Written by Yusuf Bilal Batır.
[TR] TryHackMe Agent Sudo WriteUp
Hello everyone, in this article we’ll be solving the room named “Agent Sudo”. Let’s get straight to it.
Room: https://tryhackme.com/room/agentsudoctf
Enumerate
In order to gather information about the target we perform an “nmap” scan.
nmap -A 10.10.212.66
[Screenshot: nmap]
The scan shows 3 open ports: 21 (FTP), 22 (SSH) and 80 (HTTP). Since port 80 is open, there is a website we can look through.
[Screenshot: home page]
As the screenshot above shows, the page asks us to change the User-Agent of the request sent to the target to our codename, using Burp Suite. Let’s do that now.
To change the request sent to the target, we open the Proxy > Intercept tab in Burp Suite and refresh the page, which lets us see the request we need to modify. When we change the “User-Agent” value on the third line to “C”, we are redirected to another agent’s page.
[Screenshot: useragent]
Hash cracking and brute-force
[Screenshot: agentC]
The page we were redirected to is: http://10.10.212.66/agent_C_atte*****.php
This page contains a note about a weak password belonging to the agent ch***, so we have found the user to target. Since we are asked to find the FTP server’s password, we will run a brute-force attack against the FTP server on the target with the username we have gathered. For this stage we can use the hydra tool.
hydra -l ch*** -P rockyou.txt ftp://10.10.212.66
The -l parameter specifies the username and the -P parameter specifies the wordlist. When we launch the tool, we get the result.
[Screenshot: hydra]
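Seen from the defender's side, the dictionary attack described above appears as a burst of failed logins for one account from one client. The Python below is an added example, not part of the original write-up, that flags such bursts and notes whether a successful login followed; it assumes vsftpd-style log lines, and the log entries, addresses and the username `agent` are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed vsftpd-style line: <timestamp> [pid N] [user] OK|FAIL LOGIN: Client "ip"
LINE = re.compile(r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
                  r'\[(?P<user>[^\]]+)\] (?P<res>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')

def detect_bruteforce(lines, threshold=5, window=60):
    """Flag (client, user) pairs with >= threshold failures inside `window` seconds.
    Returns {(ip, user): {"failures": n, "succeeded_after": bool}}."""
    recent = defaultdict(deque)   # sliding window of failure timestamps per pair
    alerts = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        key = (m["ip"], m["user"])
        if m["res"] == "FAIL":
            q = recent[key]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:
                q.popleft()       # drop failures that fell out of the window
            if len(q) >= threshold:
                a = alerts.setdefault(key, {"failures": 0, "succeeded_after": False})
                a["failures"] = max(a["failures"], len(q))
        elif key in alerts:
            # A success right after a flagged burst means the password was guessed.
            alerts[key]["succeeded_after"] = True
    return alerts

# Constructed sample log: eight rapid failures, then a success, plus one benign typo.
SAMPLE_LOG = [f'Mon Jan 13 10:00:{s:02d} 2020 [pid 21{s:02d}] [agent] FAIL LOGIN: Client "10.0.0.5"'
              for s in range(1, 9)]
SAMPLE_LOG += [
    'Mon Jan 13 10:00:09 2020 [pid 2109] [agent] OK LOGIN: Client "10.0.0.5"',
    'Mon Jan 13 10:05:00 2020 [pid 2200] [backup] FAIL LOGIN: Client "10.0.0.9"',
    'Mon Jan 13 10:30:00 2020 [pid 2201] [backup] OK LOGIN: Client "10.0.0.9"',
]

if __name__ == "__main__":
    for (ip, user), info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} -> {user}: {info}")
```

An alert with `succeeded_after` set is the case to treat as a compromised account rather than just noise.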
Now we enter the information we have gathered into FileZilla and connect to the FTP server.
[Screenshot: filezilla]
There are 3 files on the server; let’s check whether we can find something valuable. When we examine the cutie.png file with the binwalk tool, we see that there are 3 files hidden in the picture. Let’s extract them. We use these commands:
binwalk cutie.png
binwalk -e cutie.png
[Screenshot: binwalk]
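binwalk finds embedded files by scanning for known file signatures. For a PNG, a narrower version of that check is to walk the chunks up to IEND and look at whatever follows. The Python below is an added example, not part of the original write-up: the sample image and ZIP are constructed in memory, and all function names are illustrative.

```python
import io, struct, zipfile, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAGIC = {b"PK\x03\x04": "zip archive", b"\x1f\x8b\x08": "gzip stream"}

def png_trailing_data(data):
    """Walk the PNG chunks and return (offset_after_IEND, bytes_after_IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):          # 4 length + 4 type + 4 CRC at minimum
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk")
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(data[pos + 4:end - 4]) != crc:
            raise ValueError("bad CRC in chunk %r" % ctype)
        pos = end
        if ctype == b"IEND":              # a well-formed PNG stops here
            return pos, data[pos:]
    raise ValueError("IEND chunk not found")

def classify(trailing):
    if not trailing:
        return "clean"
    for magic, name in MAGIC.items():
        if trailing.startswith(magic):
            return name
    return "unknown data"

def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def build_sample(with_payload):
    """Constructed sample: a 1x1 grayscale PNG, optionally followed by a ZIP."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b"")
    if not with_payload:
        return png
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed test payload")
    return png + buf.getvalue()

if __name__ == "__main__":
    for label, blob in (("plain", build_sample(False)), ("with zip", build_sample(True))):
        offset, extra = png_trailing_data(blob)
        print(f"{label}: PNG ends at {offset}, {len(extra)} trailing bytes -> {classify(extra)}")
```

Image viewers stop reading at IEND, which is why an image with appended data still displays normally.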
Now let’s start cracking the hash with the john tool.
john a.hash
Operation successful!
[Screenshot: john]
When we enter the password and extract the file, we find the following content.
[Screenshot: agentr]
Part of the text is Base64-encoded. We can decode it with any online decoder; decoding it gives “Are***”.
Remember that we were also given a jpg file; let’s examine it with the steghide tool. It asks for a password before showing the content. Let’s try the text we have just decoded (“Are***”). It works!
steghide extract -sf cute-alien.jpg
[Screenshot: steghide]
When we open the file, there is a message that gives us a username and an SSH password, so let’s log in.
ssh ja***@10.10.254.155
Capture the user flag
We are now logged in over SSH, so let’s read the user flag.
cat user_flag.txt
[Screenshot: user.txt]
Privilege Escalation
Now it’s time to escalate our privileges. First, let’s check what privileges we have.
sudo -l
[Screenshot: sudo-l]
We have access to all directories except the root directory, but that is the one we need. When I googled this particular situation, I came across this page: https://www.exploit-db.com/exploits/47502. To use the exploit, create a Python file, paste in the code from the page above, and then run it.
nano exploit.py
python3 exploit.py
After entering the username, we are root! Now let’s get the root flag.
[Screenshot: root.txt]
For more content, keep following!