THM Agent Sudo Walkthrough


Greetings earthlings! Welcome back to another walkthrough, this time for the Agent Sudo room by TryHackMe. Hoody on, coffee brewed, let's go!

Deploy the machine, and click the box to say you've done so, easy points right there.

As always, we will start with an nmap scan, see what we are dealing with here:


We have FTP on 21, SSH on 22 and a http web server running on port 80. There's no anonymous log in on the FTP server, so I'm going to start with the web server. Set Gobuster running, and let's browse the page whilst we wait for the results.

Nothing interesting back from the gobuster scan, but the webpage gives us a bit of a clue, it says we need to change our user-agent in order to access the site. There is a great guide of how to do this in Firefox here. After trying a couple of obvious guesses (using Agent R as a starting point), I get the right user-agent and the webpage changes to this:


So now we have a potential username, and the indication that this user has a weak password! As we found no login pages with gobuster, I'm going to try and use this information against the FTP server. Time for THC Hydra and a bit of brute forcing.....


All Hail Hydra!

Username, tick. Password, tick. Login....




Tick.

Let's grab all the files and get out of there.


I like it when servers say goodbye, it's very polite!

The text file tells us that that one of the agent's login details are stored within an alien picture. Sounds like steganography to me. We can run steghide to see of there's anything there in the images we got from the server.


Hmm, I don't think I've missed anything that could have contained a password for the steganography, so that hasn't worked. Let's try a different tool instead.


That's more like it, we've got a zip file. A password protected zip file of course, it's never that straight forward! Not to worry, we can use zip2john to brute it wide open.


These folk need some education on strong password usage. Now we can unzip the folder and view the text file within.



Looks like a password to me! I'm going to go ahead and try it against the other image that steghide struggled with earlier.


Nope.

Possible encoded? I'll see what CyberChef has to say about this.

That is definitely a password this time! I should have probably noticed the Base64 encoding in the first place, but no worries, we know we are right now.


No explanation needed for the above. It's time for SSH and the user flag.


The other question is asking about the incident shown in the photo, if you don't recognise it then copy it to your box with scp, and then a quick reverse image search on yandex will give you the answer.

Now all we need is root....


So that's saying that we can run bash as everyone, but we cant run it as root. Looks fishy to me, there's nothing on GTFOBins, but searching it on duckduckgo gives us a CVE for privilege escalation from exploitDB. Perfect!



Looks good to me. Let's fire the command in and escalate.


Congrats if you followed along and made it all the way here!

Many thanks do DesKel (Agent R) for the box, without you guys creating them there would be nothing for us to break!

Comments

Post a Comment

Popular posts from this blog

THM RootMe Walkthrough

Image
Welcome back geeks (a term of endearment I assure you). Today we are going to do a quick guided walkthrough of the RootMe box by  TryHackMe . Without further ado, start your engines and get ready for the nmap scan. This answers the first two questions: Scan the machine, how many ports are open? What version of Apache is running? It then tells us to perform a directory list scan on the box, and find the hidden directory. Easy enough! Browsing to our secret directory, we find a landing page with what looks to be an upload form. Im going to go straight for gold and see if it will take a php reverse shell. The one we are going to be using is the PentestMonkey PHP-Reverse-Shell. Make sure to edit the shell to contain your IP and listening port before uploading. Nope. Not sure what language that is, but I'm pretty certain it translates as "Nice try, not going to happen". I'm guessing it's a file extension filter, we can try and bypass that by changing our shell to php5.
Read more

Defending against physical intrusion attacks - The under door tool.

Image
Good morning all, how are we doing today? Watch anything good on Netflix recently? Many plans for the bank holiday weekend? Did you remember to deadbolt the office before you left yesterday? Wait… what? Yesterday the postman came. And this is what he brought me: What the hell is that?   Well it’s an under door tool (UDT) of course. A thin piece of flexible metal attached to a string, that can be folded away and neatly concealed in a rucksack, belt, or there are even versions that can be dismantled and stored in a pocket  (great video by the notsocivilengineer - showing a homemade collapsable UDT). So what does it do? And why should I care about your stupid bendy metal rubbish? This tool is designed to bypass the type of doors that are locked from the outside, but open with just an operation of the handle from the inside. They are usually accompanied by an RFID entry system or a code. This means you need to have the authentication to get in, but anyone can get out. And herein lies the f
Read more

THM Brooklyn Nine Nine Walkthrough

Image
Welcome to my walkthrough of the Brooklyn Nine Nine box from TryHackMe.com. This is my first writeup, so apologies in advance for any mistakes. I will try to keep things spoiler free whilst also showing as much information as possible. So without further delay, lets begin. First things first, start both the machine and the Attack Box, this takes a few minutes, so I'm going to grab a brew in the meantime. Hacking doesn't work without caffeine (and a black hoodie of course)! Ok. so coffee is sorted and box is loaded. Lets begin with an nmap scan, we're not trying to be stealthy here so I use aggressive mode with a full TCP connect and scan all ports. THM are known to hide things on obscure ports so best to check them all even if it does take a little longer. Scan results are in! We have port 21 running an FTP server, anonymous login is allowed and looks like we have an interesting file called "note_to_****.txt" . We are also running SSH on port 22 and HTTP on port 8
Read more