Agent Sudo
November 22, 2022
Last updated: November 22, 2022
Upon launching the box and entering the site, I am greeted with this:
I check whether any extra directories exist and run an nmap scan to find some access points. No helpful directories exist, but there are three open ports: ftp, ssh, and http.
Next, I looked into the User-Agent codenames, and at first I was confused about how to approach this and what my input should be. Eventually, I found that the User-Agent header should be changed to a single letter of the alphabet. After trying A, B, and C, I got this message with C as the User-Agent:
Now that I had a username, I could attempt to brute-force the FTP service. Hydra works perfectly and recovers the password "crystal".
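From the defender's side, the brute-force step above leaves a very recognisable trace: a burst of failed logins from one source followed by a success. The script below is an added example, not part of the original write-up, that scans vsftpd-style log lines for exactly that pattern. The log lines, the username "alice", the IP addresses and the timestamps are all constructed for the example; the line format is assumed to follow vsftpd's "[pid N] [user] FAIL LOGIN: Client "ip"" layout and would need adjusting for another FTP daemon.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed vsftpd-style log lines for this example (hosts, user and
# timestamps are made up; nothing here is taken from the room).
SAMPLE_LOG = """\
Tue Nov 22 10:00:01 2022 [pid 1201] [alice] FAIL LOGIN: Client "10.10.14.5"
Tue Nov 22 10:00:01 2022 [pid 1203] [alice] FAIL LOGIN: Client "10.10.14.5"
Tue Nov 22 10:00:02 2022 [pid 1205] [alice] FAIL LOGIN: Client "10.10.14.5"
Tue Nov 22 10:00:02 2022 [pid 1207] [alice] FAIL LOGIN: Client "10.10.14.5"
Tue Nov 22 10:00:03 2022 [pid 1209] [alice] FAIL LOGIN: Client "10.10.14.5"
Tue Nov 22 10:00:03 2022 [pid 1211] [alice] OK LOGIN: Client "10.10.14.5"
Tue Nov 22 10:05:00 2022 [pid 1300] [alice] FAIL LOGIN: Client "192.168.1.20"
Tue Nov 22 10:20:00 2022 [pid 1310] [alice] OK LOGIN: Client "192.168.1.20"
"""

# Assumed vsftpd layout: timestamp [pid N] [user] OK|FAIL LOGIN: Client "ip"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$'
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> list:
    """Flag sources with `threshold` failed logins inside `window`, and
    escalate when the same source then logs in successfully."""
    failures = defaultdict(list)  # source ip -> recent failure timestamps
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth event (or a line format we don't parse)
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        ip = m["ip"]
        # keep only the failures that are still inside the sliding window
        recent = [t for t in failures[ip] if ts - t <= window]
        if m["result"] == "FAIL":
            recent.append(ts)
            if len(recent) == threshold:  # alert once, when the burst starts
                alerts.append({"kind": "burst", "ip": ip, "user": m["user"],
                               "at": ts, "failures": len(recent)})
        elif len(recent) >= threshold:
            # a success right after a burst is the sign that a guess worked
            alerts.append({"kind": "success_after_burst", "ip": ip,
                           "user": m["user"], "at": ts, "failures": len(recent)})
        failures[ip] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample data the first source trips the burst rule on its fifth failure and then produces the higher-severity "success_after_burst" event; the second source, with one failure fifteen minutes before its login, stays quiet. In practice the same rule is what a fail2ban jail or a SIEM correlation search implements, and the mitigation on the service side is rate limiting plus not exposing FTP with password authentication at all.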
There were a few files to retrieve: two .png files and one .txt file. The text file stated this:
I then ran binwalk to extract embedded data from at least one of the .png files and got a folder called "_cutie.png.extracted". Inside that directory I found a zip file that was password protected. This requires a tool like zip2john to get the hash, then john to recover the password so the file can be unzipped.
Once unzipped, I opened a message that contained a potential password; however, it did not work as a valid credential, so I figured that something was not complete.
After base64-decoding it, I got this password.
After all that, I used steghide against the untouched .png file. It prompted for a password as expected and delivered a text file.
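The binwalk step works because the zip was simply appended after the end of the image, and a PNG decoder stops reading at the IEND chunk. The script below is an added example (not from the write-up or from binwalk) of the check an analyst would run over a batch of images to find that kind of appended payload: it walks the PNG chunk table, finds where the image legitimately ends, and reports whatever follows together with its file-type magic. The sample PNG and the appended fake zip header are constructed inline; nothing from the room's files is used. Note that this only catches data appended after the image; data hidden inside the image content, the way steghide does it, needs statistical or tool-specific analysis instead.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Magic bytes of containers often found appended to image files.
# Constructed table for this example; extend as needed.
KNOWN_MAGIC = {
    b"PK\x03\x04": "zip archive",
    b"\x1f\x8b": "gzip stream",
    b"Rar!\x1a\x07": "rar archive",
    b"7z\xbc\xaf\x27\x1c": "7-zip archive",
}


def png_chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, data, CRC over type+data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed 1x1 RGB PNG used as sample input (not a file from the room)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk.

    Raises ValueError if the data is not a well-formed PNG, so a file with
    a damaged chunk table is reported rather than silently passed.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # header + data + CRC
        if chunk_end > len(data):
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    raise ValueError("no IEND chunk found")


def trailing_payload(data: bytes) -> dict:
    """Report bytes that follow IEND; this is where appended archives live
    and what binwalk's signature scan turns up at a non-zero offset."""
    end = png_end_offset(data)
    tail = data[end:]
    label = None
    if tail:
        label = "unknown"
        for magic, name in KNOWN_MAGIC.items():
            if tail.startswith(magic):
                label = name
                break
    return {"png_bytes": end, "trailing_bytes": len(tail), "trailing_type": label}


if __name__ == "__main__":
    clean = build_minimal_png()
    # Constructed sample: a fake zip local-file header glued on after IEND
    stuffed = clean + b"PK\x03\x04" + b"\x14\x00" + b"\x00" * 24 + b"secret.txt"
    print(trailing_payload(clean))    # clean file: 0 trailing bytes
    print(trailing_payload(stuffed))  # reports a zip archive after the image
```

The chunk walk is deliberately strict: a truncated or length-corrupted chunk raises instead of being skipped, because an image whose chunk table does not parse is itself worth a look. Pointing the same function at a directory of uploads is a cheap way to catch polyglot files before they reach a user's browser or an archive extractor.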
SSH in as the user with those credentials and get the user flag. Next, use scp james@<IP>:Alien_autospy.jpg ./ to get the image onto your attacker machine. You can view the message and drop the image into a reverse image search, then use some keywords from the image plus "Fox News". You should quickly be able to find what incident the photo is referring to.
Lastly, check james's privileges with sudo -l, and you will notice that james can run /bin/bash as any user except root.
Simply searching for (ALL, !root) /bin/bash will turn up an exploit on Exploit-DB:
CVE-2019-14287 https://www.exploit-db.com/exploits/47502
After reading through the exploit, you can find this command: sudo -u#-1 /bin/bash. This grants root access, and you can then retrieve the final flag!
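The root cause here is a sudoers rule that tries to restrict a user by excluding root from the Runas list, combined with a sudo older than 1.8.28, where the fix for CVE-2019-14287 landed. The script below is an added example, not part of the write-up or of the sudo project, of the audit a sysadmin would run to catch that combination: it parses sudoers-style rules, flags any that rely on Runas negation, and rates them against the installed sudo version. The sudoers lines and the "Sudo version 1.8.21p2" string are constructed samples, and the <allowed-user> in the suggested fix is a placeholder for the specific account the rule should name.

```python
import re

# Constructed sudoers-style rules for this example (not the room's file).
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
james   ALL=(ALL, !root) /bin/bash
deploy  ALL=(www-data) /usr/bin/systemctl restart app
ops     ALL=(ALL, !#0) NOPASSWD: /bin/sh
"""

# A user spec with a Runas list in parentheses: who  hosts=(runas) commands
RULE_RE = re.compile(r'^(?P<who>\S+)\s+(?P<hosts>\S+)=\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$')
FIXED_VERSION = (1, 8, 28)  # CVE-2019-14287 is fixed from sudo 1.8.28 onward


def parse_sudo_version(text: str) -> tuple:
    """Turn 'Sudo version 1.8.21p2' into (1, 8, 21); the pN suffix is ignored."""
    m = re.search(r'(\d+)\.(\d+)\.(\d+)', text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups())


def negated_runas(runas_spec: str) -> list:
    """Return negated entries ('!root', '!#0') from a Runas list like 'ALL, !root'."""
    return [e.strip() for e in runas_spec.split(",") if e.strip().startswith("!")]


def audit_sudoers(text: str, sudo_version: tuple) -> list:
    """Report rules that rely on Runas negation, rated by the installed sudo."""
    vulnerable = sudo_version < FIXED_VERSION
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # only whole-line comments are skipped: a '#' inside a rule, as in '!#0', is a uid
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        negated = negated_runas(m["runas"])
        if not negated:
            continue
        if vulnerable:
            severity = "high"
            why = ("sudo < 1.8.28 maps uid -1 / 4294967295 to 0, so the "
                   "'!root' exclusion is bypassed (CVE-2019-14287)")
        else:
            severity = "medium"
            why = "Runas negation is not a reliable restriction; list the allowed accounts instead"
        findings.append({"line": lineno, "user": m["who"], "runas": m["runas"],
                         "negated": negated, "severity": severity, "why": why,
                         # <allowed-user> is a placeholder for the account the rule should name
                         "fix": f"{m['who']} {m['hosts']}=(<allowed-user>) {m['cmds']}"})
    return findings


if __name__ == "__main__":
    version = parse_sudo_version("Sudo version 1.8.21p2")  # constructed sample output
    for f in audit_sudoers(SAMPLE_SUDOERS, version):
        print(f"line {f['line']} [{f['severity']}] {f['user']}: ({f['runas']}) -> {f['why']}")
        print(f"  suggested: {f['fix']}")
```

Even on a patched sudo the finding is kept at medium severity: the sudoers manual itself warns that negation in a Runas or command list cannot be relied on as a security boundary, so the durable fix is to upgrade sudo and rewrite the rule as an explicit allowlist of the accounts james actually needs to become.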