Agent Sudo | TryHackMe
We started with an Nmap scan to find the open ports.
We found 3 open ports, so first we checked port 80 in the browser to see the webpage.
The webpage shows an announcement to the agents from Agent R. The TryHackMe hint was to change the “User-Agent” header to “C”, so we started Burp Suite to intercept the request.
After capturing the request, we changed the “User-Agent” to “C” and forwarded it.
Burp Suite showed a success response, so we checked the webpage again.
We got an agent name, and the message tells us that this agent's password is weak, so we can brute-force FTP with Hydra.
Now that we know the agent's password, we can log in through FTP.
After logging in through FTP we listed the contents and found images and a text file; we downloaded all of them with the “get” command.
The “To_agentJ.txt” file says that the login password for chris is stored in the fake picture.
We used “steghide” to look for hidden data in “cutie.png” and also checked it with “ExifTool”, but nothing came up. We then tried “binwalk”, which found a zip file embedded in “cutie.png”; we extracted it, but the zip was password-protected.
So we used “zip2john” to turn the zip file into a crackable hash with this command
./zip2john 8702.zip > Output.txt
and then we used john to crack the hash.
We got the password “a****”, so we tried to extract the zip file, but the unzip command did not work, so we used this command instead
7z e 8702.zip
After entering the password and extracting the zip file, we got this message.
The message was from Agent R. We decoded the ‘Q*******’ string using CyberChef, which offers automatic decoding suggestions.
We got the password. The only image file left is “cute-alien.jpg”, so we used “steghide” again to retrieve the hidden info from it.
The info was extracted to “message.txt”; the message contains a username and password.
We logged in to the machine over SSH with that username and password, and now we can read the user flag.
Privilege Escalation
We checked which commands the user is allowed to run with sudo using the “sudo -l” command.
A Google search turned up a sudo vulnerability affecting versions before 1.8.28, so we checked the installed sudo version.
Our sudo version is lower than 1.8.28, so the machine is exploitable.
You can read about this vulnerability.
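As an added defender-side check (not part of the original writeup), here is a small shell function that parses the first line of `sudo --version` and reports whether the installed sudo is older than the 1.8.28 release mentioned above; the version strings fed to it are constructed samples.

```shell
#!/bin/sh
# Hypothetical helper, not from the original writeup: decide whether a sudo
# version string is older than 1.8.28 (the release the writeup treats as the fix).
# Input is the first line printed by `sudo --version`, e.g. "Sudo version 1.8.21p2".

sudo_version_number() {
    # Pull "1.8.21" out of "Sudo version 1.8.21p2"; the "p2" patch suffix is dropped.
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.]*\).*/\1/p'
}

# Returns 0 when the version is below 1.8.28, 1 when it is 1.8.28 or newer,
# and 2 when the line could not be parsed.
sudo_is_vulnerable() {
    ver=$(sudo_version_number "$1")
    [ -n "$ver" ] || return 2
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$rest" = "$patch" ] && patch=0   # a bare "1.8" has no patch number
    if [ "$major" -lt 1 ]; then return 0; fi
    if [ "$major" -gt 1 ]; then return 1; fi
    if [ "$minor" -lt 8 ]; then return 0; fi
    if [ "$minor" -gt 8 ]; then return 1; fi
    [ "$patch" -lt 28 ]
}

# Constructed sample lines standing in for real `sudo --version` output.
for line in "Sudo version 1.8.21p2" "Sudo version 1.8.28" "Sudo version 1.9.5p2"; do
    if sudo_is_vulnerable "$line"; then
        echo "$line: older than 1.8.28, upgrade sudo"
    else
        echo "$line: at or above the fixed release"
    fi
done
```

On a real host, run it as `sudo_is_vulnerable "$(sudo --version | head -n 1)"` and act on the exit status.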
Well, we are root now! You can find the root flag easily.