Agent Sudo Walkthrough: TryHackMe
I started doing CTFs for my eJPT exam. Today we are going to do the Agent Sudo CTF on TryHackMe.
First I did a ping to the IP of the machine to check if it was online or not.
Task 1 (Author Note): No answer needed
Task 2:
How many open ports?
Started an Nmap scan on the target IP with the -sV -O -sC flags to get the versions of the running services and the type of operating system, and to run the default script scan.
The answer to this question is: 3
How you redirect yourself to a secret page?
Started a dirb scan in the background but got nothing.
As we know port 80 is running, I typed the IP in the browser and got this.
From this, I understood I needed to use Burp Suite, as I have to play with the user-agent.
So I changed the user agent to R and got this message.
So the answer is: user-agent
Then I changed the user agent name one by one from "A"; at "C" I got this message.
What is the agent name?
We got the agent name "chris".
Task 3:
FTP password
Brute-forced the FTP service with username chris and the rockyou.txt wordlist using hydra.
FTP password: crystal
Zip file password
After establishing the FTP connection, I downloaded all files to the local machine using the "get" command.
Now we need to analyze those images.
I did this using the exiftool and binwalk utilities.
Here I got to know that there is something zipped inside it, so extract it:
binwalk -e cutie.png
cd _cutie.png.extracted
Now we need to unzip this 8702.zip file, but it requires a password, so use the "zip2john" utility to convert this file into a john-crackable format.
zip2john 8702.zip > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
which gives us the password "alien"
Steg password
Now we can unzip this file, as we got the password:
7z e 8702.zip
Now we can read the message.
This text 'QXJlYTUx' doesn't make any sense, so I tried to decode it using CyberChef.
This gives us Area51.
And this is the password: Area51
Who is the other agent (in full name)?
steghide extract -sf cute-alien.jpg -p Area51
and it gave a text file named message.txt
The other agent's name is james
SSH password
Logged in with username james and password hackerrules! and I got a connection.
Password is hackerrules!
Task 4
What is the user flag?
What is the incident of the photo called?
Open a new terminal and copy the image to your local machine using the following command:
sudo scp james@10.10.216.228:/home/james/Alien_autospy.jpg .
Search for this image using Google image search, with Fox News as the source.
Answer: Roswell Alien Autopsy
Task 5
CVE number for the escalation
While checking the privileges of user james, I found these privileges.
Googled them to check how I can bypass them and got to know this is a vulnerability with CVE 2019-14287
What is the root flag?
Executed this command:
sudo -u#-1 /bin/bash
and the privileges have been elevated; now I can read the root flag.
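From the defender's side, CVE-2019-14287 only matters where a sudoers rule lets a user run as ALL but excludes root, on a sudo release older than 1.8.28. The following audit check is an added example, not part of the original walkthrough; the sudoers lines, user names and version strings in it are constructed sample data.

```shell
#!/bin/sh
# Added audit example for CVE-2019-14287; all sample data below is constructed.

# Print sudoers rules whose Runas list allows ALL but excludes root
# ("!root" or "!#0"), the restriction this CVE lets a user get around.
risky_runas_rules() {
    awk '
        /^[ \t]*#([^0-9]|$)/ { next }            # comments and #include lines
        match($0, /=[ \t]*\([^)]*\)/) {          # the "= (runas list)" part
            runas = substr($0, RSTART, RLENGTH)
            if (runas ~ /(^|[^A-Za-z_])ALL([^A-Za-z_]|$)/ &&
                runas ~ /![ \t]*(root|#0)([^A-Za-z0-9_]|$)/)
                print
        }'
}

# Return 0 when a sudo version string is older than 1.8.28, the fixed release.
sudo_is_pre_fix() {
    v=${1%%p*}                                   # 1.8.21p2 -> 1.8.21
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then patch=0; fi  # only two fields, e.g. 1.9
    patch=${patch%%[!0-9]*}; patch=${patch:-0}
    if   [ "$major" -ne 1 ]; then [ "$major" -lt 1 ]
    elif [ "$minor" -ne 8 ]; then [ "$minor" -lt 8 ]
    else [ "$patch" -lt 28 ]
    fi
}

# Constructed sudoers content: only the second rule has the risky pattern.
SAMPLE_SUDOERS='root ALL=(ALL:ALL) ALL
alice ALL=(ALL, !root) /bin/bash
deploy ALL=(www-data) /usr/bin/systemctl restart app
# bob ALL=(ALL, !root) /usr/bin/rsync'

printf '%s\n' "$SAMPLE_SUDOERS" | risky_runas_rules
for ver in 1.8.21p2 1.8.28; do
    if sudo_is_pre_fix "$ver"; then echo "sudo $ver: predates the fix"
    else echo "sudo $ver: has the fix"; fi
done
```

On a real host, feed risky_runas_rules the contents of /etc/sudoers and the files under /etc/sudoers.d, and take the version from the first line of `sudo -V`.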
(Bonus) Who is Agent R?
From the root.txt file we can see the answer: DesKel
Thank you. Do comment with any optimization advice.