Greetings everyone! I’m back with another machine walkthrough from the hacking platform TryHackMe! This machine is called Agent Sudo! So without any further ado, let’s jump into it!
We’ll start off with our trusty Nmap scan:
Alright, well right off the bat we can see that port 80 is open, and that means there is a website to check out! Great, let’s browse to it!
Hmm! Now there wasn’t much, actually nothing, returned from any type of enumeration or vulnerability scanning on this website! That being the case, I went back and re-read the message that was displayed. At the moment, we have no sweet clue what our “codename” is. But what we can do is use cURL to spoof our user-agent. Putting our detective hat on, we notice that the message is from an “Agent R”. Are all the codenames going to be related to a letter (similar to Men In Black!)? Well, we’ll have to cURL every letter to see if we can get a return. For giggles though, I thought I’d start with “R” (the agent’s name!):
Welp, nothing like getting yelled at from a return message! At least we know that the command works, so let’s start from the letter A and go down the list!
Looks like we got a hit with the letter C!
Agent C (or Chris) seems to have a weak password! Time to start cracking! But what to crack? Looking back at our Nmap scan, we can see that there is an FTP server, so let’s start there! We’ll load up Hydra to crack it:
And just like that we get Chris’ password: crystal! Alright, time to log in with these creds!
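From the blue-team side, both of the steps above leave distinctive traces: the user-agent enumeration is a burst of requests from one client with a different, unrealistically short User-Agent on each request, and the Hydra run is a string of failed FTP logins from one address followed by a success. The following Python script is an added example (not part of this walkthrough or of TryHackMe’s material) that parses constructed Apache combined-format and vsftpd-style log lines and flags both patterns; the log lines, IP addresses, timestamps and thresholds are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format (not from the box).
# One client cycles through single-letter User-Agents; the other is a normal browser.
ACCESS_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "R"
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 512 "-" "A"
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 512 "-" "B"
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 302 0 "-" "C"
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
"""

# Constructed sample lines in vsftpd's default log style (not from the box).
FTP_LOG = """\
Tue Oct 10 14:01:02 2023 [pid 1201] [chris] FAIL LOGIN: Client "10.0.0.5"
Tue Oct 10 14:01:02 2023 [pid 1203] [chris] FAIL LOGIN: Client "10.0.0.5"
Tue Oct 10 14:01:03 2023 [pid 1205] [chris] FAIL LOGIN: Client "10.0.0.5"
Tue Oct 10 14:01:03 2023 [pid 1207] [chris] FAIL LOGIN: Client "10.0.0.5"
Tue Oct 10 14:01:04 2023 [pid 1209] [chris] OK LOGIN: Client "10.0.0.5"
Tue Oct 10 14:05:44 2023 [pid 1301] [chris] FAIL LOGIN: Client "10.0.0.22"
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
FTP_RE = re.compile(r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')


def user_agent_churn(log_text, min_distinct=3, short_len=2):
    """Flag client IPs that present many distinct User-Agents, or any
    User-Agent too short to be a real browser string."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            seen[m["ip"]].add(m["ua"])
    findings = {}
    for ip, uas in seen.items():
        short = sorted(ua for ua in uas if len(ua) <= short_len)
        if len(uas) >= min_distinct or short:
            findings[ip] = {"distinct": len(uas), "short": short}
    return findings


def ftp_bruteforce(log_text, threshold=3):
    """Count FAIL LOGIN per client; a later OK LOGIN from the same client after
    the failures is the highest-priority case (the guess worked)."""
    failures = defaultdict(int)
    success_after = defaultdict(bool)
    for line in log_text.splitlines():
        m = FTP_RE.search(line)
        if not m:
            continue
        ip = m["ip"]
        if m["result"] == "FAIL":
            failures[ip] += 1
        elif failures[ip] > 0:
            success_after[ip] = True
    return {ip: {"failures": n, "success_after": success_after[ip]}
            for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for ip, info in user_agent_churn(ACCESS_LOG).items():
        print(f"[web] {ip}: {info['distinct']} distinct UAs, short UAs {info['short']}")
    for ip, info in ftp_bruteforce(FTP_LOG).items():
        print(f"[ftp] {ip}: {info['failures']} failed logins, "
              f"success afterwards: {info['success_after']}")
```

Real deployments would window the counts by time and whitelist known scanners, but the two signals themselves, User-Agent churn from one address and failure-then-success on FTP, are what an alert for this box’s first two steps should key on.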
A few files here so we’ll quickly download them with the mget * command:
Now that the files are downloaded, let’s start by opening the text file:
So it looks like there is a login password stored in the fake pictures, so I broke out steghide to see if I could find anything. There is a passphrase needed for the “cute-alien.jpg” image, but we don’t have anything yet to use (Chris’ password didn’t work). What about the PNG file? We get an error saying the file format is not supported. So is something embedded in it? Let’s use binwalk to find out:
Ah ha! A zip file! Let’s extract it:
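Two things are worth understanding here: steghide only handles JPEG, BMP, WAV and AU files, which is why it rejected the PNG, and binwalk finds an archive by scanning for known file signatures past the point where the image data should have ended. To show what binwalk is noticing, this added Python example (not from the walkthrough or TryHackMe) builds a minimal PNG in memory, appends a zip archive after the IEND chunk, which is a common way a file ends up concealed inside an image, then walks the chunk structure to find where the real image ends and identifies the trailing payload. The pixel data and the file name inside the zip are constructed for the example; it does not recover anything from the box’s actual images.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_SIG = b"PK\x03\x04"   # local file header signature of a zip archive


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png_with_payload(payload: bytes) -> bytes:
    """Build a valid 1x1 RGB PNG and append an arbitrary payload after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")             # filter byte + one black pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return png + payload


def build_sample() -> bytes:
    """Constructed sample: a PNG with a small zip hidden after the image data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("secret.txt", "constructed sample text\n")
    return make_png_with_payload(buf.getvalue())


def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        pos += 8 + length + 4          # header + data + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("truncated PNG: no IEND chunk")


def find_trailing_payload(data: bytes):
    """Report bytes that sit after the image proper, classifying a zip by signature."""
    end = png_end_offset(data)
    trailer = data[end:]
    if not trailer:
        return None
    kind = "zip" if trailer.startswith(ZIP_SIG) else "unknown"
    return {"offset": end, "size": len(trailer), "kind": kind}


def list_embedded_zip(data: bytes):
    """List (name, is_encrypted) for each member of a zip appended to the PNG."""
    info = find_trailing_payload(data)
    if not info or info["kind"] != "zip":
        return []
    with zipfile.ZipFile(io.BytesIO(data[info["offset"]:])) as zf:
        # bit 0 of the general-purpose flag marks a password-protected entry
        return [(zi.filename, bool(zi.flag_bits & 0x1)) for zi in zf.infolist()]


if __name__ == "__main__":
    sample = build_sample()
    print(find_trailing_payload(sample))
    print(list_embedded_zip(sample))
```

A clean PNG returns None from find_trailing_payload; anything after IEND is either junk a careless tool left behind or something deliberately tucked in, and the is_encrypted flag on each member tells you up front whether a password is needed, which is exactly the situation the next step of the walkthrough runs into.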
Bad news though, it looks like it’s encrypted:
No big deal, we’ll just need to crack the password. John to the rescue!
And we’re returned (rather quickly) with a password: alien!
Great! Now we should be able to unzip the file! (FYI, I ran into an error when running the unzip command, so I used 7z)
Perfect, now let’s cat the new output!
A few minutes of Googling led me to learn that the string ‘QXJlYTUx’ is Base64, so it will need to be decoded:
Ok, so now I think we have the passphrase to use with steghide on the other picture!
Perfect, now let’s cat the message.txt file!
We now have a set of credentials! And looking back at our Nmap scan, there is port 22 open, meaning we can SSH in! Let’s try it with these creds:
Let’s grab the user flag!
Alright, now let’s look for a way to escalate our privileges!
A Google search for (ALL, !root) /bin/bash returns a vulnerability from Exploit-DB, where we can simply run the following:
sudo -u#-1 /bin/bash
Let’s try it!
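The root cause here is a sudoers rule that tries to grant “run as anyone except root” with a deny-list: on unpatched sudo, the user ID -1 slipped past the !root check and was then handled as uid 0. Patching sudo closes that hole, but rules of this shape stay fragile by design, and an explicit allow-list of the users a command really needs is the durable fix. The Python script below is an added example (not from the walkthrough or TryHackMe) that parses a constructed sudoers excerpt, flags Runas specifications that combine ALL with a negated entry, and prints an explicit-Runas rewrite for each; the usernames and commands in the sample are invented.

```python
import re

# Constructed sudoers excerpt (not from the machine). The "analyst" rule has the
# "(ALL, !root)" shape discussed above; the other two are explicit allow-lists.
SUDOERS_SAMPLE = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
analyst ALL=(ALL, !root) /bin/bash
deploy  ALL=(www-data) NOPASSWD: /usr/bin/systemctl restart app
"""

# who  hosts=(runas_users[:runas_groups]) commands
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return user-specification rules as dicts; comments and Defaults are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({k: (m[k] or "").strip() for k in ("who", "hosts", "runas", "cmds")})
    return rules


def audit_runas(rules):
    """Flag rules whose Runas user list grants ALL and then subtracts users with '!'."""
    findings = []
    for r in rules:
        # Only the user half of "users:groups" matters for sudo -u.
        users = [u.strip() for u in r["runas"].split(":")[0].split(",") if u.strip()]
        if "ALL" in users and any(u.startswith("!") for u in users):
            findings.append({
                "rule": f'{r["who"]} {r["hosts"]}=({r["runas"]}) {r["cmds"]}',
                "problem": "Runas grants ALL and relies on a '!' exclusion; "
                           "list the users actually needed instead",
                "suggested": f'{r["who"]} {r["hosts"]}=(<allowed-user>) {r["cmds"]}',
            })
    return findings


if __name__ == "__main__":
    for f in audit_runas(parse_sudoers(SUDOERS_SAMPLE)):
        print("FLAGGED  :", f["rule"])
        print("  why    :", f["problem"])
        print("  rewrite:", f["suggested"])
```

Running this over a real sudoers file (and the drop-ins under /etc/sudoers.d) is a quick way to find every rule that depends on negation; pair it with keeping sudo current, since a patched sudo refuses the -u#-1 trick outright.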
Root flag achieved!
This was a very fun box that touched on a variety of subjects such as user-agents, password cracking, and even steganography! Another amazing box by the great people over at TryHackMe!
Thanks for reading!