THM: Agent Sudo

kenken17
6 min read · Jan 23, 2021

Agent Sudo, so cute. Let’s Deploy and hack!

After deploying, I again set an environment variable TARGET for the target box so I don't have to remember it.

$ export TARGET=10.10.10.177

Author note

#Deploy the machine

answer: No answer needed

Enumerate

#How many open ports?

answer: 3

As usual, nmap to kick off the show:

$ nmap -sV -sC $TARGET

Found FTP, SSH and HTTP

#How you redirect yourself to a secret page?

answer: user-agent

Visiting the site on the target IP lands us on:

http://10.10.10.177

Dear agents,

Use your own codename as user-agent to access the site.

From,
Agent R

Up until now I still have no idea what my agent code name is. Looking at the hint format xxxx-xxxxx, I tried my luck. Bingo! Now I know I need to set the User-Agent header to some custom value in order to get redirected.
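Added example, not part of the original writeup: a tiny local stand-in for the gate described above, plus a probe that sends a chosen User-Agent and reports the status code and Location header without following the redirect (the same idea as matching 301/302 with ffuf). The codename "C" and the path /hidden-page are made-up values for the demo. The point for defenders is the third probe: the hidden page answers anyone who requests it directly, so a User-Agent check hides a URL but does not protect it.

```python
import http.server
import socketserver
import threading
import urllib.request

# Constructed values for this demo; the room's real codename and page name are not reproduced.
SECRET_CODENAME = "C"
SECRET_PATH = "/hidden-page"  # hypothetical path of the "secret page"


class CodenameGateHandler(http.server.BaseHTTPRequestHandler):
    """Mimics the gate on the box: GET / with User-Agent equal to the codename is
    redirected (302) to the hidden page; every other User-Agent gets the public note."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        if self.path == "/" and ua == SECRET_CODENAME:
            self.send_response(302)
            self.send_header("Location", SECRET_PATH)
            self.end_headers()
            return
        if self.path == SECRET_PATH:
            # Nothing checks the header here: the page is hidden, not access-controlled.
            body = b"Attention agent, this page is only hidden, not protected.\n"
        else:
            body = b"Dear agents, use your own codename as user-agent to access the site.\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format, *args):  # keep the demo quiet
        pass


class NoFollow(urllib.request.HTTPRedirectHandler):
    """Hand back the 3xx response itself instead of following it, so the caller
    can read the status and Location header."""

    def http_error_302(self, req, fp, code, msg, headers):
        return fp

    http_error_301 = http_error_303 = http_error_307 = http_error_302


def start_server():
    """Start the gate on a random loopback port and return the server object."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), CodenameGateHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(base_url, user_agent, path="/"):
    """GET base_url+path with the given User-Agent; return (status, Location header or None)."""
    opener = urllib.request.build_opener(NoFollow())
    req = urllib.request.Request(base_url + path, headers={"User-Agent": user_agent})
    with opener.open(req, timeout=5) as resp:
        return resp.status, resp.headers.get("Location")


if __name__ == "__main__":
    srv = start_server()
    base = "http://127.0.0.1:%d" % srv.server_address[1]
    print("browser UA  :", probe(base, "Mozilla/5.0"))
    print("codename UA :", probe(base, SECRET_CODENAME))
    print("direct fetch:", probe(base, "Mozilla/5.0", SECRET_PATH))
    srv.shutdown()
```

Run it as a script and the three lines show 200, 302 with the Location, and 200 again for the direct fetch: the redirect is a convenience for the "right" agent, not an authorization check.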

#What is the agent name?

answer: Chris

I have tried using ffuf to look for 301,302 by fuzzing the header (-H), but no luck.

$ ffuf -c -t 64 -w $W_USER_AGENT -u http://$TARGET -H "User-agent: FUZZ" -mc 301,302

$W_USER_AGENT = user-agent-whatismybrowserdotcom-large.txt

Exhausted 19990 user agents but still not found

Took a look at the hint and gave it a go by using “user agent: C” (typed in myself after selecting any of the choices)

and I got:

Attention chris,

Do you still remember our deal? Please tell agent J about the stuff ASAP. Also, change your god damn password, is weak!

From,
Agent R

Hash cracking and brute-force

#FTP password

answer: [NO SPOILER]

By looking at the message from Agent R, chris has a weak password. Let’s try to brute force it with hydra:

$ hydra -f -I -vV -t 64 -l chris -P $W_PASSWORD $TARGET ftp

$W_PASSWORD = rockyou.txt
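Added example from the defender's side, not part of the original writeup: hydra with -t 64 fires 64 parallel logins, which shows up in the FTP server log as a burst of FAIL LOGIN lines from one client, followed by an OK LOGIN once the wordlist hits. The log lines below are constructed in vsftpd's style (not taken from the box); the detector flags any client with five or more failures within a minute and records whether the spray ended in a success, which is the case worth paging on.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed vsftpd-style log lines (not from the box): a burst of failures for
# "chris" from one client, then a success, plus one unrelated failure and a non-login line.
SAMPLE_LOG = """\
Sat Jan 23 10:00:01 2021 [pid 2201] [chris] FAIL LOGIN: Client "10.10.10.5"
Sat Jan 23 10:00:01 2021 [pid 2202] [chris] FAIL LOGIN: Client "10.10.10.5"
Sat Jan 23 10:00:02 2021 [pid 2203] [chris] FAIL LOGIN: Client "10.10.10.5"
Sat Jan 23 10:00:02 2021 [pid 2204] [chris] FAIL LOGIN: Client "10.10.10.5"
Sat Jan 23 10:00:03 2021 [pid 2205] [chris] FAIL LOGIN: Client "10.10.10.5"
Sat Jan 23 10:00:03 2021 [pid 2206] [chris] FAIL LOGIN: Client "10.10.10.5"
Sat Jan 23 10:00:04 2021 [pid 2207] [chris] OK LOGIN: Client "10.10.10.5"
Sat Jan 23 10:07:30 2021 [pid 2310] [james] FAIL LOGIN: Client "10.10.10.9"
Sat Jan 23 10:07:31 2021 [pid 2311] CONNECT: Client "10.10.10.9"
""".splitlines()

LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)


def parse_line(line):
    """Return (timestamp, user, result, client_ip), or None for lines that are not login events."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("user"), m.group("result"), m.group("ip")


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag client IPs with at least `threshold` FAIL LOGINs inside any `window`.
    Returns {ip: {"failures": total, "users": set, "success_after": bool}};
    success_after marks a spray that ended in an OK LOGIN, i.e. a probably cracked password."""
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    total = defaultdict(int)     # ip -> all failures seen
    users = defaultdict(set)     # ip -> usernames tried
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, result, ip = rec
        if result == "FAIL":
            total[ip] += 1
            users[ip].add(user)
            recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
            if len(recent[ip]) >= threshold:
                entry = flagged.setdefault(ip, {"failures": 0, "users": users[ip], "success_after": False})
                entry["failures"] = total[ip]
        elif ip in flagged:
            flagged[ip]["success_after"] = True
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The single failure from 10.10.10.9 never reaches the threshold and is ignored; the burst from 10.10.10.5 is flagged with all six failures and success_after set, because the OK LOGIN arrived after the client was already flagged.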

Since we have the ftp credentials, let’s login and check it out!

$ ftp $TARGET

Found some text and images

Then we found: To_agentJ.txt, cute-alien.jpg and cutie.png. Shall we download them all?

ftp> get To_agentJ.txt

ftp> get cute-alien.jpg

ftp> get cutie.png

Download all three files

Let’s look at the text file:

OK, looks like the images are fake. The password should be hidden in the images!

By using binwalk I can check the composition of the images:

$ binwalk cute-alien.jpg

Looks like nothing in it

$ binwalk cutie.png

Found a zip in it!

Let’s extract (-e) it out:

$ binwalk -e cutie.png

Notice the 0-byte file!

After we extracted the data from the image, we got a new folder, _cutie.png.extracted, and inside it a zip file: 8702.zip. So I unzip it with 7z:

$ 7z x 8702.zip

Ooops it needs a password to unzip!
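Added example, not part of the original writeup: a miniature version of what binwalk did above. It scans a blob for the ZIP local-file-header signature, carves from that offset to the end of the file (what binwalk -e does), and walks the local headers to list the entries and whether each one is encrypted, which is bit 0 of the general-purpose flags and is exactly why 7z asks for a password. The sample "image" is constructed: a PNG signature, some padding, and a zip holding a placeholder To_agentR.txt with the encryption flag set by hand.

```python
import io
import struct
import zipfile

ZIP_LOCAL_SIG = b"PK\x03\x04"           # local file header signature
PNG_SIG = b"\x89PNG\r\n\x1a\n"
LOCAL_HEADER_FMT = "<HHHHIIIHH"         # flags, method, time, date, crc, csize, usize, nlen, xlen


def find_embedded_zips(blob):
    """Byte offsets of every ZIP local-file-header signature inside blob (what binwalk reports)."""
    offsets, pos = [], 0
    while True:
        pos = blob.find(ZIP_LOCAL_SIG, pos)
        if pos < 0:
            return offsets
        offsets.append(pos)
        pos += len(ZIP_LOCAL_SIG)


def list_local_headers(blob, start):
    """Walk the chain of local file headers beginning at `start` and describe each entry.
    Bit 0 of the general-purpose flags marks an encrypted entry."""
    entries, pos = [], start
    while blob[pos:pos + 4] == ZIP_LOCAL_SIG:
        flags, method, _t, _d, _crc, csize, usize, nlen, xlen = struct.unpack_from(
            LOCAL_HEADER_FMT, blob, pos + 6)
        name = blob[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        entries.append({"name": name, "encrypted": bool(flags & 1),
                        "method": method, "compressed_size": csize, "size": usize})
        if flags & 8 and csize == 0:
            break  # sizes live in a trailing data descriptor; a full parser would use the central directory
        pos += 30 + nlen + xlen + csize
    return entries


def carve(blob, start):
    """Slice from the ZIP signature to the end of the file, as binwalk -e does."""
    return blob[start:]


def names_in_carved(blob, start):
    """Open the carved slice with zipfile and list the entry names (no password needed for listing)."""
    return zipfile.ZipFile(io.BytesIO(carve(blob, start))).namelist()


def build_sample(encrypted):
    """Constructed sample: a PNG signature and padding with a zip glued on the end that
    holds a placeholder To_agentR.txt. With encrypted=True the encryption flag bit is set
    in the local header to exercise the check (the data itself is left unencrypted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("To_agentR.txt", "constructed placeholder, not the room's file\n")
    z = buf.getvalue()
    if encrypted:
        flags = struct.unpack_from("<H", z, 6)[0] | 1
        z = z[:6] + struct.pack("<H", flags) + z[8:]
    return PNG_SIG + b"\x00" * 64 + z


if __name__ == "__main__":
    blob = build_sample(encrypted=True)
    for off in find_embedded_zips(blob):
        print("zip at offset", off, list_local_headers(blob, off))
```

Listing the entry names works without the password because only the entry data is encrypted; the headers, names and sizes are in the clear. That is also how we learned the zipped file is To_agentR.txt before cracking anything.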

#Zip file password

answer: [NO SPOILER]

I knew it would not be easy. Let’s crack the zip! But before that, I found out the zipped file is — To_agentR.txt! Same name as the 0-byte file we extracted from the image. So I deleted the 0-byte file.

By using John the Ripper, we can crack it easily. Before that, we need to get the hash from the zip:

$ zip2john 8702.zip > zip.hashes

Got the hashes

Despite the error reported, we still got our hash back. So now crack it with John and unzip one more time with the password found:

$ john zip.hashes

$ 7z x 8702.zip

Got the original file now

Let’s examine the extracted file:

$ cat To_agentR.txt

Some more password?

#steg password

answer: [NO SPOILER]

Looks like there are more passwords to crack.

Agent C,

We need to send the picture to ‘XXXXXXXX’ as soon as possible!

By,
Agent R

I suspected the password was another hashed text, so I ran it through MultiEncoder.com: ROT-13, no luck; then base64, got it!

#Who is the other agent (in full name)?

answer: James

I have been spending some time here. Having the password from the base64, I didn’t know where to use it. To be honest with you, I took a peep at MrSeth6797’s writeup and realized what was meant by “send the picture” in the above message. It means extract the info from the other image (cute-alien.jpg).

$ steghide extract -sf cute-alien.jpg

#SSH password

answer: [NO SPOILER]

Hi james,

Glad you find this message. Your login password is XXXXXXXXXXXX

Don’t ask me why the password look cheesy, ask agent R who set this password for you.

Your buddy,
chris

The password is within the same message.

Capture the user flag

#What is the user flag?

answer: [NO SPOILER]

By logging in with the username and password from the previous step, we have a shell!

$ ssh james@$TARGET

Let’s examine user_flag.txt

#What is the incident of the photo called?

answer: Roswell alien autopsy

The folder also has another image file, so I downloaded it via scp:

$ scp james@$TARGET:/home/james/Alien_autospy.jpg ./

Found the incident on Google by searching “alien autopsy”, which led me to the news.

Privilege escalation

#CVE number for the escalation

answer: CVE-2019-14287

I tried to see what my current permission is given by:

$ sudo -l

I am still just a beginner, so I tried searching for “BASH”-related CVEs on cve.mitre.org

I tried the first dozen CVEs, no luck. So I gave up on this. Another peep into the writeup led me to this. With the CVE given to me, I searched exploit-db and downloaded the Python file.

With the .py file in hand, I uploaded it to the target’s /tmp/ folder.

$ scp ./47502.py james@$TARGET:/tmp

Then back in the target shell, I ran the file and got root:

$ python3 47502.py

We have got root!
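Added example from the defender's side, not part of the original writeup: the two things an admin would check on a box like this after reading about CVE-2019-14287. The bug was fixed in sudo 1.8.28, and it only matters when a rule lets a user run a command as "ALL" users except a negated root; sudo before the fix accepted a user-id spec that slipped past that exclusion and ran the command as root. The script parses sudo --version output and sudo -l style rule lines for exactly that pattern. The version string, hostname and rules below are constructed samples, not output captured from the box; the final hint from the room, "always update your machine", is the fix the version check is pointing at.

```python
import re

# CVE-2019-14287 was fixed in sudo 1.8.28; anything older with a risky rule is exposed.
FIXED_VERSION = (1, 8, 28)

VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)")
RUNAS_RE = re.compile(r"\(([^)]*)\)")

# Constructed sample output (hypothetical host and rules, not copied from the box).
SAMPLE_VERSION = "Sudo version 1.8.21p2\nSudoers policy plugin version 1.8.21p2\n"
SAMPLE_RULES = """\
User james may run the following commands on example-host:
    (ALL, !root) /bin/bash
    (root) NOPASSWD: /usr/bin/less
    (ALL : ALL) /usr/bin/id
""".splitlines()


def parse_sudo_version(output):
    """Extract (major, minor, patch) from `sudo --version` text; None if absent."""
    m = VERSION_RE.search(output)
    return tuple(int(x) for x in m.groups()) if m else None


def version_vulnerable(output):
    """True when the installed sudo predates the 1.8.28 fix."""
    v = parse_sudo_version(output)
    return v is not None and v < FIXED_VERSION


def risky_runas_rules(rule_lines):
    """Return rule lines whose runas user list is ALL with only root excluded
    ('!root' or '!#0'). On sudo < 1.8.28 that negation did not hold."""
    risky = []
    for line in rule_lines:
        m = RUNAS_RE.search(line)
        if not m:
            continue
        user_spec = m.group(1).split(":")[0]          # part before an optional ':group' list
        parts = [p.strip() for p in user_spec.split(",")]
        if "ALL" in parts and any(p in ("!root", "!#0") for p in parts):
            risky.append(line.strip())
    return risky


def audit(version_output, rule_lines):
    """Combine both checks. Either finding alone is worth fixing: upgrade sudo, and
    replace 'ALL, !root' with an explicit list of the users the command may run as."""
    return {
        "sudo_version": parse_sudo_version(version_output),
        "sudo_outdated": version_vulnerable(version_output),
        "risky_rules": risky_runas_rules(rule_lines),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_VERSION, SAMPLE_RULES))
```

Only the "(ALL, !root)" line is reported; "(root)" names a single target user and "(ALL : ALL)" has no negation, so neither matches the pattern the CVE abused. Replacing the negation with the actual users a command should run as removes the risk regardless of sudo version.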

#What is the root flag?

answer: [NO SPOILER]

So the remaining drill as usual:

To Mr.hacker,

Congratulation on rooting this box. This box was designed for TryHackMe. Tips, always update your machine.

Your flag is
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

By,
DesKel a.k.a Agent R

#(Bonus) Who is Agent R?

answer: Deskel
