TryHackMe – Agent Sudo Walkthrough

Introduction / About This Walkthrough:

In my walkthroughs I try to provide a unique perspective into the topics covered by the room. Sometimes I will also review a topic that isn’t covered in the TryHackMe room because I feel it may be a useful supplement.

I try to prevent spoilers by making finding the solutions a manual action, similar to how you might watch a video of a walkthrough; they can be found in the walkthrough but require an intentional action to obtain. Always try to work as hard as you can through every problem and only use the solutions as a last resort. If you’re struggling, take heart in the fact that I am also a newbie; if I can find the way through this box, then you can too!

This room can be found at: https://tryhackme.com/room/agentsudoctf

Walkthrough for TryHackMe Agent Sudo

Task 2 – Enumerate

Enumerate the machine and get all the important information.

Task 2 – Question 1

How many open ports?

A standard, no-frills nmap scan is a great way to start any CTF:

Agent Sudo nmap.

Just to make sure, I ran an all-ports scan (using the ‘-p-’ option):

I will also run a version scan on these specific ports so that I can enumerate these services to look for known vulnerabilities.

Looking at the open ports, my first thoughts are to try an anonymous FTP login and to visit port 80 in a web browser. Directory enumeration with a tool like dirb or gobuster also seems likely to be useful.

Answer (Highlight Below):

3

Task 2 – Question 2

How you redirect yourself to a secret page?

Since we found that port 80 is open and there appears to be a web server, I like to try manually visiting the default page using a web browser. Sometimes I will also start directory enumeration before manually visiting the port as well.

In this case, I found that the default page gives us the answer to this question:

The default page on Agent Sudo's web server.

Answer (Highlight Below):

user-agent

Task 2 – Question 3

What is the agent name?

There are a few ways to do this, but I decided to use Burp Suite because it provides so much detail about the requests and responses, along with tools that make things easier.

I started Burp Suite, redirected my browser traffic through it using FoxyProxy, and refreshed the page. I sent the request to Repeater so that I could look at both the request and the response:

Using Burp Suite to intercept the GET request in Agent Sudo.

At this point, I know that I need to change the User-Agent field but I’m not sure what to change it to. We can use Intruder to brute force a wordlist, but this might take a while.

Noticing that the message on the web page is signed “From, Agent R”, I decided to use Intruder with a wordlist consisting of each letter of the alphabet, A through Z.

Using Burp Suite to launch an Intruder attack on Agent Sudo.

First, I replaced the default User-Agent with the value ‘A’, then I marked it as a payload position so Burp Suite would know which value to substitute during the attack.

Next I generated my wordlist in the Payloads tab:

Generating payload for Intruder attack on Agent Sudo.

I ran the attack and sorted the responses by length:

Results from Intruder attack on Agent Sudo.

It looks like both ‘R’ and ‘C’ resulted in unique responses. Looking at the responses, it seems that Agent C is redirected to a different page, ‘agent_C_attention.php’.

Note the redirect.

Using the browser to navigate to this page I found the following:

Navigating to the secret page on Agent Sudo.

We still need to find a way to gain a foothold, but we have what we need to answer Question 3.
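From the defender's side, the enumeration above leaves a very recognisable trace in the web server's access log: one client requesting the same path over and over within a few seconds, with a different, very short User-Agent on each request, and one of those requests drawing a different response than the rest. The following Python script is an added example (not part of the original walkthrough or the room) that parses constructed Apache combined-format log lines, flags that pattern with a sliding time window, and reports the odd-one-out response. The log lines, IP addresses, timestamps and thresholds are all assumptions made up for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def _line(ip, hhmmss, path, status, ua):
    """Build one constructed combined-format log line (sample data, not real traffic)."""
    return (f'{ip} - - [01/Jan/2024:{hhmmss} +0000] "GET {path} HTTP/1.1" '
            f'{status} 218 "-" "{ua}"')


# Constructed sample log: one client (an assumed documentation-range IP) first browses
# normally, then hits "/" once per letter A..L within a few seconds; the letter "C"
# draws a 302 instead of a 200. A second, unrelated client is included as a control.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.5", "10:00:01", "/", 200, "Mozilla/5.0 (X11; Linux x86_64) Firefox/102.0")]
    + [_line("203.0.113.5", f"10:00:{5 + i // 3:02d}", "/", 302 if letter == "C" else 200, letter)
       for i, letter in enumerate("ABCDEFGHIJKL")]
    + [_line("198.51.100.20", "10:01:00", "/", 200, "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"),
       _line("198.51.100.20", "10:01:02", "/style.css", 200, "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0")]
)


def parse_log(log_text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"], "path": m["path"], "ua": m["ua"], "status": m["status"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        })
    return events


def detect_ua_enumeration(log_text, window_seconds=60, min_distinct_agents=5):
    """Flag (ip, path) pairs that present at least min_distinct_agents different
    User-Agent values inside a window_seconds sliding window. For each flagged pair,
    also list the requests whose status differed from the majority: the same
    "odd one out" an enumerator finds by sorting Intruder results by length."""
    by_key = defaultdict(list)
    for ev in parse_log(log_text):
        by_key[(ev["ip"], ev["path"])].append(ev)

    alerts = []
    for (ip, path), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = Counter()   # User-Agent -> number of requests currently inside the window
        start = 0
        flagged = False
        for ev in evs:
            in_window[ev["ua"]] += 1
            # slide the window start forward until it is within window_seconds of this event
            while (ev["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                old_ua = evs[start]["ua"]
                in_window[old_ua] -= 1
                if in_window[old_ua] == 0:
                    del in_window[old_ua]
                start += 1
            if len(in_window) >= min_distinct_agents:
                flagged = True
                break
        if not flagged:
            continue
        majority_status = Counter(e["status"] for e in evs).most_common(1)[0][0]
        odd = [(e["ua"], e["status"]) for e in evs if e["status"] != majority_status]
        alerts.append({
            "ip": ip, "path": path,
            "distinct_agents": len({e["ua"] for e in evs}),
            "odd_responses": odd,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_ua_enumeration(SAMPLE_LOG):
        print(f"{alert['ip']} enumerated {alert['path']} with "
              f"{alert['distinct_agents']} User-Agents; odd responses: {alert['odd_responses']}")
```

The threshold of five distinct agents in sixty seconds is deliberately low so the tiny sample trips it; on a real server, tune it against normal traffic first, and treat the odd-response list as the interesting part, since it tells you which value the client was rewarded for guessing.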

Answer (Highlight Below):

chris

Task 3 – Hash cracking and brute force

Done enumerate the machine? Time to brute your way out.

Task 3 – Question 1

FTP password

We have a username, and it’s always a good idea to try using credentials anywhere we can. In this case, we know that the machine is running FTP and SSH, and perhaps there is even a web app login. Each of these might let us use found credentials.

Question 1 directs us to use FTP, so that’s where we’ll start. We have a possible username, “chris”. If chris has a weak password, as the message indicates, then there’s a good chance it can be brute-forced.

Newbie Note: We are proceeding with brute forcing the password because we already discovered a potential username. Without a username, we would have to brute-force both username and password, which in general is far more time-consuming and often infeasible.

We can use hydra to attempt a password brute force using ftp:

hydra -l chris -P /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10k-most-common.txt ftp://<IP>

Cracking the ftp password in Agent Sudo.

Looks like we got credentials! Yeah!

Answer (Highlight Below):

crystal

Task 3 – Question 2

Zip file password

Now that we have an FTP login, we need to see what we can do with it.

Connecting using FTP in Agent Sudo.

First, we can use dir to list what is in the FTP directory:

Listing the contents of the FTP directory in Agent Sudo.

There are three files here that are definitely of interest. We can get all of them using mget *

Getting the contents of the FTP directory on Agent Sudo.

Exiting ftp, I confirmed that the files transferred correctly and used cat to read the txt file:

Output of To_agentJ.txt on Agent Sudo.

Looks like we have some steganography in store for us.

My go-to tool for steganography is steghide, but it doesn’t support .png files, and cute-alien.jpg requires a password. Googling ‘steghide png’ led me to a helpful resource from 0xRick, where I learned that foremost can be used to extract data embedded in .png files.

According to the documentation on github,

“Foremost is a Linux program to recover files based on their headers and footers. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers are specified by a configuration file, so you can pick and choose which headers you want to look for.”

https://github.com/korczis/foremost

The foremost tool needed to be installed using apt install foremost, which only took a few moments.

Next I fed it cutie.png using the command: foremost -i cutie.png

Foremost created a new directory named output that contained two directories and a txt file named ‘audit.txt’:

Output of the foremost tool.

It looks like foremost split cutie.png into an image component and a zip component. The zip directory contains a zip file named ‘00000067.zip’, which must be the zip file the question refers to.
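To show what foremost is actually doing here, the following Python script is an added example (not from the original post or the foremost project): it builds a constructed 1x1 PNG, appends a small zip to it the way cutie.png carries one, walks the PNG chunk list to find where the image legitimately ends, and then carves the zip out by its ‘PK\x03\x04’ local-file header and its end-of-central-directory footer, which is the same header/footer matching the foremost description quoted above. The sample image, the member name and all bytes are constructed for the example, not the room’s files.

```python
import io
import struct
import zipfile
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HEADER = b"PK\x03\x04"   # first zip entry (the "header" foremost searches for)
ZIP_EOCD = b"PK\x05\x06"           # end-of-central-directory record (the "footer")


def build_sample_png(width=1, height=1):
    """Construct a minimal valid 8-bit RGB PNG (sample data, not the room's cutie.png)."""
    def chunk(kind, data):
        body = kind + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))  # filter 0 + red pixels
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def build_sample_zip(member_name, text):
    """Construct a small zip archive in memory (sample data, not the room's 00000067.zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, text)
    return buf.getvalue()


def png_end_offset(data):
    """Walk the chunk list and return the offset just past IEND, or None if not a PNG."""
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        kind = data[pos + 4:pos + 8]
        pos += 8 + length + 4          # length + type + data + CRC
        if kind == b"IEND":
            return pos
    return None                        # truncated: no IEND chunk found


def carve_zip(data):
    """Header/footer carving as foremost does it: locate the first local-file header,
    then the last EOCD record after it, and return everything in between (EOCD
    included, plus its variable-length trailing comment)."""
    start = data.find(ZIP_LOCAL_HEADER)
    if start < 0:
        return None
    eocd = data.rfind(ZIP_EOCD, start)
    if eocd < 0 or eocd + 22 > len(data):
        return None
    comment_len = struct.unpack("<H", data[eocd + 20:eocd + 22])[0]
    return data[start:eocd + 22 + comment_len]


def analyze(data):
    """Report whether bytes trail the PNG and, if a zip is carved from them, its members."""
    png_end = png_end_offset(data)
    report = {"is_png": png_end is not None, "trailing_bytes": 0, "zip_members": []}
    if png_end is None:
        return report
    report["trailing_bytes"] = len(data) - png_end
    carved = carve_zip(data[png_end:])
    if carved is not None:
        with zipfile.ZipFile(io.BytesIO(carved)) as zf:
            report["zip_members"] = zf.namelist()
    return report


if __name__ == "__main__":
    polyglot = build_sample_png() + build_sample_zip("To_agentR.txt", "constructed sample text")
    print(analyze(polyglot))
```

The useful tell for a reviewer is trailing_bytes: a well-formed PNG ends at IEND, so any bytes after it are something an image viewer (and the file command) will happily ignore, which is exactly why a file like cutie.png deserves a second look.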

Cracking the password will require two steps:

1) Use zip2john to extract the password hash from the zip file
2) Run john (john the ripper) to crack the password

Using zip2john and john on Agent Sudo.

Answer (Highlight Below):

alien

Task 3 – Question 3

steg password

Now that we have the password for the zip file, we can keep digging.

I extracted the contents of the zip file using the password and found that it contained a .txt file named ‘To_agentR.txt’.

Extracting the zip file.

This file references ‘QXJlYTUx’, which looks like Base64 to me. I popped this into CyberChef, which recognized it instantly and decoded it using the magic wand tool:

Using CyberChef to decode Base64 in Agent Sudo.

I then tried running steghide against cute-alien.jpg using the command below (-sf names the stego file to extract from; steghide then prompts for the passphrase):

steghide --extract -sf cute-alien.jpg

Using steghide in Agent Sudo.

It looks like our CyberChef output works as the password for steghide!

Answer (Highlight Below):

Area51

Task 3 – Question 4

Who is the other agent (in full name)?

This message contains some important details. It gives us the name of the other agent, as well as a ‘login password’. We have credentials!

Getting credentials.

Answer (Highlight Below):

james

Task 3 – Question 5

SSH password

When we got the credentials from the message hidden in cute-alien.jpg, we were given both a potential username and a password. It’s always a good idea to try found credentials against every service we know about.

In this case, we can try logging into James’ account using SSH:

Logging in using SSH in Agent Sudo.

And…we’re in!

Answer (Highlight Below):

hackerrules!

Task 4 – Capture the User flag

You know the drill.

In most CTFs there are two primary flags: a user flag and a root flag. They aren’t usually hard to find; they exist to prove that we have successfully accessed the machine as a user (the user flag) and that we have successfully escalated privileges (the root flag).

The user flag is typically in an aptly named file in the user’s home directory, and the root flag is in a file in the /root directory (on a Linux machine, which is what most web servers run).

Task 4 – Question 1

What is the user flag?

Once I get a shell, I usually like to figure out what directory I am in using the pwd command, and to list the contents of that directory.

In this case, I am in the /home/james directory (which we would expect), and there is an interesting file called ‘user_flag.txt’. I used the cat command to obtain the flag:

User flag in Agent Sudo.

Answer (Highlight Below):

b03d975e8c92a7c04146cfa7a5a313c7

Task 4 – Question 2

What is the incident of the photo called?

We saw that there is another interesting file called Alien_autospy.jpg in the /home/james directory.

Note that this file name is misspelled (‘autospy’, not ‘autopsy’!); this tripped me up for a few minutes when I was trying to copy it to my local machine using scp:

scp james@<IP>:Alien_autospy.jpg .

Using scp in Agent Sudo.

We can do a reverse image search on this jpg using Google:

Reverse image search Agent Sudo.

Answer (Highlight Below):

Roswell alien autopsy

Task 5 – Privilege Escalation

Task 5 – Question 1

CVE number for the escalation
(Format: CVE-xxxx-xxxx)

Enough with the extraordinary stuff? Time to get real.

Okay, I’m going to level with you: the privilege escalation here requires a trick that is worth learning but is often neglected or not highlighted in most privesc tutorials.

The secret is in the name of the box (Agent Sudo).

It is always good to start looking for a way to escalate privileges with sudo -l. This lists any binaries we are allowed to run using the sudo command. Misconfigurations here can easily let us gain a root shell, and we can always lean on GTFOBins to quickly cross-check anything that comes up.

In this case, sudo -l tells us that we can run /bin/bash as any user other than root:

Enumerating sudo.

Now if we check the sudo version using sudo -V (capital V; lowercase -v only refreshes your cached credentials and prints nothing useful), we see the following:

Sudo -v Agent Sudo

If we google ‘sudo version 1.8.21 exploit’, we find the following result on exploit-db:

CVE Agent Sudo.

Answer (Highlight Below):

Paste and hide answer

Task 5 – Question 2

What is the root flag?

The entry on exploit-db actually tells us exactly how we can exploit this vulnerability.

Remember our results from sudo -l earlier? It turns out that we can exploit the fact that we can run /bin/bash as any user:

sudo -u#-1 /bin/bash

This command asks sudo to run /bin/bash as the user with UID ‘-1’, which this sudo version’s flawed handling resolves to UID 0, the root user.
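The sudoers shape behind that sudo -l output is a Runas list of the form (ALL, !root): every target user is allowed except root. The following Python script is an added example, not from the walkthrough or the sudo project, that audits constructed sudoers lines for that “ALL minus exclusions” pattern and checks a sudo -V banner against the upstream release that fixed the -u#-1 bypass. The sudoers content and banner are made up for the example, and the version threshold is an upstream number that ignores distribution backports, so a “needs review” result is a prompt to check your package advisories, not a verdict.

```python
import re

# Constructed sudoers content (not the room's real file). The "james" line is the shape
# that sudo -l reported on this box: /bin/bash as any user except root.
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
james   ALL=(ALL, !root) /bin/bash
backup  ALL=(ALL, !root, !www-data) NOPASSWD: /usr/bin/rsync
alice   ALL=(www-data) /usr/bin/tail /var/log/nginx/access.log
"""

# Constructed `sudo -V` banner for an unpatched 1.8.21 build (sample text, not captured).
SAMPLE_SUDO_V = "Sudo version 1.8.21p2\nSudoers policy plugin version 1.8.21p2\n"

# Upstream release that fixed the `-u#-1` bypass (assumption stated in the lead-in).
# Distributions backport security fixes without bumping this number, so "needs review"
# means check your package advisories, not that the host is definitely vulnerable.
PATCHED_UPSTREAM = (1, 8, 28)

SUDO_VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)")
# user_or_group  hosts=(runas_users[:runas_groups])  [tags:] commands
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.*)$")


def parse_sudo_version(sudo_v_output):
    """Return (major, minor, patch) from a `sudo -V` banner, or None if absent."""
    m = SUDO_VERSION_RE.search(sudo_v_output)
    return tuple(int(x) for x in m.groups()) if m else None


def version_needs_review(version):
    """True when the reported upstream version predates the fix."""
    return version is not None and version < PATCHED_UPSTREAM


def parse_sudoers(text):
    """Parse user specs that carry an explicit (runas) list. Comments, Defaults lines
    and specs without a runas list are skipped: they cannot show this pattern."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groupdict())
    return rules


def audit_runas_exclusions(rules):
    """Flag rules whose Runas user list is 'ALL minus some users'. A deny-style list
    is weaker than an explicit allow list, and on sudo builds affected by the -u#-1
    flaw the exclusion could be sidestepped by naming the target user by UID."""
    findings = []
    for r in rules:
        runas_users = [u.strip() for u in r["runas"].split(":")[0].split(",") if u.strip()]
        excluded = [u[1:] for u in runas_users if u.startswith("!")]
        if "ALL" in runas_users and excluded:
            findings.append({"who": r["who"], "cmds": r["cmds"].strip(), "excluded": excluded})
    return findings


def audit(sudoers_text, sudo_v_output):
    """Combine the version check and the rule audit into one report."""
    version = parse_sudo_version(sudo_v_output)
    return {
        "sudo_version": version,
        "version_needs_review": version_needs_review(version),
        "risky_rules": audit_runas_exclusions(parse_sudoers(sudoers_text)),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_SUDOERS, SAMPLE_SUDO_V)
    print(f"sudo {'.'.join(map(str, report['sudo_version']))} "
          f"needs review: {report['version_needs_review']}")
    for f in report["risky_rules"]:
        print(f"{f['who']}: runs {f['cmds']} as ALL except {', '.join(f['excluded'])}")
```

The fix on the configuration side is the alice-style rule: name the one account the command should run as, rather than granting ALL and subtracting root. Run the audit against the output of sudo -l or visudo -c on real hosts only with the owner’s authorisation.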

Privilege escalation Agent Sudo.

Now let’s get the root flag!

Root flag Agent Sudo.

Answer (Highlight Below):

b53a02f55b57d4439e3341834d70c062

Task 5 – Question 3

(Bonus) Who is Agent R?

The answer is in the root flag message.

Answer (Highlight Below):

DesKel

Conclusion

Overall, I really enjoyed this room. I spent a good amount of time (malding) on the privilege escalation, including cross-checking service and OS versions repeatedly. The answer turned out to be an out-of-date sudo version, and I added this to my privilege escalation notes.

A huge thanks to tryhackme for putting this room together!