
Agent_Sudo

Reconnaissance

Figure 1.0

Figure 1.0 shows the nmap result for the IP 10.10.185.119. As we can see in Figure 1.0, there are three open ports: 21, 22 and 80. Let's enumerate ports 21 and 80.


Enumeration

Figure 2.0

Figure 2.0 shows the website hosted on the Agent Sudo VM. This page actually contains a clue: 'user-agent'. We can change our user-agent to observe how the web server behaves.

Figure 3.0

To change the user-agent you can intercept the request with Burp Suite or use a browser extension such as User-Agent Switcher. Figure 3.0 shows that I changed the user-agent from the default to R, since Figure 2.0 mentioned Agent R.

Figure 4.0

Figure 4.0 shows the result after changing the user-agent to R. We can see that it mentions '25 employees'. Since changing the user-agent to R in Figure 3.0 gave a different response, we can try brute-forcing or fuzzing the user-agent with 25 letters of the alphabet.

Figure 5.0
Figure 6.0

Figure 5.0 shows the user-agent changed to C, and Figure 6.0 shows the different webpage returned after that change. From this webpage we learn that C stands for 'chris', that there is another agent, J, and that it mentions a 'weak password'. We can try brute-forcing the FTP login credentials with hydra.

Figure 7.0
Figure 8.0

Figure 7.0 shows the command used to brute-force the FTP login credentials; I used the rockyou.txt wordlist. After a few seconds, we found the FTP credentials.
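Seen from the server side, a hydra run like the one above leaves a burst of FAIL LOGIN lines in vsftpd.log. The following is an added example, not part of the original writeup: it parses constructed vsftpd-style log lines (sample values, not captured from the box) and flags any client that exceeds a failure threshold within a time window, noting whether a successful login followed the burst.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in vsftpd.log format (not captured from the box).
SAMPLE_LOG = """\
Sat Dec 14 10:00:01 2019 [pid 1201] [chris] FAIL LOGIN: Client "10.10.14.5"
Sat Dec 14 10:00:01 2019 [pid 1203] [chris] FAIL LOGIN: Client "10.10.14.5"
Sat Dec 14 10:00:02 2019 [pid 1205] [chris] FAIL LOGIN: Client "10.10.14.5"
Sat Dec 14 10:00:02 2019 [pid 1207] [chris] FAIL LOGIN: Client "10.10.14.5"
Sat Dec 14 10:00:03 2019 [pid 1209] [chris] FAIL LOGIN: Client "10.10.14.5"
Sat Dec 14 10:00:03 2019 [pid 1211] [chris] OK LOGIN: Client "10.10.14.5"
Sat Dec 14 10:05:00 2019 [pid 1300] [chris] FAIL LOGIN: Client "10.10.14.9"
Sat Dec 14 10:06:00 2019 [pid 1302] [chris] OK LOGIN: Client "10.10.14.9"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$'
)

def parse(log_text):
    # Turn each vsftpd log line into a (timestamp, client_ip, user, result) tuple.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            events.append((ts, m.group("ip"), m.group("user"), m.group("result")))
    return events

def find_bruteforce(events, threshold=5, window_seconds=60):
    """Return {client_ip: (failures_in_window, success_followed)} for clients with
    at least `threshold` FAIL LOGIN events inside `window_seconds`."""
    per_ip = defaultdict(list)
    for ev in events:
        per_ip[ev[1]].append(ev)
    hits = {}
    for ip, evs in per_ip.items():
        fails = [ts for ts, _, _, r in evs if r == "FAIL"]
        for i in range(len(fails)):
            j = i  # grow the window from failure i while it stays inside window_seconds
            while j < len(fails) and (fails[j] - fails[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                burst_end = fails[j - 1]
                # An OK LOGIN at or after the burst means the weak password was found.
                success = any(r == "OK" and ts >= burst_end for ts, _, _, r in evs)
                hits[ip] = (j - i, success)
                break
    return hits
```

With the sample input, only 10.10.14.5 is reported (5 failures followed by a success); the single failure from 10.10.14.9 stays below the threshold.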

Figure 9.0

Figure 9.0 shows that there are a few files on the FTP server. We need to download all of them and check whether they contain any valuable information we can use to get into the box.

Figure 10.0

I opened the To_agentJ.txt file and found two hints: 'store real picture' and 'login password somehow stored in fake picture'.

Figure 11.0

Figure 11.0 shows a hidden file detected inside the cutie.png image. To extract it, we can run binwalk -e <file name>.

Figure 12.0

The zip file hidden in 'cutie.png' is password-protected. We can try to crack it with John the Ripper. In Figure 12.0 we can see it contains the file 'To_agentR.txt'.

  1. Extract the zip hash by using this command:

  2. To crack the hash value:

  3. Show the password:

Figure 13.0

Figure 13.0 shows the text message from the file 'To_agentR.txt'. It contains a base64 string, which we can try to decode.

Figure 14.0

Figure 14.0 shows the plain text after we successfully decoded it.

Figure 15.0

Figure 15.0 shows steghide being used to check whether there is a hidden message in the image. We can try the plain text we just decoded, 'Area 51', as the passphrase. And yes, the passphrase for the image is Area 51.

Figure 16.0

After reading the message.txt file, we get some information that could be the credentials for the SSH connection, which is

We can confirm the credentials using hydra, and yes, we have the SSH credentials.

Figure 17.0

After entering the machine, we find the 'user_flag.txt' file. That's the first flag.


Privilege Escalation

For the privilege escalation part we can try a few methods. The method I tried was checking the sudo version, by running the command:

Figure 18.0

The sudo version on the box is 1.8.27. After searching exploit-db I found a public exploit for this sudo version, so we can try it. Download the script and transfer it to the target machine. Run the exploit and yes, we have root privileges.

For this exploitation we need to know the user's password, since the machine asks for the password in order to execute the exploit script.

Find root flag

Figure 19.0

To find the root flag we can use the find command.
