Try-hack-me

Agent Sudo : Walkthrough

Agent Sudo is an Easy room on Tryhackme created by Deskel. This machine requires enumeration, hash cracking, steganography, and Privilege Escalation.

Alright the room has a total of 5 tasks, or 4 if you just want to count the actual tasks. Task 1 has a note from the room author DesKel to have fun!

Deploy the machine, wait a few minutes for it to boot and we will dive right in.

Enumerate


Everyone has got to be familiar with the first step after getting a machine IP by now, I hope?

We do some port scanning and recon using our favorite tool Nmap

#nmap -sS -sV -A -T4 -vv <target ip>


Looks like we have some open ports running on the machine. A web server is running on port 80. Let's open it and investigate further.


We get a html page that tells us that agents should use their own codename as user-agent to access the site.
We see an announcement for the Agents from Agent R. The tryhackme hint was to change the “User-agent” with “C”. So we started Burpsuite to intercept the request.


After capturing the request we modified the “User-agent” with “C” and forward the request.

After we got a success message on Burpsuite so we checked the webpage.



We got an Agent Name and from the message, we know that the password of the Agent is weak so now we can Bruteforce FTP with Hydra.
#hydra -l chris -P /usr/share/wordlists/rockyou.txt <target IP> ftp


Now we know the password for the Agent we can log in through FTP.
#ftp <target IP>


We have successfully logged in through FTP and we checked for the content and we got images and a text file, we downloaded all the files using “get command”.
#ls
#mget *


By viewing the “To_agentJ.txt” file the message was login password for the chris is stored in the fake picture.


The questions at this point consist of a zip file, which we do not have. We also need a steg password. Could it be that a zip file is hidden in one of the files we downloaded? We run binwalk on the png file which is the most likely to contain some hidden files.
#binwalk cutie.png -e


So we used “zip2john” to crack the zip file for password with this command

    #zip2john 8702.zip > Output.txt
and then we used john to crack the hash.
#sudo john Output.txt


And we got the password alien, so we tried to extract the zip file but unzip command didn’t work so we used this command:
#7z x 8702.zip


After entering the password and extracting the zip file we got this message.
#cat To_agentR.txt


This message was from Agent R we decoded this ‘QXJlYTUx’ message using Cyberchef. Cyberchef suggests auto decoding.


We got the password Now only images file left is “cute-alien.jpg” so we used the “steghide” tool to retrieve hidden info.
#steghide --extract -sf cute-alien .jpg 


The info got extracted to “message.txt” after viewing the message we got username and password.
Now we log in through SSH into the machine using the username and password we found now we can read the user flag
#ssh james@<target IP>



Privilege Esclation

We checked for the permission the user has with “#sudo -l” command.
#sudo -V(To check the version)
check the exploit on exploit DB where we can find the CVE number as well.






Using the exploit we found, we can indeed spawn a root shell and get our root flag in /root directory.

That's the end of this writeup, I hope you learnt something from this and had some fun too😀.


Thank you very much for reading. I hope you find this blog useful.

!!!!Happy Hacking!!!!

Comments

Post a Comment

Popular posts from this blog

Try Hack Me - Simple CTF

Image
  Try Hack Me    Simple CTF Walkthrough Simple CTF  Challenge on TryHackMe Platform is a beginner level CTF, if you want to learn about CTF's, this room is perfect for you! So let’s get going! Initially, let's deploy our machine get connected to THM VPN and then, we are ready to begin. We need to run a Nmap scan against the machine so that we know which ports are open and which services are operational on these ports. I am going to use an aggressive Nmap scan.   #nmap -A -sC -Pn <Target IP> Analyzing the above Nmap scan we now know the number of ports and their associated services that are running on the host. So we have 2 services running under port 1000 and ssh service running on the higher port. Also, as highlighted above, w e see that we have got an anonymous ftp login, let’s try to log in and see if we can find anything. From ftp access as shown above, we are able to gather some information as ForMitch.txt. We will further extract the file and let's see what outp
Read more
Image
  Try-hack-me PICKLE-RICK : Walkthrough Today I completed an other room on tryhackme with a Rick and Morty theme to it! Let's go and complete the room Pickle Rick from try Hack Me! Scanning & Enumeration A good rule of thumb is to start by scanning your machine for any open ports.  #nmap -T4 -sC -sV -A -p- <target IP> Enumerating Services Port 22- ssh Here we are able to see that our SSH port is open. This port isn't too vulnerable unless we have found some credentials. So we will not mess with it. Port 80- http It's here where we find a webservice. Lets see if there is anything interesting. This webpage comes up on port 80. There’s no useful data in here. But what if we check the page source? Checking out the source code of a page can reveal all sorts of things.  Great it looks like we have found a user name!!!  Most websites will have a robots.txt file that will tell a browser what is and isn't allowed to index. So lets see if there is one for this site. Su
Read more
Image
  Try-hack-me Lian_Yu : Walkthrough This post is a walkthrough of an Arrowverse themed beginner CTF box on Tryhackme. Let’s get started by deploying the machine. Now, after deploying the machine, start with a basic Nmap scan and see which ports and services are open and running on the particular IP address. #nmap -A -sC -sV <target IP> Port 80 is open and running so let’s look at the webpage first.. The First step is to check the page source and robots.txt but no information found there, so let’s move to enumeration. #gobuster dir -u http://<target IP>/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt Looks like we have found a directory /island let’s look at it. The webpage looks like this at first instance but when I saw the source code I realized the the code word is also given in as vigilante but is in the white text. So here we got our code word.  I then ran gobuster again with the addition of the new directory I had found directory inside island di
Read more