Tryhackme: AgentSudo

walkthrough

Intro

Hola folks, This time let’s root AgentSudo from Tryhackme rated as Easy machine.

Initials

export IP=10.10.220.97

Port scanning

rustscan -a $IP --ulimit 5000 | tee rust.txt

Found 3 open ports 21, 22, 80

nmap

let’s dig deep into those ports

nmap -sC -sV -p21,22,80 oN nmap $IP -Pn 

nmap scan results

Further Recon

Tried FTP anonymous login → no luck (not allowed)

Port 80: http

foport 80

found this text on the port 80, Tried changing the user-agent header → no luck

But later the same method worked when I changed the browser and found this

With this we know that the user’s password is weak, let’s brute force it

Port 21: FTP

got the password

found three files on ftp server

Two of them were images, which I thought as Rabbit hole (same as last one) XD

and the another file contains a note

And with this note, I got to know that the images are not rabbit hole :D

After digging deep, I found one zip file inside one Image

The file is found to be encrypted. First convert the file to john readable

/usr/sbin/zip2john <image_name> > forjhon

Now crack it using john

After cracking, the zip file contains another note

That weird word is fishy, checked it on cyberchef.io and found it is base64 encoded XD

I checked for another image and uses this as password and it worked!! :o

Again that file contains another note, (I was like how many notes are left XD)

And we got the ssh password on this note, yayee

User

Login to ssh and we got the user flag

Root

First thing to do when you the user’s password is

sudo -l

This tells us that the user james can run any command as root except /bin/bash

Actually there’s a CVE (CVE-2019–14287) on this named “Sudo Security Bypass” and the fun part is I learned about this CVE/bug the same week XD
learn more about this CVE here

To exploit this, simple run the command

sudo -u#-1 /bin/bash

And we are root

With this we have completed this machine, Thanks for giving time to read this blog (:

|| Room || Twitter ||