Agent Sudo
This is my write-up for the machine on TryHackMe located at: https://tryhackme.com/room/agentsudoctf.
nmap scan: nmap -T4 -A 10.10.126.175
Port 80 was open, so I checked it out:
I tried to use BurpSuite here to edit the User-Agent to be "Agent S", based off of my assumption that my codename was Agent S. This did not work. I then used gobuster alongside the directory-list-2.3-small.txt wordlist. I then was reading this write-up which led me to realize that I was not supposed to brute-force the website, but actually just change my user agent (I used User-Agent Switcher and Manager on Firefox):
We now know that user C is chris and his password is weak. I chose this time to answer the questions on THM:
For the next task, it seemed that I needed to brute-force the password for FTP. Knowing that the username was chris, I then used hydra to try to brute-force the password: hydra -l chris -P rockyou.txt ftp://10.10.126.175 -t 16. I was able to get the password:
After logging into the ftp server with the credentials, we see the following:
I then used mget * to download all of the files:
It seems from the To_agentJ.txt file that we have to find the password in one of the images provided. Running strings on the cutie.png file, I saw this towards the end:
This led me to assume that this was the correct file to brute-force. I ran binwalk -e cutie.png and this led me to a directory with the following:
There is a password for the zip file. I used fcrackzip in order to try to brute-force the password. I was trying for a bit to understand what was going on, but I was unable to crack the password. This is when I went back to the website where I read the write-up from previously and found out about zip2john. This program gets you a hash from a zip file which you can use with John The Ripper. I then ran the following to output the hash into a location that worked for me: zip2john ../../8702.zip > ../../../zip_hash. I then ran john on the hash, and got the password in a couple seconds:
After entering the password for the zip by running 7z e 8702.zip, I then was able to get the file hidden in it:
In order to crack the password for the other image, I used StegSeek:
This led me to this text file:
When I entered the password hackerrules! as the answer to the question SSH password, I got it correct. This means that this is the password for SSH. Logging in with those credentials, I was able to get into the system, and get the user flag:
There was another jpeg on the system as well. I used FileZilla in order to download the file to my local machine:
On THM there was a question asking What is the incident of the photo called? In my research I came to the conclusion it had something to do with Roswell and Aliens. I had to go back to the write-up, in order to realize the answer was roswell alien autopsy. I am still at the user (james) level, and I need to escalate my privileges. I ran sudo -l to see what sudo commands my user had:
Seems that he can run /bin/bash with sudo permission. I Googled "exploit db (ALL, !root) /bin/bash" and found the following page: https://web.archive.org/web/20210120002645/www.exploit-db.com/exploits/47502. This has an exploit in it for our system. I ran the exploit and got root:
I then also got the root flag:
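A defender-side check for the sudoers pattern seen in the sudo -l step above, added here as an example and not part of the original write-up: it flags rules whose Runas list grants ALL but excludes root only by negation, and reports whether the installed sudo predates 1.8.28, the release assumed here to carry the fix. The function names, the hostname, the second rule and the version string are constructed for illustration.

```python
import re

# Assumption: first sudo release with the Runas fix, per the upstream sudo advisory.
FIXED_IN = (1, 8, 28)

# Constructed sample of `sudo -l` output; only the (ALL, !root) rule is from the write-up.
SAMPLE_LISTING = """\
User james may run the following commands on agent-sudo:
    (ALL, !root) /bin/bash
    (root) NOPASSWD: /usr/bin/systemctl status ssh
"""

def parse_version(text):
    """Return (major, minor, patch) from `sudo -V` output, e.g. 'Sudo version 1.8.21p2'."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no sudo version string found")
    return tuple(int(part) for part in m.groups())

def negated_root_rules(listing):
    """Find rules whose Runas user list grants ALL and excludes root only by negation."""
    hits = []
    for line in listing.splitlines():
        # Rule lines look like "(runas users[: groups]) [TAG: ...] command"
        m = re.match(r"\s*\(([^)]*)\)\s*(?:[A-Z_]+:\s*)*(.+)", line)
        if not m:
            continue
        users = [u.strip() for u in m.group(1).split(":")[0].split(",")]
        if "ALL" in users and any(u in ("!root", "!#0") for u in users):
            hits.append((m.group(1).strip(), m.group(2).strip()))
    return hits

def audit(version_text, listing):
    """Report each risky rule and whether this sudo build predates the fix."""
    unpatched = parse_version(version_text) < FIXED_IN
    return [{"runas": r, "command": c, "unpatched_sudo": unpatched}
            for r, c in negated_root_rules(listing)]

if __name__ == "__main__":
    for finding in audit("Sudo version 1.8.21p2", SAMPLE_LISTING):  # constructed version string
        print(finding)
```

A rule reported with unpatched_sudo set to False is still worth rewriting as an explicit list of allowed Runas users instead of a negation.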