt file first:

We can see that Agent J’s login password is somehow stored in the pictures. That means we have to do some steganography.

Looking at the pictures doesn’t reveal anything, but maybe they contain some useful metadata? Let’s inspect them using ExifTool:

Nope, nothing to get here.

Since it’s probably a file hidden in the picture, let’s try Binwalk:

Binwalk reveals that cutie.png indeed contains a zip archive. The cool thing is that Binwalk also extracts it. You should see a “_cutie.png.extracted” directory in your working directory.
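What Binwalk found is the simplest way to hide a file in a PNG: the archive is appended after the image's final IEND chunk, where image viewers ignore it. As an added example (not Binwalk's code and not the room's file), the following Python walks the PNG chunk structure, reports any bytes past IEND, and identifies them by signature; it builds its own constructed 1x1 PNG with a small zip appended so it runs offline.

```python
"""Detect data appended after a PNG's IEND chunk, the trick used with cutie.png.

Added example (not from the writeup or from Binwalk). A PNG is a signature
followed by chunks of [length][type][data][crc]; a well-formed file ends at the
IEND chunk. Anything after that is foreign data worth a closer look.
"""
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
KNOWN_TRAILERS = {
    b"PK\x03\x04": "zip archive",
    b"Rar!\x1a\x07": "rar archive",
    b"\x1f\x8b": "gzip data",
    b"7z\xbc\xaf\x27\x1c": "7-zip archive",
}


def png_end_offset(data):
    """Return the offset just past the IEND chunk; raise ValueError if malformed."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # 8-byte header + data + 4-byte CRC
        if chunk_end > len(data):
            raise ValueError(f"truncated chunk {ctype!r}")
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    raise ValueError("no IEND chunk")


def trailing_data(data):
    """Bytes that follow the image proper (empty for a clean file)."""
    return data[png_end_offset(data):]


def identify_trailer(blob):
    """Name the appended data by magic bytes; None when there is nothing appended."""
    if not blob:
        return None
    for sig, name in KNOWN_TRAILERS.items():
        if blob.startswith(sig):
            return name
    return "unknown"


def scan(data):
    """Return (appended_byte_count, description) for a PNG byte string."""
    blob = trailing_data(data)
    return len(blob), identify_trailer(blob)


def list_trailer_zip(data):
    """If the trailer is a zip archive, return its member names (what binwalk -e would extract)."""
    return zipfile.ZipFile(io.BytesIO(trailing_data(data))).namelist()


def build_sample():
    """Construct a minimal 1x1 PNG, and the same PNG with a small zip appended (sample data)."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1 px, 8-bit RGB
    raw = b"\x00\xff\x00\x00"  # filter byte + one red pixel
    png = PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed sample payload\n")
    return png, png + buf.getvalue()


if __name__ == "__main__":
    clean, stuffed = build_sample()
    print("clean PNG:", scan(clean))
    print("PNG with appended zip:", scan(stuffed), list_trailer_zip(stuffed))
```

The same check works on any chunked container with a defined end marker (JPEG's FFD9, for instance); trailing bytes after it are the quickest triage signal for this kind of concealment.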

Navigate into it and look at the files that were extracted:

To extract the new zip archive, we need a password. We will use John the Ripper to crack it.

First of all, we need to generate a hash to crack with zip2john:

sudo zip2john 8702.zip > zip.hash

The hash got saved to zip.hash.

Now we can start brute-forcing it. We will use rockyou.txt again as our wordlist.

john --format=zip --wordlist=/usr/share/wordlists/rockyou.txt zip.hash

Password found! Extract the password-protected zip archive with our newly found password.

Looking at its contents, we see a txt file. Let’s read it:

We get an encoded name as the recipient. Let’s decode it from Base64:

Now it looks more like an actual recipient. Nice.

There are also some “real” alien pictures included in the archive. Knowing a potential new password, we can use Steghide to extract more information from them:

steghide extract -sf cute-alien.jpg

And there was another message hidden in the image. Let’s read it:

Nice! We got Agent J’s name & password.

Let’s use these credentials to log into SSH on Port 22:

We’re in!

Now we have everything we need to answer the questions for this section:

Capture the user flag

You know the drill.

Running ls will give us the user flag & another image.

cat user_flag.txt

Let’s download the image:

scp james@10.10.1.238:Alien_autospy.jpg ~/Desktop

And open it:

Alien_autospy.jpg

We’re asked to name the incident of this photo.

The easiest way to do this is by running it through Google reverse image search.

Doing this gives us multiple articles about this photo.

Privilege escalation

Enough with the extraordinary stuff? Time to get real.

The last goal is to get root.

I start off by checking which commands I can run as root while being a normal user.

sudo -l

We can see that we can run /bin/bash as root. From experience we can say that this is bad. Let’s try to find out how we can abuse this misconfiguration. A quick Google search brought up CVE-2019-14287.

According to the description, we can get root by running the following command:

sudo -u#-1 /bin/bash

Let’s try it:

It worked! We’re now root and we can grab the root flag.
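From the administrator's side, CVE-2019-14287 is a sudo bug fixed in sudo 1.8.28: a Runas specification that allowed running as any user except root, such as `(ALL, !root)`, could be bypassed by requesting user id -1, which sudo then treated as uid 0. The following is an added example, not part of the writeup and not reproducing the room's actual `sudo -l` output: a small audit script that parses sudoers-style rules, flags that "ALL except root" shape, and compares the installed sudo version string against the fixed release. The sudoers lines and version strings are constructed samples.

```python
"""Audit sudoers rules for the Runas shape that CVE-2019-14287 abused.

Added example (not from the writeup). The vulnerable pattern is a Runas spec of
"ALL" with root excluded, e.g. "(ALL, !root)" or "(ALL, !#0)", on sudo older
than 1.8.28. Both halves are needed for exploitability; the rule alone is still
poor hygiene and is reported either way.
"""
import re

FIXED_VERSION = (1, 8, 28)

# "who host = (runas_user[:runas_group]) [TAG:] command"
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmd>.+)$")

# Constructed sample sudoers, not the room's file.
SAMPLE_SUDOERS = """\
# constructed sample /etc/sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL, !root) /bin/bash
bob     ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
carol   ALL=(ALL, !#0) /usr/bin/vim
"""


def parse_version(text):
    """'Sudo version 1.8.21p2' -> (1, 8, 21); the pN patch level is ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version found in sudo -V output")
    return tuple(int(x) for x in m.groups())


def runas_excludes_root_only(runas):
    """True when the Runas user list is ALL with root (by name or uid 0) negated."""
    users = runas.split(":", 1)[0]  # drop the optional group part
    parts = [p.strip() for p in users.split(",") if p.strip()]
    if "ALL" not in parts:
        return False
    negated = {p[1:].strip() for p in parts if p.startswith("!")}
    return bool(negated & {"root", "#0"})


def audit(sudoers_text, sudo_version_text):
    """Return findings: one dict per rule of the risky shape, with exploitability."""
    version = parse_version(sudo_version_text)
    findings = []
    for lineno, line in enumerate(sudoers_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith("Defaults"):
            continue
        m = RULE_RE.match(stripped)
        if m and runas_excludes_root_only(m.group("runas")):
            findings.append({
                "line": lineno,
                "rule": stripped,
                "exploitable": version < FIXED_VERSION,
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS, "Sudo version 1.8.21p2"):
        state = "EXPLOITABLE (sudo < 1.8.28)" if f["exploitable"] else "risky shape, sudo patched"
        print(f"line {f['line']}: {f['rule']}  -> {state}")
```

The remediation is to upgrade sudo to 1.8.28 or later and to replace "everyone except root" rules with an explicit list of the accounts the command may run as.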

Conclusion

We completed the room :)

This was a nice & easy room that combined the basics of enumeration, cracking & steganography.

Feel free to leave feedback & to check out my other writeups, you can find them here.

Cheers!
