TryHackMe - Agent Sudo Writeup
Link: https://tryhackme.com/room/agentsudoctf
Enumeration
First, let’s do an enumeration against the IP address of this machine. I’m gonna run Nmap [Network Mapper] to scan for any open ports. I’m gonna run this command
Explaining the nmap scan:
- -sC := scan using the nmap default scripts
- -sV := detect service versions
- -oN := output in normal format
The scan result shows us there are 3 open ports. Let’s start enumerating them.
- 21 / ftp
- 22 / ssh
- 80 / http
Looks like this machine has a webpage on port 80 running on Apache. Let’s take a look.
Hmmmmm… It says something about the user-agent, and I didn’t find anything in the source code. Codename? It sounds fun yet confusing. So, like any mad man would do, I’ll try to change the user-agent into anything from Windows to Android, but nothing really weird happens. Turns out, the hint was sitting in front of me the entire time… ARRRRGGGG!!!
So, this message is from agent R if you look closer. Not the monitor tho. DAA!! The agent is using a codename with an uppercase letter. I’m gonna assume the other agent also uses an uppercase letter, but which one? The alphabet contains 26 letters. NOTE: the English alphabet has 26 letters, OK! Are you happy now? jk :)
Python Script
A Python script for brute-forcing the user-agent. I’m gonna brute-force with uppercase letters.
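As an added example (not the writeup’s own script), here is the same idea modelled offline: a tiny stand-in for the web server that only reveals the hidden page when the User-Agent header equals the codename, and a check that walks the uppercase letters and reports which ones change the response. The handler, its status codes and the redirect path are constructed assumptions for this demo; only the letter “C” comes from the room. The point for a defender is that a gate keyed on a client-supplied header is enumerable in 26 requests, so it is obscurity, not access control.

```python
"""Added example, not the writeup's script: models a User-Agent-gated page
and shows how quickly such a gate is enumerated (constructed demo)."""
import string

# Constructed stand-in for the server: the hidden page is revealed only when
# the User-Agent header equals the codename "C" (value taken from the room).
SECRET_CODENAME = "C"
HIDDEN_PATH = "/hidden-page-placeholder"   # hypothetical redirect target


def handle_request(headers):
    """Return (status, location) the way the gated web server would."""
    agent = headers.get("User-Agent", "")
    if agent == SECRET_CODENAME:
        return 302, HIDDEN_PATH
    return 200, None


def baseline_response(send):
    """Record the normal response so differences stand out."""
    return send({"User-Agent": "Mozilla/5.0"})


def find_gated_agents(send, candidates=string.ascii_uppercase):
    """Return candidate User-Agent values that change the server's response.

    Mirrors the check in the writeup: try each uppercase letter as the
    User-Agent and keep the ones whose response differs from the baseline.
    `send` is any callable that takes a headers dict and returns a response,
    so the demo runs entirely in-process."""
    base = baseline_response(send)
    hits = []
    for letter in candidates:
        if send({"User-Agent": letter}) != base:
            hits.append(letter)
    return hits


if __name__ == "__main__":
    print(find_gated_agents(handle_request))   # ['C']
```

Running it prints `['C']` because only that header value produces a different (redirect) response. If a page must be limited to certain users, tie it to an authenticated session rather than to anything the client can set freely.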
Finally, we got a hit for letter C. Let’s gooo baby! Yes, I’m excited.
Let’s edit our user-agent into “C”. I’m gonna use the dev-tools built into the browser. To access them, press F12 and go to Network, then click reload. NOTE: I’m using Firefox in this case. Then, click the request on the list, right-click it and choose Edit and Resend, and make sure to edit the user-agent into “C”. After all that is done, click Send.
After you click Send, we’ve found something new in there. Something like this
Let’s navigate to that page. It looks like we’ve got a new message and a new user.
It says something about a weak password. So, I’m gonna assume we can brute-force ssh with that username or brute-force FTP with that username. First, let’s try with FTP.
Now, let’s try to brute-force it using hydra.
YES! We found the password. Now, let’s try to log in. SUCCESS. So, let’s download all the files in there to our machine using the mget command.
We have all the files here. Let’s take a look at them one by one. First, let’s start with the text file.
That’s such an interesting message, and it sounds like steganography to me. Now, I’m gonna crack one of the image files using stegseek. NOTE: stegseek only works on jpg files.
Wow! This tool is so amazing, it is super fast. Anyways, we found the password. Also, we got a file. Let’s cat its content.
That’s true. So cheesy, but look at the bright side. We’ve just got a password and a new user. So, I’m gonna assume this is for ssh, but before we try it,
I’m curious about the png file. The question wants a zip file password, but still, we haven’t found any zip file yet. So, I’m gonna extract files from the png image using CyberChef. Wow, it’s unbelievable, we found the zip file in it. Let’s download it.
This is personal to me. The first thing I’m gonna do is change the file name. It is too longggggg. :)
Unfortunately, we can’t extract the file because it’s password protected.
Anyways, let’s crack this zip file using John the Ripper [JtR]. First, we need to convert the file to make sure JtR understands it. I’m gonna use zip2john, and then I’m using John the Ripper to crack it. Here’s the image of it.
Let’s read the file content.
We’ve found something encoded. It looks like base64, and we got it, it is base64, but is this something useful? We still don’t know yet, but let’s go to the main event: ssh.
Foothold/Gaining Access
Let’s ssh with those creds and see what happens next. WOW! I’m in.
YES! We found the user flag.
Also, we found another image file. Let’s download it to our machine using the scp command.
Privilege Escalation
Now we’ve got the file on our machine. Anyways, let’s enumerate this machine more. First, I’m gonna use the sudo -l command to see if there is anything super interesting.
Wow! I’ve found an interesting thing.
I have seen this before, but I forgot the CVE for this sudo. I’ll try to google it and found it: CVE-2019-14287. Let’s become root. MUAHAHAHAHAH
We’ve found the final flag and we’ve become root.
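From the defender’s side, the `sudo -l` finding above comes down to two conditions that both have to hold: a sudo older than 1.8.28 (the release that fixed CVE-2019-14287) and a sudoers rule whose Runas spec grants ALL but excludes root, such as `(ALL, !root)`. The following audit script is an added example, not part of the writeup; it runs offline on constructed strings (the version text and sudoers lines below are sample input, not this machine’s real output) and flags a host that matches both conditions so the rule can be tightened and the package updated.

```python
"""Added example, not from the writeup: audit a host for the two conditions
CVE-2019-14287 needs (old sudo + a `(ALL, !root)` Runas rule).
Inputs are constructed strings; feed it real `sudo --version` output and
/etc/sudoers text to use it for real."""
import re

FIXED_VERSION = (1, 8, 28)   # sudo 1.8.28 shipped the fix for CVE-2019-14287


def parse_sudo_version(version_output):
    """Extract (major, minor, patch) from `sudo --version` output.
    Suffixes such as 'p2' are ignored for the comparison."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no version number found in sudo output")
    return tuple(int(x) for x in m.groups())


def version_is_vulnerable(version_output):
    """True when the installed sudo predates the fixed release."""
    return parse_sudo_version(version_output) < FIXED_VERSION


# Runas spec that grants ALL but tries to exclude root, e.g. (ALL, !root)
# or (ALL:ALL, !root); comments are skipped.
_RISKY_RUNAS = re.compile(r"\(\s*ALL[^)]*!root[^)]*\)", re.IGNORECASE)


def risky_runas_rules(sudoers_text):
    """Return sudoers lines whose Runas spec relies on excluding root.
    On a vulnerable sudo that exclusion is not enforced, so such rules
    should be rewritten to name the intended target users explicitly."""
    return [line.strip() for line in sudoers_text.splitlines()
            if not line.lstrip().startswith("#") and _RISKY_RUNAS.search(line)]


def audit(version_output, sudoers_text):
    """True only when both conditions hold: old sudo AND a risky rule."""
    return version_is_vulnerable(version_output) and bool(risky_runas_rules(sudoers_text))


# Constructed sample input for the demo (not the room's actual files)
SAMPLE_VERSION = "Sudo version 1.8.21p2\nSudoers policy plugin version 1.8.21p2\n"
SAMPLE_SUDOERS = """\
# constructed sample, not the machine's real sudoers
root    ALL=(ALL:ALL) ALL
agent   ALL=(ALL, !root) /bin/bash
"""

if __name__ == "__main__":
    print("version vulnerable:", version_is_vulnerable(SAMPLE_VERSION))
    print("risky rules:", risky_runas_rules(SAMPLE_SUDOERS))
    print("exposed to CVE-2019-14287:", audit(SAMPLE_VERSION, SAMPLE_SUDOERS))
```

Either fix removes the exposure: upgrading sudo to 1.8.28 or later makes `audit` return False even with the rule in place, and replacing `(ALL, !root)` with an explicit list of the users the command may run as removes the rule from `risky_runas_rules` regardless of version.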
Conclusion
I’ve learned a lot today. First, do not make your password too short or too simple, and most importantly, make sure you don’t put any sensitive data on public and non-secure platforms. Always update your system. We can see in this room that we became root using the CVE. Please update your system.
This room was so much fun, and I hope you guys have fun and learn something new today.