Agent Sudo

SVR Aravind
Jun 15, 2021

A beginner-level, easy Capture The Flag (CTF) that challenges beginners to solve a variety of tasks using available tools and to hack into a server to steal data. In this post, a course task from HackerU: RED Team Pentester, I will show the steps followed to get the flag.

Basic checks to be performed before attacking the machine:

1. Power on the Target Machine and make a note of the IP address.

2. Start your Kali Virtual Machine.

3. Connect to the TryHackMe OpenVPN.

Let’s start with an nmap scan.

-A: aggressive scan: basically it runs scripts for common things so you can better understand what is useful and what is useless.

-sV: version detection: great for searching for exploits related to the version of the running services.

-Pn: treat all hosts as online: skip host discovery.

-sC: equivalent to --script=default.

You can type “man nmap” to view a summary of the options.

The scan discovered three (3) open ports: FTP, SSH and HTTP, running on a Linux operating system.

Let us enumerate the server with gobuster directory search.

# gobuster dir -u http://10.10.188.42 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -x .php,.txt,.js,.html

I tried other directory wordlists and could not find anything significant other than index.php with a 200 status code. The rest of the directory search returned status code 403, which means the server refuses to authorize the request.

Let us browse to <Target Machine IP>, as it is running an HTTP service.

With the nmap scan, the first question can be answered.

Question 1: Refer to the nmap output.

The second question to be answered: How you redirect yourself to a secret page?

We have the mail from Agent R and we know what the secret page seems to be. So we have answered the second question.

Notice that the agents' codenames are single capitalized letters of the alphabet.

We still do not know the agent name, as we will have to find the secret page that contains the user name.

I looked at the page code and also cookies if something can be used to enumerate. There was nothing significant I could find.

In Burp Suite you can intercept the page, send it to Repeater, modify the content and test it for any response. It is good to remember that Burp Suite will come in handy for web enumeration.

I started Burp Suite and intercepted the traffic as shown.

Step 1

  1. Open the <Target Machine IP> in Browser.
  2. Set Intercept “ON”.
  3. Enable FoxyProxy in the Browser.

In the Burp intercept you can find the User-Agent header. From the earlier enumeration we noted that Agent R sent the mail. Let us send the request to Repeater and replace the User-Agent with R.

Click on “Send” and you can find a successful response. We need to replace “R” with each of the other letters and find out which one is successful, so that we can enumerate more.

We can send the earlier intercepted request to Intruder and check which letter is successful.

  1. Send the intercepted request to “Intruder”.
  2. Highlight the User-Agent row and click on Add. You can find a symbol added at the beginning and end.
  3. Go to the next tab, Payloads, and in the payload options add letters. You can add all the letters of the alphabet; for testing purposes I added a few letters. If none of them works, I will have to add all the letters.
  4. Click on Start Attack.
  5. From the length you can find that the User-Agent was C. You will have to sort by length.
  6. Let us go to Repeater and replace R with C. Click on Send.
  7. You can find that the Location changes.
  8. Copy the Location path, go to the browser and type <Target Machine IP>/Location Path
  9. We got the Agent User Name.
  10. On the Burp Suite request side, if you click on the Follow Redirection button you will find the same response as what we got from Step 9.
  11. Let us close Burp Suite.
# <Target Machine IP> / <Location Path>
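The Intruder run above leaves a recognisable trace in the web server's access log: one client sending a series of very short, distinct User-Agent values to the same page. The following detection sketch is an added example, not part of the original post; the log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format), not from the target.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Jun/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 218 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/78.0"
192.0.2.77 - - [15/Jun/2021:10:02:11 +0000] "GET / HTTP/1.1" 200 310 "-" "R"
192.0.2.77 - - [15/Jun/2021:10:02:12 +0000] "GET / HTTP/1.1" 200 218 "-" "A"
192.0.2.77 - - [15/Jun/2021:10:02:12 +0000] "GET / HTTP/1.1" 200 218 "-" "B"
192.0.2.77 - - [15/Jun/2021:10:02:13 +0000] "GET / HTTP/1.1" 302 0 "-" "C"
192.0.2.77 - - [15/Jun/2021:10:02:13 +0000] "GET / HTTP/1.1" 200 218 "-" "D"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def find_ua_enumeration(log_text, min_distinct=4, max_ua_len=3):
    """Flag clients that cycle through many very short User-Agent values."""
    seen = defaultdict(dict)  # ip -> {user_agent: last status code}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or len(m["ua"]) > max_ua_len:
            continue  # unparsable line or a normal, long browser User-Agent
        seen[m["ip"]][m["ua"]] = int(m["status"])
    findings = {}
    for ip, agents in seen.items():
        if len(agents) >= min_distinct:
            findings[ip] = {
                "agents": sorted(agents),
                # values that produced a redirect are the ones the server acted on
                "redirected": sorted(ua for ua, st in agents.items()
                                     if 300 <= st < 400),
            }
    return findings

if __name__ == "__main__":
    for ip, info in find_ua_enumeration(SAMPLE_LOG).items():
        print(ip, info)
```

The "redirected" list shows which header value the application treated as a credential, which is the design flaw to fix: a client-supplied header is not authentication.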

We got the username of User Agent “C”. Let us brute-force the password for Agent C using Hydra on the FTP port.

# hydra -l <Agent Name> -P /usr/share/wordlists/rockyou.txt ftp://<Target Machine IP>
# Valid Password Found

After we get into the FTP server with the credentials we found above, we must look at what is inside.

We found 3 files. I’m going to get them all to my local machine with the get command.

I read the To_agentJ.txt and I found out.

Always check the file type.
Oftentimes in CTFs you will come across files whose real nature is different from their file extension. You should know how to identify file types regardless of the extension.

$ file <file-name>

$ binwalk <file-name>

Rename cutie.png to cutie.zip. Using the unzip command was not successful; it terminated with a “need PK compat.” version warning.

Similar to steghide, we can use binwalk to extract the information.

Type # binwalk -e cutie.zip and the contents will get extracted to a directory.
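What file and binwalk are checking here can be shown in a few lines: identify a file by its magic bytes, then walk the PNG chunk list to IEND and look at whatever follows. This is an added example, not part of the original post; the sample file is built in memory, and the check covers only data appended after IEND, whereas binwalk scans for signatures at every offset.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAGIC = {PNG_SIG: "png", b"PK\x03\x04": "zip", b"\xff\xd8\xff": "jpeg"}

def sniff(data):
    """Name the format from leading magic bytes, ignoring any file extension."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"

def png_trailer(data):
    """Walk PNG chunks up to IEND and return the bytes that follow it."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("truncated PNG: no IEND chunk")

def _chunk(ctype, body=b""):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_sample():
    """Constructed sample: a 1x1 PNG with a ZIP archive appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one grey pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed payload")
    return png + buf.getvalue()

def inspect(data):
    trailer = png_trailer(data)
    return {"container": sniff(data),
            "trailing_bytes": len(trailer),
            "trailing_type": sniff(trailer)}

if __name__ == "__main__":
    print(inspect(build_sample()))
```

A clean PNG reports zero trailing bytes, so a non-zero count on an uploaded or transferred image is a cheap triage signal before running heavier tools.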

Navigate to the folder, where you can find a zip file which is password protected. Crack the zip password with John the Ripper.

Navigate to the folder where John is installed and check whether zip2john is available.

Extract the information and write it to a file called hash.txt.

# ./zip2john <Path of the Zip File> > hash.txt

The contents of hash.txt need to be cracked using John. Type ./john hash.txt. Within a few seconds the password for the zip is cracked.

After supplying the credentials, you can view the information in the To_agentR.txt file.

It seems to be encoded, and we need to decode it using the command below. Copy the encoded value and save it in a file steg.txt.

Type the command # base64 -d steg.txt

The password is written to stegpassword.txt. Now you have the password to extract information from the image cute-alien.jpg.

# steghide extract -sf <Image File Name>
# Output of steghide extract

We got the other user name and the password of james. We can try to SSH into the box.

# ssh james@<Target Machine IP Address>

I found the user.txt flag and there was an image “Alien_autospy.jpg”.

Start a Python HTTP server.

On the attacker machine, open the browser and type the Target Machine IP and port.

Click on the image and save it in a directory. There is a hint which mentions reverse image and fox news.

Go to google.com.

Click on the camera icon and click on upload an image. Search items are listed for the uploaded image.

Type fox news after the word adam dew and press enter. You can see items related to the search. Click on the link and we can answer the question: What is the incident of the photo called?

I did a sudo -l command here and a sudo -V in order to find something useful to exploit for privesc.

It looks like we can run /bin/bash as any user except the user root. I did a quick Google search and found that there is a Security Bypass vulnerability in sudo versions < 1.8.28. You can get the answer from the CVE details.

Sudo doesn't check for the existence of the specified user ID and executes the command with an arbitrary user ID with the sudo privileges.
-u#-1 returns as 0, which is root's ID.

In the terminal type # sudo -u#-1 /bin/bash.
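To find hosts exposed to this, an administrator needs two facts together: a sudo version below 1.8.28 and a sudoers rule that grants "every user except root". The audit sketch below is an added example, not part of the original post; the sudoers text and version strings are constructed samples modelled on the rule described above.

```python
import re

FIXED = (1, 8, 28)  # per the post: sudo versions below 1.8.28 are affected

# Constructed sample sudoers content, modelled on the rule described in the post.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
root  ALL=(ALL:ALL) ALL
james ALL=(ALL, !root) /bin/bash
"""

RULE_RE = re.compile(
    r"^\s*(?P<who>[^#\s]\S*)\s+[^\s=]+\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmd>.+)$"
)

def parse_version(text):
    """Extract (major, minor, patch) from output such as 'Sudo version 1.8.21p2'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in m.groups())

def runas_negation_rules(sudoers_text):
    """Return (user, command) for rules whose Runas user list is 'ALL minus root'."""
    hits = []
    for line in sudoers_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # comments, Defaults lines, rules without a Runas spec
        users = [u.strip() for u in m["runas"].split(":")[0].split(",")]
        if "ALL" in users and any(u in ("!root", "!#0") for u in users):
            hits.append((m["who"], m["cmd"].strip()))
    return hits

def audit(version_output, sudoers_text):
    affected = parse_version(version_output) < FIXED
    rules = runas_negation_rules(sudoers_text)
    return {"affected_version": affected, "rules": rules,
            "exposed": affected and bool(rules)}

if __name__ == "__main__":
    # "Sudo version 1.8.21p2" is a constructed value, not taken from the target.
    print(audit("Sudo version 1.8.21p2", SAMPLE_SUDOERS))
```

Upgrading sudo to 1.8.28 or later closes the bypass; replacing the negated Runas list with an explicit list of permitted users removes the dependence on that check altogether.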

After you become root you can get the answer for both of these questions together. :)

Thank you very much for reading. If you find that useful give me a clap and if there is something you would add contact me :)
