sixth👨🏾‍💻sensei:~#

Security is art!


AgentSudo



Difficulty: Easy


Nmap Scan

Running an nmap scan on the machine, we have:

┌──(sixth-sensei㉿kali)-[~/THM/AgentSudo]
└─$ #sudo nmap -sS -sV 10.10.155.31
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-07 15:29 WAT
Nmap scan report for 10.10.155.31
Host is up (0.20s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.56 seconds

We have 3 open ports: FTP, SSH and HTTP. Let’s dive in!

Enumeration

Port 80

Navigating to the HTTP service, we’re greeted with this page:

[screenshot: staticsite]

From the webpage, we need a codename to access the site, and there’s a hint: user-agent, which is an HTTP header. Firing up Burp Suite, let’s try R as the agent; we have this:

[screenshot: agentR]

[screenshot: agentR_error]

From the response, it is evident the other 25 employees are letters of the alphabet; we would have to keep switching the agent until we find the right one, but doing this one by one is stressful, right? That’s where Burp Intruder comes in: setting the letters A to Z as the payload and attacking, we have:

[screenshot: intruder_start]

[screenshot: intruder]

Only C returns a 302 redirect code; setting it as the User-Agent, we get redirected to agent_C_attention.php, and the agent’s name is chris.

[screenshot: agentC]
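Seen from the web server’s side, a sweep like that leaves a distinctive trace: one client requesting the same path with many one-letter User-Agent strings. The following is an added detection example, not part of the original writeup; it parses Apache combined-format access logs (constructed sample lines, with made-up IP addresses and timestamps) and flags such clients together with the agent value that drew the 302.

```python
import re
from collections import defaultdict

# Apache "combined" log format; the last quoted field is the User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_access_log(lines):
    """Yield one dict per line that matches the combined log format."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()

def find_user_agent_sweeps(lines, min_distinct=5, max_ua_len=3):
    """Return {ip: finding} for clients that request the same path with many
    distinct, very short User-Agent values (an Intruder-style codename sweep).
    The finding also lists which of those agents were answered with a 302."""
    seen = defaultdict(lambda: defaultdict(set))   # ip -> path -> {ua}
    redirected = defaultdict(set)                   # ip -> {ua given a 302}
    for rec in parse_access_log(lines):
        parts = rec["req"].split(" ")
        path = parts[1] if len(parts) > 1 else rec["req"]
        seen[rec["ip"]][path].add(rec["ua"])
        if rec["status"] == "302":
            redirected[rec["ip"]].add(rec["ua"])
    findings = {}
    for ip, paths in seen.items():
        for path, agents in paths.items():
            short = {ua for ua in agents if len(ua) <= max_ua_len}
            if len(short) >= min_distinct:
                findings[ip] = {"path": path, "agents": sorted(short),
                                "redirected": sorted(redirected[ip] & short)}
    return findings

# Constructed sample: 10.0.0.5 sweeps A..F against /, only "C" earns a 302;
# 10.0.0.9 is an ordinary browser visit and must not be flagged.
SAMPLE_LOG = [
    f'10.0.0.5 - - [07/Mar/2024:15:40:{i:02d} +0100] "GET / HTTP/1.1" '
    f'{"302" if ua == "C" else "200"} 1231 "-" "{ua}"'
    for i, ua in enumerate("ABCDEF")
] + [
    '10.0.0.9 - - [07/Mar/2024:15:41:00 +0100] "GET / HTTP/1.1" 200 1231 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"',
]
```

Run `find_user_agent_sweeps(SAMPLE_LOG)` to get the single flagged client; lower `min_distinct` if your own traffic shows shorter sweeps.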

Port 21

On that page, agent R points out that agent C’s weak password needs changing; let’s try hydra to brute-force the FTP service.

[screenshot: agentC_ftp]

Yaay! We have the FTP password. Let’s access the service.

[screenshot: ftp_login]

Listing the directory contents, we see the message to agent J that agent R mentioned earlier; let’s download all the files in the directory using mget *.

[screenshot: mget]

Reading the message to agent J:

[screenshot: agenJ_message]

We get a hint that agent J’s password is embedded in one of the fake alien pictures in C’s directory. Running stegseek on the two pictures, cutie.png and cutie-alien.jpg:

[screenshot: stegseek]

Voilà, the image with the embedded file turns out to be cutie-alien.jpg, and its content is extracted. Let’s look into that.

[screenshot: agentJ]

We can see agent J’s name is james and his password is hackerrules!; let’s access his account.

[screenshot: agentJ_ftp]

Looks like agent J’s credentials aren’t for FTP but for SSH, since that’s the only service left.


From the questions, there should be a zip file; let’s check cutie.png again, since we got nothing from it earlier, but this time with exiftool.

[screenshot: exiftool]

There’s a warning, "Trailer data after PNG", which means there is something appended to the image. Running strings on it:

[screenshot: strings_start]

[screenshot: strings_end]

Nice, we see a To_agentR.txt file embedded. We can also do this using xxd to dump the file in hex format. But we still can’t find the zip file; there’s one last tool we can use: binwalk.

[screenshot: a little explanation]

Let’s try it out:

[screenshot: binwalk]

Yes!! There is our zip file; let’s extract it using binwalk -e cutie.png.

[screenshot: zipfile]
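What exiftool, strings and binwalk each reported above can be checked with one small PNG parser. The following is an added example, not code from the writeup: it walks the PNG chunk list, reports any bytes after IEND as trailer data, and looks for the zip local-file-header magic in that trailer. The sample image and the fake zip header appended to it are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HEADER = b"PK\x03\x04"

def png_chunks_and_trailer(data):
    """Walk the chunk list and return (chunk_types, trailer). Everything after
    IEND is trailer data: a well-formed PNG has none, so a non-empty trailer is
    exactly what exiftool's 'Trailer data after PNG' warning is reporting."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, types = len(PNG_SIG), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        types.append(ctype.decode("latin-1"))
        pos += 8 + length + 4                    # header + payload + CRC
        if ctype == b"IEND":
            return types, data[pos:]
    raise ValueError("truncated PNG: no IEND chunk")

def embedded_zip_offset(trailer):
    """Offset of the first zip local-file-header signature in the trailer,
    or -1 when none is present (the magic binwalk reports as zip data)."""
    return trailer.find(ZIP_LOCAL_HEADER)

def scan(data):
    """Summary a triage script would log for each image it inspects."""
    types, trailer = png_chunks_and_trailer(data)
    return {"chunks": types, "trailer_bytes": len(trailer),
            "zip_offset": embedded_zip_offset(trailer)}

def _chunk(ctype, payload):
    """Encode one PNG chunk: length, type, payload, CRC over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def build_sample(with_trailer=True):
    """Constructed 1x1 greyscale PNG; optionally appends a fake zip local
    header (not a real archive) after IEND to stand in for the hidden file."""
    ihdr = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    idat = _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    png = PNG_SIG + ihdr + idat + _chunk(b"IEND", b"")
    if with_trailer:
        png += b"junk" + ZIP_LOCAL_HEADER + b"\x14\x00" + b"\x00" * 24 + b"To_agentR.txt"
    return png
```

On a real file, `scan(open(path, "rb").read())` gives the same verdict exiftool and binwalk reached here, in a form that is easy to run across a whole directory of uploads.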

We were unable to read the message to agent R because the zip file is password-protected. Don’t panic: we can use zip2john to turn it into a John-compatible hash and crack it with John the Ripper.

[screenshot: zip2john]

[screenshot: john]

Nice! We have the zip file password, alien; let’s see the content of the message to agent R.

[screenshot: agenR_message]

We see an encoded message, QXJlYTUx; using dcode.fr, I found it to be a ROT cipher, and cracking it with CyberChef I got ")y=*%&I. Don’t know if we’ll need it later, but let’s keep it.

[screenshot: cyberchef]
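As an added example (not from the original post), here is the string QXJlYTUx run through the usual candidate decodings side by side: the ROT47 pass reproduces the ")y=*%&I shown above, while a strict base64 decode yields Area51, the steg password given in the answers at the end. The plausibility score that ranks the candidates is a heuristic of my own.

```python
import base64
import binascii
import codecs

def rot47(text):
    """Rotate every printable ASCII character (0x21..0x7e) by 47 places."""
    out = []
    for ch in text:
        o = ord(ch)
        out.append(chr(33 + (o - 33 + 47) % 94) if 33 <= o <= 126 else ch)
    return "".join(out)

def try_base64(text):
    """Strict base64 decode to ASCII text, or None if the input is not valid."""
    try:
        return base64.b64decode(text, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None

def plausibility(candidate):
    """Crude 'looks like a word or password' score in [0, 1]: the share of
    letters/digits/spaces, scaled by whether the letters contain any vowels.
    A heuristic of my own, enough to separate a real decode from noise."""
    if not candidate:
        return 0.0
    clean = sum(c.isalnum() or c == " " for c in candidate) / len(candidate)
    letters = [c for c in candidate if c.isalpha()]
    vowels = sum(c.lower() in "aeiou" for c in letters)
    return clean * (0.5 + 0.5 * (vowels / len(letters) if letters else 0))

def identify(text):
    """Try the usual CTF encodings and return (name, decode, score) best-first."""
    candidates = {
        "rot13": codecs.decode(text, "rot_13"),
        "rot47": rot47(text),
        "base64": try_base64(text),
    }
    ranked = [(name, dec, plausibility(dec)) for name, dec in candidates.items()]
    return sorted(ranked, key=lambda r: r[2], reverse=True)
```

`identify("QXJlYTUx")` lists base64 first; the rot47 entry is the string the CyberChef screenshot shows.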

Port 22

Logging in via SSH, we got access to agent J’s account.

[screenshot: ssh_james]

Listing the directory contents, we see our user flag:

[screenshot: dir_james]

[screenshot: userflag]

We can see another image file, Alien_autospy.jpg, in this directory; it must be the real alien picture agent C was referring to in his message to agent J. Let’s download it to our machine by serving the directory with Python’s http.server.

[screenshot: alien_image]

Opening the image:

[screenshot: alien]

There’s nothing we can get visually, and from the question we need to know the incident that happened. Performing a reverse image search as the hint suggests, we have:

[screenshot: reverse_image]

Clicking one of the links in the results, we have the incident name: Roswell alien autopsy.

[screenshot: alien_incident]

Privilege Escalation

Now let’s get root. Running sudo -l to see the sudo privileges agent J has:

[screenshot: sudo_james]

Interesting 🤠!! Agent J has the (ALL, !root) /bin/bash privilege; looking this up, we find an exploit with the CVE entry CVE-2019-14287 on Exploit-DB.

[screenshot: exploitdb]

Checking through the exploit code, we can run sudo -u#-1 /bin/bash to get root.

[screenshot: root]

Boom!! We got root; listing the directory, we have the root flag and agent R’s name.

[screenshot: rootflag]
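The (ALL, !root) rule is the thing to hunt for on your own hosts. The following is an added audit example, not code from the writeup: it parses a constructed sudoers fragment, flags any rule that grants ALL Runas users together with a ! negation, and checks a sudo --version string against 1.8.28, the release that fixed CVE-2019-14287.

```python
import re

# One sudoers user specification, e.g.  james ALL=(ALL, !root) /bin/bash
SPEC_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$'
)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

def parse_sudoers(text):
    """Return one dict per user specification; comments, Defaults and alias
    definitions are skipped, and ':group' parts of Runas entries are dropped."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if m:
            spec = m.groupdict()
            spec["runas"] = [r.strip().split(":")[0].strip()
                             for r in spec["runas"].split(",")]
            specs.append(spec)
    return specs

def risky_runas_negations(text):
    """Flag rules like (ALL, !root). On sudo < 1.8.28 the negation is bypassed
    (CVE-2019-14287); on fixed versions it is still a denylist, and an explicit
    allowlist of Runas users is the safer way to express the same intent."""
    findings = []
    for spec in parse_sudoers(text):
        if "ALL" in spec["runas"] and any(r.startswith("!") for r in spec["runas"]):
            findings.append({"who": spec["who"], "runas": spec["runas"],
                             "cmds": spec["cmds"]})
    return findings

def sudo_version_fixed(version_output):
    """True when the text of 'sudo --version' reports 1.8.28 or later."""
    m = re.search(r'(\d+)\.(\d+)\.(\d+)', version_output)
    return bool(m) and tuple(int(x) for x in m.groups()) >= (1, 8, 28)

# Constructed sudoers fragment mirroring the rule shown by sudo -l above.
SAMPLE_SUDOERS = """
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
james   ALL=(ALL, !root) /bin/bash      # the AgentSudo rule
alice   ALL=(www-data) /usr/bin/systemctl restart apache2
"""
```

Feed `risky_runas_negations` the output of `visudo -c -f` targets or the files under /etc/sudoers.d, and pair a hit with `sudo_version_fixed` to decide whether it is an open hole or just a rule worth rewriting.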

This was fun; I hope you enjoyed every bit of it too 🦾

Questions

  1. How many open ports? - 2
  2. How you redirect yourself to a secret page? - user-agent
  3. What is the agent name? - chris
  4. FTP password - crystal
  5. Zip file password - alien
  6. steg password - Area51
  7. Who is the other agent (in full name)? - james
  8. SSH password - hackerrules!
  9. What is the user flag? - b03d975e8c92a7c04146cfa7a5a313c7
  10. What is the incident of the photo called? - Roswell alien autopsy
  11. CVE number for the escalation - CVE-2019-14287
  12. What is the root flag? - b53a02f55b57d4439e3341834d70c062
  13. Who is Agent R? - DesKel


See you again 👋🏽