Agent Sudo - CTF TryHackMe Walkthrough

Akarsh K N
4 min read · Jun 21, 2021

Hello everyone! Welcome to a new blog post. In this post we are going to cover, step by step, the challenge box named Agent Sudo on TryHackMe.

Before starting, make sure that you are connected to the TryHackMe VPN and that the machine has been deployed successfully.

Target IP: 10.10.39.162

Host IP: 10.9.178.153

Now start an nmap scan to find out which ports are open and which services are running on the machine.

Command: nmap -sS -sV -sC -A -O 10.10.39.162

After enumerating directories with gobuster, we found nothing interesting.

As port 80 is open, opening the site in a browser shows a message indicating that an agent's codename is used as the User-Agent. Agent R is one of them.

So we use curl to find a valid User-Agent.

Command: curl -A "C" http://10.10.21.156 -L

Chris is a valid user. Now we will brute-force the password of chris using hydra.

Command: hydra -l chris -P /usr/share/wordlists/rockyou.txt 10.10.39.162 ftp

Now log in to FTP. We found three files. Download all of them for further enumeration.

We found a hint in To_agentJ.txt that some data is embedded in the other files.

While checking for steganography, we found that one of the files is protected with a passphrase. Let's crack the file password with stegseek and steghide.

We found the password after running stegseek (the extracted content is written to cute-alien.jpg.out).

The password of the james user is hackerrules!

On extracting the other PNG image using binwalk, we got a bunch of files.

Command: binwalk -e cutie.png

The 8702.zip file was password protected and To_agent R.txt was not accessible.

Using ssh2john and john, we cracked the hash for the 8702.zip file.

On extracting it with 7zip and reading the contents of To_agent R.txt, we got the password Area51.

Now, let's log in to the james account using the password that we found in the file.

We got a shell as the james user.

While looking through the files, we found our user flag.

User_flag.txt = b03d975e8c92a7c04146cfa7a5a313c7

While looking through the files, we also found an image related to the "Roswell alien autopsy".

Let's now check the sudo list for the user james; we found that running commands as the root user is restricted.

But this restriction can be bypassed. While searching the internet, we found an exploit on Exploit-DB named "sudo 1.8.27 — Security Bypass".

We can bypass the sudo restriction by running "sudo -u#-1 /bin/bash".

Let's run the exploit and check the current user.

We successfully got a root shell.

We successfully validated our root flag too.
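As an added defender-side example (not part of the original write-up), the following Python script audits a sudoers file for the pattern the sudo 1.8.27 bypass depends on: a rule that allows ALL runas users but excludes root, on a sudo build older than 1.8.28. The sample rules and version string below are constructed for illustration and are not taken from the box.

```python
"""Audit sudoers rules for the runas-negation pattern abused by 'sudo -u#-1'."""
import re

# Sudo builds before 1.8.28 map user id -1 (and 4294967295) to uid 0, so a
# Runas_Spec of "ALL" that only excludes root can still be used to run as root.
FIXED_VERSION = (1, 8, 28)

RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"   # user  host=
    r"(?:\((?P<runas>[^)]*)\)\s*)?"           # optional (runas_users:runas_groups)
    r"(?P<cmds>.+)$"                          # command list
)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")

# Constructed sample resembling the kind of rule found on the box.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
james   ALL=(ALL, !root) /bin/bash
alice   ALL=(ALL:ALL) ALL
bob     ALL=(www-data) /usr/bin/less
"""

def parse_version(text):
    """Turn output such as 'Sudo version 1.8.27' into the tuple (1, 8, 27)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def strip_comment(line):
    """Drop a trailing comment; '#' followed by a digit is a uid/gid, not a comment."""
    return re.sub(r"\s*#(?!\d).*$", "", line).strip()

def runas_is_bypassable(runas):
    """True when the runas users are 'ALL' restricted only by a root exclusion."""
    if not runas:
        return False
    users = [p.strip() for p in runas.split(":")[0].split(",")]  # ignore group part
    return "ALL" in users and any(p in ("!root", "!#0") for p in users)

def audit_sudoers(sudoers_text, version_text):
    """Return (user, rule) pairs that are exploitable on this sudo version."""
    version = parse_version(version_text)
    findings = []
    for raw in sudoers_text.splitlines():
        line = strip_comment(raw)
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if m and runas_is_bypassable(m.group("runas")) and (version is None or version < FIXED_VERSION):
            findings.append((m.group("who"), line))
    return findings

if __name__ == "__main__":
    for user, rule in audit_sudoers(SAMPLE_SUDOERS, "Sudo version 1.8.27"):
        print(f"bypassable rule for {user}: {rule}")
```

On a real host, feed it the output of `sudo -V` and `sudoers` (or `sudo -l` rules) and upgrade sudo to 1.8.28 or later wherever a finding appears.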

Thank you all.
