Agent Sudo
Reconnaissance
Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn) so nmap does not skip the host if it ignores ping.
We have 3 open ports, which is the answer to the first question in this task.
Detailed Nmap Scan:
Command Breakdown:
(-sV): Service version
(-sC): Default nmap scripts
(-p): Specifying ports 21,22,80
(-oN nmap): Saving the output in normal format to a file called nmap
Task 2: Enumerate
Let's visit the website now and check what we are working with.
It tells us to change the user-agent header to our own codename and access the site, so let's try doing that. But first we have to see how a request is being sent using curl. We can check by first using the command:
Command Breakdown:
(-A): Specifying the user-agent
(-L): Follows any redirections
It works, so let's try changing the user-agent to a different letter. One of the agents' names is R, which is a single letter, so I'm thinking the others would have a single-letter codename too. After trying a few codenames I found one that gives us different results, which is codename C.
We can see that agent C's actual name is Chris. Now we can answer questions 2 and 3: we can redirect ourselves to the secret page by changing the user-agent header, and the name of the agent is Chris.
Task 3: Hash cracking and brute-forcing
Now that we have found ourselves a username, we can try brute-forcing the FTP service running on port 21 with the help of hydra.
Command Breakdown:
(-l): Specifying username
(-P): Specifying a wordlist of candidate passwords to try.
(ftp): Specifying which protocol to attack.
And we found the password, which is also the answer to the first question of this task.
Let's now log in to FTP.
Let's list what is on the server.
There are three files. We cannot read or view them here, so let's transfer them to our machine using the get command.
Out of the three, one is a text file, so let's read it.
So we have to get the password which is hidden in one of the pictures we downloaded to our machine. Let's use a tool called binwalk, which is used for finding files embedded inside other files.
We can see that there is a hidden zip file within the image, so let's extract it with the (-e) flag.
Looking in the directory we can see that there is a zip file we cannot open, as it is encrypted and needs a password. We can try cracking the password by first converting the archive into a crackable hash with zip2john, a utility that ships with John the Ripper.
Now let's try cracking the hash with John the Ripper.
We found the password, which is alien. This is also the answer to the second question in this task.
Let's unzip the file using 7zip.
We get a new file called To_agentR.txt, so let's read it.
Let's copy that string and put it in CyberChef. After decoding it, CyberChef tells us it means Area51, which looks like a password. So now let's try finding hidden data in the other image file we downloaded from FTP.
Let's read message.txt.
So now we know that the password for Chris is hackerrules. Let's try to SSH into the machine using these credentials. We also know the name of the other agent, which is James. With this information we can answer the last three questions of this task.
Task 4: Capture The User Flag
Now let's log in through SSH as James, as we have his password.
We can find the user flag in the /home/james directory, and it is also the answer to the first question of the task. We also see another file called Alien_autospy.jpg, and the second question of the task asks us what the incident in the photo is called. For that we first need to transfer the file to our machine, and we can use this command on our machine to do that.
The directory that I specified is the directory I want the file to be in.
Now we have the file on our machine. Let's do a reverse Google image search and see what incident this image is connected to. First we go to Google Images, then we find the option to upload an image after clicking the camera icon.
Now choose the file and we get a result saying the Roswell Incident. The answer to the last question in this section is Roswell Alien Autopsy.
Task 5: Privilege Escalation
The first command that we should run is sudo -l, as it will tell us what we can run as other users.
It looks like we can run (ALL, !root) /bin/bash, so let's take this and put it on Google. Once we do, it gives us a CVE number (CVE-2019-14287), and after reading through this exploit we can see that there is a command that escalates our privileges to root.
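As an added example (not from the original writeup), a small Python audit for the configuration pattern behind that CVE from the defender's side: it parses `sudo -l` output for Runas specs that grant ALL together with a `!user` negation and reports them when the installed sudo predates 1.8.28, the release that fixed CVE-2019-14287. The sample `sudo -l` output, hostname and version string are constructed.

```python
import re

# Constructed sample of the `sudo -l` output the writeup describes for james
# (the hostname is a placeholder; the rule is the one shown on the page).
SAMPLE_SUDO_L = """\
Matching Defaults entries for james on HOSTNAME:
    env_reset, mail_badpass

User james may run the following commands on HOSTNAME:
    (ALL, !root) /bin/bash
"""
# Constructed sample of `sudo --version` output from a build older than the fix.
SAMPLE_SUDO_VERSION = "Sudo version 1.8.21p2\nSudoers policy plugin version 1.8.21p2\n"

FIXED_IN = (1, 8, 28)  # CVE-2019-14287 was fixed in sudo 1.8.28

PRIV_RE = re.compile(r"^\s*\(([^)]*)\)\s+(.+)$")  # "(runas_spec) command"
VER_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)")


def parse_privileges(sudo_l_output):
    """Return (runas_users, command) pairs from the privilege lines of `sudo -l`."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = PRIV_RE.match(line)
        if not m:
            continue
        # Runas spec is "user_list" or "user_list : group_list"; only users matter here.
        users = [u.strip() for u in m.group(1).split(":")[0].split(",")]
        rules.append((users, m.group(2).strip()))
    return rules


def sudo_version(version_output):
    """Parse the 'Sudo version X.Y.Z' line into a comparable tuple (None if absent)."""
    m = VER_RE.search(version_output)
    return tuple(int(x) for x in m.groups()) if m else None


def audit(sudo_l_output, version_output):
    """Flag rules of the form (ALL, !user) when sudo is older than 1.8.28."""
    ver = sudo_version(version_output)
    findings = []
    for users, cmd in parse_privileges(sudo_l_output):
        negated = [u for u in users if u.startswith("!")]
        # The bypass needs ALL plus a negation; a spec like (alice, !root) is not affected.
        if "ALL" in users and negated and ver is not None and ver < FIXED_IN:
            findings.append(f"({', '.join(users)}) {cmd}: negation {negated} is bypassable "
                            f"on sudo {'.'.join(map(str, ver))} (CVE-2019-14287); "
                            "upgrade sudo and replace the negation with an explicit allow list")
    return findings
```

Running `audit(SAMPLE_SUDO_L, SAMPLE_SUDO_VERSION)` returns one finding for the (ALL, !root) rule; the same rule on sudo 1.8.28 or later returns none.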
We are now root, and you can find the root flag in the /root directory. We can also answer the first and second questions of this room.
As for the third question, we find that answer in root.txt as well.