
Agent Sudo - TryHackMe

Agent Sudo from TryHackMe

Task 1 - Author note

nice

Task 2 - Enumerate

starting with an nmap scan, we get

the good ol’ nmap scan

  1. How many open ports?

    3 - 21, 22 and 80

So, we first try the webserver because anonymous login on ftp is not allowed and we don’t know any ssh creds

  1. How you redirect yourself to a secret page?

    by changing the User-Agent, as the homepage says. The hints suggest changing it to C.

    so upon intercepting the request in burpsuite and changing the headers like this,

    customizing request headers in burpsuite repeater

    we get,

    response headers in burpsuite

  2. What is the agent name?

    Chris, as is evident from the response

Task 3 - Hash cracking and brute-force

  1. FTP password

    on bruteforcing ftp with hydra, we get

    bruteforcing with hydra

    on ftp-ing, we see the following files

    files from ftp

    To_agentJ.txt,

    Dear agent J,

    All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn’t be a problem for you.

    From,

    Agent C

    so, from these instructions, we try binwalk to examine the contents of these images

    binwalk-ing

    so, cutie.png contains a zip file inside it, but it is password-protected

  2. Zip file password

    we could use zip2john and john to crack it easily

    john the ripper

    to give a hint, the zip file’s password looks like a****

  3. steg password

    To_agentR.txt

    but this is not the passphrase for the stegofile

    so, this must be encrypted; we can use CyberChef’s Magic recipe to try to decrypt it

    cyberchef’s magic

  4. Who is the other agent (in full name)?

    we can use steghide to extract the hidden message

     $ steghide --extract -sf cute-alien.jpg
     Enter passphrase: 
     wrote extracted data to "message.txt".
    
  5. SSH password

    not so secret anymore

Task 4 - Capture the user flag

  1. What is the user flag?

    user flag

  2. What is the incident of the photo called?

    after scp-ing the Alien_autopsy.jpg file and googling it

    x-files’ theme plays

    so, the answer seems to be Roswell Alien Autopsy

Task 5 - Privilege escalation

the first thing to do would be to run sudo -l and sudo -V

privesc 101

  1. CVE number for the escalation (Format: CVE-xxxx-xxxx)

    a google search of the sudo privileges granted to J gives us the required exploit-db link

    so, the number will be CVE-2019-14287
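    As an added example (not part of this writeup or the room), here is a small Python audit that takes the text of sudo -V and sudo -l and flags the combination CVE-2019-14287 affects: a sudo older than 1.8.28 (the release that fixed it) together with a rule whose Runas list excludes root via !root. The sample outputs, user name and host name below are constructed, not taken from the room.

```python
import re

# Constructed sample output in the shape of `sudo -V` and `sudo -l`; not captured from the room.
SUDO_V_SAMPLE = "Sudo version 1.8.21p2\nSudoers policy plugin version 1.8.21p2\n"
SUDO_L_SAMPLE = (
    "Matching Defaults entries for alice on examplehost:\n"
    "    env_reset, mail_badpass\n\n"
    "User alice may run the following commands on examplehost:\n"
    "    (ALL, !root) /bin/bash\n"
)

FIXED_VERSION = (1, 8, 28)  # CVE-2019-14287 was fixed in sudo 1.8.28


def parse_sudo_version(sudo_v_output):
    """Return (major, minor, patch) from the 'Sudo version X.Y.Z' line, ignoring any 'pN' suffix."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", sudo_v_output)
    if not m:
        raise ValueError("no 'Sudo version' line found")
    return tuple(int(x) for x in m.groups())


def runas_excludes_root(sudo_l_output):
    """Return the rule lines whose Runas_Spec excludes root, e.g. '(ALL, !root) /bin/bash'."""
    hits = []
    for line in sudo_l_output.splitlines():
        # Rule lines from `sudo -l` start with a parenthesised Runas_Spec followed by the command.
        m = re.match(r"\s*\(([^)]*)\)\s+(\S.*)$", line)
        if m and re.search(r"!\s*root\b", m.group(1)):
            hits.append(line.strip())
    return hits


def check_cve_2019_14287(sudo_v_output, sudo_l_output):
    """Return one finding per exposed rule; an empty list means this host/version pair is not affected."""
    version = parse_sudo_version(sudo_v_output)
    rules = runas_excludes_root(sudo_l_output)
    if version >= FIXED_VERSION or not rules:
        return []
    ver = ".".join(map(str, version))
    return [f"sudo {ver} < 1.8.28 and rule '{r}' relies on !root (CVE-2019-14287)" for r in rules]


if __name__ == "__main__":
    for finding in check_cve_2019_14287(SUDO_V_SAMPLE, SUDO_L_SAMPLE):
        print(finding)
```

    The mitigation is the same in every case the audit flags: upgrade sudo to 1.8.28 or later, and prefer allow-listing the exact Runas users over excluding root with !root.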

  2. What is the root flag?

    aha!

  3. (Bonus) Who is Agent R?

    DesKel

v cool, thank you creator of Agent Sudo room

This post is licensed under CC BY 4.0 by the author.