THM - Agent Sudo

Okay so I need more hands on time for some Red-Teaming as I'm pretty far behind and can't seem to catch up. Let's do all the easy ones I can find on THM.

Agent Sudo says "You found a secret server located under the deep sea. Your task is to hack inside the server and reveal the truth."

Out of the box we enumerate with nmap to get there are 3 ports open on a Linux box running Apache.

We can open the URL and view the page, which tells us to use our "codename" as user-agent to access the site. According to the Mozilla MDN site, The User-Agent is a request header - a characteristic string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.

I wasn't able to figure out how to send it through a web browser but I was able to use one of the writeups to see that we send it through Curl, using agent R's initial

curl -A "R" -L 10.10.109.58 

-A is the user-agent <name> Send User-Agent <name> to server

-L is the location and follows re-directs

Doing this gives us some output, the site now has a header that says "what are you doing! Are you one of the 25 employees? If not, I going to report this incident"

Well that at least tells me that works, it also tells me there's 25 employee's and the web developer doesn't speak good English ;)

Now here's where my thought process took me in a WAY off location from the write-up. Because the clue was a longer hyphenated text, I didn't think to just keep trying alphabet letters - even though one letter alphabet gave me some headway. Let's go through the alphabet here.

Letter "C" gives us something - telling us that C is an agent, named chris (with a weak password) and we have another agent called J:

My thoughts at this point are it's an FTP or SSH login (we gathered those are available from the nmap earlier) with the username chris. We don't know the password but because it's weak we should be able to brute-force it with hydra. Reading the writeup, I was right - so let's do it.

We see there's three files, cute-alient.jpg, cutie.png and a file in there called To_agentJ.txt - so we of course download it and read it. It says:

Dear agent J,

All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.

From,

Agent C

After trying strings and a hex editor on both those files I came up nada - so back to the writeup. Another app I didn't know about - binwalk. binwalk, as per kali.org, is a tool for searching a given binary image for imbedded files and executable code. As we see from the output, one of these things is not like the other.

We see that the png file is actually a zip file in disguise but it's encrypted and contains a text file called To_agentR.txt (which btw, we DID see hidden in the file when we ran strings on it - might be good to note that for the future as it would maybe hint us towards using binwalk for oddities). We run the command below to extract the contents of this file from the png

binwalk -e cutie.png

This puts everything into a folder that we can navigate to, run zip2john and then john to crack the password

When we extract and view the file there, we get this text, which means nothing to me:

Agent C,

We need to send the picture to 'QXJlYTUx' as soon as possible!

By,
Agent R

Following up with the writeup, it's encoded and using cyberchef - which we can use to find it's the steg password (which btw stands for Steganography... which if I was smarter would have given me a red flag that this was encoded)

So now we need the other agent's name. What's interesting is when I googled what a steg password was, it came up with an article on medium about cracking a steg - this was menioned in the writeup too (steghide is often used to hide data inside of jpg files with a passphrase). So let's try it!

steghide extract -sf cute-alien.jpg
wrote extracted data to "message.txt"

when we cat out this new file we get both the username AND the password - suh-weet!

Hi james,

Glad you find this message. Your login password is hackerrules!

Don't ask me why the password look cheesy, ask agent R who set this password for you.

Your buddy,
chris

Now we can SSH in as james and get the goodies.

We also need to download that jpg file in there and do a reverse image search on it - as per the clue. I used tineye.com to do this, which let's you filter by domain - foxnews in this case.

Okay privilege escalation - something i ALWAYS have trouble with. I see they want a CVE that shows the vulnerability. Looking at the writeup, let's check the user account I have first and see which permissions he has.

Step 1 : whoami - am I root? = No

Step 2: id - what user groups am I in? = sudo

Step 3: sudo -l - list which things I can run as sudo? = (ALL, !root) /bin/bash

Now according to the writeup, we can literally put in a search for this sudo listing code followed by the word exploit to find out how to do this... so here goes:

Let's click the link and find out how to do it. If you've never used exploit-db.com before - it's AMAZING! It will literally give you either a script to run or walk you through how to take advantage. Let's do it.

OK so the above command (according to to exploit-db.com ) says that sudo (the command we're running) doesn't check for the existence of the specified user (in this case james') id and instead executes with the arbitrary user id (-u#-1 returns as 0, which is root's id) and launches /bin/bash (which is a type of linux shell - the command we're running as "sudo").

Wow, that was stupid easy AND we find out that