Agentd Sudo — TryHackMe — Writeup

TonyRahmos
5 min read · Oct 16, 2020


Hello. I’m Rahmos. Here is my AgentdSudo-Tryhackme writeup. Check it out!

TASK 2

First, let’s check nmap for opened ports on this device.

nmap -Pn -T5 -vv <ip>

nmap

There are 3 open ports. So:

#1 3 is the answer to question 1

An Apache web server is running on this machine, so let’s visit its webpage.

We need the right user-agent to access the site. Looking at the hint, we know that the right user-agent is “C”.

#2 user-agent is the answer to question 2

Let’s change the user-agent by whatever method you prefer. I will use the browser dev tools to do it. After changing the user-agent to “C”, we can read the content.

So we know this user’s name is Chris, and also one more important piece of information: a weak password!

#3 chris is the answer to question 3

TASK 3

Now we know the user name, let’s crack his password using Hydra.

hydra -l chris -P /your-wordlist-path ftp://<ip>

Hydra

Now we know the password is: ******

Enter that password as the answer to question #1.

Now let’s ftp to the machine.

ftp

Successful! Let’s try a command to list the files. Error! So we need to switch to passive mode.

Type passive and press Enter.

passive mode

Here we go! We see there are 3 files in this directory. Let’s read the content of the txt file.

get To_agentJ.txt -

  • Specifying “-” as the destination prints the file straight to the terminal, so there is no need to download it to our machine first.
txt file

So now we know that the password for agent J is stored inside one of these two photos.

Let’s download both photos to our machine. In the ftp client, get takes a single file (a second argument would be treated as the local filename), so use mget for two files:

mget cute-alien.jpg cutie.png

get photos

Let’s look at their metadata. I will use Jeffrey Friedl’s image exif viewer.

Exif cute-alien.jpg
Exif cutie.png

Nothing useful. So let’s try steghide to extract hidden data inside this photo.

steghide --extract -sf /path-to-cutie.png

steghide cutie.png

Note that steghide cannot be used with .png images, so let’s try cute-alien.jpg instead.

First of all, we need to crack the steghide password of this image. I’m using stegcracker. You can download it here: https://github.com/Paradoxis/StegCracker

stegcracker /path-to-cute-alien.jpg

By default, it uses the rockyou.txt wordlist, or you can choose your own wordlist by specifying the -w flag.

Stegcracker

Cracked successfully! So the steg password is “area51” and you can see the extracted content at /path-to-cute-alien.jpg.out

#3 area51 is the answer to question 3

Let’s see the secret message.

cat /path-to-cute-alien.jpg.out

secret message

So, now we know that agent J is “james” and his password is “hackerrules!”

#4 james is the answer to question 4

#5 hackerrules! is the answer to question 5

However, there is also a “zip” password question left! So I think it’s hidden in cutie.png. Let’s find out with binwalk.

binwalk /path-to-cutie.png -e

Here we go! There is an 8702.zip embedded in this image. Let’s crack this zip’s password using john.

zip2john /path-to-8702.zip > output.txt

john --wordlist=/path-to-wordlist output.txt

After john has cracked the password, type:

john --show output.txt

zip’s password

So the password is “alien”.

#2 alien is the answer to question 2

Now ssh to the machine!

TASK 4

sshpass -p hackerrules! ssh james@<ip>

ssh

#1 Here we get the flag for question 1

Now let’s copy the photo to our machine using scp. In your machine terminal (not the ssh terminal), type:

scp james@<ip>:/home/james/Alien_autospy.jpg /destination-path

scp

Here we got the image. Let’s find some information about this image using reverse image search. The hint says “Foxnews”, so let’s find anything related to Foxnews with this image.

Fox News

Finally we found the answer.

#2 Roswell alien autopsy is the answer to question 2

TASK 5

Let’s find a way to get root!

First, try sudo -l to see which commands James can run as root.

Unfortunately, we cannot run any commands as root on this machine. So let’s try another way: find the version of sudo and search for an exploit.

sudo -V

sudo version

Sudo is running as version 1.8.21p2. Searching for exploits for this version leads us to a CVE:
https://www.cybersecurity-help.cz/vdb/SB2019101501

#1 CVE-2019-14287 is the answer to question 1

Now run the exact command to get root!

sudo -u#-1 bash -u

get root
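As an added defender-side example (not from the original post): a small Python checker that flags a sudo version older than the 1.8.28 fix for CVE-2019-14287 and scans sudo log lines for the uid -1 / 4294967295 target that this bug turns into root. The log lines are constructed, and the assumption that sudo records such a target as USER=#4294967295 (the 32-bit wrap of -1) follows the sudo advisory.

```python
import re

# Sudo 1.8.28 is the first release that fixes CVE-2019-14287.
FIXED_VERSION = (1, 8, 28, 0)

# First line of `sudo -V` looks like "Sudo version 1.8.21p2".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")
# Sudo's own log format: "sudo: user : TTY=... ; PWD=... ; USER=target ; COMMAND=..."
_LOG_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s*:.*?USER=(?P<target>[^;]+?)\s*;\s*COMMAND=(?P<cmd>.*)"
)

def parse_sudo_version(banner):
    """Turn a `sudo -V` banner into a comparable (major, minor, patch, plevel) tuple."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no sudo version found in: {banner!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))

def is_vulnerable_cve_2019_14287(banner):
    """True for any sudo older than 1.8.28 (exploitable only with a '!root' style sudoers rule)."""
    return parse_sudo_version(banner) < FIXED_VERSION

def is_minus_one_target(target):
    """True when the requested target user is the uid -1 / 4294967295 spec that maps to root."""
    target = target.strip().lstrip("#")
    try:
        uid = int(target)
    except ValueError:
        return False  # a normal user name such as "root" or "james"
    return uid in (-1, 0xFFFFFFFF)

def find_suspicious_sudo(lines):
    """Return (invoking user, command) for every log line targeting uid -1 / 4294967295."""
    hits = []
    for line in lines:
        m = _LOG_RE.search(line)
        if m and is_minus_one_target(m.group("target")):
            hits.append((m.group("user"), m.group("cmd").strip()))
    return hits

# Constructed sample log lines (not from the original post); the hostname is made up.
SAMPLE_LOG = [
    "Oct 16 10:01:02 agent-sudo sudo:    james : TTY=pts/0 ; PWD=/home/james ; USER=#4294967295 ; COMMAND=/bin/bash",
    "Oct 16 10:01:30 agent-sudo sudo:    james : TTY=pts/0 ; PWD=/home/james ; USER=root ; COMMAND=/usr/bin/id",
    "Oct 16 10:02:00 agent-sudo sudo:    james : TTY=pts/0 ; PWD=/home/james ; USER=#-1 ; COMMAND=/bin/bash",
]

if __name__ == "__main__":
    print("1.8.21p2 vulnerable:", is_vulnerable_cve_2019_14287("Sudo version 1.8.21p2"))
    print("suspicious sudo use:", find_suspicious_sudo(SAMPLE_LOG))
```

The version check alone is not proof of exposure: the bug only matters when sudoers grants a user a command as ALL but excludes root, which is exactly the kind of rule sudo -l reveals.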

Now I’m root! cat root.txt to see the flag.

the flag

Now we see the root flag and also the Agent R’s real name: DesKel

The end.

HAPPY HACKING
