Agent Sudo — Try Hack Me Room

Task 2 Enumerate

How many open ports?

How you redirect yourself to a secret page?

Main page shows that “use your Codename as User-agent”. One of the use’s Code name is Agent R therefore let’s assume all the Agent’s code name represent 26 letters of Alphabet.

So the Answer is user-agent

What is the agent name?

hint-You might face problem on using Firefox. Try ‘user agent switcher’ plugin with user agent: C

The given hint shows that changing the User-Agent in the request must redirect to another webpage.
First step is to capture the request via Burp and send it to the intruder to further investigation.

Then select the User-Agent and create a brute force attack which contain full English Alphabet

When its running Letter C, status code is Change to 302 which mean redirect
to another URL.
In the Response request has a variable call Location it has a URL

This is the message that shows in that URL

Task 3 Hash cracking and brute-force

FTP password

In the above task we got the username and now we need run Brute force attack using Hydra to get the Password

Command → hydra -l Chris -P /usr/share/wordlists/rockyou.txt ftp://10.10.117.53

So The Password is crystal

Zip file password

Now we Have the username and the password.
Lets now login to the ftp server.

There are 3 file to download Run the Command Get <FILE_NAME>

In Hint it mention that Password is Hidden in the Image files.
Let’s use Binwalk to extract the images

After extraction of the image. There will be a Zip file protected by password.

Let’s use Zip2john to get the Hash of the Zip and using that we can crack the password.

steg password

Now we know the Password lets run the command 7z e <zip_file> to unzip the file
when it is unzip there will be a file call To_agentR.txt

When it is open you can see there is message for agent C a.k.a Chris

To_agentR.txt file had some encoded password. Using Cyberchef we can get the password for that.

Who is the other agent (in full name)?

James

SSH password

We can use the password we obtain from the previous step to get the SSH password. Password hid inside the image. Using steghide secret massage can be extract.

Password is Hackerrules!

Task 4 Capture the user flag

Now Lets login to the system using SSH

there are 2 files in the James home DIR one is USER.TXT and another one is Alien_autospy.jpg

FLAG — b03d975e8c92a7c04146cfa7a5a317

Now let’s Download the that image using below command

scp username@<IP>:<FILE_NAME> <DOWNLAOD_PATH>

To find out the name of the Image article. we need to upload it to Google’s image search engine. This is the article that mention in the internet

What is the incident of the photo called?

Roswell Alien autopsy

Task 5 Privilege escalation

Lets Run sudo -l to find out what type of programs that James can run with SUDO privileges

The Sudo version That run in the James machine is 1.8.21p2. It’s a old version of sudo. lets try to find an exploit for this vulnerability

Doing some research in the google I was able to find an exploit for this, link is provided here

To get the root access need to run this command
sudo -u#-1 /bin/bash

CVE number for the escalation

CVE-2019–14287

What is the root flag?

b53a02f55b57d4439e3341834d70c062

(Bonus) Who is Agent R?

DesKel

--

--

--

Associate security Engineer At Hsenid mobile

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

The Various Types Cyber Security Breaches

Introducing Hexa Wallet

ISOEH’s Initiatives for The Next Generation Cyber Security

Why is Cybersecurity Important?

Why is Cybersecurity Important?

How to setup your personal 2017 edition to online security

By staking EFUN tokens, you will get EFUN rewards.

Scaling Appsec at Netflix

GQUIC Protocol Analysis and Fingerprinting in Zeek

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
mohomed arfath

mohomed arfath

Associate security Engineer At Hsenid mobile

More from Medium

Mr Robot CTF Writeup

Bounty-Hunter-HTB-Writeup

Dig Dug(EASY) — Try hack Me

TryHackMe: [Day 19] Blue Teaming Something Phishy Is Going On