Hello Readers! Today Today's walk through the Agent Sudo CTF machine from Tryhackme. This box is very complex and tricky . This box is also design where we can get the root flag with privilege escalation too.
Let’s Do It
Most of the Boxes are outstanding and it is one of them. This Box taught me many new technique for more enumeration, OSINT, stenography and cryptography use.
Deploy the machine and get the IP address.
Today I introduced new scan rustscan which have nmap bind in it which is faster than nmap tool.
rustscan <IP ADD>
After get rustscan result, I will check the web service which is running on port 80.
As there are other 22-SSH and 21-FTP is also open.
Let first check the web page.
I am not able to find more details so i decided to check this site using BurpSuite tool.
Follow the steps shown in snap.
It understood this is related to the BurpSuite. So I forward the request to the BurpSuite.
But I was not able to figure out what I have to use, So it took some time for try and test method and then eventually I able to understand “R” is the agent name and this is some kind of code, So I should try with A, B, C and so on. Here am using page enumeration technique using BurpSuite.
I got some result with character C. When I was trying to intercept the request.
After getting the C I have to check the same on the Web page.
Response to this request and check the web page
We can redirect the page agent_C_attention.php. Here I can find the clue.
After checking the web I got the user name and note as state that user is using some weak password. In case of weak password I have try to crack it with hydra.
So hydra help us to crack the password. After getting user and password I have to try to access the FTP service which I got from the nmap scan.
After successfully FTP connection. Now I have download all the all files from the ftp. Now I need to check them and see if there is some information inside. You can used command mget or get or used browser to download the files from FTP.
I found the text file so that approach to check this first for any information.
This message is clearly saying I have to check for the picture for some data stored in it. So Here I have to use binwalk to extract any content inside the image.
After extraction I got one complete new directory, So that I have to check the that folder.
So here I found multiple files inside and there also one zip file.
Here the zip file is asking for password to extract.
So with help of the zip2john tool I will be cracking the file.
Password of the cracked file is visible after using john tool.
Follow the snap to do same.
After cracked the zip folder password, then I will be extracting the same zip folder with the help of 7z.
After I unzip the folder I can see that my old empty file To_agentR.txt(2) has new file from the archive data. So I have to check that file again.
After getting the new data, I can see that this is some type of coded 'QXJLYTUx' value and I need to decode it. So I go the base64.
After the password I have go to the folder and try to use the steghide to get the hide information inside the image cute-alien.jpg.
Here I got one extra file i.e message.txt. Let me read the content of the file.
After reading the file I can see that there is message to some user with login password details. So I have to try these details to login into ssh.
After login inside the ssh I got the user.txt.
So there is one more interesting image here, I need to download this image into local system and check it. So I have to put in FTP folder as we know the FTP is accessible to us.
Let's download this file. Follow the step from below snap.
I have download the image and when I open the image it was some like of alien picture, So I check the same image on the google.
Let's follow the news link to get more details about this incident.
So I redirect to the link which has this image and reading the article it was clear what exactly was this image related to.
After get the user.txt, I need to escalate my privilege and get the root shell. So I will search of the exploitable services from where I can get root shell.
Here I can find the details using command sudo -l.
After that I get details of currently running sudo version.
I found that this is vulnerable to bypass sudo security version.
https://www.exploit-db.com/exploits/47502 - Find the details here.
Now after applying the exploit I got the root shell and now I have to read the final flag.
Follow the snap for steps to execute root access.
I found the root.txt
Finally I got all the answer for the room.
Thanks for reading and I hope you liked this blog.
Happy Learning!!!