Agent Sudo CTF Challenge

Dear Hacker friends! Today we are going to take a walk-through of a TryHackMe room called “Agent Sudo”. The room is listed as an easy room and covers a lot of different tools and aspects of security, which makes it a great room for beginners to complete.

First things first! Make sure you have deployed your machine and connected to the TryHackMe VPN.

So let’s begin,

#Enumeration

Let’s enumerate the machine and get all the important information using Nmap.

This machine has 3 OPEN ports.

Since port 80 is open, let us visit the web page. I looked at the source code and didn’t find anything.

From the web page we’ve got a clue that we can access the hidden page by changing our User-Agent.

In order to change the User-Agent and see the response, let us start Burp Suite. I opened Burp Suite and intercepted the request. If you look closely, every agent’s name is a single letter. In the image above I had already changed the User-Agent to B and sent it to the server; nothing came back. So I turned intercept on in Burp Suite and sent the request to Intruder, changing the User-Agent to a single letter, like the letter we got from Agent R.

There we set our target and specify which position we want to change by enclosing the section in ‘§§’.

We then head to the Payloads tab and specify a wordlist, which in our case is just a list of each letter. Then we hit Start Attack:

On every request we get status 200, but for User-Agent: C we get status 302 (redirect):

As we can see, the response redirects us to “agent_C_attention.php”. Let us visit that web page! From there, we see the following message:
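From the defender’s side, the Intruder run above leaves a very recognisable trace in the web server log: one client sending a burst of distinct one-letter User-Agent values to the same path, with exactly one response (the 302) that differs from the rest. The following is an added example, not code from the room or from the original post; the log lines are constructed, and the combined log format and the thresholds (min_distinct, max_ua_len) are assumptions.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format: client, ident, user, time, request, status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic): one client cycles single-letter User-Agents
# A..F against the same path and gets a 302 for "C"; a second client is a normal browser.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "A"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "B"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 302 0 "-" "C"
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "D"
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "E"
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "F"
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
"""

def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect_ua_fuzzing(log_text, min_distinct=4, max_ua_len=3):
    """Flag clients that sent many distinct, implausibly short User-Agent values.

    Returns {ip: {"distinct_uas": n, "non_200": [(ua, status), ...]}} for flagged clients.
    A browser sends one long UA; a short UA that changes on every request is a fuzzing signal,
    and the response whose status differs from the rest is the one worth reviewing.
    """
    per_client = defaultdict(lambda: {"uas": set(), "non_200": []})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or len(rec["ua"]) > max_ua_len:
            continue  # unparseable, or a normal-looking client string
        entry = per_client[rec["ip"]]
        entry["uas"].add(rec["ua"])
        if rec["status"] != "200":
            entry["non_200"].append((rec["ua"], rec["status"]))
    return {
        ip: {"distinct_uas": len(e["uas"]), "non_200": e["non_200"]}
        for ip, e in per_client.items()
        if len(e["uas"]) >= min_distinct
    }

if __name__ == "__main__":
    for ip, info in detect_ua_fuzzing(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_uas']} short User-Agents, anomalous responses {info['non_200']}")
```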

#Hash cracking and brute-force

Since we now have a username and know that the user has a weak password, we can try to brute-force the login! Let us brute-force the FTP password using Hydra and rockyou.txt.

We run Hydra with the username we found:

hydra -l chris -P /usr/share/wordlists/rockyou.txt 10.10.94.89 ftp

After some time, Hydra returns with an answer:
Username: chris
Password: crystal

Let us log into the FTP server and see what content it has:

We see 3 files – let us download them to our machine, using the following commands:

We can use the cat or nano command to see the content of the text file; we got this message.

The next two files are image files. The first thing that came to mind was running steghide and exiftool on them; however, this gave me nothing. I tried running strings on them, and cutie.png looked like it had some text file hidden in it. I decided to use binwalk on it, a tool for finding embedded files and executables inside images.
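What binwalk does here is a signature scan: a PNG ends with its IEND chunk, so any ZIP local file header found after that point is foreign data appended to the image, and the header’s general-purpose flag bit 0 tells you whether the entry is password protected before you even try to extract it. The following is an added example, not code from the room or the original post; the PNG and the appended archive are constructed in the block, and the entry name To_agentR.txt is borrowed from the room only as sample content.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HDR = b"PK\x03\x04"

def png_end_offset(data):
    """Return the offset just past IEND; bytes beyond it are not image data, but binwalk finds them."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        pos += 8 + length + 4  # length/type header, payload, CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("truncated PNG: no IEND chunk")

def find_embedded_zip_entries(data):
    """Return (offset, name, encrypted) for each ZIP local file header found after IEND."""
    found = []
    pos = png_end_offset(data)
    while (pos := data.find(ZIP_LOCAL_HDR, pos)) != -1:
        # Local file header layout: sig(4) ver(2) flags(2) ... name_len at +26, name at +30.
        flags = struct.unpack_from("<H", data, pos + 6)[0]
        name_len = struct.unpack_from("<H", data, pos + 26)[0]
        name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        found.append((pos, name, bool(flags & 0x1)))  # flag bit 0 = entry is encrypted
        pos += 4
    return found

def build_sample_png_with_zip(encrypted=False):
    """Constructed input: a 1x1 PNG with a ZIP holding To_agentR.txt appended after IEND."""
    # zipfile cannot write encrypted archives, so encrypted=True only sets the header flag bit.
    def chunk(ctype, payload):
        crc = zlib.crc32(ctype + payload)
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit greyscale
    png = PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b"")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("To_agentR.txt", "constructed sample text")
    zdata = bytearray(buf.getvalue())
    if encrypted:
        zdata[6] |= 0x1
    return png + bytes(zdata)
```

Running find_embedded_zip_entries on a real image from disk works the same way; a result with encrypted=True is the case where a tool such as zip2john comes next.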

This showed that a zip file was hidden in the image:

This gave us a zip file, 8702.zip, which was password protected. Using John, this was crackable:

We use zip2john to turn the zip file into a hash format that john can read, and then let john crack the hash:

  • zip2john 8702.zip > output.txt
  • john output.txt

Now that I have found the zip password, “alien”, I can unzip the archive and view the To_agentR.txt file.

‘QXJlYTUx’ looks like a base64 string, so let’s try to decode it.

Now, let us try steghide on the other image with our newly found password to extract its hidden content:

I viewed the content of the extracted hidden file “message.txt” using the “cat” command.

In this message, we find the name of the other Agent, james! We also find his password, hackerrules!

#Capture the user flag

Now that we have the username and password, let’s try SSH; the command is “ssh james@IP”.

Once logged in to the system, we find the user flag in our current directory.

There was an image “Alien_autospy.jpg”. I downloaded the image to my machine with scp.

With a Google image search, finding the name was simple: “Roswell Alien Autopsy”.

#Privilege escalation

I checked whether there are any programs I can run as another user without providing that user’s password, using “sudo -l”.

It looks like we can run /bin/bash as any user except root. I did a quick Google search and found a security bypass vulnerability in sudo versions < 1.8.28.

Any user id equal to 0 is considered the root user (# is the symbolic way of representing root). So the way I think of “#-1” is like 0 – 1 = 0: the machine considers -1 to be the root user.
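The two conditions that make this escalation possible are both auditable on a host: a sudo binary older than 1.8.28, and a sudoers rule that tries to exclude root with a Runas list like (ALL, !root). The following is an added example, not code from the room or the original post; the sudo version string and the sudoers excerpt are constructed inputs, and the rule regex covers the common one-line rule form only (no Defaults lines, aliases or continuation lines).

```python
import re

# Constructed sample inputs (not taken from the room's machine).
SAMPLE_SUDO_V = "Sudo version 1.8.21p2\nSudoers policy plugin version 1.8.21p2\n"
SAMPLE_SUDOERS = """\
# constructed /etc/sudoers excerpt
root    ALL=(ALL:ALL) ALL
james   ALL=(ALL, !root) /bin/bash
deploy  ALL=(www-data) NOPASSWD: /usr/bin/systemctl restart app
"""

FIXED_VERSION = (1, 8, 28)  # first sudo release where the "#-1" runas bypass no longer works

def parse_sudo_version(output):
    """Turn 'Sudo version 1.8.21p2' into (1, 8, 21); the 'p' patch level does not matter here."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("could not find a sudo version string")
    return tuple(int(x) for x in m.groups())

def find_negated_root_rules(sudoers_text):
    """Return (user, runas_spec, commands) for rules whose Runas list is 'ALL' minus '!root'.

    Such a rule reads as "any user but root", but on an affected sudo a numeric user id of -1
    is not rejected by '!root' (it is not 0) and the command still ends up running as uid 0.
    """
    rule_re = re.compile(r"^(?P<user>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")
    hits = []
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        m = rule_re.match(line)
        if not m:
            continue
        runas_users = [u.strip() for u in m["runas"].split(":")[0].split(",")]
        if "ALL" in runas_users and "!root" in runas_users:
            hits.append((m["user"], m["runas"], m["cmds"].strip()))
    return hits

def audit(sudo_version_output, sudoers_text):
    """Combine both checks: the negation is only bypassable when the binary itself is affected."""
    version = parse_sudo_version(sudo_version_output)
    risky = find_negated_root_rules(sudoers_text)
    affected = version < FIXED_VERSION
    return {
        "version": version,
        "affected_version": affected,
        "negated_root_rules": risky,
        "exploitable": affected and bool(risky),
    }
```

On a live host the two inputs come from the output of sudo -V and the contents of /etc/sudoers (plus /etc/sudoers.d); the fix is either to upgrade sudo or to replace the negated rule with an explicit list of permitted target users.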

Now that we have access as the root user, let’s list the contents of the current directory using the “ls” command; we find only the user flag. To find the root flag we changed to the root directory, and using the cat command we found the root flag. Hooray!

#Conclusion

I believe you have enjoyed this room. We’ve learned about a lot of different tools and have gained a better understanding of them. All in all, I believe this room is a great room for beginners. I would like to thank TryHackMe for making this box free (no subscription required) and the author of the box, DesKel.

Published by Rajendra

I am an Industrial Automation Engineer with 15+ years of experience in Operational Technologies such as Programmable Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA) software, and Distributed Control Systems (DCS) such as Siemens PLCs, PCS7, Rockwell PLCs, GE Proficy iFIX SCADA, Proficy Historian, Kepware/Matrikon OPC servers, IoT gateways and Industry 4.0. I have solid knowledge of cGxP, S88, S95, GAMP5, Data Integrity and 21 CFR Part 11. Besides that, I am familiar with industrial control system security, vulnerability analysis methodologies, security policy development and validating the security of systems, Penetration Testing, Red Teaming, the IEC 62443 Security Framework, NIST, etc. I am also well experienced in Quality Assurance and Equipment Qualifications, with experience in the preparation and execution of validation documents (commissioning/validation plans, test protocols FAT, SAT, IQ, OQ and Technical Summary Reports).
