Agent Sudo

Agent Sudo

Welcome to another THM exclusive CTF room. Your task is simple, capture the flags just like the other CTF room. Have Fun!

First step is to Enumerate the machine. Utilizing Nmap for this

We have 3 ports open (21, 22, and 80)

Looks like we will have to redirect ourselves on the page by using a different user-agent

Using Burp to intercept the request and update the user agent we receive this

Next step is to find the FTP password (using the username Chris)

Tool we are going to use with this is Hydra

There are a few files on here. The interesting one appears to be To_agentJ.txt

I was having some issues locating anything within the images using exiftool or steghide. Using the tool binwalk I was able to retrieve some hidden files from cutie.png

This presents us with a zip file with a password

This will require the assistance of the tool John

Password for zip file is alien

Decoding that in Cyberchef we get the word Area51

After checking into some more steghide documentation, I was able to utilize it to find a hidden message.txt in the cute-alien.jpg file

Now we have James’ username and his password hackerrules! Lets go ahead and ssh in

From here we are also going to grab the image file using scp

Taking this image and reverse image searching.

While attempting my VM froze up. Had to kill and relaunch. Created a different IP at this point

Using TinyEye to reverse image search led us to this article

From here we are going to escalate our privileges

Running the command sudo -l,  we see that james can run /bin/bash with root priv

Google search for (ALL, !root) /bin/bash CVE gives us CVE-2019-14287

https://www.exploit-db.com/exploits/47502

Boom we are now root