Tryhackme: AgentSudo
walkthrough
Intro
Hola folks, this time let’s root AgentSudo from TryHackMe, rated as an Easy machine.
Initials
export IP=10.10.220.97
Port scanning
rustscan -a $IP --ulimit 5000 | tee rust.txt
Found 3 open ports: 21, 22, 80
nmap
Let’s dig deep into those ports
nmap -sC -sV -p21,22,80 -oN nmap $IP -Pn
Further Recon
Tried FTP anonymous login → no luck (not allowed)
Port 80: http
Found this text on port 80. Tried changing the User-Agent header → no luck
But later the same method worked when I changed the browser and found this
With this we know that the user’s password is weak, so let’s brute force it
Port 21: FTP
Got the password
Found three files on the FTP server
Two of them were images, which I thought were a rabbit hole (same as last one) XD
and the other file contains a note
And with this note, I got to know that the images are not a rabbit hole :D
After digging deep, I found one zip file inside one image
The file is found to be encrypted. First, convert the file to a john-readable format
/usr/sbin/zip2john <image_name> > forjhon
Now crack it using john
After cracking, the zip file contains another note
That weird word is fishy. Checked it on cyberchef.io and found it is base64 encoded XD
I checked the other image, used this as the password, and it worked!! :o
Again that file contains another note (I was like, how many notes are left XD)
And we got the ssh password on this note, yayee
User
Log in to SSH and we get the user flag
Root
First thing to do when you have the user’s password is
sudo -l
This tells us that the user james can run any command as root except /bin/bash
Actually there’s a CVE (CVE-2019-14287) on this named “Sudo Security Bypass” and the fun part is I learned about this CVE/bug the same week XD
Learn more about this CVE here
To exploit this, simply run the command
sudo -u#-1 /bin/bash
And we are root
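To check your own hosts for this condition, here is a small audit sketch, added as an example and not part of the original walkthrough. It flags sudoers rules whose Runas list combines ALL with a negated user (the rule shape CVE-2019-14287 affects) when the installed sudo is older than 1.8.28, the release that fixed it. The sudoers lines and version string are constructed samples, and the function names are hypothetical.

```python
import re

FIXED = (1, 8, 28)  # sudo release that fixed CVE-2019-14287

# Constructed sample sudoers content (not taken from the target machine).
SAMPLE_SUDOERS = """\
# constructed sample
root ALL=(ALL:ALL) ALL
james ALL=(ALL, !root) /bin/bash
backup ALL=(www-data) /usr/bin/rsync
"""

def parse_version(text):
    """Return (major, minor, patch) from a string like 'Sudo version 1.8.21p2'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no sudo version found in {text!r}")
    return tuple(int(part) for part in m.groups())

def risky_runas(rule):
    """True when the Runas user list grants ALL and also negates some user."""
    m = re.search(r"=\s*\(([^):]*)", rule)  # user part, before any ':group'
    if not m:
        return False
    users = [u.strip() for u in m.group(1).split(",")]
    return "ALL" in users and any(u.startswith("!") for u in users)

def audit(version_text, sudoers_text):
    """List rules exposed to the uid -1 bypass on a pre-1.8.28 sudo."""
    if parse_version(version_text) >= FIXED:
        return []
    rules = (line.strip() for line in sudoers_text.splitlines())
    return [r for r in rules if r and not r.startswith("#") and risky_runas(r)]

if __name__ == "__main__":
    # Constructed version string; on a real host use the output of `sudo -V`.
    for rule in audit("Sudo version 1.8.21p2", SAMPLE_SUDOERS):
        print("review:", rule)
```

Distribution packages can carry a backported fix under an older upstream version number, so confirm a hit against the vendor advisory before treating the host as vulnerable.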