Jasper Alblas
Hi! Welcome to this walkthrough on the TryHackMe room Agent Sudo. In this CTF challenge we get to hack inside the server to reveal the truth. Sounds awesome right?
Room URL: https://tryhackme.com/room/agentsudoctf
I am making these walkthroughs to keep myself motivated to learn cyber security, and to ensure that I remember the knowledge gained from THM’s rooms.
Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.
Not much more to do here than to say hi, and let’s have some fun!
Answer: No answer needed
Enumerate the machine and get all the important information
I first tried running nmap normally, but it returned no results, most likely because the machine does not respond to pings.
Therefore I switched to the -Pn flag, which treats all hosts as online. Here we see that 3 ports are open on the host: ports 21, 22 and 80.
Let’s get more info on them by using the -A flag. The -A flag runs a variety of scans, such as version and OS scans, as well as some scripts.
Three ports are open.
Answer: 3
We can see a service running on port 80. Port 80 is typically used for HTTP (Hypertext Transfer Protocol) traffic. It is the default port for web servers to serve web pages over an unencrypted connection. Let’s try looking at it in the browser by entering the target IP:
Well, we get a hint here. User-agent is a request header we can set when sending requests.
Answer: user-agent
We can use Burp Suite to intercept the request and edit the User-Agent header before sending it forward.
I thought it would be smart to use R as User-Agent as that is the name written on the main page.
This shows us the following page:
This is actually a hint. Since the head agent is called R, and he mentions 25 other employees, my assumption was that all agents are called by a letter (since we have 26 letters in the English alphabet).
I first tried adding A as user-agent, followed by B. This did nothing. But adding C redirects us to the following page:
Great! And even better, Agent R mentions a weak password.
Answer: Chris
Done enumerate the machine? Time to brute your way out.
Okay. We need to get the FTP password. We know that the username of the agent is either C or chris. Let’s try chris first. We will use hydra to crack the password, although we could also use a Metasploit module (ftp_login) or other tools.
hydra -l chris -P /usr/share/wordlists/rockyou.txt ftp://<target ip>
This quickly gave us the password:
Answer: crystal
Let’s enter the FTP with our newly acquired credentials:
You can use mget * to download all files.
Now we can read the txt file, which is addressed to Agent J:
It points us to a fake and a real picture. The fake picture hides the login password for Agent J.
There are different terminal commands to investigate the images. We can use the file command, but nothing seems strange in its output. Another possibility is using exiftool, which helps us to read the meta information of image files:
exiftool cutie.png
It mentions a warning: Trailer data after PNG IEND chunk.
Let’s dump the file to hex format by using xxd. We do this so we can read it more easily:
xxd cutie.png
Hmm.. some interesting text. This can also be seen when running strings cutie.png.
The last tool we can use is binwalk. Binwalk is a tool that allows you to search binary images for embedded files and executable code. Let’s try this out:
binwalk cutie.png
There we have it! There is a zip file hidden in the image, which in turn contains a txt file called To_agentR.txt.
We can extract the file by running the same command, together with the -e flag.
binwalk -e cutie.png
We can find the files in the _cutie.png.extracted folder.
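To show what exiftool’s "trailer data" warning and binwalk’s signature scan are actually detecting, here is an added Python example (not from the original walkthrough) that walks the PNG chunk structure, returns whatever follows the IEND chunk, and checks whether it starts with a ZIP local-file header. The PNG it builds is a constructed 1x1 image, so the script runs without the room’s files.

```python
import struct
import sys
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_trailer(data: bytes) -> bytes:
    """Walk the chunk list (length, type, data, crc) and return bytes after IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 12 + length  # 4 length + 4 type + data + 4 crc
        if chunk_end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        if ctype == b"IEND":
            return data[chunk_end:]  # a valid PNG ends here; anything else is a trailer
        pos = chunk_end
    raise ValueError("no IEND chunk found")


def classify_trailer(trailer: bytes) -> str:
    """Label the trailer the way a signature scanner such as binwalk would."""
    if not trailer:
        return "clean"
    if trailer.startswith(b"PK\x03\x04"):
        return "zip archive appended"
    return "unknown trailing data"


def make_png(width: int = 1, height: int = 1, extra: bytes = b"") -> bytes:
    """Build a minimal valid RGB PNG (constructed test input), plus optional appended bytes."""
    def chunk(ctype: bytes, payload: bytes) -> bytes:
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit RGB
    row = b"\x00" + b"\x00\x00\x00" * width  # filter byte + black pixels
    idat = zlib.compress(row * height)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"") + extra


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else make_png(extra=b"PK\x03\x04" + b"\x00" * 26)
    trailer = png_trailer(data)
    print("%s: %s (%d bytes after IEND)" % (path or "constructed.png", classify_trailer(trailer), len(trailer)))
```

Run it with a file path to inspect a real PNG; with no arguments it checks the constructed sample.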
But the zip file is protected by a password. Luckily, we can use the zip2john tool to convert the zip to a hash, so it can be cracked by john:
zip2john 8702.zip > hash.txt
Now we can crack it with john:
john hash.txt
We got the password. It took quite a few steps to get here. Good job 🙂
Answer: alien
Now we can open the zip file and read the txt file. We can do this with the following command:
7z e 8702.zip
This extracts the text file, which we can read with cat.
More clues. QXJlYTUx looks out of the ordinary. It looks base64 encoded.
We can try decoding it here:
This gives us area51.
Answer: area51
Now, this one was a bit trickier to be honest. We need to use steghide, which is used to find hidden files in image/audio files. While there is a hidden zip in the cutie file, there is a text message hidden in cute-alien.jpg:
Run:
steghide extract -sf cute-alien.jpg
This was the message agent C mentioned earlier! We found a message, together with a username and password!
Answer: james
SSH password
Answer: hackerrules!
You know the drill.
This one is easy. Simply log in to the SSH service with the username and password discovered in the previous step.
Answer: b03d975e8c92a7c04146cfa7a5a313c7
Exit the SSH session, and copy the jpg file from the target to your system with the following command:
sudo scp james@<target ip>:Alien_autospy.jpg ~/
Now it is time to do a reverse image search at https://images.google.com/. Use the search with image option and select the image.
The image is used in the following article:
Here we can read the name of the event.
Answer: Roswell alien autopsy
Enough with the extraordinary stuff? Time to get real.
Log back in on the SSH service with james. Try and see what commands james can run by running sudo -l.
This part is interesting:
(ALL, !root) /bin/bash
It means that we are allowed to run /bin/bash as any user except the root user.
Let’s see if we can find out more by googling. I came across the following page on exploitdb about how this can be exploited:
https://www.exploit-db.com/exploits/47502
This has the following CVE number: CVE-2019-14287. It allows us to get root access by running:
sudo -u#-1 /bin/bash
Answer: CVE-2019-14287
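From the defender’s side, the rule above is worth recognising on sight. This added Python example (not from the original walkthrough) audits sudoers text for Runas lists that grant ALL while excluding users with "!", the pattern CVE-2019-14287 abused, and checks whether a sudo version string predates the 1.8.28 fix. The sudoers sample is constructed for the demo.

```python
import re

# user  host=(runas_users[:runas_groups]) command   (alias lines are skipped below)
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmd>.*)$"
)
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

# Constructed sample, not the room's real sudoers file.
SAMPLE_SUDOERS = """
# constructed sample for the demo
Defaults env_reset
root ALL=(ALL:ALL) ALL
james ALL=(ALL, !root) /bin/bash
alice ALL=(www-data) /usr/bin/php
bob ALL=(ALL) NOPASSWD: /usr/bin/apt
"""


def runas_users(runas: str) -> list:
    """Return the user part of a Runas spec, dropping the optional ':group' part."""
    users = runas.split(":")[0]
    return [u.strip() for u in users.split(",") if u.strip()]


def risky_rules(sudoers_text: str) -> list:
    """Lines whose Runas list allows ALL users but carves some out with '!'.
    On sudo < 1.8.28 such a rule is bypassable with a negative/invalid uid."""
    flagged = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m or not m.group("runas"):
            continue
        users = runas_users(m.group("runas"))
        if "ALL" in users and any(u.startswith("!") for u in users):
            flagged.append(line)
    return flagged


def version_vulnerable(version: str) -> bool:
    """True when the version string (e.g. 'Sudo version 1.8.21p2') is older than 1.8.28."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return parts < [1, 8, 28]


if __name__ == "__main__":
    for rule in risky_rules(SAMPLE_SUDOERS):
        print("risky Runas rule:", rule)
    print("1.8.21p2 vulnerable:", version_vulnerable("Sudo version 1.8.21p2"))
```

On a real host, feed it the output of sudo --version and the contents of /etc/sudoers (and /etc/sudoers.d) rather than the sample; the fix is to upgrade sudo and to avoid "(ALL, !user)" style exclusions in favour of explicit allow-lists.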
Gain root access by entering the above command. Then change directory to the root and find the root.txt file.
Answer: b53a02f55b57d4439e3341834d70c062
The answer is in the same text file as the root flag.
Answer: DesKel
We are done! I hope you learned a lot by following along with this walkthrough on the TryHackMe Agent Sudo room.
You are welcome to comment on this article, and please share it with friends.